DATA PROCESSING ADDENDUM

This Data Processing Addendum (“Addendum”) is entered into BETWEEN:

  1. Vinter AI Recruitment Ltd. (“Vinter AI” or “Company”), a private company with limited liability incorporated under the laws of England and Wales, with its principal place of business registered at 74a High Street, Wanstead, London, Greater London, United Kingdom, E11 2RJ, registered in England and Wales with company number 15387315, and,
  2. The Vinter AI customer party thereto (herein, referred to as “Customer”) pursuant to which Vinter AI provides and Customer purchases a subscription to access and use Vinter AI’s services (“Services”) as further described in the Subscription Agreement (“Subscription Agreement”).

Under this Addendum, Vinter AI and the Customer are individually referred to as a “Party”, and collectively as the “Parties”.

WHEREAS:

  1. The Customer and Vinter AI have entered into a Subscription Agreement that may require Vinter AI to process Personal Data on behalf of the Customer. The terms and conditions outlined in this Data Processing Addendum (“Addendum”) shall be mutually binding upon the Parties by mutual execution of the Subscription Agreement, which includes reference to this Addendum (“Effective Date”).
  2. This Addendum sets out the additional terms, requirements and conditions on which Vinter AI will process Personal Data when providing Services under the Subscription Agreement. This Addendum contains the mandatory clauses required by Article 28(3) of the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (UK GDPR) for contracts between controllers and processors and the General Data Protection Regulation ((EU) 2016/679).

AGREED TERMS

1. Definitions and interpretation

Unless stated otherwise in this Addendum, capitalised terms in the Addendum have the meaning as defined in the Subscription Agreement.

Authorised Persons: the persons or categories of persons that the Customer authorises to give Vinter AI Personal Data processing instructions and from whom Vinter AI agrees to accept such instructions.

Business Purposes: the Services to be provided by Vinter AI to the Customer as described in the Subscription Agreement.

UK ICO: the United Kingdom Information Commissioner’s Office.

Controller, Processor, Data Subject, Personal Data, Personal Data Breach, Processing and Recipient: have the meanings given to them in the applicable Data Protection Legislation.

Controller Personal Data: the Personal Data processed by Processor on Controller’s behalf pursuant to this Addendum.

Data Protection Legislation: all applicable data protection and privacy legislation concerning privacy, security, protection, and the handling of Personal Data. This includes, without limitation, the UK GDPR, the Data Protection Act 2018 (DPA 2018), the EU GDPR, or any legislation of a member state of the European Union applicable to the Customer or Vinter AI concerning the protection of Personal Data. Additionally, it encompasses all other legislation and regulatory requirements in force from time to time, which apply to a party regarding the use of Personal Data.

Data Subject: the identified or identifiable living individual to whom the Personal Data relates.

EU GDPR: the General Data Protection Regulation ((EU) 2016/679).

EEA: the European Economic Area.

Personal Data: means any information relating to an identified or identifiable living individual that is processed by Processor on behalf of the Customer in connection with the provision of the Services under the Subscription Agreement; an identifiable living individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

Personal Data Breach: a breach of security leading to the accidental, unauthorised or unlawful destruction, loss, alteration, disclosure of, or access to, the Personal Data.

Standard Contractual Clauses: (i) the international data transfer addendum (“UK Transfer Addendum”) adopted by the UK Information Commissioner’s Office for the transfer of Personal Data from the UK to Third Countries; (ii) the agreement pursuant to the European Commission's Implementing Decision 2021/914 published on 4 June 2021 on standard contractual clauses for the transfer of Personal Data to Third Countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, and any replacement, amendment, or restatement of the foregoing issued by the European Commission (the “EU Standard Contractual Clauses”, “SCC”); (iii) any similar such clauses adopted by a data protection regulator relating to Personal Data transfers to Third Countries, including without limitation any successor clauses thereto.

