1
This Employer Data Processing Addendum (DPA) applies between Scalis LLC (Scalis) and you, if you are an Employer as defined in our Terms of Service. Only in those circumstances, this DPA is incorporated into our Terms of Service and forms part of our Agreement.
2
This DPA solely applies to Employer Personal Data, meaning Personal Data an Employer provides through the Platform or its use of the Platform ATS. In those limited situations, Scalis acts as a processor of Employer Personal Data on your behalf (as controller) and this DPA governs how you and Scalis will process Employer Personal Data.
3
This DPA does not apply to Personal Data originating with Scalis or any Scalis Job Seekers, whether received through an Employer's use of the Platform ATS or otherwise.

EMPLOYER DATA PROCESSING ADDENDUM

This Employer Data Processing Addendum (DPA) forms part of the Terms of Service between Scalis, Inc. (Scalis) and you (as an Employer) that incorporates this DPA by reference (the Agreement). This DPA governs the processing of Employer Personal Data by Scalis in providing its job-matching platform (the Platform) pursuant to the Agreement. You (below, you or Employer) and Scalis are referred to collectively as the Parties, and individually each as a Party.

1
Definitions

1.1
Applicable Data Protection Law means applicable law governing the use, access to, deletion of, or processing of Personal Data under this DPA, including, but not limited to, U.S. Data Protection Laws and the European Data Protection Laws, together with any national or subordinate legislation and regulations implementing, in each case as amended, repealed, consolidated, or replaced from time to time.
1.2
Controller to Processor SCCs means Module Two (transfer controller to processor) of the European Commission Implementing Decision (EU) 2021/914, as updated or replaced from time to time.
1.3
Data Privacy Framework means the EU-US Data Privacy Framework, the Swiss-US Data Privacy Framework, and the UK Extension to the EU-US Data Privacy Framework self-certification programs (as applicable) operated by the U.S. Department of Commerce, as may be amended, superseded, or replaced from time to time.
1.4
Framework Principles means the Principles and Supplemental Principles contained in the relevant Data Privacy Framework, as may be amended, superseded, or replaced from time to time.
1.5
Employer Personal Data means Personal Data provided by Employer to Scalis through the Platform (including through Employer's use of the Platform ATS). For clarity, “Employer Personal Data” does not include any other Personal Data originating in the Platform or, as between the Parties, any Personal Data originating with Scalis.
1.6
European Data means Employer Personal Data that is subject to the protection of European Data Protection Laws.
1.7
European Data Protection Laws mean (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (GDPR); (ii) in respect of the United Kingdom, the Data Protection Act 2018 and the EU GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (UK GDPR); and (iii) the Swiss Federal Data Protection Act and its implementing regulations (FADP); in each case as may be amended, superseded or replaced from time to time.
1.8
Personal Data means personal data or personal information (as defined under the Applicable Data Protection Law) that is subject to the Applicable Data Protection Law and that you authorize Scalis to collect and process on your behalf in connection with Scalis's provision of the Platform under the Agreement.
1.9
commercial purpose, controller, processor, data subject, processing (and process), service provider, and supervisory authority each have the meaning given to them in Applicable Data Protection Law, as appropriate.
1.10
Security Incident means a confirmed breach of security of the Platform or Scalis's systems used to process Personal Data leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed by Scalis. Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful login attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
1.11
Sensitive Information means any Personal Data (i) revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; (ii) that is genetic data, biometric data processed for the purposes of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation; (iii) relating to criminal convictions and offenses; and (iv) any other form of Personal Data that is afforded enhanced protection under the Applicable Data Protection Law.
1.12
U.S. Data Protection Laws mean all state laws in effect in the United States of America that are applicable to the processing of Employer Personal Data under this DPA, such as the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act.

2.
Representations and Warranties

2.1.
Each Party represents and warrants that:

(a)
it will comply with the requirements of Applicable Data Protection Law as applicable to such Party with respect to the processing of the Employer Personal Data;
(b)
it has no reason to believe that the Data Protection Law prevents it from providing or receiving any services under the Agreement; and
(c)
it has the corporate power and capacity to perform its obligations under this DPA.

