Last updated: March 1, 2025
This Data Protection Addendum (“DPA”) supplements the Services Agreement ("Agreement") located at https://checkr.com/legal/customer-agreement by and between You and any of Your Approved Affiliates (collectively, “Customer”) and Checkr, Inc. ("Checkr"). In the event of any conflict between the Agreement and the terms of this DPA, this DPA shall govern.
1. Definitions
“California Personal Information” means Personal Data protected under the California Consumer Privacy Act of 2018 and the California Privacy Rights Act of 2020 (together, “CCPA”).
“Business,” “Business Purpose,” “Commercial Purpose,” “Sell,” “Service Provider,” and “Share” have, whether or not capitalized, the same meaning as in the CCPA and similar Data Protection Laws.
“Controller” means the entity that determines the purposes and means of processing Personal Data, including a Business under CCPA.
“Customer Data” means Personal Data collected by Checkr from Customer, or from a Consumer on Customer’s behalf, and Processed by Checkr as a Processor on behalf of Customer.
“Data Privacy Framework” means programs facilitating data transfer between the EU, Switzerland, the UK, and the U.S.
“Data Protection Laws” means applicable international, federal, state, and local laws and regulations relating to data protection and privacy relevant to the processing of Personal Data under the Agreement. Depending on the type of Services you receive, such laws might include the CCPA, the General Data Protection Regulation (“GDPR”) in the European Union and European Economic Area, the UK General Data Protection Regulation (“UK GDPR”), the Swiss Data Protection Act (“Swiss DPA”), and the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”).
“Data Subject” is the individual to whom Personal Data pertains.
“Data Subject Requests” or “DSRs” means any requests made by Data Subjects to exercise their rights under Data Protection Laws regarding their Personal Data, including rights to access, correct, or delete such data.
“Exemption” means a specific exception under Data Protection Laws (including the CCPA and other similar laws) that excludes certain processing activities from their coverage. These include (a) Personal Data processed under the Fair Credit Reporting Act (“FCRA”), Gramm-Leach-Bliley Act (“GLBA”), and Driver’s Privacy Protection Act (“DPPA”); and (b) information that is lawfully made available from federal, state, or local government records or that is otherwise considered publicly available under applicable laws.
“European Data” means Personal Data subject to European Data Protection Laws.
“Instructions” means (a) the actions necessary for Checkr to provide you with Services under the Agreement and to comply with this DPA and (b) additional instructions provided to Checkr in accordance with Section 2(b).
“Personal Data” means information (a) processed under this DPA and (b) relating to an identified or identifiable individual, as protected under applicable Data Protection Laws. Personal Data does not include information excluded from the definition of “Personal Data” under applicable Data Protection Laws, including but not limited to CCPA §§1798.145(d)-(f).
“Personal Data Breach” means an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data.
“Processing” means, whether or not capitalized, any operation performed on Personal Data.
“Processor” means Checkr when it processes Personal Data on your behalf, including as a Service Provider under CCPA, as specified in this DPA.
“Subprocessor” means any third party engaged by Checkr to assist in fulfilling its data processing obligations under the Agreement.
“Standard Contractual Clauses” and “UK Addendum” mean mechanisms for the transfer of Personal Data in compliance with Data Protection Laws.
2. Customer Responsibilities
a. Scope; Roles. This DPA covers Customer Data to the extent an Exemption does not apply. Under this DPA, when Checkr processes Customer Data to provide you with Services, Checkr is the Processor and Customer is the Controller. Each party must comply with its applicable obligations under Data Protection Laws in its performance under this DPA. You are responsible for ensuring that all Personal Data provided to Checkr has been collected in accordance with Data Protection Laws and that you have all authorizations and consents necessary to provide such Personal Data to Checkr.
b. Controller Instructions. Checkr will process Customer Data in accordance with your Instructions. You may modify Instructions in writing to Checkr, provided that such modifications are consistent with applicable Data Protection Laws and the terms and scope of the Agreement and this DPA. Checkr will inform you if it believes an Instruction from you violates Data Protection Laws or is inconsistent with the Agreement or this DPA. Checkr’s refusal to comply with such an Instruction will not be considered a breach of the Agreement.