Security Incident: the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data. However, it excludes unsuccessful attempts or activities that do not compromise Personal Data security, such as pings, port scans, denial of service attacks, or unsuccessful login attempts. Additionally, incidental disclosure of or access to Personal Data, where no reasonable suspicion of theft, fraud, or malicious intent exists, is not considered a Security Incident unless required by applicable Data Protection Legislation.

Sub-Processor: a processor other than Processor, engaged by Processor. Sub-Processors explicitly do not include any third parties that receive Personal Data, or that are deployed by Processor, at the explicit request of Controller.

Third Country: a country that, where required by applicable Data Protection Legislation, has not received an adequacy decision relating to cross-border data transfers from an applicable authority, such as the European Commission or the UK ICO.

UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.

2. Personal Data types and processing purposes

2.1 The Customer and Vinter AI agree and acknowledge that for the purpose of the Data Protection Legislation:

(a) the Customer is generally the controller (“Controller”) for the Personal Data that is provided to Vinter AI for processing under the Subscription Agreement and Vinter AI is the processor (“Processor”), processing Personal Data on behalf of Controller.

(b) the Customer retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including but not limited to providing any required notices and obtaining any required consents, and for the written processing instructions it gives to Vinter AI.

3. Controller Obligations

3.1 The provisions of this Addendum apply to all Processing of Controller Personal Data on behalf of Controller by Processor.

3.2 Controller hereby instructs Processor to process Controller Personal Data on behalf of Controller for the purposes of performing the Subscription Agreement. The instructions of Controller are described in more detail in this Addendum and, in certain cases, additionally in the Subscription Agreement. Controller can provide supplementary instructions or changed instructions.

3.3 Controller must comply with all applicable Data Protection Legislation regarding the disclosure or access to Personal Data, as well as any processing instructions issued to Processor.

3.4 Controller must guarantee that it does not disclose, nor allow any Data Subject to disclose, any sensitive data categories to Processor. Controller must guarantee that it does not disclose (nor allow any Data Subject to disclose) any sensitive data categories to Processor for processing unless expressly requested in writing by Processor.

3.5 Controller must obtain all necessary notices and consents from Data Subjects to fulfil Controller's compliance obligations under relevant Data Protection Legislation. This includes, but is not limited to, ensuring that template consent and notice statements provided by Processor for Controller's review are approved to satisfy such obligations.

4. Processor Obligations

4.1 Processor will only process the Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with Controller’s instructions.

4.2 Processor will not process the Personal Data for any other purpose or in a way that does not comply with this Addendum or the Data Protection Legislation. Processor must promptly notify the Customer if, in its opinion, Controller’s instructions do not comply with the Data Protection Legislation.

4.3 Processor must comply promptly with any Controller instructions requiring Processor to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.

4.4 Processor has no independent control over Controller Personal Data and shall process Controller Personal Data solely on the instructions of Controller and authorised Customer Users accessing the Services. Processor shall not process Controller Personal Data for its own purposes or for those of third parties, nor shall it make such data available to third parties other than as instructed by Controller pursuant to the Subscription Agreement and Business Purposes.

4.5 Vinter AI will maintain the confidentiality of the Customer Personal Data and will not disclose the Customer Personal Data to third parties unless the Customer or this Addendum specifically authorises the disclosure, or as required by domestic law, court or regulator (including the UK ICO). If a domestic law, court, or regulator requires Vinter AI to process or disclose the Personal Data to a third party, Vinter AI must first inform the Customer of such legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement, unless the domestic law prohibits the giving of such notice.

4.6 Processor agrees to provide Controller reasonable assistance, at no additional cost, in fulfilling Controller’s compliance obligations under the Data Protection Legislation. This assistance will take into account the nature of Processor’s processing and the information available to Processor, and includes assistance with Data Subject rights, data protection impact assessments, and reporting to and consulting with the UK ICO or other relevant regulator under the Data Protection Legislation. Processor will inform Controller if Processor determines that it is no longer able to meet its obligations under Data Protection Legislation or where, in Processor’s reasonable opinion, any of Controller’s instructions infringes any Data Protection Legislation.