2.2.
You represent and warrant to Scalis that:

(a)
you shall comply with and provide all of your obligations under this DPA in accordance with best industry practice;
(b)
you have no reason to believe that Applicable Data Protection Law prevents you from entering into this DPA or fulfilling any of your obligations under this Agreement;
(c)
you have all necessary authorizations to enable or entitle you to enter into this DPA, including but not limited to instructions, notices, licenses and consents, and that these have been obtained and are in full force and effect and will remain in such force and effect at all times during the subsistence of this DPA;
(d)
you shall only provide processing instructions that are lawful and you shall have sole responsibility for the accuracy, quality, and legality of Employer Personal Data and the means by which it was acquired;
(e)
neither the execution and delivery of this DPA nor your performance of any of your obligations hereunder violates any law to which you are subject or any agreement or instrument which is binding on you or your assets; and
(f)
prior to transmitting Employer Personal Data to Scalis, you shall inform Scalis of any requirements pertaining to the transmitted Employer Personal Data.

2.3.
Scalis represents and warrants to you that:

(a)
it will process the Employer Personal Data (as set out in Appendix A) only in accordance with your documented processing instructions which may be given from time to time (including as set forth in the Agreement and this DPA), save as otherwise required by law. The Parties agree that the Agreement and this DPA, along with the Client’s configuration of or any use of any settings, features, or options in the services (as the Client may be able to modify from time to time) constitute the Client’s complete and final instructions to Scalis in relation to the processing of Employer Personal Data (including for the purposes of the SCCs), and processing outside the scope of these instructions (if any) shall require prior written agreement between the Parties. For the avoidance of doubt, the Client acknowledges and agrees that the documented instructions include the processing of Employer Personal Data for the purposes of providing, supporting, and improving Scalis services (including to provide insights and other reporting).
(b)
it will promptly notify you if Scalis determines that your processing instruction violates any Applicable Data Protection Law (provided that nothing herein shall require Scalis to provide legal or regulatory advice or monitor Applicable Data Protection Law as they apply to you).

3.
Processing Requirements

3.1.
Roles. Scalis will process Personal Data in its capacity as processor (i) for the purpose of providing and supporting the Platform in accordance with the Agreement, this DPA, and any other documented lawful instructions from you (whether in written or electronic form); (ii) to develop, enhance, and improve the Platform as provided by the Agreement; and (iii) as otherwise required by applicable law. You acknowledge that Scalis is an independent controller when carrying out any activities not related solely to Scalis's processing of Employer Personal Data provided by you to the Platform (such as Scalis's management of its Platform in general, including Job Seeker Accounts, other Employer Accounts and their respective use of the Platform's services).

3.2.
Independent Judgment. You are responsible for independently determining whether the data security provided for in the Platform adequately meets your obligations under Applicable Data Protection Law. You acknowledge and agree that you are solely responsible for (i) certain configurations and design decisions for the Platform and (ii) for implementing those configurations and design decisions in a secure manner that complies with Applicable Data Protection Law. Without limiting the foregoing, you represent, warrant, and covenant that you shall only transfer Personal Data to Scalis using secure, reasonable, and appropriate mechanisms.

3.3.
Accuracy and Legality. You are solely responsible for (i) the accuracy, quality, and legality of Personal Data and the means by which you acquired Personal Data; (ii) complying with all necessary transparency and lawfulness requirements under Applicable Data Protection Law for the collection and use of Personal Data, including obtaining any necessary consents and authorizations; (iii) ensuring you have the right to transfer, or provide access to, Personal Data to Scalis for processing in accordance with the terms of the Agreement (including this DPA); and (iv) ensuring that your instructions to Scalis regarding the processing of Personal Data comply with applicable laws, including Applicable Data Protection Law.

3.4.
Instructions Notice. In case Scalis cannot process Personal Data in accordance with your instructions due to a legal requirement under any applicable law to which Scalis is subject, Scalis shall (a) promptly notify you in writing (including by e-mail) of such legal requirement before carrying out the relevant processing, to the extent permitted by the applicable law, and (b) cease all processing (other than merely storing and maintaining the security of the affected Personal Data) until you provide Scalis with new instructions.

