Data Processing Agreement
Our privacy policy
DATA PROCESSING AGREEMENT (DPA)
1. PARTIES
Processor:
Fairfox AI (Equio ApS)
Nørredamsvej 64
DK-3480 Fredensborg
CVR: 45307581
Controller:
[Customer Legal Name]
[Customer Address]
[Customer Registration Number]
[Customer Country]
2. BACKGROUND
This DPA applies as set out in clause 7.1 of the Agreement. In the event of a conflict between any of the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail. For the full list of controls, see our trust center: trust.fairfox.ai
3. DEFINITIONS
Unless otherwise set out below, each capitalised term in this DPA shall have the meaning set out in the Agreement and the following capitalised terms used in this DPA shall be defined as follows:
"Customer Personal Data" means any personal data contained in the Customer Materials, including personal data uploaded by the Customer to the Platform that Fairfox Processes on behalf of the Customer or one of its Affiliates for the duration of the Agreement in connection with the Customer's use of and access to the pay equity analytics services.
For the avoidance of doubt, Customer Personal Data shall not include any personal data which is anonymised or deidentified whether by the Customer at the time of its supply to Fairfox or anonymised or deidentified by Fairfox after which the identifiable data is destroyed.
"Controller" means "controller" as defined by any applicable Data Protection Laws.
"Data Protection Laws" means the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council ("EU GDPR"), and all other equivalent or similar laws and regulations in any relevant EU member state jurisdiction relating to Personal Data and privacy, as each may be amended, extended or re-enacted from time to time.
"Data Subject" means "data subject" as defined by any applicable Data Protection Laws.
"European Economic Area" or "EEA" means the Member States of the European Union together with Iceland, Norway, and Liechtenstein.
"Personal Data" means "personal data" as defined by any applicable Data Protection Laws.
"Processor" means "processor" as defined by any applicable Data Protection Laws.
"Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Customer Personal Data.
"Standard Contractual Clauses" means the appropriate standard contractual clauses annexed to the Commission Implementing Decision C/2021/3972 or such other clauses as are approved by the European Commission from time to time.
"Subprocessor" means any Processor engaged by Fairfox who agrees to receive from Fairfox Customer Personal Data.
The terms "Process" and "Supervisory Authority" shall have the same meaning as set out in applicable Data Protection Laws.
4. DATA PROCESSING
4.1 In this Agreement Fairfox shall act as a Processor for Customer Personal Data of which the Customer or its Affiliates is a Controller.
4.2 Fairfox will only Process Customer Personal Data in accordance with: a) the Agreement, to the extent necessary to provide the pay equity analytics services to the Customer; and b) the Customer's written instructions, unless Processing is required by European Union or Member State Data Protection Laws to which Fairfox is subject, in which case Fairfox shall, to the extent permitted by applicable law, inform the Customer of that legal requirement before Processing that Customer Personal Data.
4.3 Fairfox shall implement the technical and organisational measures referred to in paragraph 6.1 to protect against unauthorised or unlawful processing and against loss or destruction or damage to the Customer Personal Data.
4.4 The Agreement (subject to any changes to the Services) and this DPA shall be the Customer's instructions to Fairfox in relation to the Processing of Customer Personal Data.
4.5 To the extent that any of the Customer's instructions require Processing of Customer Personal Data in a manner that falls outside the scope of the pay equity analytics services, Fairfox may: a) make the performance of any such instructions subject to the payment by the Customer of any costs and expenses incurred by Fairfox or such additional charges as Fairfox may reasonably determine; or b) terminate the Agreement and the Services.
4.6 The Customer shall provide all applicable notices to Data Subjects required under applicable Data Protection Laws for the lawful Processing of Customer Personal Data by Fairfox in accordance with this Agreement.
4.7 The Customer warrants that it has obtained and will obtain any necessary consents required under applicable Data Protection Laws for the lawful transfer to and Processing of Customer Personal Data by Fairfox in accordance with this Agreement.
