Data Processing Agreement (DPA) For Biostaffic
This Data Processing Agreement (“DPA”) forms part of the Biostaffic Terms of Service, or other agreement governing the use of Biostaffic (“Agreement”) entered by and between you, the Client (as defined in the Agreement) (collectively, “you”, “your”, “Client”), and Biostaffic, LLC (“Biostaffic”, “us”, “we”, “our”) to reflect the parties’ agreement with regard to the Processing of Personal Data by Biostaffic solely on behalf of the Client. Both parties shall be referred to as the “Parties” and each, a “Party”. Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement.
In the event of any conflict between certain provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement solely with respect to the Processing of Personal Data.
HOW TO EXECUTE THIS DPA:
By using our Services, Client accepts this DPA and you represent and warrant that you have full authority to bind the Client to this DPA. If you cannot, or do not agree to, comply with and be bound by this DPA, or do not have authority to bind the Client or any other entity, please do not provide Personal Data to us.
If you need a signed copy of this DPA, you can contact dataprivacy@biostaffic.com and we’ll provide you a signed copy.
1. Definitions
Biostaffic means the Biostaffic company which is a party to this DPA, being Biostaffic, a company organized and existing under the laws of the state of Florida (USA), with its head office at 5352 Carrara Ct, Saint Cloud FL 34771, USA.
Biostaffic Group means Biostaffic and its Affiliates engaged in the Processing of Personal Data.
Affiliate means any entity that directly or indirectly controls, is controlled by, or is under common control with Biostaffic. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
Applicable Data Protection Law means all laws, regulations, and other legal requirements relating to (i) privacy, data security, consumer protection, marketing, promotion, and text messaging, email, and other communications; (ii) the use, collection, retention, storage, security, disclosure, transfer, disposal, and other processing of Personal Data applicable to the processing of Client Personal Data under the Agreement including but not limited to General Data Protection Regulation 2016/679 (“GDPR”), Federal Data Protection Act of 19 June 1992 (Switzerland), UK Data Protection Act 2018 and UK General Data Protection Regulation (UK GDPR), Japanese Act on the Protection of Personal Information (Act No. 57 of 2003 as amended in 2015) and any US state or federal laws or regulations pertaining to the collection, use, disclosure, security or protection of personal data, or to security breach notification, e.g. California Consumer Privacy Act of 2018 (“CCPA”) and California Privacy Rights Act of 2020 (when effective); and binding guidance and / or codes of practice issued by a competent supervisory authority under applicable laws (as defined in the GDPR), or the European Data Protection Board.
Business Contact Information means the names, mailing addresses, email addresses, and phone numbers regarding the other Party’s employees, directors, vendors, agents and customers, maintained by a Party for business purposes as further described below.
Client Personal Data means Client-owned or controlled personal data provided by or on Your behalf to Biostaffic or a Biostaffic affiliate or subcontractor for processing under Applicable Data Protection Law pursuant to the Agreement. Unless prohibited by Applicable Data Protection Law, Client Personal Data shall not include information or data that is anonymized, aggregated, de-identified and/or compiled on a generic basis and which does not name or identify a specific person.
“Controller”, “Consent”, “Processor”, “Sub-Processor”, “Data Subject”, “Personal Data”, “Processing” or similar terms shall have the meaning given under Applicable Data Protection Law. For the avoidance of doubt, Processor includes without limitation, a “Business” as defined by the CCPA, “Service Provider” as defined by the CCPA, and “business operator handling personal information” as defined by the APPI. For the purposes of this Addendum Processor shall mean Biostaffic.
Personal Data Breach means an actual, confirmed breach of security of Client Personal Data that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to such Client Personal Data transmitted, stored or otherwise processed by a Party under the terms of the Agreement.
Standard Contractual Clauses means: (i) where the GDPR applies the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the “EU SCCs”); (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR (the “UK SCCs”); and (iii) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or otherwise recognized by the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) (the “Swiss SCCs”).
UK GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act 2018 and as amended by subsequent legislation.
