
Data Processing Addendum

This Data Processing Addendum (“Addendum”) is entered into by and between OpenComp, Inc., a Delaware corporation with its primary place of business at 2590 Welton St, Suite 200 #1070, Denver, CO 80205 (“OpenComp”), and the legal entity using OpenComp’s platform (“Customer”) pursuant to the OpenComp Terms of Service executed concurrently herewith, available at https://www.opencomp.com/terms, as updated from time to time, or any other agreement between Client and OpenComp governing Client’s use of the Services (defined below), as applicable (the “Agreement”). OpenComp and Client are hereinafter referred to from time to time individually as “party” and collectively as “parties.”

The parties acknowledge that the terms of this Addendum, including the Appendices, are incorporated into and form part of the Agreement. Capitalized terms have the meaning given to them in the Agreement unless defined elsewhere in this Addendum. Where this Addendum uses terms that are defined in Applicable Data Protection Law (defined below), those terms shall have the same meaning as given to those terms (or an equivalent term) in the applicable law.

In the event and to the extent of a conflict between the provisions of the Agreement and this Addendum, this Addendum will prevail. Except as expressly set forth in this Addendum, all other provisions of the Agreement will remain in full force and effect. To the extent that the EU SCCs (defined below) or the UK International Data Transfer Agreement (defined below) are incorporated herein, such terms therein shall take precedence over both this Addendum and the Agreement to the extent necessary to resolve the conflict or inconsistency. For the avoidance of doubt, execution of the Agreement shall be deemed to constitute signature and acceptance of this Addendum and any SCCs or UK International Data Transfer Agreement incorporated herein.

