CHECKR, INC. SERVICES AGREEMENT
This Services Agreement together with any Orders (as defined below) (collectively, the “Agreement”) contains the terms and conditions that govern your access to and use of the Platform (as defined below) and is an agreement between Checkr, Inc. (“Checkr”) and you or the entity you represent (“Customer”, “You” or “Your”). This Agreement takes effect when You click the “Continue” button or check box presented with these terms or, if earlier, when You use any of Checkr’s service offerings (the ”Effective Date”). You represent to us that You are lawfully able to enter into this agreement (e.g., You are not a minor). If You are entering into this Agreement and creating an Account for an entity, such as the company You work for, You represent to us that You have legal authority to bind that entity.
By entering into this Agreement and/or creating an Account, You are certifying that You have direct knowledge of the facts You are certifying to herein and certify and agree to the following:
- You certify that You will order and use the Reports only for (i) employment purposes, as defined by the FCRA, including hiring and promotion decisions, or (ii) the permissible purpose You selected when creating Your Account. Prior to ordering any Reports, you must obtain the Consumer’s written authorization, pursuant to Section 3 of the Agreement, and use reasonable steps to verify that all Consumer personal information transferred to Checkr is accurate and belongs to the Consumer for whom a Report is being requested. You certify that You will notify Checkr immediately if Your permissible purpose change(s) for any reason. You acknowledge and agree that the Reports do not verify a Consumer’s identity on your behalf. You also certify that You are the business type stated in Your Account, have a need for consumer credit information in connection with your stated permissible purpose, and are in compliance with any additional state and local requirements for obtaining and using consumer credit information. Each time You order or access a Report, you reaffirm the certifications in Section 3 of the Agreement. See Section 3 of the Agreement for further requirements.
- While You acknowledge sole responsibility for compliance with any state and/or local regulations that require that a copy of the Report be provided to the Consumer upon request, to the extent the Consumer has requested a copy through Checkr’s Hosted Platform or You have communicated the request to Checkr via API, or otherwise configured Your account to do so, You authorize Checkr to provide on your behalf a copy of the Report to each Consumer about whom You have requested a Report, to the email address provided by the Consumer.
- You acknowledge receipt of and certify that You have reviewed and fully understand the following three statutory notices:
- Summary of Your Rights Under the Fair Credit Reporting Act (16 C.F.R. Part 601) located at https://files.consumerfinance.gov/f/documents/bcfp_consumer-rights-summary_2018-09.docx
- Remedying the Effects of Identity Theft located at https://www.consumerfinance.gov/about-us/newsroom/bureau-consumer-financial-protection-issues-updated-fcra-model-disclosures/
- Notice to Users of Consumer Reports (16 C.F.R. Part 601) located at https://www.gpo.gov/fdsys/pkg/CFR-2012-title12-vol8/pdf/CFR-2012-title12-vol8-part1022-aNotice to Users of Consumer Reports (16 C.F.R. Part 601) located at https://www.gpo.gov/fdsys/pkg/CFR-2012-title12-vol8/pdf/CFR-2012-title12-vol8-part1022-appN.pdf
You authorize the use of the documents and links above with Your Consumers via the Platform. Unless You elect to utilize the Checkr Hosted Platform, You agree to give Your Consumers the documents and links above when applicable, as well as any statutory notices required by state or local regulations.
- You understand that Your compliance with all applicable Law is solely Your responsibility. Checkr provides account configuration support (package and product setting suggestions, such as MVR filters and fairness settings), as well as a variety of sample forms (disclosures, notifications, and authorizations), and other support materials in order to assist You with Your compliance obligations, however, none of these materials have been prepared specifically for You or on Your behalf. Use of Checkr forms and other materials, whether as part of the Checkr Hosted Platform or elsewhere, means that You certify that You have reviewed, fully understand, have received independent legal advice on the contents and effects of any such configurations or materials as they relate to your legal compliance and/or liability, and You are solely responsible for the adoption and use thereof. Nothing provided to You by Checkr should be construed as legal advice.
“Address History Scope” means the Consumer’s address history that is determined by Checkr to be relevant to the Order and Consumer, which will be used for searching records.
“Account” means a Checkr account associated with a valid e-mail address.
“Agreement” means collectively, this Agreement and any Order(s) including any Exhibits thereto, entered into between the parties.
“API” means the Checkr Platform’s application programming interface(s) used to provide Checkr’s services.
“App” means a software application owned or controlled by You that implements the API.
“Approved Affiliates” means Customer’s affiliates, parents, or subsidiaries who Checkr has approved in writing to access the Platform under this Agreement.
“Background Check” means the production of a Report.
“Background Information” means the personal information required to be submitted to the Platform to conduct a Background Check on that Consumer.
“Checkr Forms” means any standard disclosure, authorization, and notification forms made available to You by Checkr.
“Checkr Hosted Platform” means the standard Consumer registration flow as presented on Checkr’s Platform.
“Checkr Partner” means a Checkr approved third party service authorized to provide End Users with the access, use or purchase of Checkr’s services.
“Consumer” means an individual applicant who is subject to a Background Check in support of their application for employment or engagement as an independent contractor by You.
“Credit Report” means a specific type of Report including consumer credit information obtained from a credit bureau.
“Customer Credential Application” means the credentialing application form that You must submit to Checkr in order to seek approval to become a customer of Checkr.
“Customer Portal” means the online Checkr portal and related tools that Checkr makes available to You and its other customers, to access the Platform and manage Background Checks.
“Documentation” means any technical literature, end user agreements, Customer instructions, and other written materials ordinarily provided by Checkr with the Platform.
“Employment Purposes” means the specific permissible purpose of a Report concerning the evaluation of individuals for employment, promotion, reassignment or retention as an employee or independent contractor.
“FCRA” means the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq.
“Fees” means collectively, the Service Fees, Pass-Through Fees, and Implementation Fees, if applicable.
“Government Pass-Through Fees” means the additional fees that may be imposed by governmental entities for the Background Check that You order, including, but not limited to, court fees, county processing fees, multi-state fees, and international fees. Additional pricing information is located at https://checkr.com/pricing/pass-through-fees, as updated from time-to-time.
“Intellectual Property Rights” means all forms of proprietary rights, titles, interests, and ownership relating to patents, copyrights, trademarks, trade dresses, trade secrets, know-how, mask works, moral rights, and all similar rights that may exist now or later in any jurisdiction, including without limitation any applications and registrations for the foregoing.
“Investigative Consumer Report” means a specific type of Report as defined under FCRA Section 603(e).
“Law” means all applicable laws, rules and regulations, whether federal, state, local or international.
“MVR” means motor vehicle records.
“Order” means the order form or product request form submitted in connection with, or referencing, this Agreement, and specifies the certain products that You are authorized to purchase.
“Pass-Through Fees” means, collectively, Government Pass-Through Fees and Third Party Pass-Through Fees.
“Platform” means the background check platform offered by Checkr, that allows access to Checkr’s various products, including but not limited to the Customer Portal, the APIs and other technology and tools offered by Checkr.
“Report” means a consumer report or other applicable screening product offered on the Platform (as defined under the FCRA and applicable state Laws), including a Credit Report and an Investigative Consumer Report (if applicable).
“Reporting Scope” means the scope of information that may be reported to You by Checkr based on your Order, subject to applicable Law.
“Rules Criteria” means the set of rules defined by Customer that controls how Report content, including, but not limited to criminal records and any applicable motor vehicle records, is filtered, categorized, and/or displayed on a Report, by Checkr on Your behalf.
“Service Fees” means the fees specified in Your Order for purchase of Reports. Service Fees do not include Pass-Through Fees.
“Term” is defined in each applicable Order.
“Third Party Pass-Through Fees” means the additional fees that may be imposed by third party data vendors for the Background Check that You order, including, but not limited to, educational and employment verification fees. Additional pricing information is located at https://checkr.com/pricing/verification-pass-through-fees, as updated from time-to-time.
“You” means the Customer listed on the Order and, if applicable, any Approved Affiliates.
“Variable Costs” is a legacy term that has the same meaning as Pass-Through Fees.
2. USE OF PLATFORM
2.2 Account Creation. In addition to this Agreement, You must create an Account and enter into an Order with Checkr before You can use the Platform. The Order will specify the Service Fees and Report(s) that apply. If You wish to add other Report types later, please contact Your sales representative.
2.3. Use of Platform. During the Term and subject to the terms of the Agreement, You may access and use the Platform solely:
(a) for Your own use of the specific Report(s) in the Order; and
(b) via the Checkr API in compliance with its accompanying Documentation, and any reasonable rules or guidelines that Checkr may provide.
