TERMS AND CONDITIONS

1. SERVICES AND SUPPORT

1.1. This Services Agreement (“Agreement”) is entered into on the Effective Date between SourceWhale Ltd with a registered address of 86-90 Paul Street, London, EC2A 4NE, United Kingdom (“Company” or “Service Provider”), and the Customer.

1.2. The use of the Services may require creating an account (“Account”) and signing into this Account. By creation of an Account, Customer submits a binding offer to conclude an Agreement for the free of charge use of the Services for trial purposes. Company may at its sole discretion accept this offer and grant Customer a free right to use the Software for a limited period for trial purposes (“Trial”). Customer is only entitled to one Trial. Company may extend the Trial at its sole discretion. After the expiration of the Trial, Customer may conclude a fee-based Agreement with Company for the Services. If such an Agreement is not concluded, Customer’s Account will be blocked.

1.3. Subject to the terms of this Agreement, Company will use commercially reasonable efforts to provide Customer the Services in accordance with the Service Level Terms attached hereto as Exhibit B.

1.4. Subject to the terms hereof, Company will provide Customer with reasonable technical support services in accordance with the terms set forth in Exhibit C.

1.5. Customer shall be entitled to increase the number of licenses (as defined in the License Type and Quantity section of the Order Form) (“Licenses”) for the Services at any time during the Service Term, subject to paying the additional Services Fees required. The duration of each additional License shall be for the remainder of the then current Service Term.

2. RESTRICTIONS AND RESPONSIBILITIES

2.1. Customer will not, directly or indirectly: reverse engineer, decompile, disassemble or otherwise attempt to discover the source code, object code or underlying structure, ideas, know-how or algorithms relevant to the Services or any software, documentation or data related to the Services (“Software”); modify, translate, or create derivative works based on the Services or any Software (except to the extent expressly permitted by Company or authorized within the Services); use the Services or any Software for timesharing or service bureau purposes or otherwise for the benefit of a third; or remove any proprietary notices or labels.

2.2. Customer will not use the Services to create, market or distribute any product or service that is similar or competitive with the Services, or engage in any competitive analysis of the Services.

2.3. Customer represents, covenants, and warrants that Customer will use the Services only in compliance with Company’s standard published policies then in effect (the “Policy”) and all applicable laws and regulations.  Customer hereby agrees to indemnify and hold harmless Company against any damages, losses, liabilities, settlements and expenses (including without limitation costs and legal fees) in connection with any claim or action that arises from an alleged violation of the foregoing or otherwise from Customer’s use of Services. Although Company has no obligation to monitor Customer’s use of the Services, Company may do so and may prohibit any use of the Services it believes may be (or alleged to be) in violation of the foregoing.

2.4. Customer shall be responsible for obtaining and maintaining any equipment and ancillary services needed to connect to, access or otherwise use the Services, including, without limitation, modems, hardware, servers, software, operating systems, networking, web servers and the like (collectively, “Equipment”).  Customer shall also be responsible for maintaining the security of the Equipment, Customer account, passwords (including but not limited to administrative and user passwords) and files, and for all uses of Customer account or the Equipment with or without Customer’s knowledge or consent.

3. CONFIDENTIALITY; PROPRIETARY RIGHTS

3.1. Each party (the “Receiving Party”) understands that the other party (the “Disclosing Party”) has disclosed or may disclose business, technical or financial information relating to the Disclosing Party’s business (hereinafter referred to as “Proprietary Information” of the Disclosing Party).  Proprietary Information of Company includes non-public information regarding features, functionality and performance of the Service.  Proprietary Information of Customer includes non-public data provided by Customer to Company to enable the provision of the Services (“Customer Data”). The Receiving Party agrees: (i) to take reasonable precautions to protect such Proprietary Information, and (ii) not to use (except in performance of the Services or as otherwise permitted herein) or divulge to any third person any such Proprietary Information.  The Disclosing Party agrees that the foregoing shall not apply with respect to any information after five (5) years following the disclosure thereof or any information that the Receiving Party can document (a) is or becomes generally available to the public, or (b) was in its possession or known by it prior to receipt from the Disclosing Party, or (c) was rightfully disclosed to it without restriction by a third party, or (d) was independently developed without use of any Proprietary Information of the Disclosing Party or (e) is required to be disclosed by law.