Section 1: Definitions

  1. “Affiliate(s)” means any business entity that, directly or indirectly, through one or more intermediaries, controls, is controlled by, or is under common control with a party to the Agreement. For purposes of this definition, “control” means an ownership, voting, or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question.
  2. “Analytics” means any data relating to Client’s use, support, and/or operation of the Services which is used by OpenComp in an aggregated and anonymous manner.
  3. “Applicable Data Protection Law” means all laws and regulations applicable to the processing of personal data under the Agreement. For the sake of clarity, Applicable Data Protection Law includes, without limitation (1) data protection laws and regulations of the European Union, the European Economic Area and their member states, and Switzerland; (2) data protection laws and regulations of the United Kingdom; and (3) data protection laws and regulations of the United States and its individual states.
  4. “Authorized Users” means individuals who have created an account to access the Services pursuant to the Agreement. Authorized Users include employees and contractors designated by Client to receive access to the Services as well as employees and contractors of any Affiliates authorized to access the Services under the Agreement.
  5. “Client” means the Client entities or Affiliates that are party to the Agreement.
  6. “Client Account Data” means personal data that relates to Client’s relationship with OpenComp and for which OpenComp determines the means and purposes of processing.
  7. “Client Data” means any personal data that is (i) provided or made available or accessible to OpenComp or its Sub-processors by or on behalf of Client or a controller for whom Client acts as a processor; and/or (ii) generated by OpenComp or its Sub-processors in the performance of the Agreement.
  8. “Controller-to-Processor Clauses” means the standard contractual clauses between controllers and processors for Data Transfers (module 2), as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
  9. “Data Protection Supervisory Authority” means a supervisory authority or other government body responsible for the administration, implementation, and/or enforcement of Applicable Data Protection Law and includes, without limitation, competent supervisory authorities of the European Union (“EU”) and its member states, the Swiss Federal Data Protection Authority, and the United Kingdom (“UK”) Information Commissioner’s Office.
  10. “Data Transfer” means any situation in which Client Data is transferred, either directly or via onward transfer to a Third Country.
  11. “Elections” means, with respect to the EU SCCs, (i) for purposes of clause 9(a), option 2 applies and the specified time period is the time period required under Section 5 (Sub-processing) of this Addendum for notice of change of a Sub-processor; (ii) for purposes of clause 11, the independent dispute resolution option does not apply; (iii) for purposes of clause 17, option 2 is selected, provided if the EU member state in which the data exporter is established does not allow for third-party beneficiary rights, then the law of Ireland shall govern; and (iv) as pertains to clause 18(b), the courts of the EU member state in which the data exporter is established shall be the choice of forum and jurisdiction.
  12. “EU SCCs” means (i) the Controller-to-Processor Clauses, or (ii) the Processor-to-Processor Clauses, as applicable in accordance with Section 2.1 (Scope and Role of the Parties), including the Elections and on the basis that Appendix 1 of this Addendum operates as Annex I to the EU SCCs and Appendix 2 of this Addendum operates as Annex II to the EU SCCs.
  13. “European and UK Data Protection Law” means all data protection laws and regulations applicable to Europe, including (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, or “GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); and (iv) in respect of the United Kingdom (“UK”) any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the UK leaving the European Union.
  14. “Europe” means, for the purposes of this Addendum, the European Union (“EU”), the European Economic Area (“EEA”), and/or their member states, Switzerland, and the United Kingdom (“UK”).
  15. “Processor-to-Processor Clauses” means the standard contractual clauses between processors for Data Transfers (module 3), as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
  16. “Security Incident” means any confirmed or reasonably suspected unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure of or access to, Client Data on systems managed or otherwise controlled by OpenComp.
  17. “Sensitive Data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, data relating to criminal convictions or offenses, or other information that falls within the definition of “special categories of data” (or an equivalent term) under Applicable Data Protection Law.
  18. “Services” means the services OpenComp is providing pursuant to the Agreement.
  19. “Sub-processor(s)” means any person or entity engaged by OpenComp or its Affiliates to perform OpenComp’s obligations under the Agreement.
  20. “Third Country” means a country outside of Europe or the UK not recognized by the European Commission or the competent UK regulatory authority as providing an adequate level of protection for personal data under European and UK Data Protection Law.
  21. “UK International Data Transfer Agreement” means the UK International Data Transfer Addendum to the EU SCCs, issued by the UK Information Commissioner, Version B1.0, effective as of 21 March 2022, and on the following basis: (i) with respect to Table 1 of the UK International Data Transfer Agreement, the parties’ details and key contact information is located in Appendix 1 of this Addendum; (ii) with respect to Table 2, information about the version of the EU SCCs, modules, and selected clauses are located in the Elections, and (iii) with respect to Table 3, information about the parties and a description of the transfer is set forth in Appendix I to this Addendum, a description of OpenComp’s technical and organizational security measures is located in Appendix II, and OpenComp’s list of sub-processors is set forth in Section 5.1 (Authorized Sub-processors).
  22. “UK Personal Data” means Client Data, the processing of which is within the territorial scope of the data protection, privacy, or security laws of the UK.

Section 2: Processing of Personal Data

Section 3: Responding to Data Subjects and Other Requests

Section 4: Security

Section 5: Sub-processing

Section 6: International Data Transfers

Section 7: Limitation of Liability

Section 8: Modification and Termination of this Addendum
This Addendum shall remain in effect until the later of (i) termination of the Agreement or (ii) such time as OpenComp no longer processes any Client Data on behalf of Client. Failure to comply with any of the material provisions of this Addendum is considered a material breach of the Agreement. In the event of termination, OpenComp will return or destroy data pursuant to Section 2.7 (Return or Deletion of Client Data). OpenComp may update the terms of this Addendum from time to time; provided, however, OpenComp will provide at least thirty (30) days prior written notice to Client of any proposed update. The then-current terms of this Addendum are available at https://www.opencomp.com/gdpr.

Section 9: Entire Agreement; Conflict
This Addendum supersedes and replaces all prior and contemporaneous agreements, oral and written, with regard to the subject matter of this Addendum, including any prior data processing addenda entered into between Client and OpenComp. If there is any conflict between this Addendum and any agreement, including the Agreement, the provisions of the following documents (in order of precedence) shall prevail: (a) the EU SCCs and their Annexes and/or the UK International Data Transfer Agreement and its Tables (as applicable); then (b) this Addendum and its Appendices; then (c) the Agreement.

Section 10: Invalidity and Severability

10.1 General. If any provision of this Addendum is found by any court or administrative body of competent jurisdiction to be invalid and unenforceable, the invalidity or unenforceability of such provision shall not affect any other provision of this Addendum and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.

