Privacy and Security Addendum

This Privacy and Security Addendum (“Privacy Addendum”) is made part of the JBIO Master Services Agreement (“MSA”) entered into by and between Customer and ZipRecruiter, pursuant to which Customer has purchased a Subscription to or obtained a Free Trial of the Services.

The purpose of this Addendum is to reflect the parties’ agreement concerning the Processing of Customer End Users’ Personal Data that concerns (A) Customer End Users located in jurisdictions outside the Territory, and/or (B) Personal Data not otherwise subject to EU/U.K. Data Protection Laws, and memorialize that such Personal Data shall be Processed only for limited and specific purposes as described herein and in the MSA. All capitalized terms not defined herein shall have the meaning set forth in the MSA.

1. Definitions

For purposes of this Privacy Addendum, the following definitions shall apply:

1. “Applicable Privacy Law” means any applicable Federal, state, provincial, or local law or regulation relating to data security, data protection and/or privacy, that applies to Personal Data. This term includes, but is not limited to, the (i) California Consumer Privacy Act, Cal. Civ. Code Title 1.81.5, § 1798.100 et seq., as amended (“CCPA”), including as modified by the California Privacy Rights Act, Cal. Civ. Code § 1798.100 et. seq. and its implementing regulations (“CPRA”), as amended or superseded from time to time; (ii) Virginia’s Consumer Data Protection Act, Va. Code Ann. § 59.1-571 et seq., and its implementing regulations (“CDPA”); (iii) Colorado Privacy Act, Colo. Rev. Stat. § 6-1-1301 et seq., and its implementing regulations (“COPA”); (iv) Connecticut’s Data Privacy Act, Conn. Gen. Stat. § 42.515 et seq. (“CTDPA”); (v) Utah’s Consumer Privacy Act, Utah Code § 13-2-1 et seq. (“UCPA”); (vi) Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”), and (vii) any other applicable Federal, state, provincial, or local law or regulation regarding privacy and data protection that is in effect or will come into effect during the term of the MSA.

2. “Personal Data” shall mean information that is (i) provided to ZipRecruiter by or at the direction of Customer, or information which is obtained by ZipRecruiter on behalf of Customer, in the course of ZipRecruiter’s performance of the Services under the MSA, and (ii) expressly defined as personal data or personal information under Applicable Privacy Law and only to the extent of the obligations under such law, respectively.

3. “Process” or “Processing” means any operation or set of operations which is performed on data or on sets of Personal Data, whether or not by automated means, either actively or passively. Processing includes, but shall not be limited to, collating, collecting, purchasing, accessing, gathering, obtaining, recording, organizing, sorting, structuring, storing, adapting, altering, retrieving, modifying, consulting, using, disclosing, making available, aligning, combining, receiving, erasing, or destroying such Personal Data. For purposes of clarity, the term “Processing” includes words or phrases of like meaning as defined and used under Applicable Privacy Law, including, but not limited to, “collect” or “collecting”.

1. ZipRecruiter may Process Personal Data in the course of performing the Services on behalf of Customer as described in the MSA. ZipRecruiter will Process such Personal Data only on behalf of Customer, according to the directions set forth by Customer (including as set forth in the MSA) and in compliance with Applicable Privacy Law. The categories/types of Personal Data subject to the Processing, specific business purposes for which the Personal Data is processed, the nature and purpose of the Processing, and the duration of the Processing are based on the specific Services being provided to the Customer. For more detailed information on these Processing activities, please email [email protected].

2. ZipRecruiter will not retain, use, or disclose any Personal Data for any purpose other than (i) providing the Services and/or products under the MSA; (ii) using the Personal Data internally to verify or maintain the quality, safety, or security of the Services and/or products, and to improve, upgrade or enhance the Services as permitted by Applicable Privacy Law; (iii) using the Personal Data to comply with ZipRecruiter’s legal obligations; (iv) to retain and employ another Subprocessor (as defined below) to assist in providing the Services and/or products under the MSA; (v) to prevent, detect, or investigate data security incidents or protect against malicious, deceptive, fraudulent or illegal activity; or (vi) for any other purpose that is expressly permitted of ‘service providers’ or ‘processors’ (or other similar words and phrases of like meaning) under Applicable Privacy Law, including but not limited to service provider or processor exemptions under Applicable Privacy Law.

3. ZipRecruiter acknowledges that it is prohibited from: (i) “selling” the Personal Data or processing Personal Data for purposes of targeted advertising (including “sharing” or conducting “cross-context behavioral advertising” as defined under Applicable Privacy Law); (ii) retaining, using, or disclosing the Personal Data for any purpose other than providing the Services to Customer and/or products specified in the MSA, except as otherwise expressly permitted in the MSA or this Privacy Addendum; (iii) retaining, using, or disclosing the Personal Data outside of the direct business relationship with Customer, except as otherwise expressly permitted in the MSA, Applicable Privacy Law, or this Privacy Addendum; or (iv) with respect to its obligations under the CPRA, combining the Personal Data that ZipRecruiter receives from, or on behalf of, Customer with personal information that it receives from, or on behalf of, another person(s), or collects from its own interaction with a consumer, provided that ZipRecruiter may combine Personal Data to perform any business purpose as defined in the CPRA. 