2.4. Restrictions. You represent and warrant that You shall:
(a) not use, or attempt to use, the Platform for unauthorized purposes (e.g., tenant screening);
(b) not use the Platform for the benefit of any third party without Checkr’s prior written permission;
(c) not do any of the following, or allow any third party to do any of the following: (i) copy, distribute, rent, lease, lend, sublicense or transfer the Platform, or make the Platform available to any third party, including Your affiliates, parents or subsidiaries, other than Approved Affiliates, without Checkr’s express prior written consent, (ii) modify, decompile, reverse engineer, or disassemble the Platform or otherwise attempt to discover any underlying source code, ideas, algorithms, file formats or programming interfaces, (iii) create derivative works based on the Platform; (iv) modify, remove, or obscure any copyright, trademark, patent or other notices or legends that appear on the Platform; or (v) use the Platform to develop a competitive product offering;
(d) not use any agents, robots, scripts, spiders, or other automated means to access or manage the Platform; and
(e) not allow Your personnel to access the Platform or order Reports for improper, illegal or unauthorized purposes, including on themselves, associates, or any other person except in the exercise of their official duties.
2.5 API Keys. Checkr will make API keys available to You to access the Checkr Platform. You are responsible for securing your API keys, and you agree not to publish or share them with any unauthorized persons, including Your service providers, except as approved by Checkr in writing. You will contact Checkr immediately if you become aware of any unauthorized use of your API keys.
3. USE OF REPORTS
3.1 Your Certifications. When requesting and using Reports, You must comply with all Laws, including but not limited to the FCRA, anti-discrimination Laws, and state Laws. You are solely liable for Your failure to do so. You certify and agree:
(a) To request and use each Report only for the permissible purpose(s) to which You certified in each applicable Order and for which You are permitted by Law to use such Report;
(b) To use each Report for only a one-time use (e.g., You may use a Report to determine eligibility for employment, but You may not later use that same Report to determine eligibility for promotion);, and to use each Report within 30 days of completion date;
(c) To develop and follow reasonable procedures to comply with Laws and for the fair and equitable use of Background Information and Reports, as required by applicable equal opportunity and fair chance hiring Laws;
(d) To make adverse action decisions only in compliance with applicable Law;
(e) To strictly comply with the Security Obligations in Section 5 with respect to Reports and related information;
(f) To hold the Reports in strict confidence and not disclose the Reports, unless required by Law, to any third parties;
(g) To comply with and provide all statutorily required notices in FCRA and other state laws when using the Background Information and Reports;
(h) To maintain up-to-date compliance locations with each Report request, based on your applicable package configuration and account segmentation, and ensure such information is correctly reflected in the Platform;
(i) To maintain complete and accurate records of all required consents, authorizations and disclosure forms of each Consumer You requested a Report for, as required by Law, and make these records available to Checkr upon request, including any Checkr Forms that You have adopted and approved for Your own use; and
(j) To obtain the Consumer’s consent to receive from You and from Checkr, as applicable, any legal or other notices and communications electronically, including by SMS message, and to obtain such consent in compliance with U.S. Electronic Signatures in Global and National Commerce Act of 2000.
3.2 California Certification. As applicable to You or the Report that You request, You hereby certify that, under the Investigative Consumer Reporting Agencies Act (“ICRAA”), California Civil Code Sections 1786 et seq., and the Consumer Credit Reporting Agencies Act (“CCRAA”), California Civil Code Sections 1785.1 et seq., if You are located in the State of California, and/or Your request for and/or use of Reports pertains to a California resident or worker, You certify to all of the following:
(a) When, at any time, Reports are sought for Employment Purposes, unless a legal exception otherwise applies, You have provided a clear and conspicuous disclosure in writing to the Consumer, which solely discloses: (1) that an Investigative Consumer Report may be obtained; (2) the permissible purpose of the Investigative Consumer Report; (3) that information on the Consumer’s character, general reputation, personal characteristics and mode of living may be disclosed; and (4) the name, address, telephone number, and website of the Consumer Reporting Agency conducting the investigation; and (5) the nature and scope of the investigation requested, including a summary of the provisions of California Civil Code Section 1786.22.
(b) When, at any time, Reports are sought for Employment Purposes, unless a legal exception otherwise applies, You agree to only request a Report if the applicable Consumer has authorized in writing the procurement of the Report.
(c) In accordance with California Civil Code Sections 1786.16(a)(5) and (b), You agree to provide a means by which the Consumer may indicate on a written form, by means of a box to check, that he/she wishes to receive a copy of any Reports that are prepared. If the Consumer wishes to receive a copy of the Report, You shall send (or contract with another entity to send) a copy of the Report to the Consumer within three business days of the date that the Report is provided to You. The copy of the Report shall contain the name, address, and telephone number of Checkr, who issued the report, and how to contact Checkr.
(d) Under all applicable circumstances, comply with California Civil Code Sections 1785.20 and 1786.40 in the taking of adverse action, which shall include, but may not be limited to, advising the Consumer against whom an adverse action has been taken that the adverse action was based in whole or in part upon information contained in the Report, informing the consumer in writing of Your name, address, and telephone number, and provide the Consumer of a written notice of his/her rights under the ICRA and the CCRAA.
3.3 Massachusetts Criminal Record Information Policy. As applicable to You or the Report that You request, You hereby certify that, under the Commonwealth’s Criminal Offender Record Information (“CORI”) law, if You are located in the State of Massachusetts, and/or Your request for and/or use of Reports pertains to a Massachusetts resident or worker, You certify to all of the following:
(a) Before asking a Consumer about their criminal records, You will provide a Consumer with copies of these records if You are in possession of such records;
(b) That before taking adverse action based, in whole or in part, on criminal history records, You will notify the Consumer of the potential adverse employment decision by sending required pre-adverse and adverse action notices and any other applicable notices. The pre-adverse action notice will include the criminal history records, the sources of the records, a copy of Your CORI policy, and a copy of information from the state agency about the process for correcting a criminal record; and
(c) That You will also provide the Consumer with an opportunity to dispute the accuracy of the criminal history records by waiting at least five business days before taking final adverse action.
3.4 International Background Screenings. As applicable to You and Your Report requests, You certify that You comply with all international Laws, including but not limited to the GDPR and any regulation belonging to the country in which the Consumer currently resides or will be employed within. In addition to all other applicable certifications in this Section 3, You certify and agree:
(a) To take into consideration the nature, scope and context of the purpose to which You certify in each applicable Order, and to only request screenings that are directly relevant and necessary to the certified purpose;
(b) To only request screenings when a lawful basis of processing can be relied upon; and
(c) To limit use of Background Information to the purpose to which You certify in each applicable Order.
3.5 Employment Purposes. If You use or request a Report for Employment Purposes, You certify and agree:
(a) You will not request a Report for Employment Purposes unless:
i. A clear and conspicuous disclosure has been made in writing to the Consumer by You before the Report is obtained, in a document that consists solely of the disclosure that a consumer report may be obtained for Employment Purposes;
ii. The Consumer has authorized in writing the procurement of the Report; and
iii. Information from the Report will not be used in violation of any employment opportunity Laws.
(b) You further certify that before taking adverse action in whole or in part based on a Report for Employment Purposes, you will provide the Consumer with:
i. A copy of the Report for Employment Purposes, as applicable;
ii. A copy of the Consumer’s rights, in the format approved by the Consumer Financial Protection Bureau; and
iii. The required pre-adverse action notice and any other assessment forms or notices required by applicable Law.
(c) That each time You order or access a Report for Employment Purposes, You are reaffirming the certifications in 3.1, 3.2, 3.5(a), and 3.5(b).
(d) That You understand that Checkr will not initiate a Report for Employment Purposes in the absence of a written authorization.
(e) You shall request a Report for Employment Purposes pursuant to procedures prescribed by Checkr from time to time only when You are considering the individual inquired upon for employment, promotion, reassignment or retention as an employee or contractor, and for no other purpose
(f) That, if and only if you request credit bureau data, You are not any of the following types of persons, entities and/or businesses: bail bondsmen, credit counseling firms, members of the media, resellers, financial counseling firms, credit repair clinics, pawn shops (except companies that do only title pawn), check cashing companies (except companies that do only loans, no check cashing), genealogical or heir research firms, massage or tattoo services, businesses that operate out of an apartment, individuals seeking information for their own private use, adult entertainment services of any kind, companies that locate missing children, companies that handle third party repossession, companies seeking information in connection with time shares, subscriptions companies, individuals involved in spiritual counseling or persons or entities that are not an end-user or decision maker.
(g) That while Checkr shall make commercially reasonable efforts to notify You of a failure to deliver any notices, authorizations, disclosures, pre-adverse or adverse action letters, You understand that the use of Checkr’s Platform, including without limitation, the adverse action features, does not relieve You of Your responsibilities under Section 3.5. In the event Checkr notifies You of a delivery failure for any notice or adverse action letter, You understand that it is Your responsibility as an end user to monitor and complete deliverability or take any other appropriate action necessary to complete Your required obligations.
3.6 MVR Purposes. This Section shall apply if and only if You elect, in Your sole discretion, to receive MVRs and/or driving records. If You request MVRs and/or driving records, You certify and agree:
(a) That You are ordering the MVRs and/or driving records in strict compliance with the Driver Privacy Protection Act (“DPPA”, at 18 U.S.C. § 2721 et seq.), if it applies, and any applicable state Laws.
