BrightMove

Data Processing Addendum (DPA)

This Data Processing Addendum (“DPA”) is part of the agreement between BrightMove, Inc. (“BrightMove”) and the person or entity that is party to an agreement with BrightMove (“Controller”) (each a “Party” and together the “Parties”) pursuant to which data processing services are provided by BrightMove to the Controller and which references this DPA (such agreement or contract the “Underlying Agreement”). This DPA shall apply separately in connection with each Underlying Agreement.

Capitalized terms not defined in this DPA will have the meanings given to them in the Underlying Agreement.

  1. Definitions. For purposes of this DPA:

1.1. “CPRA” means the California Privacy Rights Act, as amended from time to time, and the rules and regulations promulgated under such law.

1.2. “Controller” means the entity which determines the purposes and means of the Processing of Personal Data. For clarity, “Controller” includes all such similar terms under Data Protection Laws, such as “business” under the CPRA.

1.3. “Controller’s Personal Data” means Personal Data controlled by the Controller.

1.4. “DPA Effective Date” shall be the date of the Underlying Agreement.

1.5. “Data Processor” or “Processor” means the entity which Processes Personal Data on behalf of the Controller. For clarity, “Data Processor” includes all such similar terms under Data Protection Laws, such as “service provider” under the CPRA.

1.6. “Data Protection Laws” means any applicable laws and regulations, as revised from time to time, related to data protection or privacy that apply to the Parties with regard to the Processing of Personal Data under this DPA, including, to the extent applicable, the CPRA, and any other supranational, national, state, or local general privacy and data protection laws and regulations in effect on or after the DPA Effective Date.

1.7. “Data Subject” means the person or individual to whom Personal Data relates. For clarity, “Data Subject” includes all such similar terms under Data Protection Laws, such as “consumer” under the CPRA.

1.8. “Data Subject Request” means a Data Subject’s request to access, correct, amend, transfer, delete, or exercise any other right given to the Data Subject under Data Protection Laws with respect to that Data Subject’s Personal Data.

1.9. “EEA” means the European Economic Area.

1.10. “Personal Data” means any information relating to an identified or identifiable Data Subject or that may otherwise be considered personal information under Data Protection Laws, including information that may only indirectly identify the Data Subject, that is Processed while providing the Services.

1.11. “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. “Process,” “Processes,” and “Processed” will be interpreted accordingly.

1.12. “Security Incident” means any accidental, unauthorized or unlawful destruction, loss, alteration, acquisition, or unauthorized disclosure of, or access to, any Personal Data.

1.13. “Security Standards” means the security standards provided at https://brightmove.com/security-standards, as may be amended from time to time in accordance with this DPA.

1.14. “Services” means any product or services (including services such as support that are not separately billed) provided by BrightMove to Controller that involve BrightMove’s Processing of Controller’s Personal Data.

1.15. “Sub-processor” means an entity engaged by a Processor who agrees to receive from the Processor Personal Data exclusively intended for the Processing activities to be carried out as part of the Services.

1.16. “Term” means the period commencing on the DPA Effective Date and ending upon the termination of the Underlying Agreement, unless extended due to BrightMove’s retention of Personal Data.

1.17. “Underlying Agreement” means an agreement pursuant to which BrightMove is providing Services to Controller. A Controller may have more than one Underlying Agreement with BrightMove.

  2. Data Processing and Data Transfers.

2.1. Scope and Roles. Controller is either a Controller or a Processor, as the case may be. BrightMove is a Processor (or a Sub-processor if Controller is a Processor). BrightMove and Controller each have complied with, and will continue to comply with, all applicable Data Protection Laws. If BrightMove becomes aware or reasonably believes that Processing Personal Data according to Controller’s instructions violates applicable Data Protection Laws, BrightMove will immediately notify Controller and suspend the Processing of Controller’s Personal Data. BrightMove shall only resume Processing upon receipt of revised instructions from Controller that allow the Processing to comply with applicable Data Protection Laws. If BrightMove cannot resume Processing, Controller may terminate the Underlying Agreement, or the relevant portion thereof. Such termination shall be without penalty, provided that the inability to continue Processing Personal Data in a compliant manner is due to BrightMove’s inability to do so, and not due to Controller’s inability or unwillingness to provide compliant instructions.

