This Data Processing Addendum (the “DPA”) is published by Credibled Inc., a corporation incorporated under the Business Corporations Act (Ontario), with its registered office at 391 Keele Street, Toronto, Ontario, Canada, M6P 2K9 (“Credibled” or the “Processor”).
This DPA forms part of and is incorporated into the services agreement, order form, or terms of service between Credibled and the customer that has agreed to those terms (the “Client” or the “Controller”). It applies automatically to the processing of Personal Data by Credibled on behalf of the Client and does not require a separate signature to be effective, although the Parties may execute a countersigned copy where the Client requests one.
Credibled and the Client are each a “Party” and together the “Parties.”
Background
A.The Client and Credibled have entered into, or intend to enter into, a services agreement, order form, or master subscription agreement under which Credibled provides background screening and identity verification services to the Client (the “Principal Agreement”).
B.In providing those services, Credibled processes personal data on behalf of the Client. This DPA sets out the terms on which Credibled processes that personal data and reflects the Parties’ agreement with respect to applicable data protection legislation, including the Personal Information Protection and Electronic Documents Act (Canada) (“PIPEDA”), applicable provincial privacy laws including the Act respecting the protection of personal information in the private sector (Quebec) (the “Quebec Private Sector Act”), and, where applicable, the EU and UK General Data Protection Regulation (together, the “GDPR”).
C.This DPA forms part of and is incorporated into the Principal Agreement. In the event of any conflict between this DPA and the Principal Agreement, this DPA controls solely with respect to the processing of Personal Data.
1. Definitions
Capitalized terms not defined in this DPA have the meaning given to them in the Principal Agreement. Where applicable Data Protection Legislation defines a term, that definition prevails. In this DPA:
| Term | Meaning |
| Controller | the Party that determines the purposes and means of the processing of Personal Data. For the purposes of this DPA, the Client is the Controller, except as otherwise stated in Section 2. |
| Processor | the Party that processes Personal Data on behalf of the Controller. For the purposes of this DPA, Credibled is the Processor, except as otherwise stated in Section 2. |
| Subprocessor | any third party engaged by Credibled to process Personal Data on behalf of the Client, as identified in the List of Subprocessors referenced in Annex 3. |
| Personal Data | any information relating to an identified or identifiable natural person that is processed by Credibled on behalf of the Client under the Principal Agreement, as further described in Annex 1. |
| Business Contact Information | the business contact details of a Party’s personnel, including name, job title, business email address, business telephone number, and business address, processed in connection with the administration of the Principal Agreement. |
| Processing | any operation performed on Personal Data, including collection, recording, organization, storage, retrieval, use, disclosure, transmission, restriction, erasure, or destruction, whether or not by automated means. |
| Data Subject | the identified or identifiable natural person to whom the Personal Data relates, being the individuals and applicants subject to background verification services. |
| Data Protection Legislation | all laws and regulations applicable to the processing of Personal Data under this DPA, including PIPEDA, applicable provincial privacy laws (including the Quebec Private Sector Act), and, where applicable, the GDPR. |
| Standard Contractual Clauses | where the GDPR applies, the standard contractual clauses approved by the European Commission and, where the UK GDPR applies, the UK International Data Transfer Addendum issued by the UK Information Commissioner, each as amended or replaced from time to time. |
| Personal Data Breach | a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data. |
2. Roles of the Parties and Scope
2.1The Parties acknowledge that, for the Personal Data processed by Credibled on behalf of the Client under this DPA, the Client acts as the Controller and Credibled acts as the Processor. Where Credibled is required by law to determine the purposes and means of certain processing, including to meet its own legal or regulatory obligations, Credibled acts as an independent controller for that limited processing only.
2.2To the extent that Credibled discloses its own Personal Data to the Client for processing on Credibled’s behalf, the Parties acknowledge that Credibled acts as the Controller and the Client acts as the Processor for that processing.
2.3Notwithstanding Sections 2.1 and 2.2, each Party acts as an independent Controller of the other Party’s Business Contact Information that it processes in connection with the administration of the Principal Agreement.
2.4This DPA applies to all processing of Personal Data carried out by Credibled and its Subprocessors on behalf of the Client in connection with the services described in the Principal Agreement and in Annex 1.
2.5The Client is responsible for ensuring it has a valid legal basis and, where required, has obtained the necessary consent from Data Subjects for the processing of their Personal Data, and for the accuracy of the instructions it provides to Credibled.
3. Processing of Personal Data
3.1Credibled processes Personal Data only on the documented instructions of the Client, including with regard to transfers of Personal Data, unless required to do otherwise by applicable law. Where such a legal requirement applies, Credibled informs the Client of that requirement before processing, unless the law prohibits such notice on important grounds of public interest.
3.2The subject matter, duration, nature, and purpose of the processing, the types of Personal Data, and the categories of Data Subjects are set out in Annex 1.
3.3The Client’s instructions are set out in the Principal Agreement and this DPA and may be supplemented in writing from time to time. Credibled notifies the Client if, in its opinion, an instruction infringes Data Protection Legislation.
