This Data Processing Addendum (“DPA”) supplements and is incorporated into the agreement referencing this DPA (“Agreement”) entered into by the applicable HackerRank entity (together with its Affiliates, “HackerRank”) and the customer entering into that Agreement (“Customer”) (HackerRank and Customer being the “parties” under this DPA). This DPA applies to the extent HackerRank processes personal data in connection with Customer’s use of the Services under the Agreement.
2.1. Controller and Processor. The parties acknowledge and agree that: (a) Customer will determine the purposes and means of the processing of personal data; (b) HackerRank will process personal data on behalf of Customer. To the extent applicable, for the purposes of GDPR, UK GDPR, and other Data Protection Laws using these terms, Customer is the “controller” of personal data and HackerRank is the “processor” of personal data on behalf of Customer. To the extent applicable, for the purposes of the CCPA, Customer is a “business” and HackerRank is the “service provider.”
2.2. Scope of DPA. This DPA applies to, and references to personal data within this DPA refer to, personal data of which Customer is the controller and HackerRank is the processor.
Schedule 1 (Details of Processing) of this DPA sets forth details of HackerRank’s processing of personal data.
4.1. Customer Instructions.
(a) HackerRank will process personal data only: (i) in accordance with Customer’s documented, reasonable, and lawful instructions; or (iii) as otherwise agreed upon by the parties or as required by applicable law and, if required by law, HackerRank will notify Customer in writing of that legal requirement before processing unless the law prohibits this on important grounds of public interest.
(b) The parties agree that the Agreement (including this DPA) and the performance of HackerRank’s obligations thereunder sets out Customer’s instructions to HackerRank for the processing of personal data and that processing outside the scope of the Agreement, if any, requires prior written agreement of the parties.
(c) HackerRank will immediately inform Customer if, in HackerRank’s opinion, processing instructions given by Customer infringe on applicable Data Protection Laws.
4.2. Purpose Limitation. HackerRank will process personal data only for the purpose of providing the Services to Customer as described in the Agreement, unless it receives further instructions from Customer.
5.1. Technical and Organizational Measures. HackerRank will implement at least the technical and organizational measures described at the following webpage (“Technical and Organizational Measures”) to ensure the security of personal data, which includes protecting personal data against Security Incidents:
https://www.hackerrank.com/about-us/technical-organizational-measures/
5.2. Technical and Organizational Measures Assessment and Updates. In assessing the appropriate level of personal data security, the parties will take account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risks involved for the data subjects. The parties acknowledge and agree that Technical and Organizational Measures are subject to technical progress and development such that HackerRank may occasionally update or modify its Technical and Organizational Measures, provided that any update and/or modification does not materially diminish the overall security of the Services or the protection afforded to personal data.
5.3. Confidentiality of Processing. HackerRank will grant access to personal data to its personnel only to the extent necessary for implementing, managing, or monitoring the Services provided to Customer. HackerRank will ensure that its personnel authorized to process personal data have committed themselves to maintaining confidentiality or are under an appropriate statutory obligation of confidentiality with respect to personal data.
The Services are not intended for the processing of sensitive data, sensitive personal information, or special categories of personal data (as each is defined by applicable Data Protection Laws). Customer will not provide (or cause to be provided) any sensitive data, sensitive personal information, or special categories of personal data to HackerRank for processing under the Agreement, unless the parties otherwise agree in writing.
7.1. Compliance With Data Protection Laws. Each party will comply with and be able to demonstrate its compliance with all Data Protection Laws applicable to that party in its performance under this DPA.
7.2. Inquiry Response. HackerRank will deal promptly and adequately with inquiries from Customer about the processing of personal data.
7.3. Audit Rights. HackerRank will maintain and make available to Customer information reasonably necessary to demonstrate HackerRank’s compliance with this DPA. To the extent permitted by applicable Data Protection Laws, Customer may conduct an audit of processing under this DPA by itself or through an independent auditor (subject to reasonable confidentiality obligations) and, upon Customer’s request, HackerRank will permit and contribute to audits of the processing activities covered by this DPA at reasonable intervals or if there are reasonable indications of HackerRank’s non-compliance with this DPA. Any audit under this DPA may be conducted upon at least 30 days’ prior written notice to HackerRank, at Customer’s sole expense, and during normal business hours. The parties will mutually agree in advance on the reasonable scope of any audit, including but not limited to, the audit start date, scope, duration, and applicable security controls.
7.4. Audit Terms. Customer may request an audit of processing activities conducted under this DPA, upon at least 30 days’ prior written notice to HackerRank. The parties will mutually agree in advance on the reasonable scope of any audit, including but not limited to, the audit start date, scope, duration, and applicable security controls. Audits will be conducted at Customer’s sole expense and during normal business hours. Any audits conducted in accordance with the SCCs will be subject to the audit terms of this DPA.