2.2. Details of Data Processing. BrightMove Processes Personal Data to perform the Services. BrightMove shall only Process Personal Data on behalf of Controller and in accordance with Controller’s documented instructions for the following purposes: (i) Processing in accordance with the Underlying Agreement; (ii) Processing initiated by users in their use of the Services; and (iii) Processing to comply with subsequent documented reasonable instructions provided by Controller (e.g., via email) where such instructions are consistent with the terms of the Underlying Agreement or where Processing pursuant to such subsequent instructions is necessary to comply with Data Protection Laws. If BrightMove believes Controller’s instructions violate Data Protection Laws, BrightMove will notify Controller and permit Controller to revise the instructions. Controller shall have sole responsibility for the accuracy, quality, and legality of all Personal Data, the means by which Controller acquires such Personal Data, and Controller’s uses of the Personal Data. Controller specifically acknowledges and agrees that its use of the Services will not violate the rights of any Data Subject, including those that have opted out from sales or other disclosures or uses of Personal Data, to the extent applicable under Data Protection Laws or by contract.

2.3. Categories of Data Subjects. Personal Data Processed during the Services may relate to the following categories of Data Subjects:

2.3.1.    Prospects and clients of Controller who are natural persons, including their employees or contractors;

2.3.2.    Persons other than prospects and clients who are natural persons and are connected to the business activities of Controller, including but not limited to job prospects and applicants;

2.3.3.    Employees, agents, advisors, and contractors of Controller who are natural persons;

2.3.4.    Participants in a Controller-operated research program; or

2.3.5.    Any other user authorized by Controller to use the Services.

2.4. Categories of Personal Data. BrightMove may Process the following types of Personal Data:

2.4.1.    Personal identifiers, personal records, professional and employment information, and other types of Personal Data necessary to fulfill the purpose of the Services.

2.5. Confidentiality of Personal Data.

2.5.1.    BrightMove will treat all of Controller’s Personal Data as confidential information and limit access to Controller’s Personal Data to those BrightMove personnel performing Services that require access. BrightMove will ensure that all BrightMove personnel with access to Controller’s Personal Data are (1) informed of the confidential nature of the Personal Data; (2) aware of relevant obligations under this DPA; (3) regularly, and in any event no less than annually, provided relevant training on privacy and data protection; and (4) subject to appropriate confidentiality obligations with respect to Controller’s Personal Data.

2.5.2.    Except as otherwise required by law, BrightMove will not disclose Controller’s Personal Data without Controller’s prior written consent. If a public authority, including (but not limited to) a court or law enforcement agency, sends BrightMove a request for Controller’s Personal Data (such requests to include but not be limited to search warrants and civil subpoenas), BrightMove will use its best efforts to redirect the public authority to request that Personal Data directly from Controller. As part of this effort, BrightMove may provide Controller’s basic contact information to the public authority. BrightMove will assess and document the legality of any public authority request for Personal Data. In no instance will BrightMove disclose more Personal Data than necessary to comply with any valid legal obligation it may have in connection with such request.

2.6. Transfers of Personal Data.

2.6.1.    To the extent Personal Data originating from within the EEA, Switzerland or the UK will be transferred to a jurisdiction that has not received an adequacy decision from the European Commission (or other relevant authority in Switzerland and the UK), the Parties agree to comply with the Standard Contractual Clauses for the Transfer of Personal Data to Third Countries approved by European Commission Decision of 4 June 2021 and incorporated herein, the United Kingdom’s International Data Transfer Addendum, and the Swiss amendments thereto (collectively, the “Clauses”).

2.6.2.    To the extent Personal Data originating in another jurisdiction requires additional provisions or agreement between the Parties to safeguard the Processing, including any cross-border transfers of Personal Data between Controller and BrightMove, the Parties agree to negotiate in good faith such additional provisions or agreement prior to the cross-border Personal Data transfer.

  3. Security and Assistance.

3.1. Security Standards. BrightMove has implemented and will maintain Security Standards that constitute appropriate technical and organizational measures (“Security Measures”) to protect Controller’s Personal Data from unlawful Processing and to preserve the security, integrity, availability, confidentiality, and resilience of Controller’s Personal Data and BrightMove’s Processing systems and services. At a minimum, BrightMove will maintain those measures described in BrightMove’s then-current Security Standards. BrightMove will ensure that there is no material decrease in the level of security afforded to Controller’s Personal Data while this DPA is in effect. Any material decrease in BrightMove’s Security Measures shall be reported to Controller without delay.