(b) You have the Consumer’s written consent to obtain “driving records” and MVRs, and have stored original copies of such consents for audit by MVR regulators if they so request, or have otherwise satisfied this obligation (e.g., Consumer consent secured via the Platform).
(c) You will only use this MVR in the normal course of business to obtain lawful information relating to the holder of a commercial driver’s license or to verify information provided by the Consumer.
(d) You will not transmit any data contained in the MVR via the public internet, email or any other unsecured means.
(e) That default MVR filters are made available as a reference solely for Your efficiency, and Your use of such MVR filters means that You have reviewed and approved such categories.
3.7 Investigative Reports. If You request an Investigative Consumer Report, You certify and agree:
(a) That You have clearly and accurately disclosed to the Consumer, not later than three days after the date on which the Investigative Consumer Report was first requested, that
i. an Investigative Consumer Report including information as to his or her character, general reputation, personal characteristics and mode of living may be made; and
ii. the Consumer has the right to request a complete and accurate disclosure of the nature and scope of the investigation requested (“Investigative Report Disclosure”).
(b) The Investigative Report Disclosure shall include a copy of the Consumer’s rights, in the format approved by the Consumer Financial Protection Bureau.
(c) If the Consumer makes a written request within a reasonable amount of time after receipt of the Investigative Report Disclosure, You will make a complete and accurate written disclosure of the nature and scope of the investigation requested. This information will be provided to the Consumer no later than five (5) days after the request for such disclosure was received from the Consumer or such Report was first requested, whichever is the later.
3.8 Customer Rules Criteria. This Section shall apply if and only if You elect, in Your sole discretion, to implement and/or customize Rules Criteria
(a) To the extent You elect to implement and/or customize Rules Criteria and to the extent permitted by Law, You authorize Checkr to apply such Rules Criteria to the information contained in a Report in order to facilitate Your adjudication process provided that, You acknowledge and agree that You are solely responsible for: (1) Your Rules Criteria and for any decisions taken based on Your Rules Criteria; (2) determining when and whether to apply the outcomes from the application of Your Rules Criteria to Your evaluation of a Report; (3) reviewing the content of the Reports in the manner and method prescribed by applicable Law, including, but not limited to, conducting and/or documenting individualized assessments and performing final adjudications on all Reports; and (4) ensuring that Your utilization of the Rules Criteria in evaluating the Reports and in Your final adjudication is in compliance with all applicable Laws. You acknowledge and agree that Checkr shall not be liable for any application of Your Rules Criteria, and that application of Your Rules Criteria is deemed to be purely clerical in nature and shall be performed by Checkr on Your behalf. You further acknowledge and agree that: Checkr is not authorized to make any decision regarding employment, or any other decision on Your behalf, based on the information contained in a Report.
(b) You certify that You have reviewed Your Rules Criteria to ensure that they comply with applicable Law, and that You will regularly update such criteria in order to ensure Your ongoing and continued compliance with applicable Law.
(c) With each order for a Report, You reaffirm the statements in 3.5(a) and certification in 3.5(b) above.
(D) You certify and agree that the application and/or customization of a Rules Criteria is made available as a reference solely to facilitate Your adjudication obligations and Your use of such Rules Criteria means that You have reviewed and approved Checkr’s classification of record categories and that You adopt the Rules Criteria as Your own.
3.9 Drug Tests. This Section shall apply if and only if You elect, in your sole discretion, to order drug tests.Checkr will arrange for drug tests as You may request and will include the results of those tests received from drug test providers in Reports. You understand and represent that any drug test You may request or require is requested in accordance with any applicable federal, state, or local law, including the FCRA, if applicable. Drug tests will be performed by third-party vendors in accordance with directions received by You.
3.10 Continuous Check Service. This Section shall apply if and only if You elect, in Your sole discretion, to use the Continuous Check Service.
(a) General. At Your election and for the price(s) set forth on the applicable Order Form, Checkr will provide criminal record monitoring services and products to identify other criminal activity of subscribed Consumers after their initial onboarding and Report by Checkr and monitor for subsequent court-related activity as an extension of Checkr’s existing background screening process (the “Continuous Check Service”). Checkr will provide a new Report whenever any component of the Continuous Check Service returns pointers to reportable information on a Consumer to the extent permitted by law. Checkr must have completed a Report with a criminal search on the Consumer on Your behalf in order to enroll the Consumer in the Continuous Check Service.
(b) Consent. You shall be responsible for obtaining and maintaining all required disclosures, notices, and consents from the Consumer prior to his or her inclusion in the Continuous Check Service as required by applicable law, and certify as such to Checkr upon request. When requesting and using the Continuous Check Service, You must comply with all Laws, including but not limited to any applicable disclosure and authorization certification requirements and state-specific consent requirements. You reaffirm the certifications in Sections 3.1, 3.2, 3.5(a), 3.5(b), and 3.7 above with Your ongoing use of the Continuous Check Services. You are solely responsible for maintaining an up-to-date list of Consumers to be included in the Continuous Check Service in accordance with applicable Laws and re-obtaining consent if a Consumer is removed and later re-subscribed in the Continuous Check Service.
(c) Subscription Billing and Payment. You shall pay Checkr a monthly fee per each unique Consumer subscribed to the Continuous Check Service at any time within a calendar month, as set forth on Exhibit A of the applicable Order (“Subscription Fee”). You are solely responsible for maintaining an up-to-date list of Consumers to be included in the Continuous Check Service for invoicing purposes. SubscriptionFees will be billed on a monthly basis in arrears. All invoices must be paid within thirty (30) days from the date of invoice.
3.11 Third Party Services. At Your sole discretion, You may choose to take advantage of certain services offered through the Platform that are created, offered, supported and maintained by third parties (“Third Party Developers”) unaffiliated with Checkr or its affiliates (collectively, “Third Party Services”). Notwithstanding anything to the contrary in this Agreement, You acknowledge and agree that: (a) You access or deploy Third Party Services through the Platform at Your sole discretion; (b) You should read the terms and conditions and privacy policies associated with any Third Party Services which govern Your use of such Third Party Services; and (c) Checkr does not own or control any of these Third Party Developers or the Third Party Services. You further acknowledge and agree that Checkr is not responsible or liable for any such Third Party Services or acts or omissions of Third Party Developers, under any circumstances. Checkr does not in any way warrant the accuracy, reliability, security, completeness, usefulness, non-infringement, or quality of any Third Party Services (including without limitation the content contained therein). You agree that You bear all risks associated with using or relying on Third Party Services. If You have any questions about Third Party Services or the terms that govern the use of such Third Party Services, You should contact the applicable Third Party Developer directly.
3.12 Not Legal Advice. Checkr does not, and cannot, provide legal advice or other compliance related services to You or guarantee Your compliance with Laws in your use of the Platform or Reports. You understand that any documents, information, conversations or communication with Checkr’s representatives regarding searches, verifications or other services offered by Checkr are not to be considered a legal opinion regarding such use. You agree to consult with your own legal counsel (1) about the use of Rules Criteria and background screening information, including but not limited to, the legality of using or relying on reported information, and (2) to review any forms as well as the content of prescribed notices, adverse or pre-adverse action letters and any attachments to this Agreement for compliance with all Laws. You agree that the provision of such notices, pre-adverse or adverse action letters and the contents thereof is Your sole responsibility. You acknowledge and agree that You have no obligation to use, and are solely responsible for independently vetting the contents of, any sample forms that Checkr has provided to You.
3.13 Notice of Penalty Under the FCRA. THE FCRA PROVIDES THAT ANY PERSON WHO KNOWINGLY AND WILLFULLY OBTAINS INFORMATION ON A CONSUMER FROM A CONSUMER REPORTING AGENCY UNDER FALSE PRETENSES SHALL BE FINED UNDER TITLE 18 OF THE UNITED STATES CODE OR IMPRISONED NOT MORE THAN TWO YEARS, OR BOTH.
4. DELIVERY TERMS AND LIMITATIONS
4.1 International Criminal Records. Checkr may use third party contractors to perform international background screenings. Because of differences in foreign laws, language, and the manner in which foreign records are maintained and reported, Checkr cannot insure or guarantee the accuracy of the information reported. You acknowledge and agree that You are solely responsible for complying with all applicable obligations under foreign Laws related to the ordering, use and evaluation of Background Checks.
4.2 National/Multi-State/County Database; Additional Costs. Checkr recommends that You screen applicants at the county courthouse or online system, federal, and multi-state/nationwide database levels. If You choose not to conduct certain searches or searches at these levels, Checkr is not liable for any records that exist that are not included in the Report. Checkr will include any Pass-Through Fees associated with this verification in Your invoice.
