Terms & Policies

1. Definitions

“Data Protection Laws and Regulations” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including such as EU’s General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), UK’s General Data Protection Regulation (UK GDPR), China's Personal Information Protection Law (PIPL), Brazil’s General Law of Data Protection (LGPD) and others.

“Standard Contractual Clauses” means the clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.

“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Controller” means, in particular, the natural or legal person, which determines the purposes and means of the Processing of Personal Data.

“Processor” means, in particular, the natural or legal person, which Processes Personal Data on behalf of the Controller.

“Subprocessor” means a subcontractor engaged by NetHunt for the Processing of Personal Data.

“Data Subject” means the identified or identifiable person to whom Personal Data relates.

“Personal Data” means information about an individual that (a) can be used to identify, contact or locate a specific individual, including data that Customer chooses to provide to NetHunt from services such as applicant tracking systems (ATSs) or customer-relationships management (CRM) services; (b) can be combined with other information that can be used to identify, contact or locate a specific individual; or (c) is defined as “personal data” or “personal information” by applicable laws or regulations relating to the collection, use, storage or disclosure of information about an identifiable individual.

“Personal Data Breach” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

“Supervisory Authority” means an independent public authority which is (i) established by a European Union member state pursuant to Article 51 of the General Data Protection Regulation; or (ii) the public authority governing data protection, which has supervisory authority and jurisdiction over Customer.

2. Nature of Data Processing, Roles of the Parties

This DPA is the main set of data protection rules with the broadest level of protection applicable to Processing, shall illustrate the Processing of Personal Data necessary for the purposes of the Terms of Service concluded between the Parties and constitutes the agreement, which is legally required for the engagement of Processors.

NetHunt does not own, control or direct the use of any of the Personal Data stored or processed by a Customer via NetHunt service. Only the Customer is entitled to access, retrieve and direct the use of such Personal Data. NetHunt is largely unaware of what Personal Data is actually being stored or made available by a Customer to NetHunt service and does not directly access such Personal Data except as authorized by the Customer, or as necessary to provide NetHunt service to the Customer.

NetHunt does not determine the use of the Personal Data or how such data is collected or will be used further. NetHunt does not act as a Controller in terms of the European Union’s General Data Protection Regulation (Regulation (EU) 2016/679, hereinafter “GDPR”) and does not have the associated responsibilities under the GDPR. NetHunt serves only as a Processor and any requests as to how Personal Data is collected and used by NetHunt Customer should be directed to the Customer in question. NetHunt is not responsible for the content of the Personal Data contained or stored on its servers.

If NetHunt receives a demand under Applicable Law to engage in Processing not permitted by the above, NetHunt shall attempt to redirect the demand to Customer and Customer agrees NetHunt may provide information as reasonably necessary for such redirect. If NetHunt cannot redirect the demand to Customer, NetHunt shall, to the extent legally permitted to do so, take commercially reasonable steps to provide Customer reasonable notice of the demand as promptly as possible under the circumstances.

For the NetHunt services, the Parties acknowledge and agree that Customer is the “Controller” and NetHunt is Customer’s “Processor” as such terms are defined in the GDPR (regardless of whether the GDPR applies). For clarity, with respect to CCPA, NetHunt is Customer’s “Service Provider” as defined therein.

NetHunt may also collect Personal Data of Customer’s representatives, authorized persons and/or employees, provided by Customer, that are strictly necessary for the provision of services. Such Personal Data is stored as long as provision of services to Customer is required. This information is not shared with third parties without the approval of Customer. The legal basis of the processing of this kind of Personal Data is the legitimate interests related to the provision of commercial services by NetHunt to Customer and in general is outside of the scope of the DPA.

3. Compliance with Laws

The Parties shall each comply with their respective obligations under all applicable Data Protection Laws and Regulations.

NetHunt will ensure that the persons NetHunt authorizes to Process the Personal Data are contractually required to maintain the confidentiality of such data. NetHunt will train relevant persons regarding privacy, confidentiality, and data security. NetHunt shall take commercially reasonable steps to ensure the reliability of any NetHunt persons engaged in the Processing of Personal Data.

