Data Processing Agreement
1. Parties & Scope
This Data Processing Agreement (“DPA”) is between RefChecker Ltd (“RefChecker”, “we”, “us”, or “our”) and you (“Customer”, “you”, or “your”), together referred to as the “Parties.”
It supplements the Terms & Conditions and applies to RefChecker’s processing of Personal Data under that agreement, particularly where data protection laws such as the EU GDPR, UK GDPR, or the New Zealand Privacy Act 2020 apply.
2. Roles
- Account Setup Data: When you provide Personal Data to create an account, RefChecker acts as a Data Controller.
- Uploaded/Processed Data: When you input or upload Personal Data into the services for processing (for example, reference check data or add-ons), you are the Data Controller and RefChecker acts as a Data Processor.
3. Compliance & Legal Foundations
This DPA aligns with applicable data protection regulations and is designed to meet requirements for cross-border transfers using recognised legal mechanisms where necessary.
4. Processing Details
RefChecker will process your Personal Data only:
- In accordance with documented instructions from you.
- To provide reference checks, add-ons, and related services under the Terms & Conditions.
- With technical and organisational measures appropriate to the sensitivity of the data, including but not limited to encryption, access controls, and regular audits.
5. Subprocessors
RefChecker may engage Subprocessors to support the provision of the Service.
We will:
- Ensure all Subprocessors are bound by written agreements that provide data protection standards no less protective than those in this DPA.
- Provide you with notice of any intended changes concerning the addition or replacement of Subprocessors, giving you the opportunity to object.
6. Security & Data Breach
RefChecker will:
- Implement and maintain reasonable security protocols to safeguard Personal Data.
- Notify you without undue delay upon becoming aware of a Personal Data breach, including sufficient information to help you meet any obligations to report or inform individuals.
7. Data Subject Rights Assistance
RefChecker will assist you in responding to requests from data subjects exercising their rights under applicable laws, including rights of access, rectification, erasure, restriction, portability, and objection, insofar as this is technically possible and legally permitted.
8. Data Return or Deletion
Upon termination of the services:
- RefChecker will, at your choice, return all Personal Data or securely delete it, unless retention is required by law.
- Data will be deleted from our systems within a reasonable timeframe, typically no longer than 30 days after termination.
9. Audits & Compliance
You may, at your own expense, conduct an audit or inspection of RefChecker’s processing activities to verify compliance with this DPA, with reasonable prior notice and during normal business hours.
10. Liability & Indemnification
Each Party will be responsible for any damages or losses caused by its own breach of this DPA or applicable data protection laws. Liability is subject to any limitations set out in the main Terms & Conditions.
11. International Data Transfers
Where Personal Data is transferred outside applicable jurisdictions, RefChecker will ensure such transfers are conducted in compliance with applicable law, using approved transfer mechanisms where required.
12. Term & Termination
This DPA remains in effect for the duration of the Terms & Conditions and for as long as RefChecker processes your Personal Data. Provisions relating to confidentiality, liability, and data return or deletion will survive termination.
13. Governing Law
This DPA is governed by the laws specified in the Terms & Conditions, and any disputes will be resolved in the same forum.
14. Integration
This DPA forms part of your agreement with RefChecker. In the event of a conflict between this DPA and the Terms & Conditions, the terms of this DPA will prevail with respect to the processing of Personal Data.