Data Processing Agreement
This Data Processing Agreement (“DPA”) is entered into between Hailey HR and the Customer.
1. GENERAL
Hailey HR will on behalf of the Customer Process Personal Data during the provision of the Services under the Agreement in its capacity as Customer’s data processor. For the purpose of ensuring compliance with the Data Protection Legislation, the Parties have entered into this DPA which forms an integral part of the Agreement.
2. DEFINITIONS
"Data Protection Legislation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, or “GDPR”) as well as supplementary local adaptions.
"Data Subject” means the identified or identifiable natural person whom the Personal Data relates to.
"Personal Data” means any information, which directly or indirectly relates to a Data Subject and which Hailey HR Processes on behalf of the Customer under this DPA.
”Processing” means any operation or set of operations which is performed on Personal Data, or on sets of Personal Data, whether or not by automated means.
”Sub-Processor” means any third party that Processes Personal Data on behalf of Hailey HR (including, but not limited to, Hailey HR’s partners and subcontractors)
”Supervisory Authority” means the independent public supervisory authority/supervisory authorities, authorized to conduct supervision of the Processing of Personal Data or considered to be a “supervisory authority concerned” in accordance with the Data Protection Legislation.
2.1 Unless otherwise stated, any other term or concept used in capitalized letters in this DPA (except in some cases as part of a heading) shall have the meaning and conception that is established in the Data Protection Legislation and otherwise in the Agreement, unless the circumstances obviously require another interpretation.
3. RESPONSIBILITY AND INSTRUCTION
3.1 The Personal Data that Hailey HR on behalf of the Customer will Process is in particular contact details, terms of employment and employment contracts, as further specified in Sub-Appendix 1 (Data Processing Instructions).
3.2 The Customer is the data controller of all Personal Data Processed by Hailey HR on behalf of the Customer under this DPA. Hailey HR shall comply with the Data Protection Legislation applicable to Hailey HR’s Processing.
3.3 Hailey HR, and anyone working under Hailey HR’s supervision, shall only be Processing Personal Data in accordance with the Customer’s documented instructions and not for any other purposes than the purposes the Customer has engaged Hailey HR for under the Agreement. The instructions that apply on the date of signature of this DPA are specified in Sub-appendix 1. In addition, the Agreement constitutes the Customer’s instructions. The Customer shall immediately inform Hailey HR of changes that affect Hailey HR’s obligations according to this DPA. Processing may also be performed where required by EU law or applicable member state law, which Hailey HR or any Sub- Processor is subject to. In the event of such requirement pursuant to EU or applicable member state law, Hailey HR shall inform the Customer of such obligation that is binding on Hailey HR or any Sub-Processor. Such information shall be provided to the Customer prior to the processing of Personal Data for this purpose, unless that law prohibits such information on important grounds of public interest.
4. SECURITY MEASURES
4.1 Hailey HR shall implement technical and organizational measures, as required by the Data Protection Legislation in order to ensure a level of security that is appropriate to the risk and to protect Personal Data being Processed from accidental or unlawful destruction, loss or alteration, or unauthorized disclosure of, or access to, the Personal Data being Processed. [Appendix 1].
Hailey HR shall assist the Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of Processing and the information available to Hailey HR.
4.2 Hailey HR shall notify the Customer without undue delay and no later than twenty-four (24) hours after becoming aware of a personal data breach pursuant to Article 33 of the GDPR.
5. DISCLOSURE OF PERSONAL DATA AND INFORMATION ETC.
5.1 Hailey HR shall forward any request to the Customer from the Data Subject, the Supervisory Authority or any other third party, who is requesting receipt of information regarding Personal Data that Hailey HR Processes on behalf of the Customer, without undue delay. Hailey HR, or anyone working under Hailey HR’s supervision, shall not disclose Personal Data, or information about the Processing of Personal Data, without the Customer’s express instruction or as laid down in this DPA, unless required by the Data Protection Legislation.