4.3 Support. You can request Platform support during Checkr’s normal business hours via email sent to email@example.com. While Checkr makes commercially reasonable efforts to ensure continuous availability of the Platform, Checkr makes no representation, warranty or guarantee regarding the continuous availability or performance of the Platform.
4.4 Updates. Checkr may change the Platform features, and the production, support, delivery, layout or maintenance of the Reports from time to time, or discontinue the provision of a Report, in its sole discretion, provided that no such change will result in any material reduction in the utility, functionality, or integrity of Checkr’s services to You. For any material and adverse changes to Report features and details, Checkr will use commercially reasonable efforts to provide at least 30 days advance notice to You. You also acknowledge that within thirty (30) days of a Report completion date, Checkr may update the Report as part of our quality assurance purposes. In such cases, Checkr will provide You and the Consumer a copy of the updated Report.
4.5 Platform Analytics. You understand and agree that the Platform offers a number of analytics (e.g., estimated Report completion date, geography, etc.) that are strictly for informational purposes and should not be used as a factor for Consumer assessment or adverse action purposes.
5. YOUR SECURITY OBLIGATIONS
You represent and warrant that:
(b) You are solely responsible for any Background Information You collect on behalf of Consumers.
(c) You will designate a limited number of key personnel who have a need to know about Background Information and Reports and inform them of Your obligations under this Agreement.
(d) Neither You nor Your personnel will give Your account credentials (login or password) to any unknown caller, even if the caller claims to be an employee of Checkr.
(e) You agree that any system access software that You use, whether developed by Your company or purchased from a third-party vendor, will keep your account number and password “hidden” or embedded and be known only by supervisory personnel. You will assign a unique logon password to each user of the system access software. You will strictly prohibit the sharing of passwords. If such system access software is replaced by different access software and therefore no longer is in use or, alternatively, the hardware upon which such system access software resides is no longer being used or is being disposed of, or if the password has been compromised or believed to be compromised in any way, You will change Your password immediately.
(f) You and Your personnel will secure all hard or electronic copies of Background Information and Reports within Your offices and facilities so that unauthorized persons cannot easily access them.
(g) You will place all terminal devices used to obtain Background Information and Reports in a secure location within Your facility so that unauthorized persons cannot easily access them.
(h) You will shred or destroy all hard copy Reports, and delete or render unreadable any electronic files containing Reports, after it is no longer needed and when Laws permit destruction.
(i) You are solely responsible for the activities of any person accessing the Platform using any credentials issued to You.
(j) You and Your personnel must use reasonable and industry standard means to secure account credentials, Reports, and Background Information, and promptly notify Checkr if you suspect that any of the foregoing have been compromised.
(k) You will abide by all applicable obligations set forth in the Data Protection Addendum attached hereto as Attachment 1.
Checkr may review Your records that are reasonably required to demonstrate compliance with the terms of this Agreement at any time upon reasonable prior notice during the Term, and for 5 years thereafter, to confirm Your compliance with this Agreement. Your breach of this Agreement or violation of Law discovered by Checkr may result in immediate suspension and/or termination of Your account, under Section 12 of this Agreement, legal action and referral to regulatory agencies.
6.2 Public Records. The data collected on Your behalf with respect to running Background Checks on Consumers, include without limitation, DMV records, criminal records, and other publicly available information is deemed to be “Public Records” that Checkr may retain, use, disclose, and delete in its sole discretion and as required or permitted by Law, provided that Checkr retains the Public Records in a manner that does not identify You.
6.3 Usage Data. Checkr owns all right, title and interest in and to all data collected by Checkr related to the operation of the Platform and Your use thereof (“Usage Data”). Usage Data may include Platform performance metrics and analysis, but does not include any Background Information or Public Records. Checkr will not disclose Usage Data to any third party in a manner that identifies You without Your consent other than (i) to Checkr’s third party service providers who use it for the sole benefit of Checkr or as required to provide You the Platform; or (ii) as may be required by Law or legal process.
7. FEES AND PAYMENT
7.1 Fees. During the Term, You are authorized to order the Reports specified in Your Order. You will pay Checkr the Fees specified in each Order, in consideration for Reports ordered and Your use of the Platform. Checkr will automatically debit the ACH debit account You provide, or charge your credit card on file, each month. Notwithstanding the foregoing, You shall not be required to pay any Fees reasonably in dispute, provided that You promptly notify Checkr in writing of the amount in dispute and the reasonable basis therefore within thirty (30) days following the end of month during which such Fees were earned. Any dispute not raised by You during the foregoing time period shall be deemed waived. The parties will investigate and resolve any dispute in a timely and reasonable manner. Checkr reserves the right to adjust fees (i) to the extent you have not committed to a fixed-term Order, upon written notice to you; or (ii) to the extent you have committed to a fixed-term Order, upon sixty (60) days’ notice to you in the event of a ten percent (10%) or greater increase in Pass-Through Fees (for flat-rate packages that include Pass-Through Fees) or international currency fluctuations (for international packages) that are outside of Checkr’s reasonable control.
7.2 Accepted Payment Methods. You must provide valid ACH debit or credit card information to Checkr for Your account in the Customer Portal before You can order any Background Checks. You are solely responsible for ensuring that Your payment information is complete and accurate at all times
7.3 Automatic Payment Terms. After the close of each calendar month, You will receive an invoice for the Fees that You incurred that month. Immediately thereafter, Checkr will automatically charge or withdraw funds via Checkr’s accepted payment methods for the Fees on each invoice. All payments must be made in the currency reflected in Your invoice. Any undisputed amounts due to Checkr under this Agreement not received by the date due will be subject to a late fee of 1.5% per month, or the maximum charge permitted by law, whichever is less. You are responsible for paying any withholding, sales, value added or other taxes, duties or charges applicable to this Agreement. You agree to pay any reasonable attorneys’ fees required for collection of late payment.
7.4 For Customers of Checkr Partners Only: Sections 7.1, 7.2 and 7.3 do not apply. You will pay Checkr Partner the Fees specified in each invoice sent by Your Checkr Partner, in consideration for Reports ordered and in accordance with such Checkr Partner’s terms of service. You must provide valid ACH debit or credit card information to such Checkr Partner for Your account before You can order any Reports.You will be required to reach out to Your Checkr Partner for any billing and payment related matters or disputes.
8. OWNERSHIP; CONFIDENTIALITY
8.1 Checkr Ownership. Checkr owns all right, title, interest, and Intellectual Property Rights, in and to the Platform and any software, technology, materials and information related to the Platform, whether currently existing or later developed.
8.2 Your Ownership. You own all right, title, interest, and Intellectual Property Rights, in and to the Apps (excluding any APIs or Checkr trademarks incorporated therein).
8.3 Feedback. You are not required to provide any ideas, feedback or suggestions regarding any of Checkr’s products or services (“Feedback”) to Checkr. If You do provide any Feedback to Checkr, You agree to assign all right, title and interest in and to such Feedback to Checkr and agree that Checkr may freely use and exploit such Feedback without compensation to You.
8.4 Confidential Information. Each party will keep confidential, all information and materials provided or made available, directly or indirectly, by the other party that is marked as confidential or proprietary, or is identified as confidential or proprietary at the time of disclosure, or the nature of the information and the manner of disclosure are such that a reasonable person would understand it to be confidential (collectively, “Confidential Information”). Checkr’s Confidential Information includes but is not limited to, the features, functionality and content of the Platform and any planned modifications or updates thereto, Fees and pricing information. Each party will maintain all Confidential Information in strict confidence by using at least the same level of care that is uses for its own confidential information, but in no case less than a prudent and reasonable standard of care. Each party may use Confidential Information solely for the purposes of performing its obligations or exercising its rights hereunder. Information that either party can establish: (a) was lawfully in a party’s possession before receipt from the other party; or (b) is or becomes a matter of public knowledge through no fault of the receiving party; or (c) was independently developed or discovered by a party without the benefit of any Confidential Information of the other party, shall not be considered Confidential Information under this Agreement. Each party may disclose Confidential Information solely to its employees and representatives that have a need to know to accomplish the purposes of this Agreement and each of whom are bound to protect the Confidential Information from unauthorized use and disclosure under the terms of a written agreement with terms as protective of the Confidential Information as those set forth in this Agreement. Each party may also disclose Confidential Information in response to a valid order of a court or other governmental body or as otherwise required by law to be disclosed; provided that, the responding party gives sufficient notice to the disclosing party to enable the disclosing party to take protective measures, and/or in any event only disclose the exact Confidential Information, or portion thereof, specifically requested. Except as otherwise expressly set forth in this Agreement, no rights or licenses to intellectual property in Confidential Information is granted by either party under this Agreement, whether express, implied or otherwise, to the other party. The obligations imposed on a receiving party shall survive until such time as the Confidential Information of the disclosing party becomes publicly available and/or made generally known through no action of the receiving party. All Confidential Information will be returned immediately to the disclosing party, or destroyed, after the receiving party’s need for it has expired or upon request of the disclosing party or termination of this Agreement. Each party agrees that any violation of these confidentiality provisions will cause irreparable injury to the other party entitling the other party to injunctive relief or other equitable relief, in addition to, and not in lieu of, any other remedies such party may be entitled to. The disclosure of Confidential Information will be governed by this Agreement, which supersedes any previous confidentiality or nondisclosure agreement executed by or on behalf of the parties. Any such Confidential Information will be treated as if it were disclosed under this Agreement (and this Agreement were in effect) as of the date of such exchange.