4.7 Processor commits not to merge the Customer Personal Data with data obtained from other sources or collected from other individuals or interactions. However, Processor may merge Personal Data as necessary to fulfil the Business Purposes required for providing the Services.

4.8 Processor is authorised to pseudonymise Personal Data. Any data that still carries the risk of being re-identified will be treated as Personal Data. Once Personal Data has been pseudonymised and is not reasonably expected to be re-identified, it will be considered de-identified. Processor undertakes not to re-identify any pseudonymised or aggregated data used for internal purposes.

4.9 Processor will ensure that all of its employees:

(a) are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data;

(b) have undertaken training on the Data Protection Legislation relating to handling Personal Data and how it applies to their particular duties; and

(c) are aware both of Processor’s duties and of their personal duties and obligations under the Data Protection Legislation and this Addendum.

5. Security

5.1 Processor must at all times implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data.

5.2 Processor must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:

(a) the pseudonymisation and encryption of Personal Data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and

(d) a process for regularly testing, assessing and evaluating the effectiveness of the security measures.

6. Data Breach Reporting and Security Incident Management

6.1 Processor will immediately and in any event without undue delay notify Controller if it becomes aware of:

(a) the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data. Processor will restore such Personal Data at its own expense as soon as possible.

(b) any accidental, unauthorised or unlawful processing of the Personal Data; or

(c) any Personal Data Breach.

6.2 Where Processor becomes aware of (a), (b) and/or (c) above, it shall, without undue delay, also provide Controller with the following information:

(a) description of the nature of (a), (b) and/or (c), including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;

(b) the likely consequences; and

(c) a description of the measures taken or proposed to be taken to address (a), (b) and/or (c), including measures to mitigate its possible adverse effects.

6.3 Immediately following any accidental, unauthorised or unlawful Personal Data processing or Personal Data Breach, the Parties will co-ordinate with each other to investigate the matter. Further, Processor will reasonably co-operate with Controller at no additional cost to Controller, in Controller’s handling of the matter, including but not limited to:

(a) assisting with any investigation;

(b) facilitating interviews with Processor's employees, former employees and others involved in the matter including, but not limited to, its officers and directors;

(c) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by Controller; and

(d) taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Personal Data processing.

6.4 Processor will not inform any third party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining Controller’s written consent, except when required to do so by domestic law.

6.5 Processor agrees that Controller has the sole right to determine:

(a) whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data Breach to any Data Subjects, the UK ICO, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in Controller’s discretion, including the contents and delivery method of the notice; and

(b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.

7. Cross-border transfers of Personal Data

7.1 Processor may transfer or otherwise process Personal Data from the UK and EEA to Third Countries. All data transfer and processing of Personal Data originating from the UK and EEA shall comply with the relevant Data Protection Legislation (UK and EEA Data Protection Legislation).

7.2 Where the transfer of Personal Data to Third Countries is subject to the use of Standard Contractual Clauses (SCCs) or other measures, the Parties agree to promptly implement such measures and document the corresponding implementation requirements.

8. Engaging Sub-Processors

8.1 Processor is authorised to engage Sub-Processors for carrying out specific Processing activities on behalf of Controller under this Addendum, and Controller hereby gives it revocable general authorisation to engage such Sub-Processors, provided that Processor duly notifies Controller of all Sub-Processors it intends to add or replace, whereby Controller has the opportunity to object to such changes. If Processor cannot reasonably be asked not to make such changes, Processor may terminate the Subscription Agreement without incurring any liability in connection therewith.