3.2. Data Subject Rights.

3.2.1.    If a Data Subject makes a request to BrightMove, BrightMove will use reasonable commercial efforts to redirect the Data Subject to Controller, if Controller can be identified from the request. Controller authorizes BrightMove, on Controller’s behalf and on behalf of Controller’s controllers when Controller is acting as a Processor, to respond to any Data Subject who makes a request to BrightMove, solely to redirect the Data Subject to Controller.

3.2.2.    BrightMove will use reasonable commercial efforts to assist Controller in fulfilling Controller’s obligations to respond to Data Subject Requests under Data Protection Laws. BrightMove shall notify Controller as soon as practicable in the event BrightMove determines that it is unable to comply with a request for assistance. BrightMove will assist Controller as necessary to fulfill valid Data Subject Requests, including by correcting, deleting, or restricting the Processing of Personal Data Processed by BrightMove or its Sub-processors pursuant to Controller’s instructions, or by assisting Controller in correcting, deleting, or restricting the Processing of Personal Data within the Services.

3.3. Risk Assessments. Upon request, BrightMove will provide Controller with reasonably requested information related to BrightMove’s Processing of Personal Data to allow Controller to carry out necessary risk assessments or to respond to regulators.

3.4. Audits and Inspections. BrightMove will allow for and reasonably cooperate with Controller’s auditing of its compliance with this DPA and Data Protection Laws (a) annually, (b) upon reasonable indication of BrightMove’s non-compliance with this DPA or Data Protection Laws, or (c) following a Security Incident. Controller will take reasonable measures to limit unnecessary impact on BrightMove as a result of any audit or other compliance checks. While this DPA is in effect, BrightMove shall annually provide the final reports or findings from any new and relevant audits or inspections, including whether such audit or inspection revealed any material vulnerability in BrightMove’s systems, facilities, policies, controls, or practices. If during any audit or inspection any material security vulnerability is discovered, BrightMove shall promptly remediate such vulnerability and provide evidence of the remediation to Controller upon completion. If BrightMove refuses to remediate material security vulnerabilities within an industry-standard time, Controller may terminate the Underlying Agreement, or the relevant portion thereof, without penalty.

  4. Sub-processing.

4.1. Authorized Sub-processors. BrightMove may engage any Sub-processor disclosed to Controller prior to the execution of this DPA in connection with the provision of Services. If BrightMove wishes to engage a new Sub-processor to Process Personal Data, BrightMove will provide written notice, including relevant information regarding BrightMove’s assessment of the Sub-processor and the privacy and data protection provisions of BrightMove’s agreement with the Sub-processor, to Controller at least thirty (30) calendar days in advance of the anticipated date that the new Sub-processor will begin Processing Personal Data. Controller may object to the new Sub-processor in writing within thirty (30) calendar days of receiving BrightMove’s notice. If Controller objects to the new Sub-processor, Controller may terminate the relevant Processing activity without penalty if no acceptable substitute can be identified. Except as set forth in this Section or as otherwise explicitly authorized by Controller, BrightMove will not permit any other Sub-processing activities related to Personal Data. No new Sub-processor may Process Personal Data until Controller has either (a) accepted the new Sub-processor or (b) the time to object has elapsed.

4.2. Sub-processor Obligations. Where BrightMove uses any authorized Sub-processor as described in Section 4.1:

4.2.1.    BrightMove will restrict the Sub-processor’s access to Personal Data only to what is necessary to provide the Services to Controller and prohibit the Sub-processor from Processing Personal Data for any other purpose;

4.2.2.    BrightMove will enter into a written agreement with the Sub-processor imposing substantially the same obligations, and in any case no less onerous obligations, on the Sub-processor as BrightMove has under this DPA and, on request, provide a copy of such provisions to Controller; and

4.2.3.    BrightMove will remain fully responsible for and liable to Controller for each Sub-processor’s Processing of Personal Data. BrightMove may not invoke the conduct of a Sub-processor to avoid BrightMove’s own liability.

  5. Security Incident Notification.

5.1. Security Incident. BrightMove will at all times have written procedures in place to enable BrightMove to respond quickly to any Security Incident. BrightMove will notify Controller without undue delay after confirming the occurrence of any Security Incident affecting Controller’s Personal Data, and will take immediate steps to assess and address the Security Incident and mitigate potential harm that may result from the Security Incident.