3. Checkr Obligations
a. Purpose; Compliance with Instructions. Checkr will process Customer Data only for the purposes described in this DPA and in accordance with your Instructions, except to the extent otherwise required by Data Protection Laws.
b. Checkr Security. Checkr will implement and maintain appropriate technical and organizational measures to protect Customer Data from Personal Data Breaches, as described in Annex III of this DPA (“Security Measures”). Checkr may modify or update the Security Measures, provided that such modification or update does not result in a material degradation in the protection offered by the Security Measures.
c. Confidentiality Obligations of Checkr Personnel. Checkr will ensure that any personnel whom Checkr authorizes to process Customer Data on our behalf are subject to appropriate confidentiality obligations regarding that Customer Data.
d. Personal Data Breaches. Checkr will notify you without undue delay if we become aware of a Personal Data Breach. At your request, Checkr will promptly provide you with reasonable assistance as necessary to address any such Personal Data Breach, including taking steps to mitigate the effects of the Personal Data Breach. Each party is responsible for complying with its incident response obligations under Data Protection Laws.
e. Termination. Upon termination or expiration of the Services and upon written request from Customer, Checkr will delete or return all Customer Data and other data to the extent required by Data Protection Laws; provided, however, that if applicable law prevents us from deleting such data, Checkr will restrict processing of such data to what is necessary under applicable law, including FCRA and other Exemptions. This section does not require Checkr to delete Customer Data from archival and backup files, except as required by Checkr's internal data deletion practices or applicable law. For clarity, Checkr may continue to process information derived from Customer Data for the purpose of improving Checkr's systems and services, provided that the data has been deidentified, anonymized, or aggregated such that the data is no longer considered Personal Data under applicable Data Protection Laws and does not identify Data Subjects or Customer.
f. Data Protection Impact Assessments, Privacy Impact Assessments, and Prior Consultation. To the extent required by Data Protection Laws, Checkr will reasonably assist you with any data protection impact assessments, privacy impact assessments, data protection assessments, and consultations with supervisory authorities or other competent data privacy authorities (these assessments and consultations, an “Impact Assessment”). In performing under this Section 3(f), Checkr shall only be required to provide information that is (a) in its exclusive possession and control and (b) directly relevant to the Impact Assessment.
g. Audits.
i. Reports. Checkr uses external auditors to verify the adequacy of its Security Measures. This audit will be performed (a) at least annually; (b) in accordance with ISO 27001 standards and System and Organization Controls (SOC 2) Type 2; and (c) by independent third-party security professionals at Checkr’s selection and expense. Upon written request, Checkr shall provide you with a copy of the audit report or a summary of the audit report, which shall be considered Checkr’s Confidential Information under the Agreement.
ii. Audit Rights. To the extent required by Data Protection Laws, Checkr will allow for and contribute to additional audits, including inspections, (an “Audit”), subject to the following conditions: (a) the Audit shall be at Customer’s sole expense; (b) the Audit shall be limited to no more than once annually; (c) the Audit shall be conducted by a mutually agreed-upon third-party auditor who shall be bound by obligations of confidentiality no less protective than those contained in the Agreement; (d) Customer must provide Checkr with 60 days prior written notice of the Audit; (e) the Audit shall be conducted in a manner that will result in minimal disruption to Checkr’s business operations; and (f) Customer shall not be entitled to receive data or information of other clients of Checkr or any other confidential information of Checkr that is not directly relevant to the Audit. If any material noncompliance is identified during the Audit, Checkr will take prompt action to address it. Any information that you receive from the Audit constitutes Checkr’s Confidential Information.
4. DSR Management. Each party is responsible for responding to DSRs to the extent required by Data Protection Laws, subject to any applicable obligations under FCRA or other Exemptions. For example, to comply with Checkr’s dispute resolution obligations under FCRA, Checkr will process and directly respond to DSRs it receives from Data Subjects relating to Checkr’s provision of the Services. To the extent required by Data Protection Laws, each party will reasonably cooperate with the other in handling a Data Subject’s DSR.
5. Subprocessors
a. Subprocessor Engagement. Checkr may subcontract its processing of Customer Data to a Subprocessor to the extent permitted by Data Protection Laws. Checkr’s Subprocessors are listed at https://checkr.com/legal/sub-processor-list. To subscribe to notifications about new Subprocessors engaged by Checkr, send an email to subprocessorupdates@checkr.com and Checkr will notify you of the new Subprocessor at least 10 days prior to transmitting Customer Data to that Subprocessor. During that 10-day period, you may object to the proposed Subprocessor only on reasonable grounds. Once Checkr receives your objection, the parties will work together in good faith to find a solution to address your objection. Failure to object during the 10-day period will be treated as your acceptance of the proposed Subprocessor.
b. Approval; Subprocessor Agreements. Checkr will impose contractual obligations on the Subprocessor that offer at least the same level of protection of Customer Data as those imposed upon Checkr under this DPA. Checkr will remain liable for the Subprocessor’s performance to the same extent Checkr is liable for its own performance under this DPA.
