This Data Processing Addendum ("DPA") forms part of, and is subject to, the Terms & Conditions between the Customer and Sell Me This Pen Inc., doing business as Ravenite. It governs how Ravenite handles candidate personal data on the Customer's behalf, and addresses Québec Law 25, PIPEDA, the GDPR, and the CCPA/CPRA. The Customer's name and its acceptance or signature of this DPA are captured at contracting.
For personal data processed on the Customer's behalf to deliver a search, the Customer is the controller (GDPR) / business (CCPA) and Ravenite is the processor / service provider. Ravenite processes such data only to provide the service described in the Terms.
"Personal Data" / "Personal Information", "Processing", "Data Subject", "Controller", "Processor", "Business", "Service Provider", "Sub-processor", and "Standard Contractual Clauses" ("SCCs") have the meanings given in the GDPR, Québec Law 25, PIPEDA, and the CCPA, as applicable. "Confidentiality Incident" has the meaning given in Québec Law 25 and includes a personal data breach under the GDPR. Capitalized terms not defined here have the meanings in the Terms.
Ravenite will: (a) process personal data only on the Customer's documented instructions, including with regard to transfers; (b) ensure persons authorized to process the data are bound by confidentiality; (c) implement appropriate technical and organizational security measures (Annex B, section 10); (d) assist the Customer, taking into account the nature of the processing, with data-subject requests, breach notification, and privacy or data-protection impact assessments; and (e) at the end of the engagement, delete or return the personal data at the Customer's choice, unless retention is required by law.
The Customer authorizes Ravenite to engage sub-processors under written terms imposing obligations equivalent to this DPA. Ravenite maintains and discloses a current sub-processor list — covering cloud hosting and infrastructure and licensed professional-data provider categories — and will give the Customer notice of intended changes with a right to object on reasonable grounds.
For transfers subject to the GDPR, the parties rely on Standard Contractual Clauses or other appropriate safeguards (Annex D, section 12). For personal information communicated outside Québec, Ravenite conducts the privacy impact assessment Québec Law 25 requires before the transfer and ensures the information receives adequate protection.
Ravenite will notify the Customer without undue delay after becoming aware of a Confidentiality Incident affecting personal data processed under this DPA, and will provide the information reasonably needed for the Customer to meet its own obligations — including GDPR notification within 72 hours and Québec Law 25 notification to the Commission d'accès à l'information and to affected individuals where the incident presents a risk of serious injury. Ravenite maintains an incident register.
Where the CCPA applies, Ravenite acts as a service provider: it will not sell or share personal information received under this DPA, and will not retain, use, or disclose it for any purpose other than performing the services, or as otherwise permitted by the CCPA. Ravenite certifies that it understands and will comply with these restrictions.
Ravenite will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to reasonable audits conducted by the Customer or its mandated auditor, on reasonable notice and subject to confidentiality.
Liability under this DPA is subject to the limitations and exclusions in the Terms. If this DPA conflicts with the Terms on the subject of personal data processing, this DPA prevails to the extent of the conflict. This DPA is governed by the laws of the Province of Québec, Canada.
Where a restricted transfer requires them, the applicable module of the European Commission's Standard Contractual Clauses (and the UK Addendum, where relevant) is incorporated into this DPA by reference, completed with the details of processing in Annex A, the security measures in Annex B, and the sub-processor list in Annex C.