This Data Processing Addendum (“Addendum”) forms part of the agreement (the “Agreement”) between TestFit, Inc acting on its own behalf and as agent for each of its affiliates (collectively “Vendor”), and the undersigned customer (“Customer”) (each a “party” and collectively the “parties”), and reflects the parties’ agreement with regard to the processing of Personal Data in accordance with the requirements of the applicable Data Protection Legislation.
In the event of any conflict or inconsistency between this Addendum and the Agreement, this Addendum shall prevail.
1. DEFINITIONS AND INTERPRETATIONS
1.1 The terms used in this Addendum shall have the meanings set forth below. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement:
- “Controller”, “Personal Data”, “Personal Data Breach”, “Processing” (and variants of it, such as “processing” and “processed”, whether capitalized or not), “Processor”, and “Supervisory Authority” shall have the meanings given to them under the Data Protection Legislation;
- “Customer Personal Data” shall have the meaning given to it in Clause 3.1;
- “Data Protection Legislation” means all laws and regulations, including (without limitation) state, federal and national laws and regulations of the European Union (“EU”), the European Economic Area (“EEA”), their Member States and the United Kingdom, which are applicable to the processing of Personal Data under the Agreement, including (without limitation) the GDPR as amended, repealed or replaced from time to time;
- “GDPR” means either or both the General Data Protection Regulation (EU) 2016/679 (“EU GDPR”) and the EU GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”) as the context may require;
- "Restricted Transfer” means, as applicable:
- a transfer of Customer Personal Data from the Customer to the Vendor; or
- an onward transfer of Customer Personal Data from Vendor to a Subprocessor, or between two establishments of Vendor,
- in each case, where such transfer would be prohibited by Data Protection Legislation in the absence of an approved method of lawful transfer, including through (i) an adequacy decision by a Supervisory Authority; (ii) Standard Contractual Clauses; or (iii) by the terms of other recognized forms of data transfer agreements or other lawful processes approved by a Supervisory Authority;
- “Services” shall have the meaning set forth in the Agreement or, if the Agreement does not define “Services”, shall mean the services and other activities to be performed by Vendor as set forth in and pursuant to the Agreement;
- “Standard Contractual Clauses” means, as applicable:
- the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission in Decision (EU) 2021/914 as supplemented by Schedule 2 (“EU Standard Contractual Clauses”); and/or
- the UK International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses as approved by the UK Information Commissioner’s Office under section 119A(1) of the UK Data Protection Act 2018 as supplemented by Schedule 2 (“UK Addendum”); and
- “Subprocessor” means any person or entity appointed by or on behalf of Vendor (or the relevant intermediate Subprocessor) to process Personal Data as described in Clause 5.
1.2 This Addendum shall apply only to the extent Customer is established within the European Economic Area, the United Kingdom or Switzerland and/or Vendor processes Personal Data of Data Subjects located in the European Economic Area or the United Kingdom or Switzerland on behalf of Customer.
2. ROLES OF THE PARTIES
2.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. The parties acknowledge and agree that for the purposes of the Data Protection Legislation, Customer is the Controller and Vendor is the Processor of the Customer Personal Data.
2.2 Customer shall ensure that it has, and will continue to have, the right to provide the Customer Personal Data to Vendor for processing and shall ensure that all instructions issued to Vendor are lawful.
3. SCOPE OF PROCESSING
3.1 Vendor shall process Personal Data on behalf of Customer to perform its obligations under the Agreement for the term of the Agreement (“Customer Personal Data”) in accordance with this Addendum. For the avoidance of doubt, the Agreement and this Addendum constitute a documented instruction to process Customer Personal Data as necessary to perform the Services. A list of the categories of data subjects, types of Customer Personal Data and the processing activities are set out in Schedule 1.
3.2 Vendor shall process Customer Personal Data only on the documented instructions of Customer unless Vendor is required by applicable law to process such Customer Personal Data. Where Vendor is relying on applicable law as the basis for processing Customer Personal Data, Vendor shall notify Customer of this before performing the processing required by the applicable law, unless applicable law prohibits Vendor from so notifying Customer.