NetHunt will maintain appropriate administrative, physical, and technical safeguards for protection of the security, confidentiality, and integrity of Personal Data, including measures designed to prevent a Personal Data Breach.

NetHunt shall treat Personal Data as confidential information and shall only Process Personal Data on behalf of and in accordance with Customer’s documented instructions for the following: collection, recording, storage, erasure or destruction. Within this context, NetHunt undertakes to comply with the provisions of the Data Protection Laws and Regulations concerning Processors, inter alia concerning data security and the obligation to keep a record of processing activities.

Customer shall, in its use of NetHunt's services provided based on the Terms of Service as well as this DPA, Process Personal Data in accordance with the requirements of the Data Protection Laws and Regulations. For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with these Data Protection Laws and Regulations. Customer shall have sole responsibility for the accuracy, quality, and legality of the Processing of Personal Data and the means by which the Customer acquired such Personal Data.

4. Communication with Data Subjects

NetHunt shall, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject wishing to exercise its rights under the Data Protection Laws and Regulations, in particular, to access, correct or delete Personal Data or if a Data Subject objects to the Processing thereof (“Data Subject Request”). NetHunt shall not respond to a Data Subject Request. To the extent Customer, in its use of the NetHunt services, does not have the ability to address a Data Subject Request, NetHunt shall upon Customer's request provide commercially reasonable assistance to facilitate such Data Subject Request to the extent NetHunt is legally permitted to do so and provided that such Data Subject Request is exercised in accordance with the Data Protection Laws and Regulations. To the extent legally permitted, the Customer shall be responsible for any costs arising from NetHunt’s provision of such assistance.

Taking into account the nature of the Processing, NetHunt shall assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, in order to be able to respond to general inquiries of Data Subjects (“Data Subject Inquiries”). This shall apply where a direct response by NetHunt is the most reasonable solution or where Customer, does not have the ability to address specific Data Subject Inquiries; hence NetHunt shall – upon Customer’s request after the necessary notification regarding Data Subject Inquiries – provide commercially reasonable efforts to assist Customer in responding to such Data Subject Inquiries, to the extent NetHunt is legally permitted to do so. To the extent legally permitted, the Customer shall be responsible for any costs arising from NetHunt’s provision of such assistance.

5. Personal Data Breach Notification

NetHunt will comply with the Personal Data Breach-related obligations applicable to it under the GDPR and other Data Protection Laws and Regulations. NetHunt will assist Customer in complying with those applicable to Customer by informing Customer of a Personal Data Breach without undue delay. NetHunt will provide such notification in accordance with Data Protection Laws and Regulations to Customer. Such notification shall not be construed as an acknowledgement of fault or responsibility and the obligations herein shall not apply to incidents that are caused by Customer. NetHunt shall make reasonable efforts to identify the cause of such Personal Data Breach and take such steps as NetHunt deems necessary and reasonable to remediate the cause of such Personal Data Breach to the extent the remediation is within NetHunt’s reasonable control.

6. Nethunt Obligations

NetHunt will:

