DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) forms part of the Customer’s master customer agreement or license agreement between Symplicity and Customer for the purchase of services for provision of licensed technology/software from Symplicity (hereinafter defined as “Services”) (the “Agreement”) to reflect the parties’ agreement with regard to the Processing of Personal Data.
By signing the Agreement, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws and Regulations, in the name and on behalf of its Authorized Affiliates, if and to the extent Symplicity processes Personal Data for which such Authorized Affiliates qualify as the Controller. For the purposes of this DPA only, and except where indicated otherwise, the term "Customer" shall include Customer and Authorized Affiliates. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
In the course of providing the Services to Customer pursuant to the Agreement, Symplicity may Process Personal Data on behalf of Customer and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
DATA PROCESSING TERMS
1. DEFINITIONS
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, including for Symplicity, CareerHub Pty Ltd.
“Authorized Affiliate” means any of Customer's Affiliate(s) which (a) is subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (b) is permitted to use the Services pursuant to the Agreement between Customer and Symplicity, but has not signed its own Order Form with Symplicity and is not a "Customer" as defined under the Agreement.
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“Customer Data” means the electronic information that Customer or its end-users covered by the Data Protection Laws and Regulations input or upload into the Licensed Technology/Software within the scope of the applicable license or services agreement between Customer and Symplicity.
“Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, applicable to the Processing of Personal Data under the Agreement.
“Data Subject” means the identified or identifiable person to whom Personal Data relates.
“EU Personal Data” means the Processing of Personal Data to which the Data Protection Laws and Regulations of the European Union or European Economic Area and/or any such member state were applicable prior to its Processing by Symplicity.
“GDPR” means, in each case to the extent applicable to the Processing: (i) Regulation (EU) 2016/679 (“EU GDPR”); and (ii) EU GDPR as amended and applicable as part of United Kingdom domestic law (“UK GDPR”).
“Personal Data” means any information relating to (i) an identified or identifiable natural person covered by the Data Protection Laws and Regulations and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws and Regulations), where for each (i) or (ii), such data is Customer Data.
“Protected Area” means: (i) in the case of EU Personal Data, the member states of the EU and the EEA and any country, territory, sector or international organisation in respect of which an adequacy decision is in force; (ii) in the case of UK Personal Data, the UK and any country, territory, sector or international organisation in respect of which adequacy regulations are in force; and (iii) in the case of Swiss Personal Data, any country, territory, sector or international organisation which is recognised as adequate under the laws of Switzerland.
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means the entity which Processes Personal Data on behalf of the Controller.
“Security, Privacy and Architecture Documentation” means the Symplicity Information Security Policy applicable to the specific Services purchased by Customer, as updated from time to time.
“Standard Contractual Clauses” means:
- in respect of EU Personal Data, the standard contractual clauses adopted by the European Commission under Commission Implementing Decision (EU) 2021/914, including the text from module two of such clauses and not including any clauses marked as optional (“EU SCCs”);
- in respect of Swiss Personal Data, the EU SCCs, provided that any references in the clauses to the EU GDPR shall refer to the Swiss Federal Act on Data Protection (“FADP”); the term ‘member state’ must not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence in accordance with clause 18(c) of the clauses; and the clauses shall also protect the data of legal persons until the entry into force of the revised FADP;
- in respect of UK Personal Data, the International Data Transfer Addendum to the EU SCCs, issued by the Information Commissioner and laid before Parliament in accordance with s.119A of the Data Protection Act 2018 on 2 February 2022 but, as permitted by clause 17 of such Addendum, the parties agree to change the format of the information set out in Part 1 of the Addendum so that:
- the details of the parties in table 1 shall be as set out in Schedule 2 (with no requirement for signature);
- for the purposes of table 2, the Addendum shall be appended to the EU SCCs (including the selection of modules and disapplication of optional clauses as noted above) and clause 7 of this DPA selects the option and timescales for clause 9; and
- the appendix information listed in table 3 is set out in Schedule 2.
“Swiss Personal Data” means the Processing of Personal Data to which the FADP was applicable prior to its Processing by Symplicity.
“Symplicity” means Symplicity Corporation, a company incorporated in Delaware or such other Symplicity entity which may be made a party to this DPA from time to time by amendment executed by the parties.
“Symplicity Group” means Symplicity and its Affiliates engaged in the Processing of Personal Data.
“Sub-processor” means any Processor engaged by Symplicity or a member of the Symplicity Group.
“Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the EU GDPR; in the case of the UK, the Information Commissioner’s Office; and in the case of Switzerland, the Federal Data Protection and Information Commissioner.
“UK Personal Data” means the Processing of Personal Data to which the Data Protection Laws and Regulations of the UK were applicable prior to its Processing by Symplicity.
2. PROCESSING OF PERSONAL DATA
- Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller, Symplicity is the Processor and that Symplicity or members of the Symplicity Group will engage Sub-processors pursuant to the requirements set forth in Section 4 “Sub-processors” below.
- Customer’s Processing of Personal Data. Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.
- Symplicity’s Processing of Personal Data. Symplicity shall treat Personal Data as Confidential Information and shall only Process Personal Data on behalf of and in accordance with Customer’s documented instructions including with regard to data transfers for the following purposes: (i) Processing in accordance with the Agreement and applicable Order Form(s); (ii) Processing initiated by Users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement. Notwithstanding the foregoing, Symplicity may Process Personal Data as required under applicable laws and shall notify Customer of such requirement first unless such laws prohibit this.
- Details of the Processing. The subject-matter of Processing of Personal Data by Symplicity is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 1 (Details of the Processing) to this DPA.
3. RIGHTS OF DATA SUBJECTS
- Data Subject Request. Symplicity shall, to the extent legally permitted, promptly notify Customer if Symplicity receives a request from a Data Subject to exercise the Data Subject's right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”). Taking into account the nature of the Processing, Symplicity shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Symplicity shall upon Customer’s request provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Symplicity is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws and Regulations. To the extent legally permitted, Customer shall be responsible for any costs arising from Symplicity’s provision of such assistance.
4. SUB-PROCESSORS
- Appointment of Sub-processors. Customer acknowledges and agrees that (a) Symplicity’s Affiliates may be retained as Sub-processors; and (b) Symplicity and Symplicity’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services. Symplicity or a Symplicity Affiliate has entered into a written agreement with each Sub-processor containing data protection obligations materially as protective as those in this Agreement with respect to the protection of Customer Data to the extent applicable to the nature of the Services provided by such Sub-processor. Customer authorises Symplicity and Symplicity’s Affiliates to make international transfers of the Personal Data in accordance with this DPA provided that Data Protection Laws and Regulations are complied with.
- List of Current Sub-processors and Notification of New Sub-processors. Symplicity shall make available to Customer the current list of Sub-processors for the Services which shall include the identities of those Sub-processors and their country of location (“Sub-processor Lists”). Customer may provide Symplicity with email addresses to subscribe to notifications of new Sub-processors for each applicable Service, and if Customer subscribes, Symplicity shall provide notification of a new Sub-processor(s) before authorizing any new Sub-processor(s) to Process Personal Data in connection with the provision of the applicable Services.
- Objection Right for New Sub-processors. Customer may object to Symplicity’s use of a new Sub-processor by notifying Symplicity promptly in writing within ten (10) business days after receipt of Symplicity’s notice in accordance with the mechanism set out in Section 4.2. In the event Customer objects to a new Sub-processor, as permitted in the preceding sentence, Symplicity will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Customer. If Symplicity is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may terminate the applicable Order Form(s) with respect only to those Services which cannot be provided by Symplicity without the use of the objected-to new Sub-processor by providing written notice to Symplicity. Symplicity will refund Customer any prepaid fees covering the remainder of the term of such Order Form(s) following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Customer.
- Symplicity shall be liable for the acts and omissions of its Sub-processors to the same extent Symplicity would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
5. SECURITY, CUSTOMER DATA INCIDENT MANAGEMENT AND NOTIFICATION
- Controls for the Protection of Customer Data. Symplicity shall maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Data), confidentiality and integrity of Customer Data, as set forth in the Security, Privacy and Architecture Documentation. Symplicity shall ensure that its personnel authorised to Process the Personal Data are subject to a duty of confidentiality in respect of such Personal Data.
- Incident Management and Notification. Symplicity maintains security incident management policies and procedures specified in the Security, Privacy and Architecture Documentation and shall notify Customer without undue delay after determination that there has been the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Personal Data, transmitted, stored or otherwise Processed by Symplicity or its Sub-processors of which Symplicity becomes aware (a “Customer Data Incident”). Symplicity shall make reasonable efforts to identify the cause of such Customer Data Incident and take those steps as Symplicity deems necessary and reasonable in order to remediate the cause of such a Customer Data Incident to the extent the remediation is within Symplicity’s reasonable control. The obligations herein shall not apply to incidents that are caused by Customer or Customer’s Users.