4.
Disclosure and Processing of Employer Personal Data

4.1.
Necessary Data Only; Deidentified Data. When providing or making available Employer Personal Data to Scalis, you shall only disclose or transmit Employer Personal Data that is necessary for Scalis to perform the applicable services under the Agreement. You expressly acknowledge and agree that, in the course of providing the services, Scalis may anonymize, aggregate, and/or otherwise de-identify Employer Personal Data (De-Identified Data) and subsequently use and/or disclose such De-Identified Data for the purpose of research, benchmarking, improving Scalis's offerings generally, or for another business purpose authorized by Applicable Data Protection Law provided that Scalis has implemented technical safeguards and business processes designed to prevent the re-identification or inadvertent release of the De-Identified Data.
4.2.
Notwithstanding anything to the contrary in the Agreement, Scalis shall not (a) retain, use, or disclose Personal Data other than as provided for in the Agreement or as needed to perform the Platform; (b) “sell” or “share” (as defined by CCPA) Employer Personal Data; or (c) process Personal Data except as necessary for the business purposes specified in the Agreement or this DPA.
4.3.
Security. Scalis shall implement and maintain throughout the term of this DPA reasonable and appropriate technical and organizational measures designed to protect Personal Data against unauthorized or accidental access, loss, alteration, disclosure, or destruction, including with respect to personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, incident response, and encryption. Scalis will also provide reasonable assistance to you with conducting any legally required data protection impact assessments with respect to the processing of Personal Data by Scalis (including, where necessary, subsequent consultation with a supervisory authority with jurisdiction over such processing), if so required by the Applicable Data Protection Law, taking into account the nature of processing and the information available to Scalis.
4.4.
Security Incident. If Scalis becomes aware of a Security Incident, Scalis will (a) notify you without undue delay, and not later than 48 hours after Scalis discovers the Security Incident, and (b) make reasonable efforts to identify the cause of the Security Incident, mitigate the effects, and remediate the cause to the extent within Scalis's reasonable control. Upon your request and taking into account the nature of the applicable processing, Scalis will assist by providing, when available, information reasonably necessary for you to meet your Security Incident notification obligations under Data Protection Laws. You acknowledge that Scalis providing notification of a Security Incident is not an acknowledgment of fault or liability.
4.5.
Confidentiality. Scalis will ensure that its personnel authorized to process Personal Data are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4.6.
Data Subject Requests. To the extent required under Applicable Data Protection Law and taking into account the nature of the services provided, Scalis shall:
(a)
provide such assistance to you as is reasonably requested with respect to your obligations to comply with requests from your data subjects to exercise their rights under Applicable Data Protection Law. Scalis shall notify you without delay upon receipt of any request by a data subject to exercise his or her rights under Applicable Data Protection Law in respect of any Employer Personal Data. Scalis will not independently respond to such requests from your data subjects except where otherwise required by Applicable Data Protection Law. You undertake to inform Scalis (as the processor / service provider) of any data subject (or consumer) request received and shall provide Scalis with the necessary information to allow Scalis to comply with the request when required to do so; and
(b)
notify you of all enquiries or communications from a competent supervisory authority that Scalis receives which relate to Employer Personal Data processed in connection with providing the services and under this DPA and the Agreement unless prohibited from doing so at law or by a regulator. You shall be responsible for all communications or correspondence with the competent supervisory authority in relation to your role as Controller of Employer Personal Data under Applicable Data Protection Law and, to the extent permitted by law.
4.7.
Privacy Impact Assessments and Prior Consultation
(a)
Upon reasonable notice and appropriate confidentiality agreements, and taking into account the nature of the applicable processing, Scalis will assist you in fulfilling your obligations under applicable Data Protection Laws to carry out a data protection impact or similar risk assessment related to your use of the Platform, including, if required by Data Protection Laws, by assisting you in consultations with relevant government authorities.
(b)
If a law enforcement agency sends Scalis a demand for Personal Data (e.g., a subpoena or court order), Scalis will attempt to redirect the law enforcement agency to request that data directly from you. As part of this effort, Scalis may provide your contact information to the law enforcement agency. If compelled to disclose Personal Data to a law enforcement agency, then Scalis will give you reasonable notice of the demand to allow you to seek a protective order or other appropriate remedy, to the extent Scalis is legally permitted to do so.
(c)
Following expiration or termination of the provision of services under the Agreement and relating to the processing of Employer Personal Data, Scalis shall promptly and securely delete all Employer Personal Data (including existing copies) pursuant to its data retention schedule and as required by applicable laws. Notwithstanding the data retention schedule, upon your written request following the termination of services, Scalis shall destroy all Employer Personal Data in our possession, unless otherwise required or permitted by applicable laws.