6. Transfer Mechanisms.
a. You acknowledge that, as a necessary part of providing you with Services, Checkr might have to process Customer Data in the United States or other jurisdictions in which Checkr affiliates and Subprocessors have operations. If Checkr transfers European Data to a jurisdiction for which the European Commission, the Swiss Federal Data Protection and Information Commissioner, or the UK Information Commissioner’s Office has not issued an adequacy decision at the time of the transfer, Checkr will comply with (a) the Data Privacy Framework and (b) if necessary, the Standard Contractual Clauses. The Standard Contractual Clauses and the UK Addendum constitute part of this DPA.
b. Standard Contractual Clauses. The Standard Contractual Clauses will apply as follows:
i. Controller-to-Processor Transfers. For European Data to which GDPR applies, the Standard Contractual Clauses apply as follows:
- Customer is the “data exporter” and Checkr is the “data importer”;
- Module Two applies;
- In Clause 7, the optional docking clause applies;
- In Clause 9, Option 2 applies and Checkr will notify you of changes to Subprocessors in accordance with this DPA;
- In Clause 11, the optional language is deleted;
- In Clause 17, Netherlands law governs disputes arising from or relating to the Standard Contractual Clauses;
- In Clause 18, the parties will resolve disputes in the Netherlands courts;
- The Standard Contractual Clauses’ annexes will be considered completed with the information in this DPA’s Annexes;
- The supervisory authority that will act as competent supervisory authority will be determined in accordance with GDPR; and
- If the Standard Contractual Clauses conflict with any provision of this DPA, the Standard Contractual Clauses will prevail to the extent of that conflict.
ii. Transfers from the UK. For Customer Data to which the UK GDPR applies, the UK Addendum applies as follows:
- The Standard Contractual Clauses will be modified and interpreted in accordance with the UK Addendum, which constitutes part of the Agreement;
- Tables 1, 2, and 3 of the UK Addendum are completed with the information in this DPA’s Annexes;
- Table 4 is completed by selecting “neither party”;
- Any conflict between the Standard Contractual Clauses and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
iii. Transfers from Switzerland. For Customer Data to which the Swiss DPA applies, the Standard Contractual Clauses apply with the following modifications:
- References to “Regulation (EU) 2016/679” will be interpreted as references to the Swiss DPA;
- References to “EU,” “Union,” and “Member State law” will be interpreted as references to Swiss law; and
- References to the “competent supervisory authority” and “competent courts” will be replaced with the “Swiss Federal Data Protection and Information Commissioner” and the “relevant courts in Switzerland.”
7. California Personal Information
a. Scope. This Section 7 applies only to the processing of California Personal Information under this DPA.
b. Responsibilities. Neither party will sell to, or share with, a third party any Customer Data made available to it by the other party unless Data Protection Laws do not apply to that Customer Data. You acknowledge that because Checkr will process Customer Data only as a processor under this DPA, your disclosure of Customer Data to Checkr does not constitute a sale or sharing of Customer Data under Data Protection Laws.
c. Compliance. Checkr will (i) comply with obligations applicable to us as a Service Provider under the CCPA and (ii) provide California Personal Information with the same level of privacy protection as is required by the CCPA. Checkr will notify you if we determine that we can no longer meet our obligations as a Service Provider under the CCPA.
d. Limited Processing. Unless permitted by Data Protection Laws, Checkr must not (a) use, keep, or disclose Customer Data for any purpose other than as specified in Section 3(a); (b) use, keep, or disclose Customer Data outside the direct business relationship between you and Checkr; (c) use, keep, or disclose Customer Data for any commercial purpose other than the business purpose specified in this DPA; or (d) combine any Customer Data with Personal Data that Checkr receives from or on behalf of a third party or collects from its own interactions with individuals.
8. Miscellaneous.
a. Survival. This DPA’s provisions will continue after this DPA or the Agreement expires or is terminated if Checkr continues to process Customer Data in connection with the Agreement or as permitted under Data Protection Laws.
b. Conflicts. If this DPA conflicts with the Agreement at any given time during the Term, the DPA will prevail over the Agreement only to the extent of the conflict.
c. Modifications. Checkr may update these terms at any time. We will post any changes on this webpage and update the “Last Updated” date at the beginning of this DPA to reflect the date of those changes. We recommend that you review this webpage periodically to stay informed of any changes.
APPENDIX
ANNEX I: LIST OF PARTIES
Data exporter(s):
Name: Customer
Address: As specified in the Agreement.
Contact person’s name, position, and contact details: As specified in the Agreement.
Activities relevant to the data transferred under these Clauses: The data importer provides the Services to the data exporter in accordance with the Agreement.
Signature and accession date: As specified in the Agreement.
Role: Controller.
Data importer(s):
Name: Checkr, Inc.