UK SCCs Addendum means the standard contractual clauses addendum issued by the UK Secretary of State for the transfer of Personal Data outside the UK and any amendment or replacement of such standard contractual clauses pursuant to Article 46(5) of the GDPR.
2. Representations and Warranties
2.1 Each Party represents and warrants that it will comply with the requirements of Applicable Data Protection Law as applicable to such Party with respect to the processing of the Client Personal Data.
2.2 Each Party warrants and represents it has no reason to believe that the Data Protection Law prevents it from providing or receiving any services under the Agreement; and
2.3 Each Party warrants and represents it has the corporate power and capacity to perform its obligations under this Addendum.
2.4 You represent and warrant to Biostaffic that:
2.4.1 You shall comply with and provide all of your obligations under this Addendum in accordance with best industry practice;
2.4.2 You have no reason to believe that Applicable Data Protection Law prevents You from entering into this Addendum or fulfilling any of Your obligations under this Agreement;
2.4.3 You have all necessary authorisations to enable or entitle You to enter into this Addendum, including but not limited to instructions, notices, licenses and consents, and that these have been obtained and are in full force and effect and will remain in such force and effect at all times during the subsistence of this Addendum;
2.4.4 You shall only provide processing instructions that are lawful and You shall have sole responsibility for the accuracy, quality, and legality of Client Personal Data and the means by which it was acquired;
2.4.5 neither the execution and delivery of this Addendum nor Your performance of any of Your obligations hereunder violates any (a) law to which You are subject; (b) judgment or order by which You are bound; (c) constitution or other equivalent constituting documents; or (d) other agreement or instrument which is binding on You or Your assets; and
2.5 Prior to transmitting Client Personal Data to Biostaffic, You shall inform Biostaffic of any requirements pertaining to the transmitted Client Personal Data.
2.6 Biostaffic represents and warrants to You that:
2.6.1 it will process the Client Personal Data (as set out in Appendix A) only in accordance with your documented processing instructions which may be given from time to time (including as set forth in the Agreement and this Addendum), save as otherwise required by law. The Parties agree that the Agreement and this Addendum, along with the Client’s configuration of or any use of any settings, features, or options in the services (as the Client may be able to modify from time to time) constitute the Client’s complete and final instructions to Biostaffic in relation to the processing of Client Personal Data (including for the purposes of the SCCs), and processing outside the scope of these instructions (if any) shall require prior written agreement between the Parties. For the avoidance of doubt, the Client acknowledges and agrees that the documented instructions include the processing of Client Personal Data for the purposes of providing, supporting, and improving Biostaffic services (including to provide insights and other reporting).
2.6.2 it will promptly notify You if Biostaffic determines that Your processing instruction violates any Applicable Data Protection Law (provided that nothing herein shall require Biostaffic to provide legal or regulatory advice or monitor Applicable Data Protection Law as they apply to You).
3. Disclosure and Processing of Client Personal Data
3.1 When providing or making available Client Personal Data to Biostaffic, You shall only disclose or transmit Client Personal Data that is necessary for Biostaffic to perform the applicable services under the Agreement.
3.2 Following expiration or termination of the provision of services under the Agreement and relating to the processing of Client Personal Data, Biostaffic shall promptly and securely delete all Client Personal Data (including existing copies) pursuant to its data retention schedule and as required by applicable laws. Notwithstanding the data retention schedule, upon Your written request following the termination of services, Biostaffic shall destroy all Client Personal Data in our possession, unless otherwise required or permitted by applicable laws.
3.3 All Biostaffic personnel, including subcontractors, authorized to process the Client Personal Data shall be subject to confidentiality obligations and/or subject to an appropriate statutory obligation of confidentiality.
3.4 You expressly acknowledge and agree that, in the course of providing the services, Biostaffic may anonymize, aggregate, and/or otherwise de-identify Client Personal Data (“De-Identified Data”) and subsequently use and/or disclose such De-Identified Data for the purpose of research, benchmarking, improving Biostaffic’s offerings generally, or for another business purpose authorized by Applicable Data Protection Law provided that Biostaffic has implemented technical safeguards and business processes designed to prevent the re-identification or inadvertent release of the De-Identified Data.