9. WARRANTIES; DISCLAIMERS
9.1 Mutual. Each party represents and warrants to the other party that: (i) it has the full corporate power and authority to enter into the Agreement; (ii) the Agreement constitutes a legal, valid and binding obligation when executed and delivered; and (iii) its performance under this Agreement will comply with applicable Law.
9.2 DISCLAIMER. YOU ACKNOWLEDGE THAT CHECKR OBTAINS THE INFORMATION IN ITS REPORTS FROM THIRD PARTY SOURCES “AS IS”, AND THEREFORE PROVIDES THE INFORMATION TO YOU ON AN “AS IS” AND “AS AVAILABLE” BASIS. CHECKR MAKES NO REPRESENTATION OR WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR PARTICULAR PURPOSE, OR IMPLIED WARRANTIES ARISING FROM THE COURSE OF DEALING OR A COURSE OF PERFORMANCE WITH RESPECT TO THE ACCURACY, VALIDITY, OR COMPLETENESS OF ANY REPORTS THAT THE REPORTS WILL MEET YOUR NEEDS, OR WILL BE PROVIDED ON AN UNINTERRUPTED BASIS; CHECKR EXPRESSLY DISCLAIMS ANY AND ALL SUCH REPRESENTATIONS AND WARRANTIES. EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, CHECKR EXPRESSLY DISCLAIMS THE IMPLIED WARRANTIES OF MERCHANTABILITY, NONINFRINGEMENT, FITNESS FOR A PARTICULAR PURPOSE AND IMPLIED WARRANTIES ARISING FROM COURSE OF DEALING OR PERFORMANCE. CHECKR AND ITS SUPPLIERS, LICENSORS, PARTNERS AND SERVICE PROVIDERS DO NOT WARRANT THAT THE FUNCTIONALITY AND INFORMATION PROVIDED BY THE PLATFORM WILL BE CORRECT, UNINTERRUPTED OR ERROR-FREE OR THAT DEFECTS WILL BE CORRECTED.
10.1 Indemnification Obligations. Checkr agrees to defend, at its expense, any third party liabilities, damages, losses, judgments, costs, expenses (including reasonable attorneys’ fees), claims, actions, demands and suits (collectively “Claims”) brought against You, and Your directors, officers, and employees and will pay any damages, costs and expenses (including reasonable attorneys’ fees) finally awarded against You by a court of competent jurisdiction, or payable by You pursuant to a settlement agreement to which Checkr agrees in writing, arising out of or relating to: (a) Checkr’s failure to comply with its obligations under Law to Consumers as a consumer reporting agency, but only to the extent such Claims are caused by the gross negligence or willful misconduct of Checkr in the performance of this Agreement; and (b) an allegation that the Checkr API infringes any third-party patent or copyright of the United States. You agree to defend and indemnify Checkr, and its directors, officers and employees from and against any Claims arising out of or relating to: (a) Your breach of any covenants, representations or warranties of this Agreement; (b) Your violation of any Law, including but not limited to the content or method of delivery of any notices, authorizations, disclosures, pre-adverse or adverse action letters, or any other failure to comply with Your obligations under the FCRA; and/or (c) the willful or malicious conduct by You or Your employees.
10.2 Indemnification Procedure. The indemnified party shall: (i) promptly notify the indemnifying party in writing of any losses for which the indemnified party seeks indemnification; (ii) provide reasonable cooperation to the indemnifying party and its legal representatives in the investigation of any matter which is the subject of indemnification; and (iii) permit the indemnifying party to have full control over the defense and settlement of any matter subject to indemnification; provided, however, that the indemnifying party shall not enter into any settlement that affects the indemnified party’s rights or interests without the indemnified party’s prior written consent, which shall not be unreasonably withheld or delayed. The indemnified party shall have the right to participate in the defense at its own expense. To the extent the indemnifying party is relieved of its obligation to defend the indemnified party as a result of the limitation of liability set forth in Section 11, the indemnified party shall have the right to resume control of its own defense.
11. LIMITATION OF LIABILITY
NEITHER PARTY WILL BE LIABLE FOR ANY INDIRECT, PUNITIVE, SPECIAL, RELIANCE, INCIDENTAL, CONSEQUENTIAL OR SIMILAR DAMAGES (INCLUDING LOSS OF REVENUE OR PROFITS) ARISING OUT OF OR RELATING TO THIS AGREEMENT, INCLUDING THE USE OR INABILITY TO USE THE SERVICE, OR FOR ANY INFORMATION OBTAINED FROM OR THROUGH THE SERVICE, ANY INTERRUPTION, INACCURACY OR ERROR IN THE CONTENT, EVEN IF SUCH PARTY HAS BEEN PREVIOUSLY ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
EXCEPT FOR THE INDEMNIFICATION OBLIGATIONS SET FORTH HEREIN (WHICH SHALL BE SUBJECT TO THE LIMITS SET FORTH BELOW), IN NO EVENT WILL EITHER PARTY’S CUMULATIVE AND AGGREGATE LIABILITY AND DAMAGES ARISING OUT OF THIS AGREEMENT EXCEED THE AMOUNTS YOU ACTUALLY PAID DURING THE TWELVE (12) MONTH PERIOD PRECEDING THE DATE OF THE CLAIM. EACH PARTY’S AGGREGATE LIABILITY ARISING FROM THIS AGREEMENT, WHETHER IN CONTRACT OR TORT, WILL NOT EXCEED ONE HUNDRED THOUSAND DOLLARS ($100,000) IN THE AGGREGATE. RECOVERY OF THIS AMOUNT IS YOUR SOLE AND EXCLUSIVE REMEDY HEREUNDER AND THE PARTIES AGREE THAT THE LIMITATIONS AND DISCLAIMERS OF LIABILITY SET FORTH IN THIS SECTION WILL APPLY EVEN IF ANY LIMITED REMEDY SPECIFIED IN THIS AGREEMENT IS FOUND TO HAVE FAILED OF ITS ESSENTIAL PURPOSE AND REGARDLESS OF THE THEORY OF LIABILITY. THE PARTIES AGREE THAT THE LIMITATIONS AND DISCLAIMERS OF LIABILITY UNDER THIS SECTION CONSTITUTE A FUNDAMENTAL BASIS OF THEIR BARGAIN.
12. TERM; TERMINATION
12.1 Term. This Agreement is effective for one year from the Effective Date unless terminated earlier in accordance with this Agreement (the “Initial Term”).After the Initial Term, this Agreement automatically renews for additional one (1) year periods (each, a “Renewal Term”) until either party terminates with at least 30 days’ notice prior to the expiration of the Initial Term or Renewal Term, or until otherwise terminated per the Agreement. The Initial Term and any applicable Renewal Terms are collectively referred to as the “Term.”
12.2 Suspension. Checkr may suspend or limit Your access to or use of the Platform at any time if: (i) You do not timely pay all Fees due; (ii) in the sole discretion of Checkr such action is necessary to prevent material errors or harm, or to limit Checkr’s liability; or (iii) You attempt to access or use the Platform or Reports in an unauthorized or unlawful manner.
12.3 Termination for Cause.
(a) Either party may terminate this Agreement for a material breach that is not cured within thirty (30) days after written notice (containing the details of such breach) by the non-breaching party, or immediately upon notice of termination in the event of a material breach that by its nature cannot be remedied within thirty (30) days.
(b) Either party may terminate this Agreement immediately upon written notice if (i) the other party files a petition for bankruptcy or is adjudicated as bankrupt; (ii) a petition in bankruptcy is filed against the other party and such petition is not removed or resolved within 60 days; (iii) the other party makes an assignment for the benefit of its creditors or an arrangement for its creditors pursuant to bankruptcy law; (iv) the other party terminates its business operations; (v) a receiver is appointed over all or substantially all of the other party’s assets or business; or (vi) the other party is dissolved or liquidated.
(c) Checkr may terminate this Agreement immediately upon written notice if (i) Checkr reasonably believes that You have violated applicable Law in Your use of the Platform or the Reports; or (ii) a material change in existing legal requirements adversely affects this Agreement.
12.4 Termination for Convenience. You may terminate this Agreement on ninety (90) days’ written notice to Checkr for any reason or no reason. In the event of a termination under this Section 12.4, a termination fee in an amount equal to any fees otherwise payable under any outstanding Order, including minimum commitments or other fees that would have otherwise been due during the Term of such Order, shall become due and payable as of the effective date of such termination.
12.5 Outstanding Orders. If applicable, any outstanding Reports pursuant to any Order and Your obligations under this Agreement will survive any termination of this Agreement.