4.8 Data Processing Particulars - the scope, nature and purpose of and the duration of the Processing together with the types of personal data and categories of Data Subject are set out in Schedule 1 (Data Processing Particulars).
5. SUBPROCESSORS
5.1 The Customer agrees that Fairfox may from time to time use Subprocessors (including Amazon Web Services) to Process Customer Personal Data, provided it enters into, in accordance with Data Protection Laws, a written agreement with the Subprocessor which imposes the same obligations on the Subprocessor with regard to their Processing of Customer Personal Data as are imposed on Fairfox.
5.2 Fairfox shall at all times remain responsible for compliance with its obligations under the DPA and will be liable to the Customer for the acts and omissions of any Subprocessor as if they were the acts and omissions of Fairfox.
5.3 Fairfox shall provide the Customer with notice of any proposed changes to the Subprocessors it uses to Process Customer Personal Data (including any addition or replacement of any Subprocessors).
5.4 If the Customer wishes to object (acting reasonably) on the grounds that sub-processing will or is likely to lead to a breach of Data Protection Laws then it shall provide written notice to Fairfox within seven (7) days of notification by Fairfox under paragraph 4.3 (an "Objection"). In the event of an Objection, Fairfox will discuss the same with the Customer in good faith. Unless an actual or likely breach of Data Protection Laws is demonstrated Fairfox is under no obligation to accommodate an Objection. Subject thereto, Fairfox may, at its discretion, change the Services to accommodate the Objection. Such a change may involve a change to the Fees. If Fairfox is not prepared to change the Services or if the Customer does not accept the proposal within seven (7) days then the Customer may terminate the Agreement by providing not less than thirty (30) days' written notice to Fairfox. No pre-paid Fees shall be refundable if the Agreement is terminated by the Customer in accordance with this paragraph.
6. INTERNATIONAL TRANSFERS
6.1 Fairfox shall not transfer or otherwise process the Customer Personal Data outside the EEA unless: a) the recipient, or the country or territory in which it processes or accesses the Customer Personal Data, ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of Customer Personal Data as set out in a decision of the European Commission; or b) the transfer is based on the appropriate module of the Standard Contractual Clauses; or c) the transfer is otherwise lawful under applicable Data Protection Laws.
7. DATA SECURITY, AUDITS AND SECURITY NOTIFICATIONS
7.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Fairfox shall at all relevant times implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including (as appropriate) any measures listed in Article 32(1) of the EU GDPR. Such measures include those which can be found at https://trust.fairfox.ai and shall be at least equivalent to those published at the Commencement Date.
7.2 The Customer may, upon reasonable notice, at reasonable times and at its own cost, audit (either by itself or using independent third party auditors) Fairfox's compliance with the Processing of Customer Personal Data under this DPA including by conducting audits of Fairfox's data processing facilities. Fairfox shall assist with any audits conducted in accordance with this paragraph 6.2, provided that: a) such audits are carried out in a manner that does not disrupt Fairfox's business and are not carried out more than annually; b) the Customer reimburses Fairfox any costs incurred by Fairfox in facilitating such audits, including arranging access to any of Fairfox's or its Subprocessors' processing facilities.
7.3 The Customer acknowledges that, in relation to Subprocessors, rights of audit may be subject to additional requirements of the Subprocessor including the right to tender in the first instance assurance reports in order to satisfy Customer concerns.
7.4 Where required under Article 28(3)(h) of the EU GDPR, or other Data Protection Laws, Fairfox shall immediately notify the Customer in the event that Fairfox believes the Customer's instructions conflict with the requirements of applicable Data Protection Laws or other EU or Member State laws.
7.5 If Fairfox or any Subprocessor becomes aware of a Security Incident, Fairfox will (i) notify the Customer of the Security Incident promptly and in any event within forty eight (48) hours after becoming aware of the Security Incident, (ii) investigate the Security Incident and provide such reasonable assistance to the Customer (and any law enforcement or regulatory official) as required to investigate the Security Incident, and (iii) take steps to remedy any non-compliance with this DPA.