5.
International Processing

5.1.
Right to Process. In connection with the performance of the Agreement, you authorize Scalis to transfer Personal Data internationally, and in particular, that Personal Data may be transferred to and processed by Scalis in the United States and other jurisdictions where Scalis and its Subprocessors have operations. Whenever Personal Data is transferred outside its country of origin, each party will ensure such transfers are made in compliance with the requirements of Applicable Data Protection Laws.
5.2.
U.S. recipient. To the extent applicable to you, you acknowledge that in connection with the performance of the Platform, Scalis is a recipient of European Data in the United States.
5.3.
Supervisory Authority. The competent supervisory authority shall be as follows for these types of Employer Personal Data:
(a)
If GDPR applies, the competent supervisory authority is the Irish Data Protection Commission.
(b)
If UK GDPR applies, the competent supervisory authority is the Information Commissioner's Office (the ICO).
(c)
If FADP applies, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
5.4.
You understand and acknowledge that Scalis may at any time choose to become certified under the Data Privacy Framework. Upon such certification, Scalis may revise the terms of this DPA substantially in accordance with the Framework Principles and such modified version of this DPA will take effect upon notice to you, as consistent with the provisions of this DPA.

6.
Subprocessors. In using the Platform, you agree that:

6.1.
Scalis engages certain outside businesses to help process Personal Data on the Platform. You generally authorize the engagement of Subprocessors by Scalis and a list of existing Subprocessors may be made available upon request.
6.2.
Scalis will enter into a written agreement with each Subprocessor imposing data processing and protection obligations substantially the same as those set out in this DPA.
6.3.
Scalis may change Subprocessors from time to time. If you have requested a Subprocessor list and notice of updates, then in the event that Scalis seeks to add any Subprocessors, Scalis will provide notice of such additions to you (which may be via email, a posting, or notification on an online portal for our services, or other reasonable means).
6.4.
In the event that you do not wish to consent to the use of such additional Subprocessor, you may notify Scalis that you do not consent within fifteen days based on reasonable data protection concerns. In such case, the parties will discuss such concerns in good faith.
6.5.
If the parties are unable to reach a mutually agreeable resolution to your objection to a new Subprocessor, you, as your sole and exclusive remedy, may terminate the order for the affected Platform for convenience, and Scalis will refund any prepaid, unused fees for the terminated portion of the applicable subscription term for the affected Platform.

7.
Modification. Notwithstanding anything to the contrary in the Agreement, Scalis may periodically modify this DPA as required to comply with Applicable Data Protection Law.

Annex A

LIST OF PARTIES & DESCRIPTION OF TRANSFER (Annex 1(A-B))

Data importer: Scalis
Address: As listed above.
Contact person's name, position, and contact details: Roy Mathew, Chief Technical Officer (CTO), dataimporter@scalis.ai
Activities relevant to the data transferred under these Clauses: Provision of the Platform
Role (controller/processor): Processor

Data exporter(s): Employer (“you”)
Address: As detailed in the communications between us from time to time.
Contact person's name, position, and contact details: As detailed in the communications between us from time to time.
Activities relevant to the data transferred under these Clauses: Receipt of the Platform
Role (controller/processor): Controller or Processor

Categories of data subjects whose personal data is transferred
Data subjects: Employer's personnel, agents, and other individuals whom data exporter permits to use the Platform, as well as Personal Data relating to the data exporter's job seekers, candidates, applicants and other employment-related individuals provided by Employer through the Platform ATS.
Data exporter may submit Personal Data to the Platform, which may include, but is not limited to the following Personal Data: First and Last Name, Billing Address, Credit Card Information, IP Address, Access Token, User Identifiers, Password, Integration Configuration, Cookies
Sensitive data transferred: If provided by Employer: Demographic information; employment data; any other sensitive
Frequency of the transfer: Continuous basis
Nature of the processing: The performance of the Platform pursuant to the Agreement and any other contracts between the parties.
Purpose(s) of the data transfer and further processing: The performance of the Platform pursuant to the Agreement and any other contracts between the parties.
Retention period: For the duration of the Agreement, unless earlier removed by Employer or otherwise, such as pursuant to a data subject request.