13.1 Governing Law. This Agreement is governed by California Law, excluding its choice of law rules. Each party submits to jurisdiction of the state and federal courts in San Francisco, California.
13.2 Assignment. You may not assign any of Your rights or obligations under this Agreement without the prior written consent of Checkr, provided, however, that an assignment made in connection with a change of control transaction or a sale of all or substantially all of a party’s assets shall not require consent, so long as (1) You promptly notify Checkr of such assignment in writing and (2) do not access the Platform or order any Reports unless and until Checkr has approved a Customer Credential Application for the successor entity. Subject to the foregoing, this Agreement inures to the benefit of and is binding on the parties’ permitted assignees, transferees and successors. Any attempted assignment in violation of this clause is void.
13.4 No Publicity. Neither party will make any announcements or statements to the public concerning the relationship between them or the transactions described herein without the prior written consent of the other party. Neither party will use the other party’s name, trademark or logos without the prior written consent of the other party, provided, however, that Checkr may identify You as a Checkr customer in Checkr’s promotional materials or sales presentations. You may request that Checkr stop doing so by submitting an email to firstname.lastname@example.org at any time.
13.5 Integration. This Agreement reflects the parties’ entire agreement relating to its subject and supersedes any prior or contemporaneous agreements on that subject. Checkr may modify this Agreement in its sole discretion. Checkr will make good faith efforts to give You at least 30 days’ notice of any material and/or detrimental changes to this Agreement, which notice may be provided via email or the Customer Portal.
13.6 Force Majeure. Neither party will be responsible for any failure or delay in its performance under this Agreement due to causes beyond its reasonable control, including, but not limited to, labor disputes, strikes, lockouts, internet or telecommunications failures; shortages of or inability to obtain labor, energy, or supplies; war, terrorism, riot, acts of God or governmental action; acts by hackers or other malicious third parties and problems with the Internet generally, and such performance shall be excused to the extent that it is prevented or delayed by reason of any of the foregoing.
13.7 Miscellaneous. The parties are independent contractors, and this Agreement does not create an agency, partnership or joint venture, or authority to bind the other party. There are no third-party beneficiaries to this Agreement. If any provision is found unenforceable, it and any related provisions will be interpreted to best accomplish the unenforceable provisions essential purpose. Any waiver of a provision of this Agreement will only be valid if provided in writing and applies only to the specific occurrence so waived. Failure to enforce any provision will not constitute a waiver. Nothing in this Agreement will limit a party’s ability to seek equitable relief. Section headings are not to be used in the interpretation hereof. The following Sections survive any expiration or termination of the Agreement: 2.4, 3, 4.1 and 5 to 13.
13.8 Notices. To give compliant notice under this Agreement:
From You to Checkr: Send the written notice via email to email@example.com and simultaneously via postal mail to One Montgomery Street, Suite 2400 San Francisco, CA 94104. Checkr will notify You via the Platform, email or postal mail if it updates either.
From Checkr to You: Checkr will notify You via the Platform, or to the postal or email address You provide in the Customer Portal. You may update that information in the Customer Portal at any time.
DATA PROTECTION ADDENDUM
This Data Protection Addendum (“DPA”) supplements the Agreement by and between You and any of Your Approved Affiliates (collectively, “Customer”) and Checkr. In the event of any conflict between the Agreement and the terms of this DPA, this DPA shall govern.
1. Definitions. For purposes of this DPA:
a. “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. and any applicable regulations.
b. “Customer Data” means Personal Data provided by Customer for purposes of obtaining Services under the Agreement.
c. “Data Controller” means the entity that determines the purposes and means of the Processing of Personal Data, including as applicable any “business” as that term is defined by the CCPA.
d. “Data Privacy Laws” means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, communications secrecy, breach notification, or the Processing of Personal Data, including without limitation, to the extent applicable, the CCPA, GDPR, the UK GDPR, and the Swiss Federal Act on Data Protection 2020. For the avoidance of doubt, if the parties’ processing activities involving Personal Data are not within the scope of a given Data Privacy Law, such law is not applicable for purposes of this DPA.
e. “Data Subject” means an identified or identifiable natural person about whom Personal Data relates. Specifically, this refers to Consumers whom Checkr has been engaged by Customer to compile Reports.
f. “EU Personal Data” means Personal Data the sharing of which pursuant to this Agreement is regulated by the General Data Protection Regulation or the Swiss Federal Act on Data Protection 2020.
g. “GDPR” means the General Data Protection Regulation, Regulation (EU) 2016/679 of the European Parliament and of the Council together with any subordinate legislation or regulation implementing the General Data Protection Regulation.
h. “Personal Data” includes “personal data” as defined by the GDPR, “personal information” as defined by the CCPA, and “personally identifiable information” as defined by other applicable Data Privacy Laws. Personal Data does not include publicly available information excluded from the definition of “Personal Data” under applicable Data Privacy Laws. Further Personal Data does not include data exempted under applicable Data Privacy Laws, including but not limited to CCPA §§1798.145(d)-(f).
i. “Process”, “Processed” and/or “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
j. “Processor” means the entity which Processes Personal Data on behalf of the Controller, including as applicable any “service provider” as that term is defined by the CCPA.
k. “Security Breach” means any accidental or unlawful acquisition, destruction, loss, alteration, disclosure of, or access to, Customer Data.
l “Sell,” “Sale,” “Share,” or “Sharing” shall have the meaning set forth in the CCPA.
m. “Services” mean the services provided by Checkr to Customer, as provided in the Agreement.
n. “Standard Contractual Clauses” means the annex found in EU Commission Decision of 4 June 2021 on standard contractual clauses for the transfer of personal data to processors established in third countries under Regulation (EU) 2016/679 of the European Parliament and of the Council, incorporated herein by reference, completed as described in the “Data Transfers” section below.
o. “Subprocessor” means any Checkr affiliate or subcontractor engaged by Checkr for the Processing of Customer Data.
p. “UK Addendum” means the UK Addendum to the EU Standard Contractual Clauses.
q. “UK GDPR” means the UK General Data Protection Regulation, amended by the Data Protection Act 2018.
r. “UK Personal Data” means Personal Data the sharing of which pursuant to this Agreement is regulated by the UK GDPR.
2. Scope and Purposes of Processing.Customer agrees to determine the purposes and general means of Checkr’s Processing of Customer Data in accordance with the Agreement. Checkr will Process Customer Data, including Personal Data contained therein, solely for the purposes set forth in the Agreement, including for the purpose of generating a consumer report as defined by 15 U.S.C 1681a(d), and in compliance with applicable law. Customer will not instruct Checkr to Process Customer Data in violation of applicable law. Checkr will inform Customer if, Checkr discovers, in its opinion, an instruction from Customer infringes applicable law.
3. Obligations of the Parties.
a. Compliance with Laws. Each party shall comply with all laws, whether state, federal, local or international, including Data Privacy Laws. Each party shall promptly notify the other party in writing if it is no longer able to meet its obligations under Data Privacy Laws applicable to this DPA.
b. Compliance with Data Controller Obligations. To the extent such party is acting as a Data Controller, each party shall independently fulfill all duties required of Data Controllers under Data Privacy Laws. Checkr is a Data Controller with respect to Personal Data, other than Customer Data, that it Processes in connection with the Services.
c. No joint controllership. Unless otherwise agreed in writing, the parties acknowledge and agree that each is acting independently as a Data Controller with respect of Personal Data and the parties are not joint Controllers as defined in the General Data Protection Regulation and UK GDPR.
d. No CCPA Sale or Sharing. Neither party shall Sell or Share to a third party any Personal Data made available to it by the other party except to the extent such Personal Data or Sale or Sharing thereof is exempted from Data Privacy Laws. The parties agree that for the purposes of the CCPA, Checkr acts as a service provider with regard to the Processing of Customer Data. Customer does not Sell or Share Customer Personal Data to Checkr because Checkr shall only use Customer Personal Data for the purposes specified in the Agreement.
e. Data Subject Requests. For the avoidance of doubt, to the extent the party is a Data Controller, each party shall have an independent obligation to respond to requests received from Data Subjects seeking to exercise their rights under applicable Data Privacy Laws, including, but not limited to, access and deletion requests made pursuant to the Data Privacy Laws. The recipient of the Data Subject request shall be responsible for responding to the Data Subject. If applicable, and to the extent legally permitted, each party shall provide the other party with reasonable cooperation and assistance in relation to the handling of a Data Subject’s request.
f. Disclosures and Consent. Each party shall comply with applicable Laws, including, but not limited to, the FCRA (as applicable) and Data Privacy Laws, to provide legally required notices to Data Subjects regarding the purpose and nature of the Processing of Personal Data in connection with the Services. Customer shall ensure that Data Subjects have provided legally sufficient consent or other appropriate legal basis (including under the GDPR and all other applicable Data Privacy Laws), wherever such consent or other appropriate legal basis is necessary to enable Checkr to perform the Services.
