This Data Processing Agreement (“DPA”) supplements the service agreement ("Agreement") by and between You and any of Your Approved Affiliates (collectively, “Customer”) and Checkr, Inc. ("Checkr"). In the event of any conflict between the Agreement and the terms of this DPA, this DPA shall govern.
1. Definitions. For purposes of this DPA:
a. “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. and any applicable regulations.
b. “Customer Data” means Personal Data provided by Customer for purposes of obtaining Services under the Agreement.
c. “Data Controller” means the entity that determines the purposes and means of the Processing of Personal Data, including as applicable any “business” as that term is defined by the CCPA.
d. “Data Privacy Laws” means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, communications secrecy, breach notification, or the Processing of Personal Data, including without limitation, to the extent applicable, the CCPA, GDPR, the UK GDPR, and the Swiss Federal Act on Data Protection 2020. For the avoidance of doubt, if the parties’ processing activities involving Personal Data are not within the scope of a given Data Privacy Law, such law is not applicable for purposes of this DPA.
e. “Data Subject” means an identified or identifiable natural person about whom Personal Data relates. Specifically, this refers to Consumers whom Checkr has been engaged by Customer to compile Reports.
f. “EU Personal Data” means Personal Data the sharing of which pursuant to this Agreement is regulated by the General Data Protection Regulation or the Swiss Federal Act on Data Protection 2020.
g. “GDPR” means the General Data Protection Regulation, Regulation (EU) 2016/679 of the European Parliament and of the Council together with any subordinate legislation or regulation implementing the General Data Protection Regulation.
h. “Personal Data” includes “personal data” as defined by the GDPR, “personal information” as defined by the CCPA, and “personally identifiable information” as defined by other applicable Data Privacy Laws. Personal Data does not include publicly available information excluded from the definition of “Personal Data” under applicable Data Privacy Laws. Further Personal Data does not include data exempted under applicable Data Privacy Laws, including but not limited to CCPA §§1798.145(d)-(f).
i. “Process”, “Processed” and/or “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
j. “Processor” means the entity which Processes Personal Data on behalf of the Controller, including as applicable any “service provider” as that term is defined by the CCPA.
k. “Security Breach” means any accidental or unlawful acquisition, destruction, loss, alteration, disclosure of, or access to, Customer Data.
l. “Sell,” “Sale,” “Share,” or “Sharing” shall have the meaning set forth in the CCPA.
m. “Services” mean the services provided by Checkr to Customer, as provided in the Agreement.
n. “Standard Contractual Clauses” means the annex found in EU Commission Decision of 4 June 2021 on standard contractual clauses for the transfer of personal data to processors established in third countries under Regulation (EU) 2016/679 of the European Parliament and of the Council, incorporated herein by reference, completed as described in the “Data Transfers” section below.
o. “Subprocessor” means any Checkr affiliate or subcontractor engaged by Checkr for the Processing of Customer Data.
p. “UK Addendum” means the UK Addendum to the EU Standard Contractual Clauses.
q. “UK GDPR” means the UK General Data Protection Regulation, amended by the Data Protection Act 2018.
r. "UK Personal Data" means Personal Data the sharing of which pursuant to this Agreement is regulated by the UK GDPR.
2. Scope and Purposes of Processing. Customer agrees to determine the purposes and general means of Checkr’s Processing of Customer Data in accordance with the Agreement. Checkr will Process Customer Data, including Personal Data contained therein, solely for the purposes set forth in the Agreement, including for the purpose of generating a consumer report as defined by 15 U.S.C. 1681a(d), and in compliance with applicable law. Customer will not instruct Checkr to Process Customer Data in violation of applicable law. Checkr will inform Customer if, in Checkr’s opinion, it discovers that an instruction from Customer infringes applicable law.
3. Obligations of the Parties.
a. Compliance with Laws. Each party shall comply with all laws, whether state, federal, local or international, including Data Privacy Laws. Each party shall promptly notify the other party in writing if it is no longer able to meet its obligations under Data Privacy Laws applicable to this DPA.
b. Compliance with Data Controller Obligations. To the extent such party is acting as a Data Controller, each party shall independently fulfill all duties required of Data Controllers under Data Privacy Laws. Checkr is a Data Controller with respect to Personal Data, other than Customer Data, that it Processes in connection with the Services.
c. No joint controllership. Unless otherwise agreed in writing, the parties acknowledge and agree that each is acting independently as a Data Controller with respect to Personal Data and that the parties are not joint Controllers as defined in the General Data Protection Regulation and the UK GDPR.
d. No CCPA Sale or Sharing. Neither party shall Sell or Share to a third party any Personal Data made available to it by the other party except to the extent such Personal Data or Sale or Sharing thereof is exempted from Data Privacy Laws. The parties agree that for the purposes of the CCPA, Checkr acts as a service provider with regard to the Processing of Customer Data. Customer does not Sell or Share Customer Personal Data to Checkr because Checkr shall only use Customer Personal Data for the purposes specified in the Agreement.
e. Data Subject Requests. For the avoidance of doubt, to the extent the party is a Data Controller, each party shall have an independent obligation to respond to requests received from Data Subjects seeking to exercise their rights under applicable Data Privacy Laws, including, but not limited to, access and deletion requests made pursuant to the Data Privacy Laws. The recipient of the Data Subject request shall be responsible for responding to the Data Subject. If applicable, and to the extent legally permitted, each party shall provide the other party with reasonable cooperation and assistance in relation to the handling of a Data Subject’s request.
f. Disclosures and Consent. Each party shall comply with applicable Laws, including, but not limited to, the FCRA (as applicable) and Data Privacy Laws, to provide legally required notices to Data Subjects regarding the purpose and nature of the Processing of Personal Data in connection with the Services. Customer shall ensure that Data Subjects have provided legally sufficient consent or other appropriate legal basis (including under the GDPR and all other applicable Data Privacy Laws), wherever such consent or other appropriate legal basis is necessary to enable Checkr to perform the Services.
4. Customer Data Processing Requirements. Checkr will:
a. Ensure that the persons it authorizes to Process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
b. Upon written request of Customer, assist Customer in the fulfillment of Customer’s obligations to respond to verifiable requests by Data Subjects (or their representatives) for exercising their rights with respect to Customer Data under Data Privacy Laws.
c. Promptly, and in any event within ten days, notify Customer of any third-party or Data Subject requests or complaints regarding the Processing of Customer Data. Customer agrees to, at Checkr’s request, designate to Checkr a single point of contact responsible for receiving and responding to such requests or complaints.
d. Provide reasonable assistance to and cooperation with Customer for Customer’s performance of a data protection impact assessment of Processing or proposed Processing of Customer Data.
e. Provide reasonable assistance to and cooperation with Customer for Customer’s consultation with regulatory authorities in relation to the Processing or proposed Processing of Customer Data, including complying with any obligation applicable to Checkr under Data Privacy Laws to consult with a regulatory authority in relation to Checkr’s Processing or proposed Processing of Customer Data.
5. Subprocessors.
a. Checkr may subcontract the collection or other Processing of Customer Data in compliance with Data Privacy Law to provide the Services. Checkr will impose contractual obligations on the Subprocessor that provide at least the same level of protection as those imposed on Checkr under this DPA and will remain liable for its Subprocessors’ performance to the same extent Checkr is liable for its own performance, consistent with the limitations of liability set forth herein.
b. If GDPR is applicable to the Services, Checkr shall notify Customer of any changes made to Subprocessors at least 10 days prior to any such change by sending an email to the email address designated by Customer to receive notifications. Customer may reasonably object to Checkr’s use of a new Subprocessor by notifying Checkr promptly in writing within ten (10) business days after Checkr’s notice is sent pursuant to this DPA. Customer shall explain its reasonable grounds for objection. In the event Customer objects to a Subprocessor, the parties shall discuss Customer’s concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, Checkr will, at its sole discretion, either (i) not appoint the Subprocessor; or (ii) in the event that Checkr cannot provide the Services without the objected-to Subprocessor, permit Customer to terminate the Services. Checkr may replace a Subprocessor if the need for the change is urgent and necessary to provide the Services. In such instance, Checkr shall notify Customer of the replacement as soon as reasonably practicable, and Customer shall retain the right to object to the replacement Subprocessor pursuant to this Section.
6. Security.
a. Taking into account the nature of Processing and the information available to Checkr, Checkr shall implement technical and organizational measures, including the measures set forth in Annex II of the Appendix to this DPA, without prejudice to Checkr’s right to make future replacements or updates to the measures that do not lower the level of protection of Customer Data.
b. Security Breach. Checkr shall notify Customer promptly of any Security Breach of Customer Data and provide related information to Customer as set forth by Data Privacy Laws. Customer shall notify Checkr promptly of any actual or suspected unauthorized access to Customer’s systems or compromise of Customer’s credentials used to access the Services. Taking into account the nature of Processing and the information available to Checkr, the parties shall reasonably work together to address any such compromise, including taking steps to mitigate the effects of the Security Breach or system compromise and to reduce the risk to Data Subjects whose Personal Data in the Customer Data was involved. Customer is solely responsible for complying with legal requirements for incident notification applicable to Customer and for fulfilling any third-party notification obligations. Nothing herein shall be construed to require Checkr to violate, or delay compliance with, any legal obligation it may have with respect to a Security Breach or other security incidents generally.
7. Data Transfers.
For transfers of EU Personal Data to Checkr for processing by Checkr in a jurisdiction other than a jurisdiction in the EU, the EEA, or the European Commission-approved countries providing ‘adequate’ data protection, each party agrees it will use Module 2 of the Standard Contractual Clauses for Controller to Processor transfers, which are incorporated herein by reference. The annexes included in the Appendix to this Agreement shall apply as the annexes of the Standard Contractual Clauses.
In case of conflict between the Standard Contractual Clauses and this DPA, the Standard Contractual Clauses will prevail. Notwithstanding the foregoing, where the transfers contemplated under this Section 7 result in transfers of UK Personal Data to Checkr for processing by Checkr in a jurisdiction other than in the UK or UK Information Commissioner’s Office-approved countries providing ‘adequate’ data protection, then (a) the Standard Contractual Clauses used for EU Personal Data shall also apply to transfers of UK Personal Data; (b) the UK Addendum shall be deemed executed between Customer and Checkr; and (c) the SCCs between the parties shall be deemed amended as specified in the UK Addendum in respect of the transfer of such UK Personal Data. The UK Information Commissioner is the exclusive Supervisory Authority for the transfers of UK Personal Data under this Agreement.
8. Audits.
a. Reasonable Audits. If GDPR is applicable to the Services, Checkr shall allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, subject to the following conditions: so long as the Agreement remains in effect and at Customer’s sole expense, Customer may request that Checkr provide it with documentation, data, and records (“Records”), no more than once annually, relating to Checkr’s compliance with this DPA with respect to Customer Data (an “Audit”). To the extent Customer uses a third-party representative to conduct the Audit, Customer shall ensure that such third-party representative is bound by obligations of confidentiality no less protective than those contained in this Agreement. Customer shall provide Checkr with fourteen (14) days’ prior written notice of its intention to conduct an Audit. Customer shall conduct its Audit in a manner that will result in minimal disruption to Checkr’s business operations and shall not be entitled to receive data or information of other clients of Checkr or any other confidential information of Checkr that is not directly relevant to the authorized purposes of the Audit. If any material non-compliance is identified by an Audit, Checkr shall take prompt action to correct such non-compliance. Any information that Customer receives under this Section is Confidential Information of Checkr.
b. Limitations. For the avoidance of doubt, this provision does not grant Customer any right to conduct an on-site audit of Checkr’s premises. Customer shall reimburse Checkr for any time expended on an Audit at Checkr’s then-current reasonable rates, which shall be made available to Customer upon request. Nothing herein will require Checkr to disclose or make available: (a) any data of any other customer of Checkr; (b) access to systems; (c) Checkr’s internal accounting or financial information; (d) any trade secret of Checkr; (e) any information or access that, in Checkr’s reasonable opinion, could (i) compromise the security of Checkr systems or premises, or (ii) cause Checkr to breach its obligations under applicable law or applicable contracts; or (f) any information sought for any reason other than the good faith fulfilment of Customer’s obligations under Applicable Law to audit compliance under this DPA.
9. Return or Destruction. Upon termination of the Services or on reasonable written request from Customer’s authorized representative, Checkr shall, at the choice of Customer, return or delete such Customer Data in accordance with its requirements under applicable Data Privacy Law, unless applicable law prevents Checkr from returning or deleting all or part of the Customer Data. In such case, Checkr agrees to preserve the confidentiality of the Customer Data retained by it and to Process such Customer Data only in order to comply with applicable law. Notwithstanding the foregoing, this provision will not require Checkr to delete Customer Data from archival and back-up files except as provided by Checkr's internal data deletion practices or as required by applicable law. For the avoidance of doubt, Checkr may continue to Process Customer Data that has been anonymized or aggregated in a manner that does not identify individuals.
10. Miscellaneous. Nothing in this DPA shall confer any benefits or rights on any person or entity other than the parties to this DPA. The provisions of this DPA shall survive the termination or expiration of the Agreement as long as either party continues to Process Personal Data in connection with the Agreement.
ANNEX I: LIST OF PARTIES
Address: As specified in the Agreement.
Contact person’s name, position, and contact details: As specified in the Agreement.
Activities relevant to the data transferred under these Clauses: The data importer provides the Services to the data exporter in accordance with the Agreement.
Signature and accession date: As specified in the Agreement.
Name: Checkr, Inc.
Address: 1 Montgomery Street, Suite 2400, San Francisco, CA 94104
Contact person’s name, position, and contact details: Graham Ravdin, DPO, DPO@Checkr.com
Activities relevant to the data transferred under these Clauses: The data importer provides the Services to the data exporter in accordance with the Agreement.
Signature and accession date: As specified in the Agreement.
ANNEX II: DESCRIPTION OF THE PROCESSING
Categories of data subjects whose personal data is transferred
Data subjects include the individuals about whom data is provided by the data exporter for the purposes of obtaining the Services. These individuals may include, without limitation, individuals who are subject to background checks.
Categories of personal data transferred
Customer Data, including data relating to individuals about whom data is provided by the data exporter for the purposes of obtaining the Services. This data may include, for example:
- Personal details, including information that identifies the data subject and their personal characteristics, such as name, address, contact details, and date of birth.
- Personal details issued as an identifier by a public authority, including passport details, national insurance numbers, identity card numbers, and driving license details.
- Employment details, including information relating to the employment of the data subject, such as employment and career history.
- Education and training details, including information which relates to the education and any professional training of the data subject.
- Background information, including information relating to criminal activity or sanctions.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures
None, based on GDPR Article 9’s definition of “sensitive categories of data.”
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis)
Customer Data may be transferred on a continuous basis until it is deleted in accordance with the terms of the Agreement.
Nature of the processing
The data importer will process Customer Data to provide, secure and monitor the Services in accordance with the Agreement, as well as comply with applicable law.
Purpose(s) of the data transfer and further processing
The data importer will transfer Customer Data to provide, secure and monitor the Services in accordance with the Agreement, as well as comply with applicable law.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
For the duration of the Agreement until deletion in accordance with the provisions of the Agreement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
Competent Supervisory Authority
The supervisory authority of the member state in which the data subjects whose personal data is transferred in order to provide the Services are located shall act as the competent supervisory authority.
ANNEX III: TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
The data importer will maintain administrative, physical, and technical safeguards for the protection of the security, confidentiality and integrity of Customer Data, as described below in Checkr’s Security Whitepaper.
Checkr was built with an emphasis on security, compliance and privacy. We work behind the scenes to protect your data with a secure, distributed infrastructure with multiple layers of protection. Administrators are empowered with control and visibility features to help effectively manage the security of your information. This paper will explain the ways Checkr creates a platform for offering its SaaS products, covering topics like information security, physical security and operational security. The policies, procedures and technologies described in this paper are detailed as of the time of authorship. Some of the specifics may change over time as we regularly innovate with new features and products.
We’re committed to being transparent about our security practices and helping you understand our approach.
Checkr has established an ISMS (Information Security Management System) based on the ISO 27001:2013 Information Security Standard because it is one of the most recognized frameworks worldwide. Checkr’s ISMS covers the following security categories: Governance, Risk Management, Information Security Policies, HR Security, Asset Management, Access Control, Cryptography, Physical and Environmental Security, Operations Security, Network Security, Product Security, Third-Party Security, Incident Response, Business Continuity/Disaster Recovery, Continuous Monitoring, Vulnerability Management and Compliance.
Checkr’s ISMS follows a top-down approach and is driven by our ISMS Steering Committee, composed of cross-functional department heads. The executive team meets at least bi-annually to discuss the current posture of the program, including the scope, vision, information security policy, risks, internal and external audit non-conformities, corrective actions, etc. Tasks are delegated to information owners and custodians to maintain and continually improve the ISMS.
People are every company’s greatest asset and biggest weakness. The people creating Checkr products are important, and therefore processes have been implemented to ensure we are hiring the right people. Prior to employment, all Checkr employees must go through a background screen that consists of an SSN trace, Sex Offender Search, Global Watchlist Search, National and Federal Criminal Search, Federal Civil Search, County Criminal Searches, Employment Verification and Education Verification. Once cleared, employees are required to sign and acknowledge company terms and conditions, non-disclosure agreements, policies and procedures.
CHECKR SECURITY WHITEPAPER
Checkr has implemented a security awareness program which requires all Checkr employees to attend security training during onboarding week and to pass a test afterwards. Checkr regularly provides continuous education campaigns through various communication channels.
Checkr has established a risk management program to demonstrate our commitment to information security. We leverage the ISO 27005 Risk Management framework to prioritize the risks identified. Checkr identifies all critical tangible and intangible assets to our business and assesses those assets against potential threats and vulnerabilities. We incorporate a business impact analysis (BIA) for all assets. Assets within and outside of Checkr’s risk appetite are mitigated and managed so that we can protect privacy and the Confidentiality, Integrity and Availability (CIA) of the asset. Risk assessments are conducted at least annually and/or when major changes occur to the scope of the business.
The concept of access control touches all three of the fundamental components of information security: Confidentiality, Integrity and Availability. It is a key component in preserving Confidentiality and Integrity by limiting access to Checkr’s information. Checkr ensures that access is granted only to those personnel with a valid business reason and justification. Availability ties to access control by restricting access to those personnel with a “need to know” and limiting user privileges. For ease of understanding, Checkr follows a Role Based Access Control (RBAC) model for user access provisioning and de-provisioning. Checkr leverages a world-class identity management and multi-factor authentication solution for employees to access information systems. User and privileged user access is reviewed on a continual basis. Prior to a Checkr employee separating from the organization, all access is revoked.
The mission of Checkr’s product security is to enable the product teams to build solutions that are best in class when it comes to security. Checkr teams must perform security checks to ensure we create secure products at each stage of development: requirements, design, implementation and deployment. Checkr engineers continuously perform security checks such as regular penetration tests by independent third parties, internal security reviews, internal and external security audits and regularly conducted threat models. All patching and deployments into production must proceed in accordance with our formal Change Management process. Checkr works with a world-class bug bounty firm that helps Checkr triage and reproduce all vulnerabilities found. Our bug bounty program provides an incentive for ethical hackers to responsibly disclose software bugs. This outside evaluation provides Checkr an independent viewpoint on our applications to help keep users safe.
Checkr is dedicated to monitoring and responding to security incidents (physical, cyber, etc.) in a timely manner. Checkr has developed an incident response policy to help prepare our dedicated IRT (incident response team). On at least an annual basis, Checkr works with an independent cybersecurity firm to recreate real-life scenarios and test the effectiveness of our program. Checkr models our incident response lifecycle on the NIST 800-61 Computer Security Incident Handling Guide, which divides the process into four phases: Preparation; Detection & Analysis; Containment, Eradication & Recovery; and Post-Incident Activity.
Data in transit
All inbound HTTPS traffic goes through a cloud-based security platform that provides multiple layers of DDoS protection. All inbound connections use TLS 1.2 and are encrypted and authenticated using AES-256 encryption. All of our database servers require SSL-encrypted connections.
Data at rest
Our database instances, backups and read replicas are encrypted at rest using the industry standard AES-256 algorithm. This provides an additional layer of data protection by securing our data from unauthorized access to the underlying storage. For file storage, we use Amazon S3 buckets, which allows us to encrypt files with server-side encryption.
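As an added illustration of the two controls described above (encrypted connections in transit and server-side encryption for S3 file storage), the following S3 bucket policy is an example written for this page, not Checkr’s own configuration, and the bucket name is a placeholder. The first statement denies any object upload that does not request server-side encryption (the `AES256` value selects SSE-S3; `aws:kms` would select SSE-KMS), and the second denies any request to the bucket that does not arrive over TLS.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnencryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET-PLACEHOLDER/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::EXAMPLE-BUCKET-PLACEHOLDER",
        "arn:aws:s3:::EXAMPLE-BUCKET-PLACEHOLDER/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```

Because `StringNotEquals` evaluates to true when the condition key is absent from the request, an upload that omits the `x-amz-server-side-encryption` header is denied as well as one that names a different mechanism. Deny statements take precedence over any Allow, so this policy constrains every principal, including bucket administrators, which is the point of encoding the control at the bucket rather than relying on client defaults.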
CLOUD & NETWORK INFRASTRUCTURE SECURITY
Direct access to infrastructure, networks and data is minimized to the greatest extent possible. Where possible, control planes are used to manage services running in production, to reduce direct access to host infrastructure, networks and data. Direct access to production resources is restricted to employees requiring access and requires approval, strong multifactor authentication and access via a bastion host.
Checkr’s production environment, where all customer data and customer-facing applications sit, is a logically isolated Virtual Private Cloud (VPC). Production and non-production networks are segregated. All network access between production hosts is restricted using firewalls to only allow authorized services to interact in the production network.
Checkr has created a vulnerability management program to identify, triage and respond to vulnerabilities against the Checkr platform. Checkr approaches continuous monitoring through the development of proactive and detective capabilities. Through ongoing awareness of vulnerabilities, incidents and threats, Checkr is poised to respond and mitigate accordingly.
Checkr leverages AWS data centers for all production systems and customer data. AWS follows industry best practices and complies with an array of compliance standards. Refer to AWS SOC reports here: https://aws.amazon.com/compliance/soc-faqs/
Checkr is located at 1 Montgomery St. Suite 2000, San Francisco, CA 94104. The building in which Checkr’s suite is located is managed by security personnel 24x7, 365 days a year. All Checkr entry points are locked and secure at all times and require electronic key card access to enter. Visitors are required to check in with the building receptionist before being allowed elevator access to Checkr’s suite, after which they are greeted by our receptionist. CCTV, fire detection systems and other safeguards are in place to maintain a restricted and secure environment.
BUSINESS CONTINUITY PLAN / DISASTER RECOVERY PLAN
Checkr maintains a formal BCP/DRP that is regularly reviewed and updated by executive management at least annually.
Checkr tests elements of its BCP/DRP at least annually. Post mortems are documented and reviewed with management to address issues and strengthen weak areas.
Review and approval of the BCP/DRP
As part of our ISMS program, the BCP/DRP is reviewed at least annually by management.
Checkr performs regular backups of Checkr account information, call records, call recordings and other critical data using the Amazon S3 cloud storage solution. All backups are encrypted in transit and at rest using industry-standard encryption. AWS (Amazon Web Services) spans multiple geographic regions and availability zones. Checkr backup files are stored redundantly across multiple availability zones to create a fully backed-up and restorable environment.
All third parties used by Checkr are assessed thoroughly through a vendor risk assessment and analyzed by our security team. Once the third party is validated and meets Checkr’s security requirements, Checkr will periodically review its security controls and SLA agreements. Checkr ensures that data is returned and/or deleted at the end of a vendor relationship.
Checkr complies with applicable legal, industry and regulatory requirements as well as industry best practices.
ISO 27001 (Information Security)
Checkr is ISO/IEC 27001:2013 certified.
NAPBS (National Association of Professional Background Screeners)
Checkr is NAPBS accredited.
SOC 2 type II
Checkr is SOC 2 compliant (Security, Availability, Confidentiality).
ANNEX IV: LIST OF SUB-PROCESSORS
The data importer has the data exporter’s general authorisation for the engagement of sub-processors, which are included on the following list: https://checkr.com/sub-processor-list.