10.2 Invalidity of the EU SCCs and/or UK International Data Transfer Agreement. If the EU SCCs and/or UK International Data Transfer Agreement (as applicable) cease to or do not (including due to insufficient supplementary measures) meet the requirements under European and UK Data Protection Law or otherwise cease to or do not provide a valid legal basis to transfer personal data outside the EEA, EU, UK, or Switzerland, OpenComp shall (i) promptly notify Client using the email address on file; (ii) upon request (whether or not OpenComp has provided notice to Customer) immediately stop and, as applicable procure the cessation of the processing by its Sub-processors of the affected personal data promptly after the occurrence of any such notifiable event outside the relevant countries (except to the extent directed otherwise by Customer), and as soon as possible put in place commercially reasonable measures to mitigate the impact of such; and (iii) discuss with Client commercially reasonable alternative measures in order to ensure an adequate level of protection with respect to the privacy rights of individuals and the lawful transfer of, or access to, personal data outside the relevant countries whilst continuing the provision of the Services with minimum disruption to Customer. If the parties cannot reach resolution, Client may suspend or terminate the Agreement without liability to either party, in which case, notwithstanding anything to the contrary in this Addendum or the Agreement, OpenComp shall refund Client any prepaid fees covering the remainder of the term of the Agreement from the date of suspension/termination of the Agreement as per the foregoing.

APPENDIX 1

Data exporter(s):

The data exporter is the legal entity identified as “Customer” in the Agreement. Client may be a controller or a processor with respect to Client Data.

Data importer(s):

The data importer is OpenComp, Inc. located at 2590 Welton St, Suite 200 #1070, Denver, CO 80205.

Justin Byers, VP Engineering, is OpenComp’s contact person with responsibility for data protection and can be reached at justin@opencomp.com or 310-403-4726.

OpenComp provides a cloud-based compensation benchmarking platform. OpenComp is either a processor or a sub-processor with respect to Client Data processed pursuant to the Agreement.

Categories of data subjects whose personal data is transferred

Client may upload, submit, or otherwise provide personal data concerning the following categories of data subjects:

Categories of personal data transferred

Client may upload, submit, or otherwise provide certain personal data to OpenComp, the extent of which is typically determined and controlled by Client in its sole discretion, and may include the following types of personal data:

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance, strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

To the extent collected, OpenComp shall apply strict purpose limitation to the processing of such data.

The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis)

Client Data will be transferred on a continuous basis for the duration of the Agreement. As between Client and OpenComp, the duration of the processing under this Addendum is determined by Client; provided that, generally the duration of the processing of Client Data shall be for the duration of the Agreement and for the minimum period thereafter required to wind-down the parties’ relationship under the Agreement and properly return or dispose of Client Data pursuant to Section 2.7 (Return or Deletion of Client Data).

Nature of the processing

Client Data will be processed in accordance with the Agreement (including this Addendum) and may be subject to the following processing activities:

Purpose(s) of the data transfer and further processing

OpenComp shall only process Client Data for the Permitted Purposes outlined in Section 2.2 (Client Instructions).

The period for which the personal data will be retained, or if that is not possible, the criteria used to determine that period

Client Data will be retained for the duration of the Agreement plus thirty (30) days after expiration or termination unless expressly instructed by Client to delete or destroy Client Data sooner or as otherwise required or permitted by law.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

For all transfers to Sub-processors the subject matter, nature, and duration of the processing are as follows:

Duration of the processing: The duration of the processing is for so long as is necessary for the purpose for which the information was transferred to the Sub-processor and in any event, for no longer than the duration of the agreement between OpenComp and the relevant Sub-processor.

DATA PROTECTION SUPERVISORY AUTHORITY

The applicable Data Protection Supervisory Authority for purposes of this Addendum shall be established in accordance with the EU SCCs or UK International Data Transfer Agreement (as applicable) incorporated herein, or if neither is incorporated, the applicable Data Protection Supervisory Authority shall be any such entity with authority over the parties involved.

APPENDIX 2 - SECURITY MEASURES

Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

OpenComp, at a minimum, has implemented the following types of security measures:

https://trust.opencomp.com/