4. Customer Data Processing Requirements. Checkr will:
a. Ensure that the persons it authorizes to Process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
b. Upon written request of Customer, assist Customer in the fulfillment of Customer’s obligations to respond to verifiable requests by Data Subjects (or their representatives) for exercising their rights with respect to Customer Data under Data Privacy Laws.
c. Promptly, and in any event within ten days, notify Customer of any third-party or Data Subject requests or complaints regarding the Processing of Customer Data. Customer agrees to, at Checkr’s request, designate to Checkr a single point of contact responsible for receiving and responding to such requests or complaints.
d. Provide reasonable assistance to and cooperation with Customer for Customer’s performance of a data protection impact assessment of Processing or proposed Processing of Customer Data.
e. Provide reasonable assistance to and cooperation with Customer for Customer’s consultation with regulatory authorities in relation to the Processing or proposed Processing of Customer Data, including complying with any obligation applicable to Checkr under Data Privacy Laws to consult with a regulatory authority in relation to Checkr’s Processing or proposed Processing of Customer Data.
a. Checkr may subcontract the collection or other Processing of Customer Data in compliance with Data Privacy Law to provide the Services. Checkr will impose contractual obligations on the Subprocessor that are at least the same level of protection as those imposed on Checkr under this DPA and will remain liable for its Subprocessors’ performance to the same extent Checkr is liable for its own performance, consistent with the limitations of liability set forth herein.
b. If GDPR is applicable to the Services, Checkr shall notify Customer of any changes made to Subprocessors at least 10 days prior to any such change by sending an email to the email address designated by Customer to receive notifications. Customer may reasonably object to Checkr’s use of a new Subprocessor by notifying Checkr promptly in writing within ten (10) business days after Checkr’s notice is sent pursuant to this DPA. Customer shall explain its reasonable grounds for objection. In the event Customer objects to a Subprocessor, the parties shall discuss Customer’s concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, Checkr will, at its sole discretion, either (i) not appoint the Subprocessor; or (ii) in the event that Checkr cannot provide the services without such objected to Subprocessor, then Checkr will permit Customer to terminate the Services. Checkr may replace a Subprocessor if the need for the change is urgent and necessary to provide the Services. In such instance, Checkr shall notify Customer of the replacement as soon as reasonably practicable, and Customer shall retain the right to object to the replacement Subprocessor pursuant to this Section.
a. Taking into account the nature of Processing and the information available to Checkr, Checkr shall implement technical and organizational measures, including the measures set forth in Annex II of the Appendix to this DPA, without prejudice to Checkr’s right to make future replacements or updates to the measures that do not lower the level of protection of Customer Data.
b. Security Breach. Checkr shall notify Customer promptly of any Security Breach of Customer Data and provide related information to Customer as set forth by Data Privacy Laws. Customer shall notify Checkr promptly of any actual or suspected unauthorized access to Customer’s systems or compromise of Customer’s credentials used to access the Services. Taking into account the nature of Processing and the information available to Checkr, the parties reasonably shall work together to address any such compromise, including taking steps to mitigate the effects of the Security Breach or system compromise and reduce the risk to Data Subjects whose Personal Data in the Customer Data was involved. Customer is solely responsible for complying with legal requirements for incident notification applicable to Customer and fulfilling any third-party notification obligations. Nothing shall be construed to require Checkr to violate, or delay compliance with, any legal obligation it may have with respect to a Security Breach or other security incidents generally.
7. Data Transfers.
For transfers of EU Personal Data to Checkr for processing by Checkr in a jurisdiction other than a jurisdiction in the EU, the EEA, or the European Commission-approved countries providing ‘adequate’ data protection, each party agrees it will use Module 2 of the Standard Contractual Clauses for Controller to Processor transfers, which are incorporated herein by reference. The annexes included in the Appendix to this Agreement shall apply as the annexes of the Standard Contractual Clauses.
In case of conflict between the Standard Contractual Clauses and this DPA, the Standard Contractual Clauses will prevail. Notwithstanding the foregoing, where the transfers contemplated under this Section 7 result in transfers of UK Personal Data to Checkr for processing by Checkr in a jurisdiction other than in the UK or UK Information Commissioner’s Office-approved countries providing ‘adequate’ data protection, then (a) the Standard Contractual Clauses used for EU Personal Data shall also apply to transfers of UK Personal Data; (b) the UK Addendum shall be deemed executed between Customer and Checkr; and (c) the SCCs between the parties shall be deemed amended as specified in the UK Addendum in respect of the transfer of such UK Personal Data. The UK Information Commissioner is the exclusive Supervisory Authority for the transfers of UK Personal Data under this Agreement.
a. Reasonable Audits. If GDPR is applicable to the Services, Checkr shall allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer subject to the following conditions: so long as the Agreement remains in effect and at Customer’s sole expense, Customer may request that Checkr provide it with documentation, data, and records (“Records”) no more than once annually relating to Checkr’s compliance with this DPA with respect to Customer Data (an “Audit”). To the extent Customer uses a third-party representative to conduct the Audit, Customer shall ensure that such third-party representative is bound by obligations of confidentiality no less protective than those contained in this Agreement. Customer shall provide Checkr with fourteen (14) days prior written notice of its intention to conduct an Audit. Customer shall conduct its Audit in a manner that will result in minimal disruption to Checkr’s business operations and shall not be entitled to receive data or information of other clients of Checkr or any other confidential information of Checkr that is not directly relevant for the authorized purposes of the Audit. If any material non-compliance is identified by an Audit, Checkr shall take prompt action to correct such non-compliance. Any information that Customer receives under this Section is Confidential Information of Checkr.
b. Limitations. For the avoidance of doubt, this provision does not grant Customer any right to conduct an on-site audit of Checkr’s premises. Customer shall reimburse Checkr for any time expended for an Audit at the Checkr’s then-current reasonable rates, which shall be made available to Customer upon request. Nothing herein will require Checkr to disclose or make available: (a) any data of any other customer of Checkr; (b) access to systems; (c) Checkr’s internal accounting or financial information; (d) any trade secret of Checkr; (e) any information or access that, in Checkr’s reasonable opinion, could (i) compromise the security of Checkr systems or premises; or (ii) cause Checkr to breach its obligations under applicable law or applicable contracts; or (f) any information sought for any reason other than the good faith fulfilment of Customer’s obligations under Applicable Law to audit compliance under this DPA.
9. Return or Destruction. Upon termination of the Services or on reasonable written request from Customer’s authorized representative Checkr shall, at the choice of Customer, return or deletesuch Customer Data in accordance with its requirements under applicable Data Privacy Law, unless applicable law prevents Checkr from returning or deleting all or part of the Customer Data. In such case, Checkr agrees to preserve the confidentiality of the Customer Data retained by it that it will only Process such Customer Data in order to comply with applicable law. Notwithstanding the foregoing, this provision will not require Checkr to delete Customer Data from archival and back-up files except as provided by Checkr’s internal data deletion practices or as required by applicable law. For avoidance of doubt, Checkr may continue to Process Customer Data that has been anonymized or aggregated in a manner that does not identify individuals.
10. Miscellaneous. Nothing in this DPA shall confer any benefits or rights on any person or entity other than the parties to this DPA.The provisions of this DPA shall survive the termination or expiration of the Agreement as long as either party continues to Process Personal Data in connection with the Agreement.
ANNEX I: LIST OF PARTIES
Address: As specified in the Agreement.
Contact person’s name, position, and contact details: As specified in the Agreement.
Activities relevant to the data transferred under these Clauses: The data importer provides the Services to the data exporter in accordance with the Agreement.
Signature and accession date: As specified in the Agreement.
Name: Checkr, Inc.
Address: 1 Montgomery Street, Suite 2400, San Francisco, CA 94104
Contract person’s name, position, and contact details: Graham Ravdin, DPO, DPO@Checkr.com
Activities relevant to the data transferred under these Clauses: The data importer provides the Services to the data exporter in accordance with the Agreement.
Signature and accession date: As specified in the Agreement.
ANNEX II: DESCRIPTION OF THE PROCESSING
Categories of data subjects whose personal data is transferred
Data subjects include the individuals about whom data is provided by the data exporter for the purposes of obtaining the Services. These individuals may include, without limitation, individuals who are subject to background checks.
Categories of personal data transferred
Customer Data, including data relating to individuals about whom data is provided by the data exporter for the purposes of obtaining the Services. This data may include, for example:
- Personal details, including information that identiﬁes the data subject and their personal characteristics, such as name, address, contact details, and date of birth.
- Personal details issued as an identifier by a public authority, including passport details, national insurance numbers, identity card numbers, and driving license details.
- Employment details, including information relating to the employment of the data subject, such as employment and career history.
- Education and training details, including information which relates to the education and any professional training of the data subject.
- Background information, including information relating to criminal activity or sanctions.
- Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
- None, based on GDPR Article 9’s definition of “sensitive categories of data.”
