Nixa.io

Data Processing Agreement

Last revised: 22nd November 2021 

 

You (“Data User”) are entering into this Data Processing Agreement (hereinafter referred to as “DPA”) with Nixa.io AS (“Data Owner”). When you (individually or the entity that you represent) use our Services or Create an Employer account on the Nixa.io platform (www.app.nixa.io), you are agreeing to follow the terms of this DPA. 

The Data Owner and the Data User are hereinafter referred to as “Party” or the “Parties”.

 

1.0 INTRODUCTION 


1.1 Nixa.io AS (“Data Owner”) is a company registered in Norway with a registered office at Thorvald Meyers Gate 7, 0555 Oslo, TAX ID number 8245417552. Nixa.io is the owner and operator of the Nixa.io website (www.nixa.io) and the Service provided by Nixa.io on the platform (www.app.nixa.io). 

1.2 The Data Owner collects, stores, and processes Personal Data (as defined below under section 2.0). 

1.3 The Data User receives access to Personal Data for the Approved Purpose (as defined below under section 2.0).

1.4 The purpose of this DPA is to secure adequate safeguards with respect to the protection of privacy and to ensure that the use and processing of Personal Data comply with the Partie’s legal obligations. 

1.5 The parties wish to conclude this DPA in order to formalize the terms and conditions that apply to the access and use of Personal Data. Each Party is an independent data controller of Personal Data. 

1.6 The Parties have entered into a collaboration agreement where the Data Owner will provide a limited license to the Personal Data to Data User (the “Collaboration Agreement”) as defined in section 2.0 below. 

1.7 In addition to the main body of this collaboration agreement, the DPA incorporates the following document: 

Annex 1: Description of the Approved Purpose and Data Processing 


1.8 In the event that any provision of this DPA is inconsistent with any term(s) of any other agreement concerning the Data Processing, this DPA shall prevail. 

1.9 The DPA comes into effect from the date that the Data User consents to this Agreement by registering an account on the platform and getting access to the Service. The Agreement is valid until this DPA is terminated or replaced by another DPA. 

 

2.0 DEFINITIONS 


Data Owner: The entity that collects, stores, and shares the Personal Data and acts as an independent data controller

Data User: The entity that accesses or receives Personal Data from the Data Owner for the “Approved purpose” in accordance with the terms of this DPA and the “Agreement” 

Approved Purpose: The purpose and the reason for the processing and use of Personal Data as identified in Annex 1 

Collaboration Agreement: The agreement of sharing certain Personal Data for limited use, entered into between the Parties on the date of registering to use the Service that Nixa.io deliver 

Personal Data: Any information relating to an identified or identifiable natural person (data subject) including any sensitive or special categories of data that is processed under or in connection with this agreement 

Data Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction, including also through remote access. May also be referred to as “process” and “processed”. 

Personal Data Breach: Any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Agreement Personal Data processed under this Agreement. 

The terms “Controller, “Data Subject”, “Processing”, “Processor”, “Sensitive Personal Data”, and “Special Categories of Data” shall have the same meaning ascribed to them under the General Data Protection Regulations (EU) 2016/679 (also referred to as “GDPR”). 

 

3.0 OWNERSHIP AND RIGHTS 


3.1 This DPA governs the data processing conducted by the Data Owner and the Data User. The Data User shall process the Personal Data only for the Approved Purpose and in accordance with applicable laws, this DPA, and the Agreement. Any processing or use of the Personal Data for any other purpose is strictly forbidden and will be considered a material breach of this DPA and Agreement. 

3.2 The Data Owner retains the formal control and all of the ownership and rights to the Personal Data. The Data User shall have no rights in or to Personal Data other than the non-exclusive, revocable, and time-limited right to access and process the Personal Data for the Approved Purpose. 

 

4.0 OBLIGATIONS

 

4.1 Obligations of the Data Owner 

The Data Owner warrants and undertakes that: 

  1. The Personal Data will be collected, processed, and transferred in accordance with the laws applicable to the Data Owner 
  2. It will respond to inquiries from Data Subjects and the Authorities concerning the data processing of Personal Data by the Data User 

4.2 Obligations of the Data User 

The Data User warrants and undertakes that: 

  1. It will comply with the terms of this DPA and its regulatory obligations as a Data Controller under applicable laws. It understands that the processing of Personal Data entails that it is subject to the GDPR and that it will therefore comply with its rules on the protection with natural persons with the regarding of the processing of personal data and on the free movement of such data, and Directive 95/46/EC. 
  2. It will process and use the Personal Data only for the Approved Purpose defined in Annex 1 and has the legal authority to give the warranties and fulfill the undertakings set out in this DPA 
  3. It will identify to the Data Owner a contact point within its organization authorized to respond to inquiries concerning processing and use of Personal Data and will cooperate in good faith with the Data Owner, the Data Subject, and the Authority concerning all such inquiries within a reasonable time. 
  4. It will process the Personal Data in accordance with the data processing as set forth in the GDPR 
  5. It will assist the Data Owner in responding to inquiries from Data Subjects and the Authority concerning the data processing of Personal Data by the Data User 

 

5.0 GOVERNING LAW AND DISPUTE RESOLUTION


5.1 This DPA shall be governed by and interpreted in accordance with the laws of Norway. Any such dispute, controversy, or claim shall be exclusively resolved by Norwegian Courts. 