7.6 Fairfox shall treat the Customer Personal Data as the Customer's Confidential Information and shall ensure that any employees or other personnel that have access to the Customer Personal Data have agreed in writing to protect the confidentiality and security of the Customer Personal Data and do not Process such Customer Personal Data other than in accordance with this DPA.
8. ACCESS REQUESTS AND DATA SUBJECT RIGHTS
8.1 Save as required (or where prohibited) under applicable law, Fairfox shall promptly notify the Customer of any request received by Fairfox from a Data Subject, whether directly or through a Subprocessor, in respect of their personal data included in the Customer Personal Data and shall not respond to the Data Subject.
8.2 Fairfox shall provide the Customer with the ability to correct, delete, block, access or copy the Customer Personal Data in accordance with the functionality of the Platform.
8.3 Fairfox shall notify the Customer of any request for the disclosure of Customer Personal Data by a governmental or regulatory body or law enforcement authority (including any data protection Supervisory Authority) unless otherwise prohibited by law or a legally binding order of such body or agency.
9. ASSISTANCE
9.1 Where applicable, taking into account the nature of the Processing, and to the extent required under applicable Data Protection Laws, Fairfox shall: a) use all reasonable endeavours to assist Customer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to requests for exercising Data Subject rights laid down by applicable Data Protection Laws; and b) provide reasonable assistance to the Customer (at the Customer's expense unless the same is due to any breach by Fairfox) with any data protection impact assessments and with any prior consultations to any Supervisory Authority of the Customer, in each case solely in relation to Processing of Customer Personal Data and taking into account the information available to Fairfox.
10. DURATION AND TERMINATION
10.1 Fairfox shall, within thirty (30) days of the date of expiry or termination of the Agreement: a) if requested to do so by the Customer, return a complete copy of all Customer Personal Data by secure file transfer; and b) delete and use all reasonable efforts to procure the deletion of all other copies of Customer Personal Data Processed by Fairfox or any Subprocessors. Customer Personal Data shall be considered deleted where it is put beyond further use by Fairfox or its Subprocessors. The Customer acknowledges that its Subprocessors may have their own timescales for the return or destruction of Customer Personal Data.
10.2 Fairfox and its Subprocessors may retain Customer Personal Data to the extent required by applicable law, or as Fairfox may deem necessary to prosecute or defend any legal claim, provided that such Customer Personal Data is retained only to the extent and for such period as required by applicable laws or pending resolution of any issue, and always provided that Fairfox shall ensure the confidentiality of all such Customer Personal Data.
11. SCHEDULE 1 - DATA PROCESSING PARTICULARS
Subject matter and duration of the processing: Fairfox will process Customer Personal Data for the purpose of providing pay equity analytics services to enable compliance with EU Pay Transparency Directive requirements, for the duration of the Agreement.
11.1 Nature and purpose of processing:
- Analysis of employee compensation data to identify pay gaps
- Statistical modeling and calculations for pay equity assessments
- Generation of reports and recommendations for pay gap remediation
- Validation of pay grade classifications
11.2 Categories of personal data:
- Employee identification information (names, employee IDs)
- Compensation data (salaries, bonuses, benefits)
- Demographic information (gender, age, ethnicity where provided)
- Employment information (job titles, grades, departments, start dates, locations)
- Performance and qualification data (education, experience, performance ratings where provided)
Categories of data subjects: Current and former employees of the Customer organization whose data is included in compensation analysis datasets.
Frequency of transfer: As required for service delivery, typically during initial setup and periodic analysis updates as requested by Customer.
Retention period: Customer Personal Data will be retained for the duration of the Agreement and deleted within 30 days of termination, except where retention is required by applicable law.
Any questions regarding our DPA? Feel free to reach out to info@fairfox.ai