3.2. Customer shall own all right, title and interest in and to the Customer Data, as well as any data that is based on or derived from the Customer Data and provided to Customer as part of the Services. Company shall own and retain all right, title and interest in and to (a) the Services and Software, all improvements, enhancements or modifications thereto, (b) any software, applications, inventions or other technology developed in connection with Implementation Services or support, and (c) all intellectual property rights related to any of the foregoing.

3.3. Notwithstanding anything to the contrary, Company shall have the right collect and analyze data and other information relating to the provision, use and performance of various aspects of the Services and related systems and technologies (including, without limitation, information concerning Customer Data and data derived therefrom), and  Company will be free (during and after the term hereof) to (i) use such information and data to improve and enhance the Services and for other development, diagnostic and corrective purposes in connection with the Services and other Company offerings, and (ii) disclose such data solely in aggregate or other de-identified form in connection with its business. No rights or licenses are granted except as expressly set forth herein.

4. PAYMENT OF FEES

4.1. Customer will pay Company the then applicable fees described in the Order Form for the Services and Implementation Services in accordance with the terms therein (the “Fees”).  If Customer’s use of the Services exceeds the Service Capacity set forth on the Order Form or otherwise requires the payment of additional fees (per the terms of this Agreement), Customer shall be billed for such usage and Customer agrees to pay the additional fees in the manner provided herein.  Company reserves the right to change the Fees or applicable charges and to institute new charges and Fees at the end of the Service Term or thencurrent renewal term, upon fourteen (14) days prior notice to Customer (which may be sent by email). If Customer believes that Company has billed Customer incorrectly, Customer must contact Company no later than 60 days after the closing date on the first billing statement in which the error or problem appeared, in order to receive an adjustment or credit.  Inquiries should be directed to Company’s customer support department.

4.2. Company may choose to bill through an invoice, in which case, full payment for invoices issued in any given month must be received by Company seven (7) days after the mailing date of the invoice.  Unpaid amounts are subject to a finance charge of 1.5% per month on any outstanding balance, or the maximum permitted by law, whichever is lower, plus all expenses of collection and may result in immediate termination of Service. Customer shall be responsible for all taxes associated with Services other than U.K. taxes based on Company’s net income.

4.3. Customer indemnities and holds harmless Company against all costs, losses, interest and legal expenses incurred in recovering unpaid fees under this Agreement.

4.4. Customer agrees that its obligations under this Agreement, including all payment obligations, shall be binding upon and enforceable against any successor entity, assignee, or acquirer of Customer’s business, whether by merger, consolidation, asset sale, change of control, or other corporate restructuring. Customer shall provide at least 30 days’ prior written notice of any such event. Any such restructuring shall not relieve Customer of its obligations unless explicitly agreed by Company in writing.

4.5. If Customer undergoes an insolvency event, including but not limited to bankruptcy, liquidation, winding-up, dissolution, name change, merger, restructuring, or any other event that may affect its financial stability, or if Customer takes any action that could impair its ability to meet its payment obligations under this Agreement, all outstanding fees under this Agreement shall become immediately due and payable.

5. TERM AND TERMINATION

5.1. In addition to any other remedies it may have, either party may also terminate this Agreement upon fourteen (14) days’ notice (or without notice in the case of nonpayment), if the other party materially breaches any of the terms or conditions of this Agreement and fails to cure such breach within fourteen (14) days of receiving written notice from the other party which: (a) specifies the breach in reasonable detail; and (b) expressly states that it will terminate the Agreement if the breach is not cured within fourteen (14) days. Customer acknowledges that payment obligations under this Agreement are independent of the performance obligations by Company. Fees for Services rendered up to and including the termination date shall remain payable in full, regardless of any alleged breach by Company, unless and until such breach has been formally determined by a court of competent jurisdiction in accordance with this Agreement. Any dispute regarding alleged breaches shall not suspend or delay Customer’s payment obligations.

5.2. Upon any termination, Company will make all Customer Data available to Customer for electronic retrieval for a period of thirty (30) days, but thereafter Company may, but is not obligated to, delete stored Customer Data. All sections of this Agreement which by their nature should survive termination will survive termination, including, without limitation, accrued rights to payment, confidentiality obligations, warranty disclaimers, and limitations of liability.

5.3. If Customer fails to pay any amount due under this Agreement within fifteen (15) days of the due date for payment: (a) Company may with immediate effect, and at its sole discretion, suspend Customer’s access to the Services or terminate this Agreement, by giving notice to Customer (suspension or termination under this clause not relieving Customer of its obligation to pay all outstanding amounts due);
(b) any payments that are due to be made under the remaining part of the Service Term shall become immediately due and owing to Company as liquidated damages, reflecting a genuine pre-estimate of loss arising from early termination; and
(c) Company’s rights under this clause are without prejudice to any other remedies available under this Agreement or applicable law.