8.2 When engaging a Sub-Processor, Processor will ensure that the same data protection obligations as set out in this Addendum and the Subscription Agreement are imposed on that Sub-Processor, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the Processing will meet the requirements of applicable Data Protection Legislation. For the avoidance of doubt, Processor is required to impose similar provisions on any Sub-Processors but is not required to impose the obligations of this Addendum verbatim or back-to-back.

8.3 At the start of this Addendum, Processor must list the approved Sub-Processors, as detailed on Processor’s website. Any changes to these Sub-Processors must be notified to Controller in advance. This notification can be carried out either through the Customer's subscription to a specified URL or through the Customer account maintained by Processor.

8.4 Where the Sub-Processor fails to fulfil its obligations under the written agreement with Processor which contains terms substantially the same as those set out in this Addendum, Processor remains fully liable to Controller for the Sub-Processor's performance of its agreement obligations.

8.5 The Parties agree that Processor will be deemed to control legally any Personal Data controlled practically by or in the possession of its Sub-Processor.

9. Complaints, Data Subject requests and third-party rights

9.1 Processor must take such technical and organisational measures as may be appropriate, and promptly provide such information to Controller as Controller may reasonably require, to enable Controller to comply with:

(a) the rights of Data Subjects under the Data Protection Legislation, including subject access rights, the rights to rectify, port and erase Personal Data, object to the processing and automated processing of Personal Data, and restrict the processing of Personal Data; and

(b) information or assessment notices served on Controller by the UK ICO or other relevant regulator under the Data Protection Legislation.

9.2 Processor must notify Controller immediately in writing if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party's compliance with the Data Protection Legislation.

9.3 Processor will give Controller, at no additional cost to Controller, its reasonable assistance in responding to any complaint, notice, communication or Data Subject request.

9.4 Processor must not disclose the Personal Data to any Data Subject or to a third party other than in accordance with Controller’s written instructions, or as required by domestic law.

10. Term and termination

10.1 This Addendum will remain in full force and effect so long as:

(a) the Subscription Agreement remains in effect; or

(b) Processor retains any of the Personal Data related to the Subscription Agreement in its possession or control (Term).

10.2 Processor’s failure to comply with the terms of this Addendum is a material breach of the Subscription Agreement. In such event, Controller may terminate the Subscription Agreement on written notice to Processor without further liability or obligation of Controller.

11. Data return and deletion

11.1 At Controller’s request, Processor is obliged to either delete or return to Controller all Controller Personal Data, including any copies that are in the possession of Processor.

11.2 This requirement will not apply if any law, regulation, or government or regulatory body mandates Processor to retain any documents, materials or Personal Data that Processor would otherwise be required to return or delete, or to Personal Data archived on backup systems, provided the same remains protected under confidentiality obligations and subject to Data Protection Legislation.

12. Audit

12.1 Processor will permit Controller and its third-party representatives to audit Processor’s compliance with its obligations under this Addendum. Controller must give Processor reasonable prior notice of its intention to audit, conduct its audit during normal business hours, take all reasonable measures to prevent unnecessary disruption to Processor’s operations, and be subject to Processor’s standard confidentiality terms.

12.2 The audit should also be reasonable in scope and duration, and to the extent practicable, Controller will rely on Processor’s security reports and information instead of conducting an independent audit of such controls.

12.3 Processor will give Controller and its third-party representatives all necessary assistance to conduct such audits. The assistance may include, but is not limited to:

13. Miscellaneous

13.1 This Addendum is subject to the terms of the Subscription Agreement and is incorporated into the Subscription Agreement. This Addendum shall be effective as of the Effective Date and shall remain in effect for the same period as the Subscription Agreement remains in effect. If and insofar as the Subscription Agreement is legally terminated, this Addendum shall, without any liability whatsoever, be terminated by operation of law without any notice of termination to the other Party being required.

13.2 In the event of differences between the provisions of this Addendum and the Subscription Agreement, the provisions of this Addendum shall take precedence, unless explicitly agreed otherwise in the Subscription Agreement.

13.3 Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either: (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible, or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.