5.2 By technical and organizational measures, which are appropriate taking into account the nature of the Processing, Hailey HR shall assist the Customer, insofar as this is possible based on the information available to Hailey HR, for the fulfilment of the Customer’s obligation to respond to requests from the Data Subject, when the Data Subject exercises its rights in accordance with the Data Protection Legislation. Such assistance shall be prompt and in consideration of the limited time period that the Customer has to respond to such requests.
5.3 Hailey HR shall inform the Customer of any contacts from the Supervisory Authority that concern the Processing of Personal Data on behalf of the Customer. Hailey HR is not entitled to represent the Customer or act on the Customer’s behalf towards the Supervisory Authority.
5.4 Hailey HR shall assist the Customer in fulfilling potential duties to enable data portability regarding Personal Data, which Hailey HR Processes under this DPA.
6. SUB PROCESSORS
6.1 The Customer hereby gives Hailey HR prior, general authorization to engage Sub- Processors in the Processing of Personal Data, provided that Hailey HR enters into a data processing agreement with each Sub-Processor, in which data protection obligations are, at a minimum, equally stringent as the ones set out in this DPA are imposed upon the Sub-Processor. Before the Effective Date, Hailey HR shall enter into such corresponding data processing agreements with each Sub-Processor. If the Sub- Processor fails to fulfil its data protection obligations, Hailey HR shall remain liable towards the Customer for the performance of the Sub-Processor’s data protection obligations.
6.2 Hailey HR is in particular responsible for ensuring the compliance of Articles 28.2 and 28.4 of the GDPR when engaging Sub-Processors and ensure that Sub-Processors provide sufficient guarantees to implement appropriate technical and organizational measures, in such a manner that the Processing meets the requirements of the GDPR.
6.3 Hailey HR shall inform the Customer in writing of any intended changes concerning an addition or replacement of a Sub-Processor, to which the Customer may object. If the Customer does not issue such reasonable objection within twenty (20) days from the receipt of the information, the Customer is assumed to not have made an objection. For the purpose of clarity, Hailey HR commits to promptly provide information regarding the Processing by Sub-Processors when requested by the Customer. Hailey HR has the right to cure an objection from the Customer as described above. If no corrective option is available and if the objection has not been cured by Hailey HR within thirty (30) days, the Parties shall be entitled to terminate the Agreement and/or this DPA, partially or wholly, or in relation to specific additional services, by issuing the other Party thirty (30) days’ notice.
7. AUDITS ETC
Promptly, and in any case without undue delay, upon the Customer’s request, Hailey HR shall make available all information necessary to demonstrate Hailey HR’s compliance with its obligations following from the Data Protection Legislation, including as part of the audits or inspections carried out by the Customer or an independent auditor mandated by the Customer and accepted by Hailey HR. For the avoidance of doubt, each Party shall bear its own costs for any audit or inspection pursuant to this section 7 or Article 28(3)(h) GDPR.
8. TRANSFERS OF PERSONAL DATA OUTSIDE THE EU/EEA AND DATA PORTABILITY
8.1 Hailey HR shall not transfer personal data to a third country that has not received an adequacy decision by the European Commission pursuant to Article 45 of the GDPR, unless Hailey HR has obtained prior, specific consent for such transfer. If Hailey HR and/or Sub-Processors transfer Personal Data to a location outside of the EU/EEA, Hailey HR and/or Sub-Processor shall ensure that such transfer complies with applicable Data Protection Legislation including but not limited to ensuring that an appropriate assessment of the circumstances of the transfer as well as an assessment of the third country are made and documented prior to the transfer. Hailey HR shall ensure that a transfer is made on the basis of an appropriate safeguard, such as the Commission implementing decision (EU) 2021/914 - of 4 June 2021 - on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council or the decision or clauses that may replace them. Upon an approved transfer, Hailey HR shall obtain a clear mandate from the Customer to enter the aforementioned Standard Contractual Clauses on the Customer’s behalf. Hailey HR shall ensure that appropriate supplementary measures are implemented. Upon request by the Customer, Hailey HR shall provide all relevant information regarding the transfer and the measures undertaken pursuant to Data Protection Legislation and this clause 8.1.