• Process Personal Data (i) only for the purpose of providing, supporting and improving NetHunt’s services (including to provide insights and other reporting), using appropriate technical and organizational security measures; and (ii) in compliance with the instructions received from Customer. NetHunt will not use or process the Personal Data for any other purpose. NetHunt will promptly inform Customer in writing if it cannot comply with the requirements of this DPA, in such case Customer may terminate the Terms of Service or take any other reasonable action, including suspending data processing operations.
• Take commercially reasonable steps to ensure that (i) persons employed by it and (ii) other persons engaged to perform on behalf of NetHunt comply with the DPA.
• Ensure that its persons will be required to comply with and acknowledge the confidentiality of the Personal Data, including after the end of their respective employment, contract or assignment.
• Inform Customer if NetHunt becomes aware of:
  • Any non-compliance by NetHunt or its persons with this DPA or the Data Protection Laws and Regulations relating to the protection of Personal Data processed under this DPA.
  • Any legally binding request for disclosure of Personal Data by a law enforcement authority, unless NetHunt is otherwise forbidden by law to inform Customer, for example to preserve the confidentiality of an investigation by law enforcement authorities.
  • Any notice, inquiry or investigation by a Supervisory Authority with respect to Personal Data.
  • Any complaint or request (in particular, requests for access to rectification, erasure, restriction, portability, blocking or deletion of Personal Data) received directly from data subjects of Customer. NetHunt will not respond to any such request without Customer’s prior written authorization.
• Provide reasonable assistance to Customer regarding:
  • Any requests from Customer data subjects in respect of access to or the rectification, erasure, restriction, portability, blocking or deletion of Personal Data that NetHunt processes for Customer. In the event that a data subject sends such a request directly to NetHunt, NetHunt will promptly, send such request to Customer.
  • The investigation of Personal Data Breaches and the notification to the Supervisory Authority and Customer's Data Subjects regarding such Personal Data Breaches.
  • Where appropriate, the preparation of data protection impact assessments and, where necessary, carrying out consultations with any Supervisory Authority.
• Maintain appropriate organizational and technical security measures (which may include, with respect to personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, incident response, encryption of Personal Data while in transit and at rest) designed to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of Personal Data.
• Notify Customer of any Personal Data Breach by NetHunt, its Subprocessors, or any other third-parties acting on behalf of NetHunt without undue delay and in any event within 48 hours of becoming aware of a Personal Data Breach.

7. Customer Obligation

Customer agrees to comply with its protection, security and other obligations with respect to Personal Data prescribed by Data Protection Laws and Regulations for Controllers.

• Ask for the consent of Data Subjects in written or electronic form for the Processing of their Personal Data or ensure that such Processing takes place in accordance with another legal basis provided for by the Data Protection Laws and Regulations.
• Notify Data Subjects about the types of Personal Data being Processed, as well as the purposes for collecting, Processing and storing Personal Data and, beyond that, provide them all necessary Information before the initial data collection takes place.
• Store information (documents) confirming that the Data Subjects have given their consent to the Processing of their Personal Data for the entire period of the Processing; as far as other legal bases provided for by the Data Protection Laws and Regulations are used in order to ensure the lawfulness of processing activities, Customer shall store any other suitable evidence.
• Observe the principles and rules for the Processing of Personal Data provided for by Data Protection Laws and Regulations.
• Be responsible for non-compliance regarding the principles and rules for the Processing of Personal Data, as provided for by the Data Protection Laws and Regulations.

8. Subprocessor

Customer provides general authorization to NetHunt's use of Subprocessors to Process Personal Data in connection with the provision of the NetHunt services, provided that NetHunt has entered into a written agreement with each Subprocessor containing, in substance, data protection obligations no less protective than those in this DPA with respect to the protection of Personal Data, to the extent applicable to the nature of the Processing provided by such Subprocessor.

Current Subprocessors are listed in Schedule B (the “Subprocessor List”). When any new Subprocessor is to be engaged, NetHunt will update Schedule B to include the new Subprocessor at least ten (10) business days prior to giving the Subprocessor access to the Personal Data.

Customer may object to NetHunt’s use of a new Subprocessor, by notifying NetHunt in writing of such objection within ten (10) business days of NetHunt’s notice of the new Subprocessor. If Customer objects to a new Subprocessor for the NetHunt services, as permitted in the preceding sentence, Customer’s sole remedy is to cease use of the NetHunt services.

NetHunt remains liable for its Subprocessors’ acts and omissions to the same extent NetHunt is liable for its own, consistent with the limitations of liability set forth in the Terms or this DPA.

The Parties agree that any audit rights provided under the terms of this DPA do not extend to NetHunt’s Subprocessors’ facilities.