6. WARRANTY AND DISCLAIMER

Company shall use reasonable efforts consistent with prevailing industry standards to maintain the Services in a manner which minimizes errors and interruptions in the Services and shall perform the Implementation Services in a professional and workmanlike manner.  Services may be temporarily unavailable for scheduled maintenance or for unscheduled emergency maintenance, either by Company or by third-party providers, or because of other causes beyond Company’s reasonable control, but Company shall use reasonable efforts to provide advance notice in writing or by e-mail of any scheduled service disruption.  Due to the nature of large language models and AI technologies, the Services that incorporate these technologies may occasionally hallucinate and produce content which is inaccurate or speculative; Company is not responsible for reviewing or attempting to verify the accuracy or completeness of this content, and Customer is responsible for all decisions or actions taken based on this content. However, Company does not warrant that the Services will be uninterrupted or error free; nor does it make any warranty as to the results that may be obtained from use of the Services.  EXCEPT AS EXPRESSLY SET FORTH IN THIS SECTION, THE SERVICES AND IMPLEMENTATION SERVICES ARE PROVIDED “AS IS” AND COMPANY DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.

7. INDEMNITY

Company shall hold Customer harmless from liability to third parties resulting from infringement by the Service of any United Kingdom or United States patent or any copyright or misappropriation of any trade secret, provided Company is promptly notified of any and all threats, claims and proceedings related thereto and given reasonable assistance and the opportunity to assume sole control over defense and settlement; Company will not be responsible for any settlement it does not approve in writing.  The foregoing obligations do not apply with respect to portions or components of the Service (i) not supplied by Company, (ii) made in whole or in part in accordance with Customer specifications, (iii) that are modified after delivery by Company, (iv) combined with other products, processes or materials where the alleged infringement relates to such combination, (v) where Customer continues allegedly infringing activity after being notified thereof or after being informed of modifications that would have avoided the alleged infringement, or (vi) where Customer’s use of the Service is not strictly in accordance with this Agreement.  If, due to a claim of infringement, the Services are held by a court of competent jurisdiction to be or are believed by Company to be infringing, Company may, at its option and expense (a) replace or modify the Service to be non-infringing provided that such modification or replacement contains substantially similar features and functionality, (b) obtain for Customer a license to continue using the Service, or (c) if neither of the foregoing is commercially practicable, terminate this Agreement and Customer’s rights hereunder and provide Customer a refund of any prepaid, unused fees for the Service.

8. LIMITATION OF LIABILITY

NOTWITHSTANDING ANYTHING TO THE CONTRARY, EXCEPT FOR BODILY INJURY OF A PERSON, COMPANY AND ITS SUPPLIERS (INCLUDING BUT NOT LIMITED TO ALL EQUIPMENT AND TECHNOLOGY SUPPLIERS), OFFICERS, AFFILIATES, REPRESENTATIVES, CONTRACTORS AND EMPLOYEES SHALL NOT BE RESPONSIBLE OR LIABLE WITH RESPECT TO ANY SUBJECT MATTER OF THIS AGREEMENT OR TERMS AND CONDITIONS RELATED THERETO UNDER ANY CONTRACT, NEGLIGENCE, STRICT LIABILITY OR OTHER THEORY: (A) FOR ERROR OR INTERRUPTION OF USE OR FOR LOSS OR INACCURACY OR CORRUPTION OF DATA OR COST OF PROCUREMENT OF SUBSTITUTE GOODS, SERVICES OR TECHNOLOGY OR LOSS OF BUSINESS; (B) FOR ANY INDIRECT, EXEMPLARY, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES; (C) FOR ANY MATTER BEYOND COMPANY’S REASONABLE CONTROL; OR (D) FOR ANY AMOUNTS THAT, TOGETHER WITH AMOUNTS ASSOCIATED WITH ALL OTHER CLAIMS, EXCEED £100 IF THE AGREEMENT IS FOR A FREE TRIAL, OR OTHERWISE THE FEES PAID BY CUSTOMER TO COMPANY FOR THE SERVICES UNDER THIS AGREEMENT IN THE 12 MONTHS PRIOR TO THE ACT THAT GAVE RISE TO THE LIABILITY, IN EACH CASE, WHETHER OR NOT COMPANY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

9. DATA PROTECTION

Customer and Company agree that for personal data related to third party data subjects (such as a candidate or prospect the Customer is reaching out to regarding a job) that this is Customer Personal Data and Customer is the Data Controller (and Company has the role of a Data Processor), as Customer is determining the purpose and means of processing the personal data. As such Customer is responsible for ensuring they have a lawful basis for processing personal data from a data subject. The contact address for any data protection related matters is

Customer is responsible for following all applicable data protection and privacy laws in the relevant jurisdictions for third parties they enter or add into the SourceWhale platform.

