Data Processing Agreement
This DPA forms part of the Outpace Master Service Agreement and governs the processing of personal data on behalf of the Controller.
Version 1.0 — April 2026 • GDPR Article 28 Compliant
To execute this DPA, please contact us at hello@outpacehr.com — we’ll return a countersigned copy within 24 hours.
Preamble
This Data Processing Agreement (“Agreement” or “DPA”) is entered into between:
Controller: The company or organisation that has entered into a Master Service Agreement (“MSA”) with Outpace for the provision of AI-powered outplacement services (“Controller”); and
Processor: PHOSPHO INC, operating at outpacehr.com (“Outpace” or “Processor”).
This DPA applies where Outpace processes Personal Data on behalf of the Controller in connection with the Services described in the MSA. This DPA is incorporated into and forms part of the MSA. In the event of any conflict between this DPA and the MSA, this DPA shall prevail with respect to data protection matters.
1. Definitions
1.1 “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data, as defined in Article 4(7) GDPR.
1.2 “Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller, as defined in Article 4(8) GDPR.
1.3 “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”), as defined in Article 4(1) GDPR, including but not limited to: names, email addresses, employment history, career preferences, and coaching conversation content of the Controller’s employees enrolled in the Services.
1.4 “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, restriction, erasure or destruction, as defined in Article 4(2) GDPR.
1.5 “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed, as defined in Article 4(12) GDPR.
1.6 “Data Subject” means an identified or identifiable natural person to whom Personal Data relates — in the context of the Services, primarily the Controller’s employees or former employees enrolled in the outplacement program.
1.7 “Sub-processor” means any processor engaged by Outpace (as Processor) who processes Personal Data on Outpace’s behalf.
1.8 “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation), including any national implementing legislation.
1.9 “SCCs” means the Standard Contractual Clauses for the transfer of Personal Data to third countries, as adopted by the European Commission.
1.10 “Services” means the AI-powered outplacement and career coaching services provided by Outpace to the Controller under the MSA.
1.11 “Supervisory Authority” means the independent public authority established pursuant to Article 51 GDPR.
2. Scope and Purpose of Processing
2.1 Subject Matter. This DPA governs the processing of Personal Data by Outpace (as Processor) on behalf of the Controller in connection with the provision of the Services, which consist of AI-powered career coaching and outplacement support for the Controller’s transitioning employees.
2.2 Nature and Purpose. The processing activities covered by this DPA include: collecting employee profile information, delivering AI-powered career coaching conversations, generating career recommendations and resumes, matching employees with job opportunities, and tracking program participation and outcomes.
2.3 Duration. Outpace shall process Personal Data for the duration of the MSA and for a period of 90 days following termination, after which all Personal Data shall be deleted or returned in accordance with Section 9 of this DPA.
2.4 A full description of the processing activities, categories of Personal Data, and categories of Data Subjects is set out in Annex 1 to this DPA.
3. Obligations of Outpace (Processor)
3.1 Instructions. Outpace shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by applicable Union or Member State law. In such case, Outpace shall inform the Controller of that legal requirement before processing, unless prohibited by law on important grounds of public interest.
3.2 Confidentiality. Outpace shall ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Outpace shall not disclose or permit access to Personal Data to any person other than those who need to access it for the purpose of providing the Services.
3.3 Security. Outpace shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as further detailed in Annex 2 to this DPA. These measures include, at minimum: (a) encryption of Personal Data at rest using AES-256; (b) encryption of Personal Data in transit using TLS 1.3; (c) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures.
3.4 Data Subject Rights. Outpace shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller’s obligation to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR, including the right of access, rectification, erasure, restriction, portability, and objection.
3.5 Assistance to Controller. Outpace shall assist the Controller in ensuring compliance with obligations pursuant to Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to Outpace, including: (a) security of processing; (b) notification of Data Breaches to supervisory authorities; (c) communication of Data Breaches to Data Subjects; (d) data protection impact assessments; (e) prior consultation with supervisory authorities.