6. RETURN AND DELETION OF CUSTOMER DATA
Customer may utilize the tools available within the product to retrieve Customer Data and, upon request to Symplicity, request additional services related to data extraction. To the extent allowed by applicable law, Symplicity may delete Customer Data following the expiry of ordered software services in accordance with the procedures and timeframes observed in Symplicity’s operating protocols.
7. MISCELLANEOUS
- Contractual Relationship. The parties acknowledge and agree that, by executing the Agreement, the Customer enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate DPA between Symplicity and each such Authorized Affiliate subject to the provisions of the Agreement and this Section 7 and Section 8. Each Authorized Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For the avoidance of doubt, an Authorized Affiliate is not and does not become a party to the Agreement and is only a party to the DPA. All access to and use of the Services and Content by Authorized Affiliates must comply with the terms and conditions of the Agreement and any violation of the terms and conditions of the Agreement by an Authorized Affiliate shall be deemed a violation by Customer.
- The Customer that is the contracting party to the Agreement shall remain responsible for coordinating all communication with Symplicity under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.
- Rights of Authorized Affiliates. Where an Authorized Affiliate becomes a party to the DPA with Symplicity, it shall to the extent required under applicable Data Protection Laws and Regulations be entitled to exercise the rights and seek remedies under this DPA, subject to the following. Except where applicable Data Protection Laws and Regulations require the Authorized Affiliate to exercise a right or seek any remedy under this DPA against Symplicity directly by itself, the parties agree that (i) solely the Customer that is the contracting party to the Agreement shall exercise any such right or seek any such remedy on behalf of the Authorized Affiliate, and (ii) the Customer that is the contracting party to the Agreement shall exercise any such rights under this DPA not separately for each Authorized Affiliate individually but in a combined manner for all of its Authorized Affiliates together.
- Limitation of Liability. Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Authorized Affiliates and Symplicity, whether in contract, tort or under any other theory of liability, is subject to the limitation of liability section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together. For the avoidance of doubt, Symplicity's and its Affiliates’ total liability for all claims from the Customer and all of its Authorized Affiliates arising out of or related to the Agreement and each DPA shall apply in the aggregate for all claims under both the Agreement and all DPAs established under this Agreement, including by Customer and all Authorized Affiliates, and, in particular, shall not be understood to apply individually and severally to Customer and/or to any Authorized Affiliate that is a contractual party to any such DPA.
8. EUROPEAN SPECIFIC PROVISIONS
- Data Protection Impact Assessment. Upon Customer’s request, Symplicity shall provide Customer with reasonable cooperation and assistance needed to fulfil Customer’s obligation under the EU GDPR and/or UK GDPR in respect of its security obligations and to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Symplicity.
- Transfer Mechanism. In respect of EU Personal Data, Swiss Personal Data and UK Personal Data, the Standard Contractual Clauses are incorporated by reference. For the purposes of such Standard Contractual Clauses:
- Under Clause 9, the parties select Option B. The initial list of Sub-processors is as set out in the Sub-processor Lists, and Symplicity shall update that list at least [15] days in advance of any intended additions or replacements.
- Under Clause 17, the parties choose Ireland.
- Under Clause 18, the parties select Ireland.
- The Annexes to the Standard Contractual Clauses shall be as set out in Schedule 2.
- The parties’ signature and dating of this DPA shall be deemed signature and dating of the Standard Contractual Clauses.
- In the event of any conflict or inconsistency between the body of this DPA and any of its Schedules (not including the Standard Contractual Clauses) and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail. Undefined terms in the appendices to the Standard Contractual Clauses have the meaning set forth in the DPA.
- Audit. Symplicity will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits including inspections, conducted by Customer or another auditor mandated by Customer, provided that such audit shall be conducted in accordance with the reasonable requirements of Symplicity regarding notice, timing, access and the protection of commercially confidential information. If Customer's request for information or access relates to a Sub-processor, or information held by a Sub-processor which Symplicity cannot provide to Customer itself, Symplicity will promptly submit a request for additional information in writing to the relevant Sub-processor. Customer acknowledges that access to the Sub-processor's premises or to information about the Sub-processor’s previous independent audit reports is subject to agreement from the relevant Sub-processor, and that Symplicity cannot guarantee access to that Sub-processor’s premises or information at any particular time, or at all.