4. Confidentiality
4.1Credibled treats all Personal Data as confidential and ensures that persons authorized to process the Personal Data are bound by an appropriate obligation of confidentiality, whether contractual or statutory.
4.2Credibled limits access to Personal Data to those personnel who require access to perform the services and are trained on their data protection responsibilities.
5. Security Measures
5.1Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, Credibled implements and maintains appropriate technical and organizational measures to protect Personal Data against a Personal Data Breach. Those measures are described in Annex 2.
5.2Credibled regularly tests, assesses, and evaluates the effectiveness of those measures and updates them as necessary to maintain an appropriate level of security.
5.3Credibled maintains documented information security policies, including a Data Protection Policy, a Password Policy, and a System Access Control Policy, and makes summaries of those policies available to the Client on reasonable request through its trust page at credibled.com/trust.
6. Subprocessing
6.1The Client provides general written authorization for Credibled to engage the Subprocessors identified in Credibled’s then-current List of Subprocessors, as described in Annex 3, to process Personal Data in connection with the services. Credibled makes that list available to the Client on request.
6.2Credibled imposes on each Subprocessor, by written contract, data protection obligations no less protective than those set out in this DPA, and remains responsible to the Client for the performance of each Subprocessor’s obligations.
6.3Credibled notifies the Client of any intended addition or replacement of a Subprocessor, giving the Client a reasonable opportunity to object on legitimate data protection grounds. If the Parties cannot resolve the objection, the Client may terminate the affected services in accordance with the Principal Agreement.
6.4Credibled remains liable to the Client for the acts and omissions of its Subprocessors in the processing of Personal Data to the same extent Credibled would be liable if performing the relevant processing directly, subject to Section 13.
7. Data Subject Rights
7.1Taking into account the nature of the processing, Credibled assists the Client by appropriate technical and organizational measures, insofar as this is possible, in responding to requests from Data Subjects seeking to exercise their rights under Data Protection Legislation, including access, correction, deletion, and, where applicable, portability.
7.2If Credibled receives a request directly from a Data Subject, it promptly forwards the request to the Client and does not respond to the request itself except on the documented instructions of the Client or as required by law.
8. Personal Data Breach
8.1Credibled notifies the Client without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of the Client.
8.2The notification describes, to the extent known, the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects.
8.3The Client, as Controller, is responsible for determining whether a Personal Data Breach requires notification to a supervisory or regulatory authority or to affected Data Subjects, and for making any such notification. Credibled reasonably assists the Client in meeting those obligations, taking into account the nature of the processing and the information available to Credibled.
9. Data Protection Impact Assessments
9.1Taking into account the nature of the processing and the information available to Credibled, Credibled provides reasonable assistance to the Client with any data protection impact assessments and prior consultations with supervisory authorities that the Client is required to carry out under Data Protection Legislation.
10. International and Interprovincial Data Transfers
10.1Personal Data processed under this DPA is hosted in Canada in the Amazon Web Services Canada (Central) region by default, and may be processed in other jurisdictions where Credibled or its Subprocessors operate, including the United States, as identified in the List of Subprocessors referenced in Annex 3.
10.2Where Personal Data relating to a resident of the Province of Quebec is transferred outside Quebec, including to a Subprocessor, Credibled conducts a privacy impact assessment in accordance with the Quebec Private Sector Act before the transfer, to confirm that the Personal Data would receive adequate protection having regard to its sensitivity, the purposes of its use, the protection measures that would apply, and the legal framework of the receiving jurisdiction.
10.3Where a transfer of Personal Data is subject to the GDPR and is made to a jurisdiction that has not been recognized as providing an adequate level of protection, the Parties enter into the applicable Standard Contractual Clauses or an equivalent transfer mechanism, which are incorporated into this DPA by reference and take precedence in the event of conflict with respect to such transfers.
10.4The supervisory authorities competent for the processing under this DPA are the Office of the Privacy Commissioner of Canada in respect of PIPEDA, and the Commission d’accès à l’information du Québec in respect of Personal Data governed by the Quebec Private Sector Act. Where the GDPR applies to a particular processing activity, the competent supervisory authority is the authority identified under that legislation.
11. Return and Deletion of Personal Data
11.1On termination or expiry of the Principal Agreement, Credibled, at the choice of the Client, deletes or returns all Personal Data processed on behalf of the Client and deletes existing copies, unless applicable law requires continued storage of the Personal Data.
11.2Where Credibled is required by law to retain Personal Data, it protects that Personal Data in accordance with this DPA and processes it only to the extent and for the period required by that law.
12. Audits
12.1Credibled makes available to the Client information reasonably necessary to demonstrate compliance with this DPA, including relevant certifications, audit reports, and security summaries where available, which may be requested through its trust page at credibled.com/trust.
12.2The Client may, on at least thirty (30) days’ prior written notice, conduct an audit or inspection of Credibled’s processing, no more than once in any twelve (12) month period, during regular business hours, at the Client’s expense, and subject to reasonable confidentiality and security conditions. An additional audit may be conducted following a Personal Data Breach or on the reasonable request of a supervisory authority.