The parties agree that the obligations set out at Exhibit D shall apply in respect of the Service Provider’s processing of Customer Personal Data (as defined in Exhibit D).

MISCELLANEOUS

10.1. If any provision of this Agreement is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary so that this Agreement will otherwise remain in full force and effect and enforceable.

10.2. This Agreement is not assignable, transferable or sublicensable by Customer except with Company’s prior written consent.  Company may transfer and assign any of its rights and obligations under this Agreement without consent.

10.3. This Agreement is the complete and exclusive statement of the mutual understanding of the parties and supersedes and cancels all previous written and oral agreements, communications and other understandings relating to the subject matter of this Agreement. Except for increases in the number of Licenses – which may be agreed between the parties without a signed confirmation – all waivers and modifications must be in a writing signed by both parties, except as otherwise provided herein. For the avoidance of doubt, communications made through automated tools, chatbots, or similar methods shall not constitute valid amendments, modifications, or waivers, unless expressly confirmed in writing by authorized representatives of both parties.

10.4. No agency, partnership, joint venture, or employment is created as a result of this Agreement and Customer does not have any authority of any kind to bind Company in any respect whatsoever.  In any action or proceeding to enforce rights under this Agreement, the prevailing party will be entitled to recover costs and attorneys’ fees.  All notices under this Agreement will be in writing and will be deemed to have been duly given when received, if personally delivered; when receipt is electronically confirmed, if transmitted by facsimile or e-mail; the day after it is sent, if sent for next day delivery by recognized overnight delivery service; and upon receipt, if sent by certified or registered mail, return receipt requested.

11. GOVERNING LAW AND JURISDICTION

11.1 This Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the law of England and Wales, and each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this Agreement or its subject matter or formation (including non-contractual disputes or claims).

EXHIBIT B

Service Level Terms

The Services shall be available 99.9%, measured monthly, excluding holidays and weekends and scheduled maintenance.  If Customer requests maintenance during these hours, any uptime or downtime calculation will exclude periods affected by such maintenance.  Further, any downtime resulting from outages of third party connections or utilities or other reasons beyond Company’s control will also be excluded from any such calculation. Customer’s sole and exclusive remedy, and Company’s entire liability, in connection with Service availability shall be that for each period of downtime lasting longer than one day, Company will credit Customer one (1) day extra usage of the platform for each period of one (1) or more days of downtime.  Downtime shall begin to accrue as soon as Customer (with notice to Company) recognizes that downtime is taking place, and continues until the availability of the Services is restored.  In order to receive downtime credit, Customer must notify Company in writing within 24 hours from the time of downtime, and failure to provide such notice will forfeit the right to receive downtime credit.  Such credits may not be redeemed for cash and shall not be cumulative beyond a total of credits for one (1) week of Service Fees in any one (1) calendar month in any event.  Company’s blocking of data communications or other Service in accordance with its policies shall not be deemed to be a failure of Company to provide adequate service levels under this Agreement.

EXHIBIT C

Support Terms

Company will provide Technical Support to Customer via telephone, electronic mail or live chat on weekdays during the hours of 9:00am through 11:59pm GMT time, 4:00am through 7:00pm ET and 1:00am through 4pm PST, excluding public holidays (“Support Hours”).

Customer may initiate a Helpdesk ticket during Support Hours by emailing support@sourcewhale.com

Company will use commercially reasonable efforts to respond to all Helpdesk tickets raised during Support Hours within one (1) business hour.

Exhibit D

Data Processing Addendum

1. BACKGROUND

This Data Processing Addendum (“DPA”) is supplemental to the Agreement and applies as set out in clause 9 of the Agreement.

In the event of a conflict between any of the provisions of this DPA and the remaining provisions of the Agreement, the provisions of this DPA shall prevail.