3.6 No Selling or Training. Outpace shall not sell, license, or otherwise make available Personal Data to any third party for commercial purposes. Outpace shall not use Personal Data to train, improve, or fine-tune any artificial intelligence or machine learning models, except with the explicit written consent of the Controller.
3.7 Deletion or Return. Upon termination of the Services, Outpace shall, at the Controller’s election, delete or return all Personal Data to the Controller in accordance with Section 9 of this DPA, unless applicable law requires continued storage.
4. Sub-processors
4.1 General Authorisation. The Controller provides general written authorisation for Outpace to engage Sub-processors, subject to the requirements of this Section 4.
4.2 Approved Sub-processors. The following Sub-processors are approved by the Controller upon execution of this DPA:
| Sub-processor | Location | Purpose | Data Processed |
|---|---|---|---|
| Vercel Inc. | United States | Application hosting & infrastructure | All Personal Data processed through the platform |
| Neon, Inc. (PostgreSQL) | United States | Database storage | Employee profiles, usage data, coaching records |
| OpenAI, L.L.C. | United States | AI language model processing | Anonymised coaching prompts (no persistent storage) |
4.3 Changes to Sub-processors. Outpace shall inform the Controller of any intended addition or replacement of Sub-processors at least 30 days prior to the change, providing the Controller with the opportunity to object to such changes on reasonable grounds. Notice shall be provided by email or via the Outpace security portal.
4.4 Sub-processor Obligations. Outpace shall ensure that any Sub-processor is bound by data protection obligations equivalent to those set out in this DPA. Where the Sub-processor fails to fulfil its obligations, Outpace shall remain fully liable to the Controller for the performance of the Sub-processor’s obligations.
5. Data Security Measures
5.1 Outpace shall implement and maintain the technical and organisational security measures described in Annex 2 to this DPA.
5.2 Outpace shall regularly review and, where necessary, update these measures to account for the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risk of varying likelihood and severity for the rights and freedoms of natural persons.
5.3 Outpace shall ensure that any Sub-processor implements and maintains appropriate security measures no less stringent than those required under this DPA.
6. Data Breach Notification
GDPR requires notification to the supervisory authority within 72 hours of becoming aware of a personal data breach (Article 33 GDPR). Outpace’s notification obligation to the Controller is aligned with this requirement.
6.1 Detection and Reporting. Outpace shall notify the Controller of a confirmed Data Breach without undue delay and, where feasible, no later than 72 hours after becoming aware of a Data Breach affecting Personal Data processed under this DPA.
6.2 Content of Notification. Such notification shall, at a minimum, include: (a) a description of the nature of the Data Breach, including the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned; (b) the name and contact details of the data protection officer or other contact point from whom more information can be obtained; (c) a description of the likely consequences of the Data Breach; (d) a description of the measures taken or proposed to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
6.3 Cooperation. Outpace shall cooperate with the Controller and take all reasonable steps to assist in the investigation, mitigation, and remediation of a Data Breach. If the Controller determines that it is required under applicable law to notify a Supervisory Authority or affected Data Subjects, Outpace shall provide the Controller with all information reasonably required to fulfil such notification.
6.4 Staging. Where all the required information in Section 6.2 cannot be provided at the same time, it may be provided in phases without undue further delay.
7. International Transfers
7.1 General Restriction. Outpace shall not transfer Personal Data to any third country or international organisation without the prior written consent of the Controller, except as expressly permitted under this Section 7.
7.2 Approved Transfer Mechanisms. Where Personal Data is processed by a Sub-processor located outside the European Economic Area (“EEA”), Outpace shall ensure that such transfer is subject to an appropriate transfer mechanism, which may include: (a) the EU Standard Contractual Clauses as adopted by the European Commission (Commission Implementing Decision (EU) 2021/914); (b) an adequacy decision adopted by the European Commission pursuant to Article 45 GDPR; (c) binding corporate rules; or (d) any other mechanism recognised as providing adequate protection under applicable data protection law.