4. DATA PROCESSING OBLIGATIONS
4.1 Without prejudice to the generality of Clause 2.1, Vendor shall, in relation to any Customer Personal Data processed in connection with the performance by Vendor of its obligations under the Agreement:
- ensure that it has in place appropriate technical and organizational measures to protect against a Personal Data Breach and notify Customer without undue delay on becoming aware of a Personal Data Breach;
- ensure that all personnel who have access to and/or process Customer Personal Data are obliged to keep Customer Personal Data confidential;
- taking into account the nature of the processing and the information available to Vendor, provide reasonable assistance to Customer in responding to requests from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation, only to the extent that the relevant information or means are not otherwise at the Customer's disposal;
- at the written direction of Customer, delete or return Customer Personal Data and copies thereof to Customer on termination of the Agreement unless required by applicable law to store Customer Personal Data; and
- respond to reasonable requests from Customer for information to demonstrate its compliance with this Addendum. Should Customer provide well-founded indications that such information does not reasonably demonstrate compliance with this Addendum, or an audit is requested by a Supervisory Authority, Vendor shall allow Customer to audit, by itself or using an independent third-party auditor (acceptable to Vendor and subject to a non-disclosure agreement), Vendor’s compliance. Such audits may be performed at most once annually. Customer shall give Vendor no less than thirty (30) days’ written notice of any audit. Customer and Vendor shall cooperate in good faith to agree a plan covering the scope, duration, and activities of the audit, including necessary precautions to maintain the confidentiality of Vendor data that is outside the scope of the audit. The records and results of such audit shall be deemed Vendor’s confidential information. Customer shall bear all its own costs and expenses of the audit.
5. APPOINTMENT OF SUBPROCESSORS
5.1 Customer authorizes Vendor to appoint (and permit each Subprocessor appointed in accordance with this Clause 5 to appoint) Subprocessors in accordance with this Clause 5 and any restrictions in the Agreement.
5.2 Vendor shall inform Customer of any intended changes concerning the addition or replacement of Subprocessors, thereby giving Customer the opportunity to object to such changes on reasonable grounds. Customer shall notify Vendor in writing of any objections within fourteen (14) days of notice.
5.3 With respect to each Subprocessor, Vendor shall take commercially reasonable steps to ensure that the arrangement between, on the one hand, (a) Vendor or (b) the relevant intermediate Subprocessor and, on the other hand, the Subprocessor is governed by a written contract including terms which offer at least the same level of protection for Customer Personal Data as those set out in this Addendum.
5.4 As between Customer and Vendor, Vendor shall remain fully liable for the performance of the Subprocessor’s obligations.
6. RESTRICTED TRANSFERS
6.1 To the extent that Vendor processes Customer Personal Data to which the GDPR and/or the UK GDPR applies in a territory outside of the European Economic Area and/or the United Kingdom that does not provide adequate protection for Personal Data (as determined by applicable Data Protection Legislation), Vendor and Customer hereby enter into the Standard Contractual Clauses (which are incorporated by reference in, and form an integral part of, this Addendum) in respect of any transfer of Customer Personal Data from Customer to Vendor where such transfer would be prohibited by Data Protection Legislation (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Legislation) in the absence of the Standard Contractual Clauses.
6.2 The Standard Contractual Clauses shall not apply to a Restricted Transfer unless its effect, together with all compliance steps required under Data Protection Legislation (which, for the avoidance of doubt, do not include obtaining consents from individuals), is to allow the Restricted Transfer to take place without breach of applicable Data Protection Legislation. The Standard Contractual Clauses shall come into effect on the commencement of a Restricted Transfer as described in this Clause 6.
6.3 In the event that Vendor self-certifies under any applicable adequacy decision or adequacy framework by a Supervisory Authority, Vendor shall notify Customer promptly of such self-certification, and the parties agree and acknowledge that any Restricted Transfer will be subject to such decision or framework instead of the Standard Contractual Clauses. Vendor shall at all times during the term of the Agreement maintain compliance with any applicable rules of the decision or framework and provide Customer with evidence of its compliance upon request.
7. GENERAL TERMS
7.1 Termination and Survival. The parties agree that this Addendum shall terminate automatically upon termination of the Agreement. Notwithstanding the foregoing, any obligation imposed on Vendor under this Addendum in relation to the processing of Customer Personal Data shall survive any termination or expiration of this Addendum.
7.2 Governing Law and Jurisdiction. This Addendum shall be governed by the governing law of the Agreement. The parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the Agreement.
7.3 Severance. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
SCHEDULE 1
DATA PROCESSING DETAILS
SCHEDULE 2
APPENDIX TO THE EU STANDARD CONTRACTUAL CLAUSES
ANNEX II
TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organizational security measures implemented by the data importer:
Please see TestFit’s Information Security Policy.
OPTIONAL CLAUSES
The following optional clauses shall apply to the Standard Contractual Clauses:
UK ADDENDUM
Tables 1, 2, and 3 to the UK Addendum are populated with the information contained in this Schedule 2. Table 4 shall be “Exporter” only.