9. CONFIDENTIALITY
9.1 Hailey HR shall ensure that persons authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. This undertaking does not apply to information that the Processor is required to disclose under mandatory law or other statutory rules pursuant to clause 3.3 above. This confidentiality obligation shall remain in force after termination of this DPA.
10. LIABILITY
10.1 If Hailey HR, anyone working under Hailey HR’s supervision or Sub-Processors, Processes Personal Data in violation of this DPA or contrary to lawful instructions of the Customer, Hailey HR shall pay damages to the Customer for the damage suffered due to incorrect Processing. Hailey HR shall indemnify and keep indemnified the Customer from any damages, costs and expenses.
10.2 Hailey HR´s total and aggregate liability under the Agreement is, for each calendar year and regardless of the number of damages limited to the fees paid by Customer during the 24 month period prior to the time when the damage(s) occurred, or, in case the Agreement has been in force for a shorter period, the fees that Customer should have paid if the Agreement had been in force for the 24 months. Hailey HR’s liability for Third-Party Applications will never exceed such amount that Hailey HR is entitled to recover from the provider(s) of such Third-Party Application.
10.3 A Party shall not be liable to the other Party for loss of revenue or other indirect damages. Damages, costs and expenses set forth in Section 10.1 shall be deemed direct damages.
10.4 During the term of this DPA, the Customer shall indemnify and hold Hailey HR harmless from any direct or indirect damage, e.g. requirements from the Data Subject and other Controllers of the Personal Data then the Customer, when Hailey HR has suffered such damage due to unlawful instructions from the Customer, or otherwise, depending on the circumstances on the Customer’s side. Customer’s indemnification and holding harmless Hailey HR shall only apply in the event that Hailey HR has informed the Customer that its instructions infringe Data Processing Legislation prior to the occurrence of the damage and if, upon such information, the Customer has not amended such instructions.
10.5 Hailey HR’s obligation to pay damages, laid down in section 10.1 above, only applies, provided that i) the Customer without undue delay informs Hailey HR in writing of any claims against the Customer; and ii) the Customer allows Hailey HR to control the defense of the claim and make independent decisions regarding conciliation. Such defense and decisions made by Hailey HR shall be carried out in good faith, and with due care in relation to the Customer.
Hailey HR shall make reasonable efforts to keep the Customer informed about any decisions related to the defense of the claim that may affect the Customer’s rights or obligations. In the event Hailey HR intends to make a decision or take an action in the defense of the claim that the Customer reasonably believes may adversely affect the Customer’s interests, the Customer shall have the right to object to such decision or action as soon as possible, but no later than 10 business days from the date of notification by Hailey HR.
In the event of the Customer's objection, the Parties shall engage in good faith discussions with the Customer to resolve any concerns.
10.6 The limitations set out in the Agreement shall not apply in relation to a loss or damage caused by gross negligence, intentional acts or breaches against the confidentiality undertakings in this Agreement.
11. TERM AND TERMINATION
11.1 This DPA enters into force when duly signed by both Parties and remains in force as long as Hailey HR Processes Personal Data on behalf of the Customer.
11.2 Upon termination of the Agreement or this DPA (depending on which is first terminated), Hailey HR shall in accordance with the Customer’s instructions return or delete the Personal Data that the Customer has transferred to Hailey HR and delete any existing copies, where appropriate, and unless storage of the Personal Data is required by EU law or applicable member state law and ensure that each Sub-Processor does the same. Hailey HR shall certify to the Customer in writing that such deletion has been carried out.