7.3 US Sub-processors. With respect to the US-based Sub-processors listed in Section 4.2, Outpace confirms that appropriate transfer mechanisms are in place, including Standard Contractual Clauses where required. Documentation of applicable transfer mechanisms is available to the Controller upon request.
7.4 Supplementary Measures. Where required by applicable guidance from data protection authorities, Outpace shall implement supplementary technical and organisational measures to ensure an essentially equivalent level of protection to that guaranteed within the EEA.
8. Audit Rights
8.1 Right to Audit. Outpace shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
8.2 Process. The Controller shall provide at least 30 days’ prior written notice of any audit. Audits shall be conducted no more than once per calendar year during regular business hours, with minimum disruption to Outpace’s operations. The Controller shall bear the costs of any third-party auditor.
8.3 Alternative Assurance. Outpace may satisfy its obligations under this Section by providing the Controller with up-to-date certifications, audit reports, or attestations from accredited third-party auditors (e.g., SOC 2 Type II reports, ISO 27001 certificates) under an appropriate confidentiality agreement.
8.4 Confidentiality. Any information obtained during an audit shall be treated as confidential by the Controller and shall be used solely for the purpose of verifying compliance with this DPA.
9. Term and Termination
9.1 Term. This DPA shall enter into force on the Effective Date of the MSA and shall remain in force for the duration of the MSA.
9.2 Termination. This DPA shall automatically terminate upon the termination or expiration of the MSA.
9.3 Return or Deletion. Upon expiration or termination of this DPA, Outpace shall, at the Controller’s written request and election: (a) return all Personal Data to the Controller in a commonly used and machine-readable format; or (b) securely delete all Personal Data and certify in writing to the Controller that such deletion has been completed.
9.4 Post-Termination Retention. In either case, Outpace shall delete or return all Personal Data within 90 days of the date of termination, unless applicable law requires continued storage. Outpace shall notify the Controller of any such legal requirement.
9.5 Survival. Obligations regarding confidentiality, audit rights, and liability shall survive termination of this DPA.
10. Liability
10.1 Liability Framework. The parties’ liability under this DPA shall be subject to any limitations of liability set out in the MSA, except to the extent that applicable data protection law requires otherwise.
10.2 Processor Liability. Each party shall be liable to the other for proven direct damages caused by a breach of this DPA. Outpace’s total aggregate liability under this DPA shall not exceed the total fees paid by the Controller to Outpace in the twelve (12) months preceding the event giving rise to the claim.
10.3 Data Subject Claims. The Controller and Outpace acknowledge that Data Subjects may bring claims under Article 82 GDPR directly against a Processor. Each party shall indemnify the other party against any claims, fines, penalties, and legal costs (on a full indemnity basis) arising from that party’s breach of this DPA or applicable data protection law.
10.4 Exclusions. Neither party shall be liable under this DPA for: (a) indirect, consequential, special, or punitive damages; (b) losses arising from the other party’s breach of this DPA; (c) any fine or penalty imposed on a party as a result of that party’s own non-compliance with applicable data protection law.
11. General Provisions
11.1 Governing Law. This DPA shall be governed by the law of the jurisdiction specified in the MSA, provided that mandatory provisions of applicable data protection law (including the GDPR) shall apply regardless of any choice of law clause.
11.2 Amendments. No amendment to this DPA shall be valid unless made in writing and signed by authorised representatives of both parties. Where changes to applicable data protection law require amendments to this DPA, such amendments shall be made promptly upon request by either party.
11.3 Severability. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
11.4 Entire Agreement. This DPA, together with the MSA and its annexes, constitutes the entire agreement between the parties with respect to the processing of Personal Data and supersedes all prior agreements or understandings on the same subject.
11.5 Precedence. In the event of any conflict between this DPA and the MSA, this DPA shall take precedence with respect to data protection obligations.