4. Security Measures
4.1 Each Party shall implement appropriate technical and organizational security measures to safeguard Client Personal Data from unauthorized or unlawful processing, destruction, loss, alteration, damage or disclosure. The Parties agree:
4.1.1 taking into account the ongoing state of technological development, the costs of implementation and the nature, scope, context and purposes of the processing of the Client Personal Data, as well as the likelihood and severity of risk to individuals, that Biostaffic’s implementation of and compliance with their security measures set out in are sufficient to provide a level of security appropriate to the risk in respect of the processing of the Client Personal Data; and
4.1.2 the Technical and Organizational Security Measures implemented pursuant to this clause 4 are subject to technical progress and development and that Biostaffic regularly reviews and may update or modify them from time to time in order to ensure that the processing of Client Personal Data is performed in accordance with this Addendum and Applicable Data Protection Law.
4.2 Personal Data Breach:
If Biostaffic becomes aware of an actual or suspected Personal Data Breach of Client Personal Data, Biostaffic will notify You without undue delay. Biostaffic will provide You with such information, assistance, cooperation, and taking into account the nature of the services provided and the information available to Biostaffic, take reasonable commercial steps to: (i) investigate and mitigate the Personal Data Breach and (ii) assist with respect to Your breach notification obligations under any Applicable Data Protection Law. The Parties agree to coordinate in good faith on developing the content of any related public statements and any required notices to the affected data subjects and/or the appropriate regulator in connection with a Personal Data Breach, provided that nothing in this clause shall prevent either party from complying with its obligations under Applicable Data Protection Law.
5. Audits and Inspections
Upon written request, Biostaffic shall make available to You, no more than once annually and strictly at your own cost, information reasonably necessary to demonstrate Biostaffic’s compliance with its obligations under this Addendum and Applicable Data Protection Law. You shall be solely responsible for determining whether the Services and Biostaffic’s Security Measures will meet your needs, including with respect to any Data Protection Laws.
6. Data Subject and Supervisory Authority Requests
To the extent required under Applicable Data Protection Law and taking into account the nature of the services provided, Biostaffic shall:
6.1 provide such assistance to You as is reasonably requested with respect to Your obligations to comply with requests from Your data subjects to exercise their rights under Applicable Data Protection Law. Biostaffic shall notify You without delay upon receipt of any request by a data subject to exercise his or her rights under Applicable Data Protection Law in respect of any Client Personal Data. Biostaffic will not independently respond to such requests from Your data subjects except where otherwise required by Applicable Data Protection Law. You undertake to inform Biostaffic (as the processor / service provider) of any data subject (or consumer) request received and shall provide Biostaffic with the necessary information to allow Biostaffic to comply with the request when required to do so; and
6.2 notify You of all enquiries or communications from a competent supervisory authority that Biostaffic receives which relate to Client Personal Data processed in connection with providing the services and under this Addendum and the Agreement unless prohibited from doing so at law or by a regulator. You shall be responsible for all communications or correspondence with the competent supervisory authority in relation to Your role as Controller of Client Personal Data under Applicable Data Protection Law and, to the extent permitted by law.
7. Data Protection Impact Assessments and Prior Consultation
To the extent required under Applicable Data Protection Law and taking into account the nature of the services provided and the information available to Biostaffic, and to the extent You do not otherwise have access to the relevant information, Biostaffic shall provide reasonable assistance to You as reasonably requested with respect to Your obligations to conduct data protection impact assessments with respect to the processing of Client Personal Data.
