Data Processing Agreement
1. Definitions and scope
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Information Direct, Inc. ("Processor") and the client ("Controller") and governs the processing of personal data by the Processor on behalf of the Controller in connection with background screening services.
For purposes of this DPA: "Personal Data" means any information relating to an identified or identifiable natural person processed in connection with the services; "Processing" means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, and erasure; "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller; "Data Protection Laws" means all applicable data protection and privacy legislation, including the GDPR, CCPA/CPRA, and the FCRA as applicable.
2. Data processing scope and purpose
The Processor shall process Personal Data only for the purpose of providing the background screening services requested by the Controller, including: compiling consumer reports under the FCRA, performing courthouse research and criminal records searches, conducting employment, education, and professional license verifications, facilitating drug testing through certified laboratory partners, and delivering reports and results through the Information Direct platform.
The categories of Personal Data processed include: applicant identifiers (name, date of birth, Social Security number, address history), employment and education history, criminal records and court filings, professional license information, and drug test results. The categories of data subjects include: job applicants, employees, contractors, tenants, and other individuals for whom the Controller has a permissible purpose under applicable law.
3. Processor obligations
The Processor shall: (a) process Personal Data only on documented instructions from the Controller, unless required by law; (b) ensure that persons authorized to process Personal Data are bound by confidentiality obligations; (c) implement appropriate technical and organizational security measures as described in Section 5 of this DPA; (d) assist the Controller in responding to data subject requests; (e) assist the Controller in ensuring compliance with data protection impact assessments and prior consultation obligations where required; (f) make available all information necessary to demonstrate compliance with this DPA; and (g) immediately inform the Controller if, in the Processor's opinion, an instruction infringes applicable Data Protection Laws.
4. Sub-processor management
The Controller provides general authorization for the Processor to engage Sub-processors in connection with the services. The Processor shall maintain a current list of Sub-processors, which will be made available upon request. The Processor shall notify the Controller at least thirty (30) days before adding or replacing a Sub-processor, providing the Controller with an opportunity to object.
If the Controller objects to a new Sub-processor on reasonable data protection grounds, the parties shall discuss the concern in good faith. If no resolution is reached within fifteen (15) days, the Controller may terminate the affected services without penalty.
The Processor shall impose data protection obligations on each Sub-processor that are no less protective than those set forth in this DPA, and shall remain fully liable to the Controller for the performance of each Sub-processor's obligations.
5. Security measures
The Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures include but are not limited to: encryption of data at rest (AES-256) and in transit (TLS 1.2+), role-based access controls with multi-factor authentication, regular security assessments and penetration testing, continuous monitoring and intrusion detection systems, documented incident response procedures, employee security awareness training, physical access controls at all facilities, and regular backup and disaster recovery testing.
The Processor maintains SOC 2 Type II and ISO 27001 certifications and shall provide copies of current audit reports or certifications upon the Controller's reasonable request.
6. Data breach notification
In the event of a Personal Data breach, the Processor shall notify the Controller without undue delay and in any event within seventy-two (72) hours of becoming aware of the breach. The notification shall include: (a) a description of the nature of the breach, including the categories and approximate number of data subjects and records affected; (b) the name and contact details of the Processor's data protection contact; (c) a description of the likely consequences of the breach; and (d) a description of the measures taken or proposed to address the breach and mitigate its effects.
The Processor shall cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the breach, and shall provide timely updates as additional information becomes available.
7. Data return and deletion on termination
Upon termination or expiration of the services agreement, the Processor shall, at the Controller's election, return all Personal Data to the Controller in a structured, commonly used, and machine-readable format, or securely delete all Personal Data in the Processor's possession and certify such deletion in writing.
Notwithstanding the foregoing, the Processor may retain Personal Data to the extent required by applicable law, including FCRA record retention requirements and applicable state retention schedules. Any retained data shall continue to be protected in accordance with this DPA and shall be deleted promptly upon expiration of the applicable retention period.
8. Audit rights
The Controller shall have the right to audit the Processor's compliance with this DPA. Audits may be conducted by the Controller or a qualified independent auditor appointed by the Controller, subject to reasonable confidentiality obligations. The Controller shall provide at least thirty (30) days' prior written notice of any audit.
Audits shall be conducted during normal business hours, no more than once per twelve-month period (unless required by a supervisory authority or following a data breach), and in a manner that minimizes disruption to the Processor's operations. The Processor shall cooperate with audits and provide reasonable access to relevant facilities, systems, and documentation.
In lieu of an on-site audit, the Processor may provide the Controller with copies of current SOC 2 Type II audit reports, ISO 27001 certifications, or other independent third-party audit reports that demonstrate compliance with the obligations of this DPA.
9. International data transfers
Where Personal Data is transferred from the EEA, UK, or Switzerland to the Processor in the United States, the parties agree to execute the European Commission's Standard Contractual Clauses (SCCs) as adopted under Commission Implementing Decision (EU) 2021/914, which are incorporated into this DPA by reference. Additional supplementary measures will be applied as appropriate based on the transfer impact assessment.
10. Liability and indemnification
Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set forth in the Terms of Service, except that neither party's liability for breaches of its data protection obligations shall be limited to the extent prohibited by applicable Data Protection Laws.
11. Term and amendments
This DPA shall remain in effect for the duration of the Processor's processing of Personal Data on behalf of the Controller. The Processor may update this DPA from time to time to reflect changes in applicable Data Protection Laws or processing practices. Material changes will be communicated to the Controller at least thirty (30) days before taking effect.
For questions or requests related to this DPA, please contact: Information Direct, Inc. · Attn: Data Protection · 1519 E Chapman Ave #342, Fullerton, CA 92831 · Email: privacy@informationdirect.us · Phone: (800) 707-2450