12. CHANGES AND ADDITIONS
12.1 If the Data Protection Legislation are changed during the term of this DPA, or if the Supervisory Authority issues guidelines, decisions, or regulations concerning the application of the Data Protection Legislation that result in this DPA no longer meeting the requirements for a DPA, the Parties shall make the necessary changes to this DPA, in order to meet such new or additional requirements. Such changes shall enter into force no later than thirty (30) days after a Party sends a notice of change to the other Party or otherwise no later than prescribed by the Data Protection Legislation, guidelines, decisions or regulations of the Supervisory Authority.
13. MISCELLANEOUS
13.1 This DPA supersedes and replaces all prior DPAs between the Parties and supersedes any deviating provisions of the Agreement concerning the subject matter of this DPA, regardless if otherwise stated in the Agreement.
13.2 Swedish law applies in all aspects to Hailey HR’s Processing of Personal Data under this DPA. Any dispute arising out of or in connection with this DPA shall be settled in accordance with the dispute resolution provision in the Agreement.
Sub-Appendix 1 – Data processing instructions
In these data processing instructions, all capitalized words shall have the same meaning as defined in the DPA, unless otherwise is expressly stated.
Purposes
Please specify all purposes for which the Personal Data will be Processed by the Supplier as the Customer’s data processor:
To facilitate normal operation of the Service on Customer’s behalf. The personal data is not processed by Hailey HR in any other way.
Categories of data
Please specify the Personal Data that will be Processed by the Supplier as data processor:
The following Personal Data may be processed depending on services used by the customer:
· Information related to the data subject’s employment at the customer i.a. name, profile image, social security number, address, phone, scheduling, information related to salary, terms of employment, CV’s, educational history and certificates, notes from feedback sessions and other, for the employment, relevant information.
· Documents associated with the employment of the Data subject at the customer.
Special categories of data
Please specify the Special Personal Data that will be Processed by the Supplier as data processor:
The following Special Personal Data may be processed depending on services used by the customer:
· Sensitive information related to the data subject's employment at the customer i.a. notes from rehab-cases, absence information and other, for the employment, relevant information.
· Custom fields, defined and set up by the Customer, related to the Customers handling of its employees, may include other types of Special Personal Data.
Categories of data subjects
Please specify the categories of data subjects whose Personal Data will be Processed by the Supplier as data processor:
Employees and board members at the Customer. Relevant consultancy agreements.
Processing operations
Please specify all Processing activities to be conducted by the Supplier as data processor:
Processing operations are limited to modules used by the Customer and usually include HR-master and onboarding at a minimum. Compensation- and feedback related processes.
Location of processing operations
Please specify all locations where the Personal Data will be Processed by the Supplier as data processor and – when applicable – by Sub-processors:
All personal data is stored at Upcloud, a Finnish limited liability company, with business ID 2431560-orgnummer, a fully GDPR-compliant partner with data centers in the EU and a parent company registered in the EU.
Other data, considered not to be personal data, may be stored in Azure Data Centers in the EU, primarily in Amsterdam with failover to Dublin.
Retention requirements When applicable
Please specify the retention time of Personal Data stored by the Supplier:
Personal data is retained until removal is requested by Customer. Backups may be kept up to 30 days.
INFORMATION SECURITY MEASURES
Technical and Organizational security measures
Security policies and procedures
We have an Information security policy that is based on the ISO-standard ISO27001. This policy provides guidelines for management, and mitigation of threats to information security at Hailey. It encompasses the entire organization and all employees at Hailey. The main purpose of this document is to ensure proper handling of information and mitigation of security risks. All employees sign this policy.
Continuous improvement
The Information policy is revised and internally controlled twice a year to review and improve security controls and practices to ensure they are effective and up-to-date with evolving threats and risks.
Security awareness training
All employees at Hailey take a course in IT security and GDPR as part of their onboarding. All developers further take a course in security related to risks arising during development and deployment. All employees take a refresher course in IT security and GDPR yearly.
Multi-factor authentication
Hailey has two factor authentication turned on for all employees, requiring SMS or authenticator code validation, in addition to password protection.
Regular software updates and patches
Computers and mobile devices are updated continuously to keep software updated and latest security patches installed in order to address known vulnerabilities and protect against cyberattacks.