5.2. Controller Assistance.  With regard to any Security Incident affecting Controller’s Personal Data, BrightMove will at all times cooperate with Controller and follow Controller’s reasonable instructions. As requested by Controller, BrightMove will at BrightMove’s own cost reasonably assist Controller with performing a thorough investigation, assessing the potential risk to affected Data Subjects, and providing any required notification to regulatory authorities and affected Data Subjects.

5.3. Communication. BrightMove will provide detailed, timely information to Controller about the Security Incident without undue delay as such information becomes known, including (a) a description of what happened in the Security Incident; (b) the date and time when the Security Incident took place and was discovered by BrightMove; (c) the number of people and records affected by the Security Incident; (d) the categories of Personal Data involved; (e) the security measures in place at the time of the Security Incident; (f) any measures taken or planned to address the Security Incident, including measures to mitigate the possible adverse effects of the Security Incident and prevent recurrence; and (g) a description of the likely consequences to Data Subjects as a result of the Security Incident. BrightMove will designate a point of contact who can respond to Controller’s questions and provide Controller with additional information about the Security Incident, provided that BrightMove may choose to communicate such updates via a status page or other automated method, particularly for updates which apply to multiple Controllers. BrightMove will not communicate with any other party regarding any Security Incident (except professionals engaged in assisting BrightMove with managing such Security Incident and BrightMove’s insurers), unless and until expressly permitted or instructed to do so by Controller.

5.4. Unsuccessful Security Incidents. Controller agrees that: (i) an unsuccessful Security Incident will not be subject to this Section 5. An unsuccessful Security Incident is one that results in no unauthorized access to Controller’s Personal Data or to any of BrightMove’s equipment or facilities storing Controller’s Personal Data, and could include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents; and (ii) neither BrightMove’s obligation to report or respond to a Security Incident hereunder, nor BrightMove’s fulfillment of such obligation, is or will be construed as an acknowledgement by BrightMove of any fault or liability of BrightMove with respect to the Security Incident.

  6. Notice and Cure. If BrightMove violates this DPA or Data Protection Laws and fails to remedy the breach within thirty (30) calendar days of the violation being brought to BrightMove’s attention, Controller may immediately suspend or terminate the Services and/or the Underlying Agreement without penalty.
  7. Deletion of Personal Data. BrightMove will securely delete Personal Data, and any copies thereof, within ninety (90) calendar days following the termination of the Underlying Agreement or within thirty (30) calendar days of a written request from Controller. Following deletion, BrightMove will provide certification of the deletion to Controller. If BrightMove is required by law to retain any Personal Data, BrightMove must inform Controller of the legal obligation. Any Personal Data retained by BrightMove must be securely maintained and not further Processed, except to the extent necessary to comply with BrightMove’s legal obligation(s). BrightMove must continue to protect the retained Personal Data in compliance with this DPA and applicable Data Protection Laws.
  8. Limitations of Liability. Notwithstanding anything to the contrary herein, the liability of each Party under this DPA will be subject to the exclusions and limitations of liability set out in the Underlying Agreement, provided such limitations are permitted under applicable Data Protection Laws.
  9. Governing Law. To the extent allowable under Data Protection Laws, this DPA will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Underlying Agreement.
  10. Entire Agreement. This DPA supersedes and replaces all prior or contemporaneous representations, understandings, agreements, or communications between BrightMove and Controller, whether written or verbal, regarding the subject matter of this DPA, including any prior data processing addenda entered into between Controller and BrightMove with regard to the Processing of Personal Data and the free movement of such data.
  11. Modification of Terms. This DPA may be modified by BrightMove upon email notice to Controller under the notice provisions of the Underlying Agreement. If Controller’s decision to opt out results in Controller’s instructions no longer being compliant with applicable Data Protection Laws, then Section 2.1 shall apply.
  12. Notices. All notices, permissions and approvals to BrightMove hereunder shall be made as provided in the Underlying Agreement.
  13. Conflict, Hierarchy. If there is a conflict between this DPA and any other agreement between the Parties, the terms of this DPA will control. Except as amended by this DPA, the Underlying Agreement will remain in full force and effect.