Competent Supervisory Authority (Annex 1(C))

The Data Importer's competent supervisory authority will be determined in accordance with the DPA (Section 5).

Technical and Organizational Security Measures (Ex. B)

This Security Measures exhibit describes certain technical and organizational measures used by Scalis and the Platform to ensure the security of Employer Personal Data. In general, these Security Measures are designed to protect any Personal Data the Platform processes, but this Exhibit applies to Employer Personal Data specifically.
Overall, Scalis is committed to maintaining administrative, physical, and technical safeguards designed for protection of the security, confidentiality, and integrity of Personal Data uploaded to the Platform. This Exhibit specifies particular measures employed for that purpose. Capitalized terms used but not defined in this Exhibit have the meanings given to them in the DPA.
1.
Security Governance
(a)
Scalis maintains an information security program (including the adoption and enforcement of internal policies and procedures) designed to: (a) help our customers secure their data processed using the Platform against accidental or unlawful loss, access, or disclosure, (b) identify reasonably foreseeable and internal risks to security and unauthorized access to the Platform, and (c) minimize security risks, including through risk assessment and regular testing. Scalis's head of security coordinates and is primarily responsible for the company's information security program.
(b)
The team covers the following core functions:
(i)
Application security (secure development, security feature design).
(ii)
Infrastructure security (data centers, cloud security, and strong authentication)
(iii)
Monitoring and incident response (cloud native and custom)
(iv)
Vulnerability management (vulnerability scanning and resolution)
(v)
Compliance and technical privacy
2.
Access Control
(a)
Preventing Unauthorized Product Access
(i)
Third party data hosting and processing: We host our Platform with third party cloud infrastructure providers. Additionally, we maintain contractual relationships with vendors in order to provide the Platform in accordance with the DPA. We rely on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.
(ii)
Physical and environmental security: We host our product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls of such providers are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.
(iii)
Authentication: Customers who interact with the products via the user interface are required to authenticate before they are able to access their non-public data.
(iv)
Authorization: Employer Personal Data is stored in multi-tenant storage systems which are only accessible to Customers via application user interfaces and application programming interfaces. The Platform's authorization model is designed to ensure that only the appropriately assigned individuals can access relevant features, views and customization options. Authorization to data sets is performed through validating the user's permissions against the attributes selected by the Employer administrative account user(s).
(b)
Preventing Unauthorized Product Use. We implement industry-standard access controls and detection capabilities for the internal networks that support our products.
(i)
Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure.
(c)
Limitations of Privilege & Authorization Requirements
(i)
Product access: A subset of our personnel have access to ATS data and Employer Personal Data via controlled interfaces. The intent of providing access to a subset of personnel is to provide effective customer support, troubleshoot potential problems, detect and respond to security incidents, and implement data security.
(ii)
Personnel Security: Scalis personnel are required to conduct themselves in a manner consistent with the company's guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards.
(iii)
Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Scalis's confidentiality and security policies.
3.
Encryption Technologies
(a)
In-transit: We make HTTPS encryption (also referred to as SSL or TLS) available on all our login interfaces and for free on every customer site hosted on the Platform. Our HTTPS implementation uses industry-standard algorithms and certificates.
(b)
At-rest: We store user passwords following policies that follow industry standard practices for security.
4.
Input Controls
(a)
Detection: We designed our infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate personnel of malicious, unintended, or anomalous activities. Our personnel, including security, operations, and support personnel, are responsive to known incidents.
(b)
Response and tracking: We maintain a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, and/or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, we will take appropriate steps to minimize product and customer damage or unauthorized disclosure. Notifications will be in accordance with the terms of the Agreement.
5.
Data Deletion and Portability. Scalis enables customers to delete their account and delete or export their ATS and Account data in a manner consistent with the functionality of the Platform and as described in the DPA and the Agreement. Instructions and related details are provided within the applicable functionality within the Platform.
6.
Availability Controls. Our products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists our operations in maintaining and updating the product applications and backend while limiting downtime.
(a)
Redundancy: The infrastructure providers use designs to eliminate single points of failure and minimize the impact of anticipated environmental risks. The Platform is designed to allow Scalis to perform certain types of preventative and corrective maintenance without interruption.
(b)
Business Continuity: Scalis has designed and regularly plans and tests its business continuity planning/disaster recovery programs.