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis)
Customer Data may be transferred on a continuous basis until it is deleted in accordance with the terms of the Agreement.
Nature of the processing
The data importer will process Customer Data to provide, secure and monitor the Services in accordance with the Agreement, as well as comply with applicable law.
Purpose(s) of the data transfer and further processing
The data importer will transfer Customer Data to provide, secure and monitor the Services in accordance with the Agreement, as well as comply with applicable law.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
For the duration of the Agreement until deletion in accordance with the provisions of the Agreement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
Competent Supervisory Authority
The supervisory authority of the member state in which the data subjects whose personal data is transferred in order to provide the Services shall act as competent supervisory authority.
ANNEX III: TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Data importer will maintain administrative, physical, and technical safeguards for protection of the security,confidentiality and integrity of Customer Data, as described below in Checkr’s Security Whitepaper.
Checkr was built with an emphasis on security, compliance and privacy. We work behind the scenes to protect your data with a secure, distributed infrastructure with multiple layers of protection. Administrators are empowered with control and visibility features to help effectively manage the security of your information. This paper will explain the ways Checkr creates a platform for offering its SaaS products, covering topics like information security, physical security and operational security. The policies, procedures and technologies described in this paper are detailed as of the time of authorship. Some of the specifics may change over time as we regularly innovate with new features and products.
We’re committed to being transparent about our security practices and helping you understand our approach.
Checkr has established a ISMS (Information Security Management System) based on the ISO 27001:2013 Information Security Standard because it is one of the most recognized frameworks worldwide. Checkr’s ISMS covers the following security categories; Governance, Risk Management, Information Security policies, HR Security, Asset Management, Access Control, Cryptography, Physical and Environmental Security, Operations Security, Network Security, Product Security, Third-Party Security, Incident Response, Business Continuity/Disaster Recovery, Continuous Monitoring, Vulnerability Management and Compliance.
Checkr’s ISMS (information security management system) follows a top-down approach and is driven by our ISMS Steering Committee comprised of cross functional department heads. The executive team meets at least bi-annually to discuss the current posture of the program including the scope, vision, information security policy, risks, internal and external audit non-conformities, corrective actions, etc. Tasks are delegated to information owners and custodians to maintain and continually improve the ISMS.
People are every company’s greatest asset and biggest weakness. The people creating Checkr products are important and therefore processes have been implemented to ensure we are hiring the right people. All Checkr employees prior to employment must go through a background screen that consist of a SSN trace, Sex Offender Search, Global Watchlist Search, National and Federal Criminal Search, Federal Civil Search, County Criminal Searches, Employment Verification and Education Verification. Once cleared, employees are required to sign and acknowledge company terms and conditions, non-disclosure agreements, policies and procedures.
CHECKR SECURITY WHITEPAPER
Checkr has implemented a security awareness program which requires all Checkr employees to attend a security training during onboarding week and are required to pass a test afterwards. Checkr provides continuous education campaigns through various communication channels regularly.
Checkr has established a risk management program to demonstrate our commitment to information security. We leverage ISO 27005 Risk Management framework to prioritize risks identified. Checkr identifies all critical tangible and intangible assets to our business and assess the assets against potential threats and vulnerabilities. We incorporate a business impact analysis (BIA) for all assets. Assets within and outside of Checkr’s risk appetite are mitigated and managed so we can protect privacy and Checkr’s Confidentiality, Integrity and Availability (CIA) of the asset. Risk assessments are conducted at least annually and/or when major changes occur to the scope of the business.
The concept of access control touches all three of the fundamental components of information security: Confidentiality, Integrity, Availability. It is a key component in preserving Confidentiality and Integrity by limiting access to Checkr’s information. Checkr assures that access is granted to only to those personnel with a valid business reason and justification. Availability ties to access control by restricting access to those personnel with “need to know” and limiting user privileges. For ease of understanding, Checkr follows a Role Based Access Control (RBAC) model for user access provisioning / de-provisioning. Checkr leverages a world class identity management multi-factor authentication solution for employees to access information systems. User and privileged user access is reviewed on a continual basis. Prior to a Checkr employee separating from the organization, all access is revoked.
The mission of Checkr’s product security is to enable the product teams to build solutions that are best in class when it comes to security. Checkr teams must perform security checks to ensure we create secure products at each stage of development: requirements, design, implementation and deployment. Checkr engineers continuously perform security checks such as regular penetration test by independent third parties, internal security reviews, internal and external security audits and regularly conducted threat models. All patching and deployments into production must go in accordance to our formal Change Management process. Checkr works with a world class bug bounty firm that helps Checkr triage and recreate all vulnerabilities found. Our bug bounty program provides an incentive for ethical hackers to responsibly disclose software bugs. This outside evaluation provides Checkr an independent view point of our applications to help keep users safe.
Checkr is dedicated to monitoring and responding to security incidents (physical, cyber, etc.) in a timely manner. Checkr has developed an incident response policy to help prepare our dedicated IRT (incident response team). On at least an annual basis, Checkr works with an independent cybersecurity firm to recreate real life scenarios and test the effectiveness of our program. Checkr models our incident response lifecycle based on the NIST 800-61 Computer Security Incident Handling Guide and it is divides the process into four phases: Preparation, Detection & Analysis, Containment Eradication & Recovery and Post-Incident Activity.
Data in transit
All in bound HTTPS traffic goes through a cloud-based security platform that provides multiple layers of DDoS protection. All inbound connections use TLS 1.2, are encrypted and authenticated using AES-256 encryption. All of our database servers require SSL encrypted connections.
Data at rest
Our database instances, backups and read replicas are encrypted at rest using the industry standard AES-256 algorithm. This provides an additional layer of data protection by securing our data from unauthorized access to the underlying storage. For file storage, we use Amazon S3 buckets, which allows us to encrypt files with server-side encryption.
CLOUD & NETWORK INFRASTRUCTURE SECURITY
Direct access to infrastructure, networks and data is minimized to the greatest extent possible. Where possible, control planes are used to manage services running in production, to reduce direct access to host infrastructure, networks and data. Direct access to production resources is restricted to employees requiring access and requires approval, strong multifactor authentication and access via a bastion host.
Checkr’s production environment, where all customer data and customer-facing applications sit, is a logically isolated Virtual Private Cloud (VPC). Production and non-production networks are segregated. All network access between production hosts is restricted using firewalls to only allow authorized services to interact in the production network.
Checkr has created a vulnerability management program to identify, respond and triage vulnerabilities against the Checkr platform. Checkr approaches continuous monitoring through the development of proactive and detective capabilities. Through the ongoing awareness of vulnerabilities, incidents and threats, Checkr is poised to respond and mitigate accordingly.
Checkr leverages AWS data centers for all production systems and customer data. AWS follows industry best practices and complies with an array of compliance standards. Refer to AWS SOC reports here: https://aws.amazon.com/compliance/soc-faqs/
Checkr is located at 1 Montgomery St. Suite 2000 San Francisco, CA 94104 The building where Checkr’s suite is located in are managed by security personnel 24×7 365 days a year. All Checkr entry points are locked and secure at all times and require an electronic key card access to enter. Visitors are required to check in with the building receptionist before being allowed elevator access to Checkr’s suite followed by being greeted by our receptionist. CCTV’s, fire detection systems and other safeguards are in place to maintain a restrict and secure environment.
BUSINESS CONTINUITY PLAN / DISASTER RECOVERY PLAN
Checkr maintains a formal BCP/DRP that is regularly reviewed and updated by executive management at least annually
Checkr tests elements of its BCP/DRP at least annually. Post mortems are documented and reviewed with management to address issues and strengthen weak areas.
Review and approval of the BCP/DRP
As part of our ISMS program, the BCP/DRP is reviewed at least annually by management.
Checkr performs regular backups of Checkr account information, call records, call recordings and other critical data using Amazon S3 cloud storage solution. All backups are encrypted in transit and at rest using industry standard encryption. AWS (Amazon Web Services) spans across multiple geographic regions and availability zones. Checkr backup files are stored redundantly across multiple availability zones to create a fully backed-up and restorable environment.
All third-parties used by Checkr are assessed thoroughly by going through a vendor risk assessment and analyzed by our security team. Once the third-party is validated and meet Checkr’s security requirements, Checkr will periodically review security controls and SLA agreements. Checkr ensures that data is returned and/or deleted at the end of a vendor relationship.
Checkr complies with applicable legal, industry and regulatory requirements as well as industry best practices.
ISO 27001 (Information Security)
Checkr is ISO/IEC 27001:2013 certified.
NAPBS (National Association of Professional Background Screeners)
Checkr is NAPBS accredited.
SOC 2 type II
Checkr is SOC 2 compliant (Security, Availability, Confidentiality).
ANNEX IV: LIST OF SUB-PROCESSORS
The data importer has the data exporter’s general authorisation for the engagement of sub-processors, which are included on the following list: https://checkr.com/sub-processor-list.