Address: 1 Montgomery Street, Suite 2400, San Francisco, CA 94104
Contact person’s name, position, and contact details: Brandon Konecny, DPO, DPO@Checkr.com
Activities relevant to the data transferred under these Clauses: The data importer provides the Services to the data exporter in accordance with the Agreement.
Signature and accession date: As specified in the Agreement.
Role: Processor.
ANNEX II: DESCRIPTION OF THE PROCESSING
Categories of data subjects whose personal data is transferred
Data subjects include the individuals about whom data is provided by the data exporter for the purposes of obtaining the Services. These individuals may include, without limitation, individuals who are subject to background checks.
Categories of personal data transferred
Customer Data, including data relating to individuals about whom data is provided by the data exporter for the purposes of obtaining the Services. This data may include, for example:
- Personal details, including information that identifies the data subject and their personal characteristics, such as name, address, contact details, and date of birth.
- Personal details issued as an identifier by a public authority, including passport details, national insurance numbers, identity card numbers, and driving license details.
- Employment details, including information relating to the employment of the data subject, such as employment and career history.
- Education and training details, including information which relates to the education and any professional training of the data subject.
- Background information, including information relating to criminal activity or sanctions.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures
None, based on GDPR Article 9’s definition of “sensitive categories of data.”
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis)
Customer Data may be transferred on a continuous basis until it is deleted in accordance with the terms of the Agreement.
Nature of the processing
The data importer will process Customer Data to provide, secure and monitor the Services in accordance with the Agreement, and to comply with applicable law.
Purpose(s) of the data transfer and further processing
The data importer will transfer Customer Data to provide, secure and monitor the Services in accordance with the Agreement, and to comply with applicable law.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
For the duration of the Agreement until deletion in accordance with the provisions of the Agreement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
As above.
Competent Supervisory Authority
The supervisory authority of the member state in which the data subjects whose personal data is transferred in order to provide the Services are located shall act as competent supervisory authority.
ANNEX III: TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Data importer will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Customer Data, as described below.
Organizational Security
Checkr has established a robust security governance framework that delineates roles and responsibilities pertaining to data protection. The organization undertakes periodic reviews to maintain this framework in alignment with evolving security standards and regulatory requirements.
Information Security Policies
Checkr's information security policies are documented, available to employees, and subject to annual review and updates to ensure ongoing efficacy and compliance.
Access Management
Access to Checkr systems and data is managed using a role-based architecture coupled with multi-factor authentication (MFA).
Data Encryption
Data is protected using advanced encryption methodologies. Sensitive information is encrypted in transit using TLS 1.2 or higher and at rest with AES-256 encryption standards, ensuring data integrity and confidentiality throughout its lifecycle.
Network Security
Checkr has deployed comprehensive network security measures, including firewalls, intrusion detection systems (IDS), and segmented networks to safeguard data against unauthorized access and threats.
Physical Security
Offices and data centers are equipped with extensive physical security controls, including but not limited to 24/7 surveillance, access control systems, and security personnel, ensuring restricted physical access to authorized personnel only.
Application Security
Secure software development lifecycle (SDLC) practices are implemented, including regular code reviews and vulnerability assessments, ensuring security of Checkr products.
Incident Response
Checkr maintains a documented incident response plan, which is regularly tested and updated. Any security incidents are promptly addressed in accordance with predefined escalation procedures to mitigate impact and notify affected parties where necessary.
Vendor and Third-Party Management
Third-party vendors undergo risk assessments to ensure they meet security standards as part of the procurement process. The most critical vendors are subject to additional annual reviews.
Training and Awareness
Employees receive annual information security training to maintain a high level of security competency and vigilance against potential threats.
Business Continuity and Disaster Recovery
Checkr's business continuity and disaster recovery plans are documented, periodically tested, and updated annually to ensure operational resilience and readiness in the face of disruptive incidents.
Compliance and Audits
Checkr complies with recognized security frameworks and standards, as demonstrated by an annual SOC 2 Type II audit and ISO 27001 certification, evaluated by independent auditors.
Direct access to infrastructure, networks and data is minimized to the greatest extent possible. Where possible, control planes are used to manage services running in production, to reduce direct access to host infrastructure, networks and data. Direct access to production resources is restricted to employees requiring access and requires approval, strong multifactor authentication and access via a bastion host.
Checkr’s production environment, where all customer data and customer-facing applications sit, is a logically isolated Virtual Private Cloud (VPC). Production and non-production networks are segregated. All network access between production hosts is restricted using firewalls to only allow authorized services to interact in the production network.
ANNEX IV: LIST OF SUB-PROCESSORS
The data importer has the data exporter’s general authorisation for the engagement of sub-processors, which are included on the following list: https://checkr.com/sub-processor-list.