Regular security assessment
Vulnerability scans are made continuously, and external penetration tests are made twice a year.
Security monitoring and logging
Azure Application Insights is used for monitoring all applications, including data access. The monitoring only contains technical data and no personal data is stored.
Data backup and recovery
Backups are facilitated by our sub-processors and may be kept up to 30 days. Backups are retained offsite, i.e. geographically separate, from where databases and file storages are located. Backups are tested twice a year. As part of the Information security policy, we have a disaster recovery plan defined. Disaster recovery is tested every six months.
Incident response plan
As part of the Information security policy, we have an incident response plan defined.
Data classification and retention
Personal data in Hailey is classified based on its sensitivity and an appropriate retention policy is implemented to ensure it is disposed of when no longer needed.
Deletion
Personal data is destroyed using crypto shredding.
Encryption of data communication
TLS 1.2 is used for data in transit and AES256 for data at rest to help protect sensitive information from unauthorized access or theft.
Firewalls, separation of environments and antivirus Protection
Firewalls environments and antivirus is provided by UpCloud. UpCloud has ISO27001 certification.
Service and repair of devices where Personal Data is stored
All Personal data is stored in Upcloud. Upcloud facilitates service and repair of devices. UpCloud has ISO27001 certification.
Access control
All services are protected by OIDC and a centralized login.
Authorisation and permissions
Roles are limited to Employees, Managers, People officers and Company administrators, each having a range of permissions to use the Service. Apart from system administrators at Hailey HR, who have access at a database level, there is no way for anyone at Hailey HR to access Personal data.
Sub-Appendix 2 – Sub-Processors
UpCloud Oy
UpCloud Oy is a Finnish limited liability company, with business ID 2431560.
UpCloud is our sub-processor for storage of data. All personal data is stored at Upcloud and is encrypted with AES256.
Data centers are located in Amsterdam and Helsinki. UpCloud runs their own datacenters.
Microsoft Azure
No personal data but some configuration data and meta-data may be stored in Azure Data Centers in the EU, primarily in Amsterdam. Computing is done in Microsoft Azure servers before sent for storage in UpCloud.
Microsoft Corp. is a US based company.
Microsoft Azure is our sub-processor for computing and transfer of data. No personal data is stored here. Some configuration data and meta-data may be stored with Azure. Data in transfer is encrypted with TLS 1.2.
Data center is located in Amsterdam. Azure runs their own data-center.
Bitio Services AB
Bitio Services AB is a Swedish limited company.
Bitio is our sub-processor for electronic signatures of documents. Some personal data is stored with Bitio.
Data center is located in Stockholm and Falkenberg. Bitio uses the Swedish limited company Glesys AB as their sub-processor for storage of data.
Flowmailer B.V.
Flowmailer B.V. is a Dutch limited company.
Flowmailer is our sub-processor for e-mail services and is used when activities trigger Hailey to send emails to users. Some personal data is stored with Flowmailer.
Data center is located in Amsterdam. Flowmailer run their own datacenter.
OPTIONAL SUBPROCESSORS – ONLY USED UPON REQUEST BY CUSTOMER
Below is a list of optional sub-processors that a customer can choose to share personal data with via activating the integration in Hailey. To activate one of these integrations the customer needs to have an active customer-supplier relationship with the sub-processor directly. Except for use of Azure OpenAI. The list below consists of sub-processors where the initial relationship can be such that sensitive personal data is not included in the service.
Slack
Get updates in Slack for you organization and enable your employees to have their dashbord and tasks in Slack.
Google Workspace
New employees can be created in Google Workspace when they are created in Hailey.
Okta
New employees can be created in Okta when they are created in Hailey.
Azure OpenAI
You can use AI to enhance your writing in some areas of Hailey, It's important to note that using AI is entirely optional and not mandatory. The AI settings is per default inactivated in Hailey. Only an admin can toggle on the AI functionality.