8. Subprocessors
You generally authorize the engagement of Subprocessors by Biostaffic and a list of existing Subprocessors (to the extent that Subprocessors shall be used) may be made available via our Privacy Policy. Biostaffic shall enter into a written agreement with each Subprocessor(s) that imposes on the Subprocessor the same data protection obligations that are imposed on Biostaffic pursuant to this Addendum. You shall promptly, and in any event within 10 business days, notify Biostaffic in writing of any reasonable objection to such changes / appointment. You acknowledge that Biostaffic’s Subprocessors are essential to provide the services and that if You object to Biostaffic’s use of a Subprocessor, then notwithstanding anything to the contrary in the Agreement, Biostaffic will not be obligated to provide the services to You for which Biostaffic uses that Subprocessor and any adjustments required by You shall be at your cost. Any disagreements between the Parties shall be resolved via the contract dispute resolution procedure.
9. Transfers
9.1 Transfers of EEA/Swiss Data:
To the extent that GDPR and complementary data protection laws in EU member countries (“EU Data Protection Law”) applies to the processing of Client Personal Data, Biostaffic agrees that it will not transfer Client Personal Data out of the EEA and/or Switzerland to a country that has not been identified by the European Commission or a Supervisory Authority under EU Data Protection Law as a country that provides an adequate level of data protection except where Biostaffic has ensured appropriate safeguards are in place, such as the Standard Contractual Clauses approved by the European Commission unless otherwise required by applicable law. Biostaffic and You hereby enter into the Standard Contractual Clauses (as further set out in the Schedule to this Agreement) in respect of such transfers.
9.2 Transfers of UK Data:
Subject to subsection 9.4 below, the Parties shall rely on the UK Standard Contractual Clauses as amended from time to time by the Information Commissioner’s Office (the “UK SCCs”), to protect Client Personal Data being transferred from the United Kingdom (UK) to a country outside the UK not recognized as providing an adequate level of protection for personal data. You, acting as data exporter, shall execute, or shall procure that Your relevant entities execute, such UK SCCs with the relevant Biostaffic entity or a third-party entity, acting as a data importer.
9.3 Transfers of non-EEA/Swiss/UK Data:
In the event that Client Personal Data is to be transferred outside the country of origin in connection with the provision of Services under the Agreement and this country is not located within the EEA, Switzerland or the United Kingdom, the Parties will work together expeditiously and in good faith to establish the appropriate transfer mechanism to be implemented, as required by applicable Data Protection Law.
9.4 Transfer Mechanism:
In the event that the transfer mechanisms agreed by the Parties herein are amended, replaced, or cease to be authorized as a means to provide “adequate protection” with respect to transfers of Client Personal Data, the Parties will work together expeditiously and in good faith to establish another valid transfer mechanism and/or implement supplementary measures as needed to establish appropriate safeguards for such data. Any impacts on the terms of the Agreement and the provision of the services caused by such new requirements will be addressed by the Parties in accordance with Section 16 (Changes in Laws) below.
10. California Consumer Privacy Act
10.1 The following shall apply to the extent that the CCPA is applicable. Biostaffic shall: (i) not sell or share any Client Personal Data (as defined by CCPA); (ii) not retain, use or disclose any such Client Personal Data for any purpose other than business purpose(s) specified in accordance with the Agreement, unless permitted by law; (iii) not retain, use or disclose such Client Personal Data outside the direct business relationship between Biostaffic and Client, as set forth in the Agreement, unless otherwise permitted by law; (iv) provide the same level of privacy protection required of Client by the applicable obligations under CCPA for Client Personal Data; (vii) notify the Client if it can no longer meet its obligations under the CCPA and will work with the Client to take reasonable and appropriate steps to stop and remediate unauthorized use of Client Personal Data.
10.2 Client agrees that execution of the Agreement by Biostaffic shall be deemed to constitute any certification that is required under applicable Data Protection Laws to the restrictions on sale, retention, use, or disclosure of Client Personal Data.
11. Use of Business Contact Information
Each Party consents to the other Party using its Business Contact Information for contract management, payment processing, service offering, and business development purposes, including business development with partners, and such other purposes as set out in the using Party’s global data privacy policy (copies of which shall be made available upon request). For such purposes, and notwithstanding anything else set forth in the Agreement or this Addendum with respect to Client Personal Data in general, each Party shall be considered an independent Controller with respect to the other Party’s Business Contact Information and shall be entitled to transfer such information to any country where such Party’s global organization operates.
