This CPRA Data Processing Addendum (“CDPA”) replaces the CCPA Data Processing Addendum, amends the terms and forms part of the JazzHR Terms of Service or other agreement governing the use of the applicable JazzHR cloud product(s) (“Services”) (collectively, the “Agreement”) by and between you (the “Customer”) and Hireku, Inc. (d/b/a JazzHR) (“JazzHR”). This CDPA shall apply to “Personal Information” of a “Consumer” as those terms are defined under the California Privacy Rights Act of 2020 (“CPRA”) (referred to hereafter as “Customer Data”), that JazzHR processes in the course of providing Customer the Services under the Agreement.
This CDPA shall be effective the later of: (a) the date JazzHR receives a complete and executed Order Form from the Customer indicated in the signature block above (the “Effective Date”).
This DPA was last updated January 25, 2023. JazzHR reserves the right to periodically modify this DPA upon written notice to Customer, and such modification will automatically become effective in the next service term.
JazzHR understands the terms in this CDPA and agrees to comply with them. In the event of any conflict between the Order Form, the CDPA and/or the Agreement, the following order of precedence shall apply (in descending order): (1) the CDPA (if applicable), (2) the Agreement, and (3) the Order Form. There will be no force or effect to any different terms of any related purchase order or similar form even if signed by the parties after the date hereof.
1 Effectiveness. This CDPA will terminate automatically upon termination of the Agreement or as earlier terminated pursuant to the terms of this CDPA.
2 Data Processing
2.1 Customer’s Role. The Customer is a Business (as such term is defined under the CPRA), and as such Customer determines the purpose and means of processing Customer Data. Customer will provide Customer Data to JazzHR solely for the purpose of JazzHR performing the Services.
2.2 JazzHR’s Role. JazzHR is a Service Provider (as such term is defined under the CPRA), and as such JazzHR shall provide the Services and process any Customer Data in accordance with the Agreement. JazzHR may not retain, use, or disclose Customer Data for any other purpose other than for providing the Services and in performance of the Agreement.
2.3 Data Processing, Transfers and Sales. JazzHR will process Customer Data only as necessary to perform the Services, and will not, under any circumstances, collect, combine, share, use, retain, access, share, transfer, or otherwise process Customer Data for any purpose not related to providing such Services. JazzHR will refrain from taking any action that would cause any transfers of Customer Data to or from JazzHR to qualify as “selling personal information” as that term is defined under the CPRA.
2.4 Sub-Service Providers. Notwithstanding the restrictions in Section 2.3, Customer agrees that JazzHR may engage other Service Providers (as defined under the CPRA), to assist in providing the Services to Customer (“Sub-Service Providers”), provided always that such engagement shall be subject to a written contract binding each such Sub-Service Provider to terms no less onerous than those contained within this CDPA. A list of JazzHR’s Sub-Service Providers can be found at www.jazzhr.com/subprocessors. JazzHR shall be responsible for all acts or omissions of its Sub-Service Providers as if they were the acts or omissions of JazzHR.
2.5 Security. JazzHR will use commercially reasonable security procedures that are reasonably designed to maintain an industry-standard level of security, prevent unauthorized access to and/or disclosure of Customer Data. An outline of JazzHR’s minimum security standards can be found at www.JazzHR.com/security-exhibit/.
2.6 Retention. JazzHR will retain Customer Data only for as long as the Customer deems it necessary for the permitted purpose, or as required by applicable laws. At the termination of this CDPA, or upon Customer’s written request, JazzHR will either destroy or return Customer Data to the Customer, unless legal obligations require storage of the Customer Data.
2.7 Consumer Rights Requests. JazzHR provides Customer with tools to enable Customer to respond to a Consumer Rights’ requests to exercise their rights under the Data Protection Laws. See Stay CPRA Compliant with JazzHR. To the extent Customer is unable to respond to Data Subject’s request using these tools, JazzHR will provide reasonable assistance to the Customer in responding to the request.
2.8 Assistance with Consumers’ Rights Requests. If JazzHR, directly or indirectly, receives a request submitted by a Consumer to exercise a right it has under the CPRA in relation to that Consumer’s Customer Data, it will provide a copy of the request to the Customer. The Customer will be responsible for handling and communicating with Consumers in relation to such requests.
3 Assessments & Third-Party Certifications
3.1 Impact Assessment Assistance. Taking into account the nature of the Processing and the information available, JazzHR will provide assistance to Customer in complying with its obligations under Applicable Law (inclusive) (which address obligations with regard to security, breach notifications, data risk assessments, and prior consultation). Upon request, JazzHR will provide Customer a list of processing operations.
3.2 Security Compliance. In addition to the information contained in this CDPA, upon Customer’s request, and subject to the confidentiality obligations set forth in the Agreement place, JazzHR will respond to reasonable questionnaires, so that Customer can reasonably verify JazzHR’s compliance with its obligations under this CDPA.
3.3 If Customer has reasonable cause to suspect that JazzHR is not providing the platform in a manner consistent with CPRA and allowing unauthorized use of personal information, Customer may (i) submit an inquiry to firstname.lastname@example.org, (ii) cease use of their license until they are able to confirm JazzHR’s compliance, or (iii) with evidence of non-compliance of CPRA terminate the Agreement between the parties. JazzHR will provide notice if it believes it can no longer meet its obligations under this CDPA.
4 Enforceability. Any provision of this CDPA that is prohibited or unenforceable shall be ineffective to the extent of such prohibition or unenforceability without invaliding the remaining provisions hereof. The parties will attempt to agree upon a valid and enforceable provision that is a reasonable substitute and shall then incorporate such substitute provision into this CDPA.
5 Liability. To the extent permitted by applicable laws, liability arising from claims under this CDPA will be subject to the terms of the Agreement.