2. DEFINITIONS

Unless otherwise set out below, each capitalised term in this DPA shall have the meaning set out in the Agreement and the following capitalised terms used in this DPA shall be defined as follows:

(a) “Customer Personal Data” means the personal data described in ANNEX 1 and any other personal data that SourceWhale processes on behalf of the Customer in connection with SourceWhale’s provision of the Services;

(b) “Data Protection Laws” means all applicable laws and guidance by relevant supervisory authorities relating to data protection and the processing of personal data including:

(i) the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council and, where applicable, the “UK GDPR” as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the UK European Union (Withdrawal) Act 2018  (“GDPR”);

(ii) national legislation implementing Directive 2002/58/EC (as amended); and

(iii)  any applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of Customer Personal Data;

(c) “European Economic Area” or “EEA” means the Member States of the European Union together with Iceland, Norway, and Liechtenstein;

(d) “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Customer Personal Data;

(e) “Subprocessor” means any Processor engaged by SourceWhale who agrees to receive from SourceWhale Customer Personal Data; and

(f) the terms “personal data”, “Controller”, “Processor”, “Data Subject”, “Process” and “Supervisory Authority” shall have the same meaning as set out in the applicable Data Protection Laws.

3. DATA PROCESSING

3.1 Instructions for Data Processing. SourceWhale will only Process Customer Personal Data in accordance with the Agreement, to the extent necessary to provide the Services to the Customer, and Customer’s written instructions. In connection with the provision of the Services and the Processing of Data, each Party will comply with: (a) any and all applicable laws, rules, regulations, directives applicable to the Processing of Customer Personal Data, including all Data Protection Laws, and (b) all industry standards concerning data protection, privacy and information security. In addition, Service Provider will not disclose the Customer Personal Data to any third party apart from Sub-processors authorized by Customer under this Addendum, unless required to do so under the Data Protection Laws to which Service Provider is subject.

3.2 Processing outside the scope of this DPA or the Agreement will require prior written agreement between the Customer and SourceWhale on additional instructions for Processing.

3.3 Required consents. Where required by applicable Data Protection Laws, the Customer will ensure that it has obtained/will obtain all necessary consents, and has provided/will provide the necessary notifications, for the Processing of Customer Personal Data by SourceWhale in connection with the provision of the Services and as otherwise set out in the Agreement.

4. SUBPROCESSORS

4.1 Consent to Subprocessor Engagement. The Customer generally authorises the engagement of third parties as Subprocessors.

4.2 Information about Subprocessors. A maintained list of SourceWhale’s Subprocessors can be found  (as may be updated by SourceWhale from time to time in accordance with this DPA).

4.3 Requirements for Subprocessor Engagement.

When engaging any Subprocessor, SourceWhale will ensure that:

(i) the Subprocessor only accesses and uses Customer Personal Data to the extent required to perform the obligations subcontracted to it and does so in accordance with the Agreement and this DPA; and

(ii) the same obligations are imposed on the Subprocessor with regard to their Processing of Customer Personal Data, as are imposed on SourceWhale under this DPA.

4.4 Opportunity to Object to Subprocessor Changes.

(a) When any new Subprocessor is engaged during the Agreement, SourceWhale will, at least 30 days before the new Subprocessor processes any Customer Personal Data, inform Customer of the engagement (including the name and location of the relevant subprocessor and the activities it will perform), if Customer opts-in to receive such notification prior to any such changes by emailing info@sourcewhale.com and asking to be subscribed.

(b) Customer may object to the appointment of that Subprocessor by providing documentary evidence that reasonably shows that the Subprocessor does not or cannot comply with the requirements in this DPA (“Objection”). If SourceWhale does not remedy or provide a reasonable workaround for the Customer’s Objection within a reasonable time, Customer may object to any new Subprocessor by terminating the Agreement immediately upon written notice to SourceWhale, on condition that Customer provides such notice within 90 days of being informed of the engagement of the subprocessor as described in clause 4.4(a). This termination right is Customer’s sole and exclusive remedy if Customer objects to any new Subprocessor.

4.5 Transfers of Personal Data Outside the EEA. To the extent that the Processing of Customer Personal Data by SourceWhale involves the export of such Personal Data to a country or territory outside the EEA, such transfer shall be to a third party:

(a)   in a country, territory or specified sector which ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data, as set out in an adequacy decision by the European Commission, the UK Data Protection Act 2018 or regulations made by the UK Secretary of State under the UK Data Protection Act 2018;

(b)  that is a member of a compliance scheme recognised by the European Commission as offering adequate protection for the rights and freedoms of data subjects; or

(c) that has signed:

the Standard Contractual Clauses (processors) approved by European Commission Decision C(2010)593 (with the Customer as data exporter and the third party as data importer). For this purpose, the Customer appoints SourceWhale to act as its agent with the authority to complete and enter into the Standard Contractual Clauses as agent for the Customer on its behalf for this purpose; or

the appropriate module of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914,

in each case as amended or approved by the ICO for use in respect of transfers by a data exporter subject to the UK GDPR;

(d) that has entered into any other transfer mechanism approved by the ICO.

