EXHIBIT B: Data Processing Addendum (DPA)
1. OBJECTIVE & SCOPE
This DPA is an addendum to the Master Client Agreement ("Agreement") between Spin Software, Inc. dba Offerdox ("Provider") and Client. It applies where Provider processes Personal Information (as defined by the CPRA) on behalf of the Client to provide the Service.
2. ROLES OF THE PARTIES
Client is the "Business" (or Controller).
Provider is the "Service Provider" (or Processor).
The Data: Includes candidate names, contact info, resumes, and recruiter notes.
3. DATA PROTECTION COMMITMENTS (CPRA COMPLIANCE)
As a Service Provider, Provider agrees to the following "Section 1798.140" restrictions:
No Sale or Sharing: Provider shall not "sell" or "share" Client Data (as those terms are defined by the CPRA).
Purpose Limitation: Provider shall not retain, use, or disclose Client Data for any purpose other than the specific business purposes set forth in the Agreement.
No Combining Data: Provider shall not combine Client Data with personal information received from other sources, except as permitted by the CPRA (e.g., for system improvements or security).
Compliance Certification: Provider certifies that it understands these restrictions and will comply with them.
4. SUB-PROCESSORS
Client grants general authorization for Provider to use sub-processors (e.g., Google Cloud Platform) to provide the Service. Provider shall:
Maintain a list of sub-processors (available upon request).
Ensure all sub-processors are bound by data protection terms no less restrictive than those in this DPA.
5. DATA SUBJECT RIGHTS
If a Candidate or employee of Client contacts Provider to exercise their rights (e.g., right to delete, right to access) regarding Client Data, Provider shall:
Promptly notify Client.
Provide reasonable assistance to Client to fulfill the request, taking into account the nature of the processing.
Note: Per Section 2.2 of the MCA, Candidate Profiles owned by the Candidate are managed directly by Provider and are excluded from this specific Client-led deletion requirement.
6. AUDIT RIGHTS
At least once per year, Provider shall provide Client with evidence of its security posture (e.g., a SOC 2 report or a summary of its most recent third-party penetration test). Client may request additional information to verify compliance with this DPA.
7. DATA RETURN & DELETION
Upon termination of the Agreement, Provider shall, at Client's election, delete or return all Client Data within 30 days, unless legal obligations require continued storage.