9. Consultation with Supervisory Authorities

To the extent Customer does not otherwise have access to the relevant information and to the extent such information is available to NetHunt, NetHunt will provide reasonable assistance to and cooperation with Customer for (i) Customer’s performance of any data protection impact assessment of the Processing or proposed Processing of the Personal Data involving NetHunt, and (ii) related consultation with supervisory authorities, either or both of which Customer reasonably considers to be required of Customer by Data Protection Laws and Regulations.

10. Compliance Verification and Audits

Upon Customer’s written request and at its own expense, NetHunt will also allow for Customer’s audit of NetHunt’s applicable controls, provided such audit is i) required by a Supervisory Authority or other similar regulatory authority responsible for the enforcement of Data Protection Laws and Regulations; ii) conducted by Customer or a third-party auditor designated by Customer that has executed an appropriate confidentiality agreement with NetHunt, and iii) Customer and NetHunt mutually agree on the details of the audit, including the reasonable start date, scope and duration of, and security and confidentiality controls applicable to such audit.

11. Data Transfers

If in the performance of the NetHunt Services NetHunt makes an international transfer of Personal Data, Customer authorizes such transfer and the transfer mechanisms listed below shall apply, as applicable.

To the extent required under GDPR, the 2021 Standard Contractual Clauses form part of this DPA and take precedence over the rest of this DPA for such transfer to the extent of any conflict, and they will be deemed completed as follows:

• Customer acts as controller and NetHunt acts as Processor with respect to the Personal Data subject to the 2021 Standard Contractual Clauses, and its Module 2 (Controller to Processor) applies.
• Clause 7 (the optional docking clause) does not apply.
• Under Clause 9 (Use of subprocessors), the Parties select Option 2 (General written authorization). The current list of Subprocessors is set forth below in Schedule B of this DPA. NetHunt shall update the list at least ten (10) business days in advance of any intended additions or replacements of subprocessors.
• Under Clause 11 (Redress), the optional requirement that data subjects be permitted to lodge a complaint with an independent dispute resolution body does not apply.
• Under Clause 17 (Governing law), the Parties choose and select the law of the country according to the jurisdiction agreed by the parties in cl.14.
• Under Clause 18 (Choice of forum and jurisdiction), the Parties select the courts according to the jurisdiction agreed by the parties in cl.14.
• Annexes I and II of the 2021 Standard Contractual Clauses are set forth in Schedule A of the DPA.
• Annex III of the 2021 Standard Contractual Clauses (Subprocessor List) is set forth in Schedule B of the DPA.

To the extent required under UK Data Protection Law, the UK Addendum forms part of this DPA and takes precedence over the rest of this DPA for such transfer to the extent of any conflict, and it will be deemed completed as follows:

• The “exporter” is the Customer, and the exporter’s contact information is set forth in Schedule A below.
• The “importer” is NetHunt, and NetHunt’s contact information is set forth in Schedule A below.
• The Approved EU SCCs described in Table 2 of the UK Addendum shall be the 2021 Standard Contractual Clauses as completed above.
• Annex 1A and 1B of the UK Addendum are set forth in Schedule A of the DPA.
• Annex II of the UK Addendum is set forth in Annex II of Schedule A of the DPA.
• Annex III of the UK Addendum is set forth in Schedule B of the DPA.
• Importer may end the UK Addendum as described in Table 4 of the UK Addendum.

Where a transfer of Personal Data is made from Switzerland, the 2021 Standard Contractual Clauses form part of this DPA and take precedence over the rest of this DPA for such transfer to the extent of any conflict, and they will be deemed completed in accordance with DPA except that:

• Under Clause 13, the competent supervisory authority is the Swiss Federal Data Protection and Information Commission to the extent that the transfer is governed by the Swiss Federal Act on Data Protection.
• References to “Member State” in the 2021 Standard Contractual Clauses refer to Switzerland, and data subjects may exercise and enforce their rights under the 2021 Standard Contractual Clauses in Switzerland.
• References to GDPR in the 2021 Standard Contractual Clauses refer to the Swiss Federal Act on Data Protection (as amended and replaced).