5. DATA SECURITY, AUDITS AND SECURITY NOTIFICATIONS

5.1 SourceWhale Security Obligations. SourceWhale will develop and maintain a comprehensive security program including without limitation appropriate administrative, technical, organizational and physical security measures to protect the Data against accidental or unlawful destruction, loss, alteration, unauthorized access or disclosure, which measures are described in ANNEX 2. SourceWhale will limit access to the Data to personnel whose roles reasonably require such access and who have agreed contractually in writing to maintain the confidentiality and security of the Data in keeping with the terms of this Addendum. SourceWhale will maintain written policies including without limitation, an information security policy, security and privacy guidelines, an internal acceptable use policy, and internal procedural documentation, and provide Customer with reasonable evidence of its policies and guidelines upon request. Upon hire and annually thereafter, each of SourceWhale’s personnel will receive training in the security and handling of Data and will agree in writing to adhere to SourceWhale’s privacy and security guidelines and policies. SourceWhale will remain responsible for and liable for its personnel’s compliance with the terms of this Addendum.

5.2 Service Provider Security Audits. The Customer may audit (by itself or using independent third party auditors) SourceWhale’s compliance with the security measures set out in this DPA (including the technical and organisational measures as set out in ANNEX 2), including by conducting audits of SourceWhale’s (and Subprocessors’) data processing facilities and such audits may be performed at least once annually.

5.3 SourceWhale shall make available to the Customer on request all information necessary to demonstrate compliance with this DPA. SourceWhale shall immediately inform the Customer if, in its opinion, an instruction pursuant to this clause 5.3 infringes applicable Data Protection Laws.

5.4 Security Incident Notification. If SourceWhale or any Subprocessor becomes aware of, or has reason to suspect that there has been, a Security Incident, SourceWhale will (a) notify the Customer of the Security Incident without undue delay, (b) investigate the Security Incident and provide such reasonable assistance to the Customer (and any law enforcement or regulatory official) as required to investigate the Security Incident, and (c) take steps to remedy any non-compliance with this DPA.

5.5 SourceWhale Employees and Personnel. SourceWhale shall treat the Customer Personal Data as the Confidential Information of the Customer, and shall ensure that:

(a) access to Customer Personal Data is limited to those employees or other personnel who have a business need to have access to such Customer Personal Data;

(b) any employees or other personnel who have access to Customer Personal Data have agreed in writing to protect the confidentiality and security of Customer Personal Data.

6. ACCESS REQUESTS AND DATA SUBJECT RIGHTS

6.1 Data Subject Requests. Save as required (or where prohibited) under applicable law, SourceWhale shall notify the Customer of any request received by SourceWhale or any Subprocessor from a Data Subject in respect of their personal data included in the Customer Personal Data, and shall not respond to the Data Subject, unless requested or agreed to by Customer to support in Customer’s responsibilities as Data Controller.

6.2 SourceWhale shall, where possible, assist the Customer with ensuring its compliance under applicable Data Protection Laws, and in particular shall:

(a) provide the Customer with the ability to correct, delete, block, access or copy the personal data of a Data Subject, or

(b) promptly correct, delete, block, access or copy Customer Personal Data within the Services at the Customer’s request.

6.3 Government Disclosure. SourceWhale shall notify the Customer of any request for the disclosure of Customer Personal Data by a governmental or regulatory body or law enforcement authority (including any data protection supervisory authority) unless otherwise prohibited by law or a legally binding order of such body or agency.

7. ASSISTANCE

7.1 SourceWhale shall provide Customer with any information or assistance reasonably requested by Customer for the purpose of complying with any of Customer’s obligations under applicable Data Protection Laws, including:

(a) assisting Customer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising Data Subject rights laid down in the applicable Data Protection Laws;

(b) providing reasonable assistance to Customer with any data protection impact assessments and with any prior consultations to any Supervisory Authority of Customer, in each case solely in relation to Processing of Customer Personal Data and taking into account the nature of the Processing and information available to SourceWhale.