8.1. General Authorization. HackerRank has Customer’s general authorization to engage the Sub-processors listed on HackerRank’s Sub-processor page, available at:
www.hackerrank.com/about-us/sub-processor-list
8.2. Sub-processor Changes. If HackerRank replaces or adds new Sub-processors, HackerRank will make commercially reasonable efforts to provide Customer with notice of the replacement or addition at least 30 days prior to, but will in any case provide notice at least 10 days prior to, the Sub-processor addition or replacement. HackerRank will provide notice by maintaining an updated list of Sub-processors on HackerRank’s Sub-processor page noted above and also by email if Customer subscribes to receive updates by email via the Sub-processor page noted above.
8.3. Sub-processor Objections. Customer may object to the appointment or replacement of a Sub-processor prior to the appointment or replacement, provided that the objection is in writing and based on reasonable grounds related to data protection. If Customer objects to the appointment of a new Sub-processor, HackerRank and Customer will discuss commercially reasonable alternative solutions in good faith. If HackerRank and Customer cannot reach a resolution within 30 days after the date HackerRank receives Customer’s written objection, Customer may discontinue the use of the affected Services by providing written notice to HackerRank, without prejudice to fees owed for the time period unaffected by the discontinuation. If Customer does not raise an objection prior to HackerRank replacing or adding a Sub-processor, Customer will be deemed to have authorized the new Sub-processor.
8.4. Sub-processor Obligations. Where HackerRank engages Sub-processors, it will do so by way of a contract which imposes on the Sub-processor, in substance, personal data protection obligations at least as protective of personal data as those imposed on HackerRank under this DPA.
8.5. Responsibility for Sub-processors. HackerRank will be responsible for each Sub-processor's compliance with the obligations of this DPA and with applicable Data Protection Laws. HackerRank will remain fully responsible to Customer for the performance of HackerRank's obligations under the Agreement, notwithstanding HackerRank's engagement of any Sub-processor.
9.1. Transfer of Data. HackerRank may transfer and process Customer personal data to and in the United States and anywhere else in the world where HackerRank, its Affiliates, or its Sub-processors maintain data processing operations. HackerRank will transfer personal data solely in performance of its obligations under the Agreement.
9.2. Transfer Mechanism; SCCs. If HackerRank transfers personal data to or through the Services, either directly or by onward transfer, from the European Economic Area or Switzerland to the United States or any country or recipient outside the European Economic Area or Switzerland that is not recognized by the European Commission (or, in the case of transfers from Switzerland, the competent authority for Switzerland) as providing an adequate level of protection to personal data, then that transfer will be governed by and made pursuant to the SCCs.
9.3. SCC Schedule. Schedule 2 to this DPA sets forth certain details of HackerRank’s processing of personal data in accordance with the SCCs, if and to the extent the SCCs apply.
10.1. Notification of Data Subject Requests. HackerRank will promptly notify Customer of any request it receives from a data subject. HackerRank will not respond to the request itself except as reasonably appropriate (for example, to confirm receipt or direct the data subject to contact Customer) or as may be legally required or authorized by Customer.
10.2. Assistance. HackerRank will assist Customer in fulfilling Customer’s obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing, and in accordance with Customer’s lawful instructions.
10.3. Assessments and Consultations. Taking into account the nature of the processing and the information available to HackerRank in each case, HackerRank will assist Customer in complying with any of Customer’s obligations required by applicable Data Protection Laws with respect to the following: (a) the obligation to carry out an assessment of the impact of HackerRank’s processing of personal data; (b) the obligation to consult with regulatory authorities that may be required; and (c) the obligation to ensure that personal data is accurate and up to date.
10.4. Where HackerRank is a Controller. For clarity, nothing in the DPA will restrict or prevent HackerRank from responding to data subject or data protection authority requests in relation to personal data for which HackerRank is a controller (as opposed to the processor).
11.1. Security Incident Notification. If HackerRank becomes aware of a Security Incident, HackerRank will notify Customer without undue delay, and in any case, within seventy-two (72) hours after becoming aware of the Security Incident. HackerRank may send notification of a Security Incident by any notification means set forth in the Agreement or, in any case, by email to the administrator contact that Customer designates in Customer’s account within the Services.
11.2. Notification Details. HackerRank’s notification of a Security Incident will at least contain a description of:
(a) the nature of the Security Incident, including, where possible, the categories and approximate number of data subjects and records concerned;
(b) the details of a contact point where more information concerning the Security Incident can be obtained; and
(c) the likely consequences and the measures taken or proposed to be taken to address the Security Incident, including to mitigate its possible adverse effects.
If, and to the extent, HackerRank is not reasonably able to provide all the information at the same time, HackerRank’s initial notification will contain the information then available and it will provide further information without undue delay as it becomes available.
11.3. Reporting Assistance. HackerRank will provide reasonable assistance to Customer in the event Customer is required by applicable Data Protection Law to notify a regulatory authority or any data subjects impacted by a Security Incident.