9. COMPLIANCE WITH APPLICABLE LAWS
9.1 Each party agrees that it will comply with the country specific provisions set out in Schedule 3 to this DPA whenever and to the extent that the Data Protection Laws and Regulations of a country listed in Schedule 3 are applicable to it, either because it is itself subject to such Data Protection Laws and Regulations or because it is processing Personal Data on behalf of a party to whom such Data Protection Laws and Regulations apply.
List of Schedules
Schedule 1: Details of the Processing
Schedule 2: Annexes to the Standard Contractual Clauses
Schedule 3: Country specific terms
SCHEDULE 1
DETAILS OF THE PROCESSING
Nature and Purpose of Processing
Symplicity will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further specified in the Documentation, and as further instructed by Customer in its use of the Services.
Duration of Processing
Subject to Section 6 of the DPA, Symplicity will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
Categories of Data Subjects
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
- Students, alumni and staff of Customer (who are natural persons)
- Employees or contact persons of employers seeking to recruit students and alumni of Customer
- Employees, agents, advisors, freelancers of Customer (who are natural persons)
- Customer’s Users authorized by Customer to use the Services
Type of Personal Data
Customer and Customer’s users may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
- First and last name
- Contact information (email, phone number, address)
- ID data
- Academic and other student data
- Professional life data
- Personal life data
SCHEDULE 2
ANNEXES TO THE STANDARD CONTRACTUAL CLAUSES
ANNEX I
A: LIST OF PARTIES
Data exporter(s): The Customer, whose details are as identified in the Agreement. The Customer’s activity as relevant to the data transferred is the use of the Services, and the Customer is the Controller.
Data importers:
Names: Symplicity Corporation and Affiliates
Address: 4040 Wilson Blvd. Suite 300 Arlington, VA, USA 22203
Contact person’s name, position and contact details: Andrew Wippl, Data Protection Officer, awippl@symplicity.com
Role (controller/processor): processor
The importers’ activity as relevant to the data transferred is the provision of the Services to the Customer.
B: DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: As set out in Schedule 1 above.
Categories of personal data transferred: As set out in Schedule 1 above.
Sensitive data transferred (if applicable): N/A
Frequency of transfer (e.g. whether on a one-off or continuous basis): Continuous
Nature of the processing/ processing operations: As set out in Schedule 1 above.
Purpose(s) of the data transfer and further processing: The Processing as set out in clause 2 of the DPA.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: As set out in Schedule 1 above.
For transfers to (sub-) processors, the subject matter, nature and duration of the processing: As set out in Schedule above.
C: Competent supervisory authority: The parties shall follow the rules for identifying such authority under Clause 13 of the Standard Contractual Clauses.
Annex II: technical and organisational measures: As set out in the Security, Privacy and Architecture Documentation.
SCHEDULE 3
COUNTRY SPECIFIC TERMS
AUSTRALIA
- Definitions
Capitalised terms in this Schedule 3 have the meaning given to them in the DPA except as amended or defined below:
- "APPs" means the Australian Privacy Principles set out in Schedule 1 of the Privacy Act.
- “Privacy Act” means the Privacy Act 1988 (Cth).
- Terms defined in the DPA have the meaning given in the GDPR, whether or not the GDPR is applicable to the Customer or to the Agreement, subject to the following modifications:
- "data breach" includes "eligible data breach" as defined in the Privacy Act;
- "Data Subject" includes an "individual" as defined in the Privacy Act;
- "Personal Data" includes "personal information" as defined in the Privacy Act; and
- "Process" includes “collect”, "disclose", "hold" and "use" as defined in the Privacy Act.
- AUSTRALIA SPECIFIC TERMS
- The Customer warrants that it has obtained from all Data Subjects the necessary consents and rights required to disclose the Personal Data to Symplicity in order for Symplicity to use that Personal Data in accordance with the Agreement, and has provided Data Subjects with any requisite notifications, as required under applicable Data Protection Laws and Regulations.
- Nothing in this DPA excludes, restricts, or modifies any obligations that a party has under the Privacy Act.
- Each party must:
- in a timely manner, provide all reasonable assistance required by the other party to allow that other party to comply with its regulatory obligations under the Privacy Act (if any), particularly in relation to a data breach; and
- cooperate in good faith with the other party in relation to the content of, and who will issue, any notices required to be issued under the Privacy Act in relation to a data breach.