ANNEX 1
Description of Processing
Categories of Data Subjects
- Current or former employees of the Controller enrolled in the outplacement program (“Program Participants”)
- HR administrators and designated contacts of the Controller
Categories of Personal Data
For Program Participants:
- Identity data: full name, work email address, employee ID
- Professional data: current and previous job titles, department, employment history, skills, qualifications, certifications
- Career preferences: target roles, industries, geographic preferences, salary expectations
- Coaching content: AI coaching conversation logs, goals, action plans
- Platform usage data: login timestamps, feature usage, session duration
- Job search activity: applications submitted (via the platform), interview tracking
For HR Administrators:
- Identity data: name, work email address, job title
- Account data: login credentials (hashed), access logs
Special Categories of Personal Data
None are intentionally collected. The Controller shall not submit special category data (as defined in Article 9 GDPR) to the Services without prior written agreement with Outpace.
Purposes of Processing
- Delivering AI-powered career coaching to Program Participants
- Generating tailored resume and cover letter content
- Matching Program Participants with relevant job opportunities
- Tracking program progress and reporting aggregate outcomes to the Controller
- Operating, maintaining, and improving the security and reliability of the Services
Frequency and Duration
- Continuous processing for the duration of each Program Participant’s enrollment
- Retention period: 90 days post-enrollment for Program Participant data; 12 months for audit logs and aggregate reporting data
Nature of Processing
Collection, storage, retrieval, analysis, display, generation of derivative content (resumes, cover letters, recommendations), and deletion.
ANNEX 2
Technical and Organisational Security Measures
Outpace implements the following technical and organisational measures to ensure an appropriate level of security for the Personal Data processed under this DPA:
Encryption
- Data at rest: AES-256 encryption for all database storage and backups
- Data in transit: TLS 1.3 enforced for all API communications and web traffic; HSTS headers enforced
- Key management: cryptographic keys stored separately from encrypted data
Access Controls
- Role-based access control (RBAC) enforced for all systems
- Principle of least privilege: staff access limited to Personal Data necessary for their role
- Multi-factor authentication (MFA) required for all production system access
- Privileged access management: administrative access logged and reviewed quarterly
- Regular access reviews and prompt revocation upon employee departure
Infrastructure Security
- Cloud infrastructure: Vercel (CDN/edge) and Neon (PostgreSQL database) — both with SOC 2 Type II certifications
- Network segmentation and firewall rules to restrict unauthorised access
- Automated vulnerability scanning on all production endpoints
- Dependency monitoring and automated patch management
Application Security
- Secure Software Development Lifecycle (SSDLC) with security reviews at each development stage
- OWASP Top 10 mitigations implemented and tested
- Automated static analysis (SAST) and dynamic analysis (DAST) in CI/CD pipeline
- Regular penetration testing by accredited third-party security firms (at least annually)
Organisational Measures
- Data protection training for all staff with access to Personal Data (at least annually)
- Designated data protection point of contact: security@outpacehr.com
- Data Processing Impact Assessment (DPIA) conducted for high-risk processing activities
- Incident response plan documented and tested annually
- Background checks for staff with access to sensitive Personal Data
Sub-processor Controls
- Due diligence conducted on all Sub-processors prior to engagement
- Data processing agreements in place with all Sub-processors
- Regular review of Sub-processor security certifications and compliance
Backup and Recovery
- Daily automated backups of all Personal Data stored in geographically separate locations
- Backup integrity verified monthly
- Recovery Time Objective (RTO): 4 hours for critical systems
- Recovery Point Objective (RPO): 24 hours maximum data loss
Logging and Monitoring
- Comprehensive audit logging for all access to and operations on Personal Data
- Log retention: 12 months minimum
- Real-time security monitoring with alerting for anomalous access patterns
- Logs stored immutably and separately from application data
Signature Page
This Agreement is entered into as of the Effective Date specified in the MSA.
Controller
[Your Company Name]
Company Name
Authorised Signatory
Title / Position
Date
Signature
Processor
Outpace
Company Name
Authorised Signatory
Title / Position
Date
Signature