11.4. Mitigation. HackerRank will take reasonable steps to investigate and, as necessary, address and mitigate an actual or threatened Security Incident. HackerRank’s notification or addressing of, or response to, a Security Incident will not be construed as an acknowledgment by HackerRank of any fault or liability with respect to the Security Incident.
Following termination of the Agreement, HackerRank will, at the choice of Customer, delete or return to Customer all personal data processed by HackerRank, except to the extent applicable law requires the retention of any personal data. If Customer does not notify HackerRank of Customer's preferred choice within 30 days following termination of the Agreement, HackerRank will delete Customer’s data in accordance with HackerRank’s standard data deletion cycle. Until the personal data is deleted or returned, it will remain subject to the terms of this DPA.
13.1. Governing Law. This DPA will be governed by, and construed in accordance with, the governing law of the Agreement, and any dispute between HackerRank and Customer will be subject to the exclusive jurisdiction of the forum set forth in the Agreement, unless otherwise required by applicable Data Protection Laws.
13.2. Term. This DPA will remain in effect for as long as HackerRank processes personal data on behalf of Customer.
13.3. Order of Precedence. In the event of any conflict or inconsistency between this DPA and any other part of the Agreement, the provisions of first the SCCs and then of this DPA will prevail over any provisions of any documents of the Agreement to the contrary.
13.4. Agreement Unchanged. Except for any modifications to the Agreement as may be made by this DPA, the Agreement remains unchanged and in full force and effect.
13.5. No Third-Party Beneficiaries. No one other than the parties to this DPA and their successors and permitted assigns will have any right to enforce any terms of this DPA, but without prejudice to the rights available to data subjects under applicable Data Protection Laws or this DPA (including the SCCs).
14.1. California. Where HackerRank’s processing of personal data is subject to the CCPA as personal information under the CCPA, the following terms will apply to supplement the DPA and will control over any conflicting provisions of the DPA:
(a) Each party will comply with its obligations under the CCPA.
(b) Any data subject rights and HackerRank’s obligations with respect to those data subject rights, as described in this DPA, also apply to Consumer rights under the CCPA.
(c) The parties intend for HackerRank’s provision of the Services and the exercise of its rights under the Agreement or as permitted by the CCPA to constitute a “business purpose” under the CCPA.
(d) HackerRank will not “sell” or “share” personal information, as each term is defined by the CCPA.
(e) HackerRank will not retain, use, or disclose personal information outside of the direct business relationship between HackerRank and Customer.
(f) HackerRank will not combine personal information controlled by Customer with personal information HackerRank receives from other customers, except as may be permitted by the Agreement or applicable Data Protection Laws.
(g) HackerRank will take steps to ensure that Sub-processors or any other person engaged by HackerRank to assist in the processing of personal information are “Service Providers” under the CCPA, and HackerRank will enter into a written agreement with each service provider obligating the service provider to the applicable requirements under the CCPA.
(h) HackerRank will notify Customer if HackerRank makes a determination that it can no longer meet its obligations under the CCPA.
(i) Customer will have the right, upon notice to HackerRank, to take reasonable and appropriate steps to stop and remediate any unauthorized use of personal information and to help to ensure that HackerRank uses the personal information in a manner consistent with Customer’s obligations under the CCPA.
14.2. United Kingdom. Where HackerRank’s processing of personal data is subject to UK GDPR, the UK Addendum to the SCCs included with this DPA will apply.
The categories of data subjects whose personal data may be processed are:
HackerRank may process the following categories of personal data in providing the Services:
HackerRank does not intentionally, and the parties do not anticipate that HackerRank will, collect or process any “special categories of personal data” or “sensitive personal information” (as each is defined by applicable Data Protection Laws) in connection with the use or provision of the Services.
HackerRank will process personal data in connection with the provision of HackerRank Services as set forth in the Agreement.
Personal data is processed on a continuous basis until the data is deleted or returned to Customer in accordance with the Agreement.
1. Module 2 (Controller to Processor). For transfers of personal data where the SCCs apply, the SCCs will be deemed entered into (and incorporated into this DPA by this reference) and completed as follows:
2. Specific Clauses. The following clauses of the SCCs will apply as set forth below:
3. Appendix to SCCs. The Annexes to this DPA set forth information that populates the corresponding Annex to the SCCs.
---------------------------------------------------------
Data Exporter: Customer
Data Importer: Interviewstreet, Inc. d/b/a HackerRank
The transfer of personal data is as described in Schedule 1 of this DPA.
---------------------------------------------------------
The technical and organizational measures are as described in the DPA.
---------------------------------------------------------
The controller has authorized the use of the following sub-processors: As authorized by the DPA.
---------------------------------------------------------
Where HackerRank’s processing of personal data is subject to Data Protection Laws of the United Kingdom (including the UK GDPR and Data Protection Act of 2018), the SCC terms above in this Schedule will apply, as supplemented or modified by the UK Addendum, as follows:
The SCCs are deemed amended as set forth in Part 2 of the UK Addendum.