5.2 In the event of a dispute or claim brought by a Data Subject or the Authority concerning the processing or use of Personal Data against either or both of the Parties, the Parties will inform each other about any such dispute or claims and will cooperate with a view to settling them amicably in a timely fashion 

5.3 The Parties agree to respond to any generally available non-binding mediation procedure initiated by a Data Subject or by the Authority. If they do participate in the proceedings, the Parties may elect to do so remotely (such as by telephone or other electronic means). The Parties also agree to consider participating in any other arbitration, mediation, or other dispute resolution proceedings developed for data protection purposes. 

 

6.0 TERMINATION 


6.1 In the event that the Data User is in breach of its obligations under this DPA, the Data Owner may temporarily suspend the access to or continued transfer of Personal Data to the Data User until the breach is repaired or remedied to the reasonable satisfaction of Data Owner 

6.2 This DPA can be terminated in the event that: 

  1. The use of or processing of Personal Data by the Data User has been temporarily suspended by the Data Owner for more than one month pursuant to section 6.1 
  2. The Data Owner is unable to suspend the further use of or processing of Personal Data due to such Personal Data having been transferred to Data User, the Data Owner will order the Data User to suspend the further use and processing of Personal Data; or where the Data User does not follow the order of the Data Owner to suspend the processing of Personal Data 
  3. Compliance by the Data User with these clauses would put in breach of its legal or regulatory obligations 
  4. The Data User is in material or persistent breach of any warranties or undertakings given by it under this DPA or the Agreement 
  5. A final decision issued by a competent Court of the Data Owner’s country of establishment or if the Authority rules that there has been a breach of this DPA or the Agreement by the Data User or the Data Owner 

6.3 If any of the events described in a-e occurs, the Data Owner, without prejudice to any other rights which it may have again the Data User, shall be entitled to terminate this DPA and the Agreement, in which case the Authority shall be informed where required. 

6.4 The Parties agree that the termination of this DPA at any time, in any circumstances and for whatever reason does not exempt them from the obligations and/or conditions under this DPA as regards the processing of Personal Data. 

6.5 In the event of termination, the Data User must return all Personal Data and all copies of the Personal Data subject to this DPA to the Data Owner, or, at the Data Owner’s choice destroy all copies of the same and certify to the Data Owner that is has done so, unless the Data User can prove, it is prevented by its National law or local regulatory authorities from destroying or returning all or part of such data, in which event the data will be kept confidential and will not by actively processed for any purpose. 

6.6 The Data User agreed that, if so requested by the Data Owner, it will allow the Data Owner, or an inspection agency selected by the Data Owner and not reasonable objected to by the Data User, access to its establishment to verify that this has been done, with reasonable notice and during business hours. 

 

7.0 AMENDMENTS 


7.1 No amendments to this DPA shall be considered in effect unless it is made in writing and signed by duly authorized representatives of each of the Parties. 



ANNEX 1: Description of the Approved Purpose and Data Processing 

 

The details of the use and the processing of Personal Data are specified in this Annex 1. The Parties agree that Annex 1 may contain confidential business information which they will not disclose to any third party, except as required by law or in response to a competent regulatory or government agency. 

 

1.0 Purpose for which Personal Data is to be processed (“Approved Purpose”) 

Personal Data received from the Data Owner will be processed by the Data User for Recruitment Purposes. The Data Owner is in the business of delivering recruitment services and access to Personal Data is necessary for the Service to be delivered.  

 

2.0 Personal Data to be processed 

The following Personal Data of Data Subjects will be processed: 

  • Personal details (first name, last name, email address, registered address, phone number)
  • Personal information provided by the candidate for a special position or for general professional opportunities, including, but not limited to, CV, references, and other relevant additional information 
  • Personal information provided by the recruiting company including but not limited to assessment test results, interview assessment, background checks, references, and other obtained information from third parties 
  • Demographic information including age, tenure, gender, seniority, work status, place of work (organizational unit and/or country/city) 
  • Technical information such as IP address, time and date of access, browser activities, browser settings, and log-in ID data. This is used solely for security purposes, namely authentication and input control 

 

3.0 Processes and routines for successive deletion of Personal Data 

The Personal Data shall be successively deleted according to instructions from the Data Owner. 

 

4.0 Processing of Personal Data between Application Tracking Systems (“ATS”)

4.1 In the event that a Data User processes or moves data from the Data Owners system, the Data User takes the full responsibility of processing the Personal Data lawfully, and in accordance with the anytime rules and regulations concerning the processing of Personal Data. This includes informing the Data Owner and the Data Subject, and to gather the necessary consent for processing the Personal Data. Furthermore, the Data User takes full responsibility for sending necessary privacy policy information to the Data Subjects where Personal Data is planned to be processed. 


4.2 The Data User is responsible for any unlawful processing of Personal Data in systems that are not specified in the Data Owners Terms of Service (www.nixa.io/termsofservice). 

 

5.0 Technical Contact Point 

5.1 The following person will be the technical contact point from the Data Owner for the purposes of this DPA: 


Kristine Angeltvedt 

Data Protection Officer 

+47 92834046 

kristine@nixa.io 

5.2 Any changes to the above contact details, or to who will function as the Data Owner’s Technical Contact Point, shall be communicated without undue delay to the Data User in writing.