8. DURATION AND TERMINATION

8.1 Deletion of data. SourceWhale shall, within 90 (ninety) days of the date of termination of the Agreement:

(a) upon written request, return a complete copy of all Customer Personal Data by secure file transfer in such a format as notified by the Customer to SourceWhale; and

(b) delete and use all reasonable efforts to procure the deletion of all other copies of Customer Personal Data Processed by SourceWhale or any Subprocessors.

8.2 SourceWhale and its Subprocessors may retain Customer Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that SourceWhale shall ensure the confidentiality of all such Customer Personal Data and shall ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.

9. MISCELLANEOUS

9.1 Except as expressly provided herein, nothing in this DPA will be deemed to waive or modify any of the remaining provisions of the Agreement, which otherwise remains in full force and effect. Specifically, nothing in this DPA will affect any of the terms of the Agreement relating to SourceWhale’s limitations of liability, which will remain in full force and effect.

9.2 In the event of a conflict or inconsistency between the terms of this DPA and the terms of the Agreement, the terms of this DPA will prevail.

Annex 1

DETAILS OF THE PROCESSING OF CUSTOMER PERSONAL DATA

Subject matter and duration of the Processing of Customer Personal Data

The subject matter of the Processing of Customer Personal Data is the use of and access to the Service by the Customer in accordance with the Agreement. The duration of the Processing of Customer Personal Data is the Term, subject to clauses 8 of this DPA.

The nature and purpose of the Processing of Customer Personal Data

The Processing of Customer Personal Data provided by Customer to SourceWhale for the purposes of providing the Service to the Customer.

The categories of data subject to whom the Customer Personal Data relates

• Candidates
• Prospective Candidates
• Customer Sales Leads
• Customer Clients
• Employees

The types of Customer Personal Data to be processed

Name

• Profile photo
• Social media profile identifiers
• E-mail address
• Phone number
• Education history
• Employment history
• Resume / CV
• Employment applications
• Home address
• Interview feedback
• Interview decisions
• Offer information
• Any other information in the Customer’s Applicant Tracking System or Customer Relationship Management (CRM) system
• Employee email content, contacts, and calendar
• Call recordings, transcripts, and summaries

The obligations and rights of the Customer

The obligations and rights of the Customer are as set out in this DPA and the Agreement.

Annex 2

Technical and Organisational Security Measures

This document is a high-level overview of SourceWhale’s technical and organizational measures. SourceWhale may change these measures from time to time to adapt to the evolving security landscape and where required will notify clients of these changes.

Within this document, the following definitions apply:

Client: any customer of SourceWhale

SourceWhale Platform: the software-as-a-service provided by SourceWhale to its Clients

Client Data: any information provided by the Client that is processed by the SourceWhale Platform

Personnel: employees of SourceWhale and authorized individual contractors/vendors

Organization of Information Security

Objective: To administer SourceWhale’s information security structure

Measures:

• The information security function reports directly to SourceWhale senior management.
• SourceWhale has a comprehensive set of information security policies, approved by senior management and disseminated to all Personnel.
• All Personnel sign confidentiality agreements.
• All Personnel are given training in information security.
• All cloud resources underlying the SourceWhale platform belong to an infrastructure-as-code stack, to enable easy asset tracking, compliance, and auditing.

Physical Access

Objective: To protect the physical assets that contain Client Data.

Measures:

• The SourceWhale Platform is hosted on Amazon Web Services. Amazon’s description of its data center physical security controls can be found here: .

System Access

Objective: To ensure systems containing Client Data are used only by approved, authenticated users.

Measures:

• Access to SourceWhale systems is granted only to SourceWhale Personnel.
• Access is administered under a strict least-privilege model.
• All Personnel access SourceWhale systems with a unique identifier.
• SourceWhale’s password policy prohibits the sharing of passwords. All passwords must fulfil defined minimum complexity requirements and are stored in an encrypted form.
• Personnel passwords have a maximum lifetime of 30 days.
• API access keys for SourceWhale’s cloud service provider have a maximum lifetime of 30 days.
• Multi-factor authentication is required for access to all SourceWhale systems.
• Multi-factor authentication keys have a maximum lifetime of 4 hours.
• All third-party API keys are stored in an encrypted credential manager
• SourceWhale has a comprehensive process to deactivate users and their access when Personnel leave the company or a function.
• All access or attempted access to systems is logged and monitored.
• No databases constituting the SourceWhale Platform are accessible from the public internet.

Data Access

Objective: To ensure Personnel entitled to use systems gain access only to the Client Data that they are authorized to access.