12. Disclaimer of Liability
Biostaffic will not be liable for any claim brought by a data subject arising from or related to Biostaffic or its Affiliates’ action or omission to the extent that Biostaffic was acting in accordance with Your instructions.
13. Governing Terms
13.1 This Addendum represents the entire agreement between the Parties in relation to its subject-matter and all previous representations, agreements and statements are hereby excluded.
13.2 For avoidance of doubt and without prejudice to the rights of any data subjects thereunder, this Addendum and any Standard Contractual Clauses (or other data transfer agreements) that the Parties or their affiliates may enter into in connection with the services provided pursuant to the Agreement will be considered part of the Agreement and the liability terms set forth in the Agreement will apply to all claims arising thereunder.
13.3 In the event of any conflict or ambiguity between terms of this Addendum and terms of the Agreement, the terms of the Addendum shall prevail. In the event of any conflict or ambiguity between terms of this Addendum and terms of the Standard Contractual Clauses, the terms of the Standard Contractual Clauses shall prevail. All other terms and conditions within the Agreement remain unchanged and in full force and effect.
14. Severability
Each and every provision of this Addendum is severable and distinct from the others and if at any time any provision of this is or becomes illegal, invalid or unenforceable in any respect under the law of any jurisdiction, that will not affect or impair the legality, validity or enforceability in that jurisdiction of any other provision of this Addendum.
15. Notices and Variation
All notices, consents, demands, and other communications required or permitted to be given by either Party under this Addendum shall be in writing. No amendment to this Addendum will be effective unless in writing and signed by both Parties.
16. Changes in Laws
In the event of (i) any newly enacted Applicable Data Protection Law, (ii) any change to an existing Applicable Data Protection Law (including generally-accepted interpretations thereof), (iii) any interpretation of a new or existing Applicable Data Protection Law by You, or (iv) any material new or emerging cybersecurity threat, which individually or collectively requires a change in the manner by which Biostaffic is delivering the services to You, the Parties shall agree in writing upon how Biostaffic’s delivery of the services will be impacted and shall make equitable adjustments to the terms of the Agreement and the Services in accordance with any change procedures as may be agreed to by the Parties.
17. Governing Law and Jurisdiction
17.1 The jurisdiction of this Addendum shall be the jurisdiction of the Agreement. In the event there is no jurisdiction clause in the Agreement, any dispute or claim in connection with this Addendum shall be governed by and construed in accordance with:
17.1.1 in the case of the contracting Biostaffic entity being in Europe, the laws of Ireland,
17.1.2 in the case of the contracting Biostaffic entity being in the USA or elsewhere, the laws of the state of Florida.
SCHEDULE
EEA STANDARD CONTRACTUAL CLAUSES
The relevant Controller-Processor Standard Contractual Clauses (Module 2) are available: here. For the purposes of entering the Standard Contractual Clauses:
a) The optional Clause 7 shall not apply
b) Option 2 of Clause 9 (Use of sub-processors) shall apply.
c) The description of the transfer of Personal Data in Appendix A of this Agreement shall be deemed to be inserted in place of Annex I of the Standard Contractual Clauses;
d) Biostaffic’s security measures shall be deemed to be inserted in place of Annex II of the Standard Contractual Clauses.
UK STANDARD CONTRACTUAL CLAUSES
The UK SCCs Addendum is available: here. For the purposes of entering the UK SCCs Addendum:
a) The information contained in Appendix A of this Agreement shall be deemed to apply to Tables 1, 2 and 3 of the UK Standard Contractual Clauses; and
b) Biostaffic’s security measures shall be deemed to apply to the final row (Annex II) of Table 3 of the UK Standard Contractual Clauses.
APPENDIX A
A. LIST OF PARTIES
Data Exporter(s) / Client:
Name:
Address:
Contact Name, Position, Details:
Relevant Activities:
Roles:
Data Importer:
Name:
Biostaffic, LLC
Address:
5352 Carrara Ct, Saint Cloud FL 34771, USA
Contact:
Biostaffic, LLC
Relevant Activities:
Biostaffic is engaged in the business of providing a networking website that will connect biotechnologists and companies worldwide (the “Biostaffic Services”).