4. Customer retains control of the Personal Data and remains responsible for its compliance obligations under Applicable Privacy Law, including providing any required notices and obtaining any required consents, and for the Processing instructions it gives to ZipRecruiter. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data, and the means by which Customer acquired Personal Data or instructed ZipRecruiter to process Personal Data on its behalf as a service provider or processor. In addition, upon advance written notice to ZipRecruiter, Customer shall have the right to take reasonable and appropriate steps to stop and remediate ZipRecruiter’s unauthorized use of Personal Data.

3. Confidentiality; Security

1. ZipRecruiter will restrict access to Personal Data to those authorized persons who need such information to provide the Services under the MSA. ZipRecruiter will ensure such authorized persons are obligated to maintain the confidentiality of any Personal Data.

2. ZipRecruiter will implement administrative, physical, technical, and organizational measures and good industry practices to ensure the security of Personal Data, including the measures specified in https://www.ziprecruiter.global/en/security. 

4. Subprocessors

1. Customer grants a general authorization to ZipRecruiter to appoint third party sub-processors, contractors,  or vendors (each, a “Subprocessor”) to support the performance and fulfillment of the Services.  Subprocessors shall be engaged pursuant to a written contract that requires the Subprocessor to meet its obligations under Applicable Privacy Law, and which imposes on such Subprocessor terms substantially no less protective of Personal Data than those imposed on ZipRecruiter in this Privacy Addendum. A current list of Subprocessors for the Services are identified at www.jobboard.io/Subprocessor-List (“Subprocessor List”). ZipRecruiter may add a new Subprocessor by updating the Subprocessor List. Customer may reasonably object to ZipRecruiter’s use of a new Subprocessor by notifying ZipRecruiter promptly via email to [email protected] within five (5) business days of ZipRecruiter’s update to the Subprocessor List. If Customer objects to a new Subprocessor as permitted in the preceding sentence, ZipRecruiter will use reasonable efforts to make available to Customer a change in the Services to avoid Processing of Personal Data by the objected-to new Subprocessor without unreasonably burdening Customer. If ZipRecruiter is unable to make available such change within a reasonable period of time, ZipRecruiter may terminate the applicable Agreement with respect only to those Services which cannot be provided by ZipRecruiter without the use of the objected-to new Subprocessor by providing email notice to Customer.

2. Customer grants a general authorization to ZipRecruiter to allow each Subprocessor to appoint another third party subprocessor and/or vendor to support the performance of ZipRecruiter’s Services hereunder (each, a “Sub-subprocessor”) provided that such engagement is pursuant to a written contract which imposes on such Sub-subprocessor terms substantially no less protective of Personal Data than those imposed on ZipRecruiter in this Privacy Addendum. Information on Sub-subprocessors is available in the Subprocessor List.

5. Oversight and Monitoring of Compliance

1. Customer shall have the right to take reasonable steps to ensure that ZipRecruiter uses Personal Data in a manner consistent with the obligations under Applicable Privacy Law. Upon the reasonable request of Customer (and subject to an applicable non-disclosure agreement satisfactory to ZipRecruiter, where required), ZipRecruiter shall make available to Customer such information reasonably necessary to help demonstrate ZipRecruiter’s or Customer’s compliance with the obligations under Applicable Privacy Law, including to allow Customer to conduct any data protection assessments and any third-party assessments of ZipRecruiter’s policies and/or technical and organizational measures (such as ZipRecruiter’s SOC 2 report).

2. ZipRecruiter shall notify Customer if ZipRecruiter can no longer meet the obligations under this Privacy Addendum and/or Applicable Privacy Law.

6. Data Subject Rights; Retention of Personal Data

1. ZipRecruiter shall cooperate and provide the ability for Customer to directly manage and respond to deletion and access requests from Customer End Users within the Admin Panel.  At any time before or shortly after termination of this MSA, Customer can download a file of Customer data contained on the Job Board in CSV format via the Admin Panel. 

2. If ZipRecruiter receives a request from a Customer End User in relation to his or her Personal Data, ZipRecruiter reserves the right to respond to that Customer End User and/or advise that Customer End User to submit his/her request to Customer directly and in either case, Customer will be responsible for responding to any such request. Pursuant to the foregoing, Customer accepts that ZipRecruiter may provide such Customer End User with pertinent information about Customer including, without limitation, Customer’s identity and the name and contact information of Customer’s representatives.

3. Upon termination or expiration of the Agreement, Customer may request that ZipRecruiter return (where feasible) or delete Personal Data. ZipRecruiter shall have the right to retain Personal Data stored pursuant to the MSA in the ordinary course of business, pursuant to its retention schedules for client materials and in accordance with applicable law, including any exemptions permitted under Applicable Privacy Law.

7. GDPR Data Processing Agreement

1. Where ZipRecruiter will process the Personal Data of data subjects in the European Economic Area, European Union, Switzerland, and/or the United Kingdom, the GDPR Data Processing Agreement, available at: www.jobboard.io/GDPR-Data-Processing-Addendum (“GDPR DPA”) will govern. 

2. In the event of any conflict between the terms of this Privacy Addendum and the terms of the GDPR DPA, the conflicting provision of the GDPR DPA shall prevail.

8. Miscellaneous

1. In the event there is any conflict or difference between the terms and conditions of this Privacy Addendum and the terms and conditions of the MSA, the terms and conditions of this Privacy Addendum will prevail.

2. ZipRecruiter may amend this Privacy Addendum at any time and Customer’s continued use of the Services after such change indicates Customer’s acceptance of the amended Privacy Addendum.

Last updated: June 27, 2023