12. Data Return and Deletion

The Parties agree that upon the termination of the Personal Data Processing services or upon Customer’s reasonable request, NetHunt shall, at the choice of Customer, return all the Customer Personal Data and copies of such data to Customer or securely destroy them and demonstrate to the satisfaction of Customer that it has taken such measures, unless Data Protection Laws and Regulations prevent NetHunt from returning or destroying all or part of the Customer Personal Data disclosed. In such a case, NetHunt agrees to preserve the confidentiality of the Customer Personal Data retained by it and that it will only actively process such Customer Personal Data after such date in order to comply with applicable laws. For clarity, NetHunt may continue to process Customer Personal Data that has been aggregated in a manner that does not identify individuals or customers to improve NetHunt’s systems and services.

13. Term

This DPA shall remain in effect as long as NetHunt carries out Personal Data Processing operations on behalf of Customer or until the termination of the Terms of Service (and all Personal Data has been returned or deleted in accordance with Section 12 above).

14. Governing Law, Jurisdiction, and Venue

This DPA shall be governed by the laws of the country which jurisdiction agreed by the parties additionally, and any action or proceeding related to this DPA (including those arising from non contractual disputes or claims) will be brought in court of agreed jurisdiction.

Schedule A to DPA

ANNEX I

A. List of Parties

• 1. Data exporter(s): Customer

  The data exporter is the legal entity subject to the Agreement as Customer, and who is engaging NetHunt to provide the services.

• 2. Data importer(s): NetHunt Inc., 651 N Broad St., Suite 206, Middletown, DE 19709.

  The data importer is NetHunt, the provider of the services. NetHunt’s entity and contact details are set forth in the Terms of Service.

B. Description of Transfer

• 1. Categories of data subjects whose personal data is transferred:

  Customer may submit Personal Data to the NetHunt services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include the Personal Data of Customer’s clients, partners and other business contacts.

• 2. Categories of personal data transferred:

  Customer may submit Personal Data to the NetHunt services, the extent of which is determined and controlled by Customer in its sole discretion and may include information about Customer’s clients, partners and other business contacts (e.g., names, email addresses, and telephone numbers) and their website and application activity, login history, location, and device information (e.g., device identifiers (not Apple ID), operating system, and IP addresses).

• 3. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:

  No sensitive data shall be submitted to the NetHunt services, unless the DPA specifically permits the transfer of such data.

• 4. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

  Notwithstanding termination of the Terms of Service, and to the extent submitted to the NetHunt services by Customer, NetHunt will Process Personal Data continuously, until deletion of all Personal Data as described in this DPA.

• 5. Nature of the processing:

  NetHunt will Process Personal Data in its performance of the NetHunt services pursuant to the Terms of Service and this DPA, and to comply with Customer’s request and instruction to do so provided by Customer’s acceptance of the Terms of Service, creation of an NetHunt account, or use of or access to the NetHunt services.

• 6. Purpose(s) of the data transfer and further processing:

  Customer may submit Personal Data to the NetHunt services, the extent of which is determined and controlled by Customer in its sole discretion, for NetHunt’s provision of the NetHunt services, as described in the Terms of Service and further documented, reasonable instructions from Customer specifically agreed upon by the Parties.

• 7. The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:
  (For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing)

  The period for which Personal Data will be retained in the NetHunt services is determined by Customer during the term of the relationship. Upon termination of the Terms of Service, Customer may retrieve its Personal Data as set forth in the Terms of Service and this DPA and NetHunt will destroy (including on all Subprocessor systems) Personal Data within the timeline described in this DPA.

C. Competent Supervisory Authority

Module Two: Transfer controller to processor

• 1. Identify the competent supervisory authority/ies in accordance with Clause 13.

  Where Customer is established in an EU Member State, Customer shall maintain accurate records of the applicable Member State(s) and competent supervisory authority, which shall be made available to NetHunt upon request. Where Customer is not established in an EU Member State, the supervisory authority of the country which jurisdiction agreed by the parties in cl.14 of this DPA shall act as the competent supervisory authority for these SCCs.