13. Liability
13.1Each Party’s liability arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Principal Agreement.
14. Term and Termination
14.1This DPA takes effect on the effective date of the Principal Agreement and remains in force for as long as Credibled processes Personal Data on behalf of the Client, and thereafter until the deletion or return of all Personal Data in accordance with Section 11.
15. General Provisions
15.1This DPA is governed by the laws of the Province of Ontario and the federal laws of Canada applicable therein, except where Data Protection Legislation requires otherwise. Where the GDPR applies to a particular processing activity, the mandatory provisions of the GDPR apply to that activity.
15.2If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions continue in full force and effect.
15.3This DPA, together with the Principal Agreement and its Annexes, constitutes the entire agreement between the Parties with respect to the processing of Personal Data and supersedes any prior arrangement on that subject.
16. Contacts and Notices
16.1Any notice under this DPA, including notices relating to a Personal Data Breach, a Data Subject request, or a change of Subprocessor, must be given in writing and sent to the data protection contact of the receiving Party set out below.
16.3Client data protection contact: the administrative or billing contact associated with the Client’s account. The Client is responsible for keeping that contact information current so that notices under this DPA reach the appropriate person.
Acceptance
By agreeing to Credibled’s services agreement, order form, or terms of service, or by using the Credibled platform to process Personal Data, the Client accepts this DPA and it becomes binding on both Parties. No signature is required. Where the Client requires a countersigned copy for its records, Credibled will provide one on request.
Annex 1: Details of the Processing
| Item | Details |
| Subject matter | Provision of background screening and identity verification services by Credibled to the Client under the Principal Agreement. |
| Duration | For the term of the Principal Agreement and thereafter until deletion or return of Personal Data under Section 11. |
| Nature and purpose | Collection, verification, storage, and reporting of background check and identity information for the purposes of employment screening, tenancy, or other lawful and permissible purposes instructed by the Client. |
| Categories of Data Subjects | Individuals and applicants subject to background verification services, including prospective and current employees, contractors, and other candidates submitted by the Client. |
| Types of Personal Data | Identification data (name, date of birth, contact details, government identifiers as permitted by law); employment and education history; criminal record and court record information; credit and financial information where applicable; identity document images and verification results; consent records. |
| Special / sensitive data | May include criminal record information and other sensitive data as defined under applicable Data Protection Legislation, processed only to the extent necessary and permitted by law. |
| Frequency of transfer | On an ongoing, ad hoc basis for the duration necessary to perform the services. |
Annex 2: Technical and Organizational Security Measures
The measures below reflect the controls set out in Credibled’s Data Protection Policy, Password Policy, and System Access Control Policy.
| Control area | Measures |
| Data hosting | Production Data is hosted on Amazon Web Services in the Canada (Central) region (ca-central-1) by default. |
| Encryption | Production Data is encrypted at rest using encryption keys managed by Credibled. Volume encryption keys and key generating machines are protected, with key material accessible only to privileged accounts. Data in transit is protected using encryption. |
| Access control | Access to production systems is disabled by default and granted only through a documented approval and ticketing process, on a least privilege, need to use basis. Access is reviewed and is revoked on role change, contract termination, or when no longer required. |
| Authentication | Unique user accounts are required for all workforce members. Shared, generic, and default accounts, including root, are disabled. Role based access control and single sign on are enforced, and multi factor authentication is enabled on all systems that support it. |
| Password management | Passwords are stored using a unique salt and a one way hash. Complex password requirements apply, credentials are held in an approved password manager, and passwords are rotated on personnel departure. |
| Data segregation | Customer data is logically separated using a unique customer identifier. API access tokens restrict data access to the authenticating account, and the account identifier is included in all data queries. |
| Logging and monitoring | Access to production systems is logged for traceability. Security monitoring is enabled on production systems, including activity and file integrity monitoring, vulnerability scanning, and, where applicable, malware detection. |
| Secure transmission | Restricted and sensitive data is not sent over end user messaging channels such as email or chat unless end to end encryption is enabled. |
| Personnel and confidentiality | Workforce members are bound by confidentiality and non disclosure obligations and receive access and security awareness training during onboarding and on the job. |
| Incident response | Credibled maintains a documented breach management process, including prompt risk assessment and reporting in line with applicable privacy laws, coordinated by its Security Officer. Security matters may be directed to [email protected]. |
| Retention and disposal | Records are identified with defined retention periods, disposed of using appropriate secure methods, and de identified or anonymized where appropriate. |
Annex 3: List of Subprocessors
Credibled engages Subprocessors to process Personal Data on behalf of the Client. The Subprocessors authorized under Section 6.1 are set out in Credibled’s List of Subprocessors, a separate document that Credibled maintains and updates from time to time and that forms part of this DPA.
Credibled makes the current List of Subprocessors available on request through its trust page at credibled.com/trust, subject to the requester being bound by an appropriate confidentiality or non-disclosure obligation. Credibled notifies the Client of any intended addition or replacement of a Subprocessor in accordance with Section 6.3.