Measures:

• SourceWhale Personnel do not access Client Data and where access is required to operate the service or assist in a Client issue, the request for access must be formally justified/tracked and approved by the Client.
• SourceWhale restricts Personnel access to Client Data on a “need-to-know” basis based on this justification.
• Each such access and its subsequent operations are logged and monitored.
• Personnel training covers access rights to and general guidelines on definition and use of Client Data.
• Client authentication is performed using the Google and Microsoft identity platforms, following industry best practises regarding the Oauth2 standard.
• Client authentication cookies have a maximum lifetime of 2 weeks.
• The SourceWhale platform implements strict security headers and other measures to protect against cross-site scripting, cross-site request forgery, and clickjacking.

Data Transmission/Storage/Destruction

Objective: To ensure Client Data is not read, copied, altered or deleted by unauthorized parties during transfer/storage.

Measures:

• Client access to the SourceWhale Platform portals are protected by the most current version of Transport Layer Security (TLS).
• SourceWhale uses industry-standard encryption for all Client Data, both in transit and in rest.
• Upon a Client’s request, their Client Data will be promptly deleted.
• With each deletion request, the Client Data is logically deleted in the first storage copy and then completely deleted across the other copies. This is done in order to prevent accidental deletions or possible intentional damage.
• The SourceWhale systems have been designed to allow for easy compliance with GDPR deletion requests.
• SourceWhale relies upon Amazon Cloud controls for the destruction of media. An outline of these controls can be found at https://aws.amazon.com/compliance/data-center/controls

Confidentiality And Integrity

Objective: To ensure Client Data remains confidential throughout processing and remains intact, complete and current during processing activities.

Measures:

• SourceWhale has a formal background check process and carries out background checks on all new Personnel.
• SourceWhale trains its engineering Personnel in application security practices and secure coding practices.
• SourceWhale has a central, secured repository of product source code, which is accessible only to authorized Personnel.
• Access to SourceWhale’s source code repository is further restricted to a limited number of IP addresses.
• All computers storing local copies of the codebase have encrypted hard drives and are protected with biometric authentication.
• SourceWhale has a formal application security program and employs a robust Secure Development Lifecycle (SDL).
• Security testing includes code review, penetration testing, and employing continuous monitoring with static code analysis tools to identify flaws.
• All changes to software on the SourceWhale Platform are via a controlled, approved release mechanism within a formal change control program.
• All encryption and other cryptographic functionality used within the SourceWhale Platform uses industry standard-encryption.
• Where appropriate, Client-generated data is sanitised before storage.
• All client cookies and sensitive personal information are scrubbed before logging.
• The content of emails or calendar events retrieved through the Gmail or Outlook APIs is never stored on SourceWhale systems (a fresh API call is performed every time a client requests this data).

Availability

Objective: To ensure Client Data is protected from accidental destruction or loss, and there is timely access, restoration or availability to Client Data in the event of a service incident.

Measures:

All resources underlying the SourceWhale Platform belong to Amazon Web Service’s EU-West-1 region.

• Cloud resources are deployed across multiple availability zones.
• Rate-limiting and DoS protection are enabled across all endpoints on the SourceWhale Platform.
• Full logging and monitoring are implemented across the SourceWhale platform, to ensure rapid event notification and traceability.
• Rolling backups of all non-temporary data are implemented, to ensure data endurance.

Data Separation

Objective: To ensure each Client’s Data is processed separately.

Measures:

SourceWhale uses logical separation within its multi-tenant architecture to enforce data segregation between Clients.

In each step of the processing, Client Data received from different Clients is assigned a unique identifier so data is always physically or logically separated.

• Clients only have access to their own Client Data through the use of industry-standard encryption.

Incident Management

Objective: In the event of any security breach of Client Data, the effect of the breach is minimized and the Client is promptly informed.

• Measures:
• SourceWhale maintains an up-to-date incident response plan that includes responsibilities, how information security events are assessed and classified as incidents and response plans and procedures.
• In the event of a security breach, SourceWhale will notify Clients without undue delay after becoming aware of the security breach.

Audit

Objective: To ensure SourceWhale regularly tests, assesses and evaluates the effectiveness of the technical and organizational measures outlined above.

Measures:

• SourceWhale conducts regular internal and external audits of its security practices.
• SourceWhale ensures that Personnel are aware of and comply with the technical and organizational measures set forth in this document.
• SourceWhale conducts at least annual penetration tests of the SourceWhale Platform using external security experts.
• Clients can request copies of these test results.