ANNEX II

Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of the Data

NetHunt, the data importer, maintains administrative, physical and technical safeguards for the protection of the security, confidentiality and integrity of Personal Data uploaded to the NetHunt services by Customer, the data exporter. The following concepts apply to NetHunt’s platform and its provision of the NetHunt services and are contextually important to understanding NetHunt’s security controls.

NetHunt is data neutral and data agnostic:
The NetHunt does not know what data Customers choose to send to the platform and will process all data regardless of its nature as long as it fits the predefined characteristics that allow it to be processed. NetHunt does not make any data-based decisions other than following Customers’ instructions as they configure the platform to perform their desired operations.

No persons access:
NetHunt does not directly access Personal Data as part of their normal job duties, except as necessary to provide the NetHunt services or to provide support to a Customer upon a Customer’s request, or to comply with the law or a binding order of a governmental body. Only the NetHunt platform interacts with such data, and only according to the programmatic instructions provided by each NetHunt Customer with respect to its data.

Confidentiality:

• Physical access control:
  No unauthorized access to data processing systems, with the assistance of magnetic or chip cards, keys, electric door openers, plant security or gatekeepers, alarm systems, video systems.
• Access rights:
  No unauthorized system use, using a (secure) passwords, automatic locking mechanisms, two-factor authentication, encryption of data media.
• Access control:
  No unauthorized reading, copying, modification or removal within the system, e.g. Authorization concepts and needs-based access rights, logging of accesses.
• Separation control:
  Separate processing of data collected for different purposes, e.g. multi-client capability, sandboxing.
• Pseudonymization:
  The processing of personal data in such a way that the data can no longer be assigned to a specific data subject without the inclusion of additional information, provided that this additional information is kept separately and is subject to appropriate technical and organizational measures.

Integrity:

• Transmission control:
  No unauthorized reading, copying, modification or removal during electronic transmission or transport, e.g. encryption, Virtual Private Networks (VPN), electronic signature.
• Entry control:
  Determining whether and by whom personal data have been entered, modified or removed from data processing systems, using logging, document management.

Availability and resilience:

• Availability control:
  Protection against accidental or wilful destruction or loss, e.g. backup strategy (online/offline; on-site/off-site), uninterruptible power supply (UPS), virus protection, firewall, reporting channels and emergency plans.
• Rapid restorability.

Procedures for regular review, assessment and evaluation:

• Data protection management;
• Incident-Response-Management;
• Privacy-friendly default settings;
• Order control.

No order data processing without corresponding instruction of the Controller, e.g. clear contract drafting, formalized order management, obligation to assure in advance, follow-up checks.

Schedule B to DPA

Subprocessor Lisat

To deliver the NetHunt services, NetHunt may use the following Subprocessors to Process Personal Data.

Subprocessor	Purpose	Location	Data Center	Transfer Mechanism
Google Cloud Platform	Cloud hosting and infrastructure provider	1600 Amphitheatre Parkway Mountain View, California 94043 USA	USA	https://cloud.google.com/privacy/gdpr
Stripe, Inc.	Payment processing	54 Oyster Point Blvd South San Francisco, CA 94080 United States	USA	https://stripe.com/legal/dpa
MongoDB	Database program	Paramount Plaza New York City, U.S.	USA	https://www.mongodb.com/legal/dpa
Intercom, Inc.	Customer Success and Support	San Francisco, California, U.S.	USA	https://www.intercom.com/legal/data-processing-agreement
Google Analytics	Data Analytics	1600 Amphitheatre Parkway Mountain View, California 94043 USA	USA	https://www.google.com/analytics/terms/dpa/dataprocessingamendment_20130906.html
Profitwell (now part of Paddle)	Data Analytics	Boston, Massachusetts, United States	USA	https://www.paddle.com/legal/data-processing-addendum