Role:
Processor
B. DESCRIPTION OF TRANSFER
Categories of Data Subjects
The personal data transferred concern the following categories of data subjects: Individuals about whom Personal Data is provided to Biostaffic via the Services by (or at the direction of) Client, which may include without limitation Client’s or its Affiliates’ employees, contractors, and end users.
Purposes of the transfer(s)
The transfer is made for the following purposes: Biostaffic will only process Client Personal Data as Processor for the following purposes and only when necessary and proportionate to comply with the Client’s instructions: Providing and updating the Services as licensed, configured, and used by Client and its users, including through Client’s use of Biostaffic settings, administrator controls or other Service functionality; Securing and real-time monitoring the Services; Resolving issues, bugs, and errors; Providing Client requested support, including applying knowledge gained from individual Client support requests to benefit all Biostaffic Clients but only to the extent such knowledge is anonymized as set out in the Agreement and this Appendix A detailing the subject matter, nature, purpose, and duration of Personal Data Processing in the Controller to Processor capacity; Any other documented instruction provided by Client and acknowledged by Biostaffic as constituting instructions for purposes of this Addendum.
Categories of Personal Data
Depending on the Services you use, the personal data transferred may primarily concern the following categories of data:
Biostaffic Account Information: Data associated with the end user’s Biostaffic account, password, company name, and Client’s preferences. This will include: Biostaffic unique user ID, social media login (optional), and display name.
Client Authentication Data: This may include username and password.
Interview Content. This may include video, audio, transcripts, interview notes, and interview questions.
Chat Messages. Content sent between users on a Biostaffic hosted platform.
Candidate Materials: Data that Candidates disclose to employers in the hiring process. This data may include applications, which generally contain Candidate resumes, screening data (such as answers to screener questions or assessment results), cover letters, and any other data a Candidate agrees to share with Employers when they express interest in employment opportunities, for example, by applying or registering for events.
Employer Materials: This may include recruiter profiles, disposition information and employers’ notes about candidates, and candidate preferences.
Interview Metadata: This may include information about your interview product usage, such as frequency, quality, timezone, attendance, and duration of events, as well as network activity and sample text you save to dash.
Device and Network information: Information about your desktop and mobile device, which may include network data, operating system, user agent, MAC / IP address, and service logs.
User Feedback and Satisfaction Data: This may include ratings and plain text feedback on how we can improve our services.
Frequency of the transfer (e.g. whether the data transfer is a one-off or continuous basis)
Continuous
Special categories of personal data (if appropriate)
Special categories are not required to use the Services. Such special categories of data include, but may not be limited to, Personal Data with information revealing racial or ethnic origin, political opinions, religious or philosophical belief, genetic or biometric data, data concerning your health or sexual orientation. To the extent such sensitive data is submitted, it is determined and controlled by Client in its sole discretion.
Duration of processing
The applicable term of the Agreement unless otherwise required by law.
Nature and Subject Matter of the Processing
Biostaffic will process Client Personal Data for the purposes of providing the Services to Client in accordance with the Addendum.
Retention period (or, if not possible to determine, the criteria used to determine that period)
The applicable term of the Agreement unless otherwise required by law.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13 of the SCCs:
The competent supervisory authority, in accordance with Clause 13 of the EU SCCs, must be (i) the supervisory authority applicable to the data exporter in its EEA country of establishment or, (ii) where the data exporter is not established in the EEA, the supervisory authority applicable in the EEA country where the data exporter’s EU representative has been appointed pursuant to Article 27(1) of the GDPR, or (iii) where the data exporter is not obliged to appoint a representative, the supervisory authority applicable to the EEA country where the data subjects relevant to the transfer are located.
With respect to Personal Data to which GDPR applies, the competent supervisory authority is the Irish Data Protection Commission.
With respect to Personal Data to which the UK GDPR applies, the competent supervisory authority is the Information Commissioner’s Office (the “ICO”).