
Data Processing Agreement

This DPA applies as set out in clause 7.1 of the Agreement.

1. Parties

Processor

Fairfox AI (Equio ApS)

Nørredamsvej 64

DK-3480 Fredensborg

CVR: 45307581

Controller

[Customer Legal Name]

[Customer Address]

[Customer Registration Number]

[Customer Country]

2. Background

This DPA applies as set out in clause 7.1 of the Agreement. In the event of a conflict between any of the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail. For a full list of controls see our trust center: trust.fairfox.ai

3. Definitions

Unless otherwise set out below, each capitalised term in this DPA shall have the meaning set out in the Agreement and the following capitalised terms used in this DPA shall be defined as follows:

"Customer Personal Data" means any personal data contained in the Customer Materials, including personal data uploaded by the Customer to the Platform that Fairfox Processes on behalf of the Customer or one of its Affiliates for the duration of the Agreement in connection with the Customer's use of and access to the pay equity analytics services. For the avoidance of doubt, Customer Personal Data shall not include any personal data which is anonymised or deidentified whether by the Customer at the time of its supply to Fairfox or anonymised or deidentified by Fairfox after which the identifiable data is destroyed.

"Controller" means "controller" as defined by any applicable Data Protection Laws.

"Data Protection Laws" means the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council ("EU GDPR"), and all other equivalent or similar laws and regulations in any relevant EU member state jurisdiction relating to Personal Data and privacy, as each may be amended, extended or re-enacted from time to time.

"Data Subject" means "data subject" as defined by any applicable Data Protection Laws.

"European Economic Area" or "EEA" means the Member States of the European Union together with Iceland, Norway, and Liechtenstein.

"Personal Data" means "personal data" as defined by any applicable Data Protection Laws.

"Processor" means "processor" as defined by any applicable Data Protection Laws.

"Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Customer Personal Data.

"Standard Contractual Clauses" means the appropriate standard contractual clauses annexed to the Commission Implementing Decision C/2021/3972 or such other clauses as are approved by the European Commission from time to time.

"Subprocessor" means any Processor engaged by Fairfox who agrees to receive from Fairfox Customer Personal Data.

The terms "Process" and "Supervisory Authority" shall have the same meaning as set out in applicable Data Protection Laws.

4. Data Processing

4.1 In this Agreement Fairfox shall act as a Processor for Customer Personal Data of which the Customer or its Affiliates is a Controller.

4.2 Fairfox will only Process Customer Personal Data in accordance with: a) the Agreement, to the extent necessary to provide the pay equity analytics services to the Customer; and b) the Customer's written instructions, unless Processing is required by European Union or Member State Data Protection Laws to which Fairfox is subject, in which case Fairfox shall, to the extent permitted by applicable law, inform the Customer of that legal requirement before Processing that Customer Personal Data.

4.3 Fairfox shall implement the technical and organisational measures referred to in paragraph 7.1 and published on the Fairfox trust center (trust.fairfox.ai) to protect against unauthorised or unlawful processing and against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data.

4.4 The Agreement (subject to any changes to the Services) and this DPA shall be the Customer's instructions to Fairfox in relation to the Processing of Customer Personal Data.

4.5 To the extent that any of the Customer's instructions require Processing of Customer Personal Data in a manner that falls outside the scope of the pay equity analytics services, Fairfox may: a) make the performance of any such instructions subject to the payment by the Customer of any costs and expenses incurred by Fairfox; or b) terminate the Agreement and the Services.

4.6 The Customer shall provide all applicable notices to Data Subjects required under applicable Data Protection Laws for the lawful Processing of Customer Personal Data by Fairfox in accordance with this Agreement.

4.7 The Customer warrants that it has obtained and will obtain any necessary consents required under applicable Data Protection Laws for the lawful transfer to and Processing of Customer Personal Data by Fairfox in accordance with this Agreement.

4.8 Data Processing Particulars — the scope, nature and purpose of and the duration of the Processing together with the types of personal data and categories of Data Subjects are set out in Schedule 1 (Data Processing Particulars). Approved Subprocessors, including processing locations, storage locations, the country in which Processing takes place and the country from which Customer Personal Data may be accessed, are set out in the table in clause 5.

5. Subprocessors

Fairfox uses the following subprocessor:

| Sub-processor | Purpose | Location | Transfer mechanism |
| --- | --- | --- | --- |
| Amazon Web Services EMEA SARL, One Burlington Plaza, Burlington Road, Dublin 4, D04 RH96, Ireland | Cloud hosting of Fairfox solution. | EU (Ireland) | N/A (EU) |

5.1 The Customer authorises Fairfox to engage the Subprocessors listed in the table in clause 5 above to Process Customer Personal Data. For each approved Subprocessor, the table shall identify:

  • a) the legal name of the Subprocessor;
  • b) the processing activities carried out by the Subprocessor;
  • c) the country in which the Subprocessor is established and the country or countries in which Processing or access takes place; and
  • d) the applicable transfer mechanism where Processing or access takes place outside the EEA.

Fairfox shall ensure that each Subprocessor is bound by a written agreement imposing data protection obligations no less protective than those set out in this DPA, to the extent applicable to the services performed by that Subprocessor.

5.2 Fairfox shall at all times remain responsible for compliance with its obligations under the DPA and will be liable to the Customer for the acts and omissions of any Subprocessor as if they were the acts and omissions of Fairfox.

5.3 Fairfox shall provide the Customer with at least thirty (30) days' prior written notice of any proposed addition, replacement or other material change relating to a Subprocessor used to Process Customer Personal Data. Such notice shall include the information necessary to assess the proposed change, including the identity of the proposed Subprocessor, the services to be provided, the processing location(s), and any applicable transfer mechanism where Processing or access takes place outside the EEA.

5.4 The Customer may object to a proposed Subprocessor on reasonable data protection grounds by written notice to Fairfox within thirty (30) days of receipt of the notice referred to in clause 5.3. Fairfox shall not appoint the proposed Subprocessor until the objection period has expired and, where an objection has been raised, until the parties have discussed the objection in good faith.

If the Customer raises a reasonable objection, Fairfox shall use reasonable efforts to make available a commercially reasonable alternative, or to modify the affected part of the Services to avoid the use of the proposed Subprocessor. If no such alternative is reasonably available, the Customer may terminate only the affected part of the Services on written notice without penalty and shall be entitled to a pro rata refund of any prepaid fees relating to the terminated portion of the Services.

6. International Transfers

6.1 Fairfox shall not transfer, permit access to, or otherwise process the Customer Personal Data outside the EEA unless: a) the recipient, or the country or territory in which it processes or accesses the Customer Personal Data, ensures an adequate level of protection as set out in a decision of the European Commission; or b) the transfer is governed by the appropriate module of the Standard Contractual Clauses together with any supplementary measures required under applicable Data Protection Laws; or c) the transfer is otherwise lawful under applicable Data Protection Laws.

Fairfox shall ensure that all transfers or access outside the EEA are identified in Schedule 1 and/or the table in clause 5, including the relevant destination country, recipient category and transfer mechanism relied upon. Upon request, Fairfox shall provide the Customer with a copy of the relevant transfer mechanism documentation, including the applicable Standard Contractual Clauses, subject to redaction of information reasonably considered confidential. Fairfox shall also provide reasonable information regarding the supplementary technical, organisational and contractual measures applied in connection with such transfer. If Fairfox determines that it can no longer comply with the transfer mechanism relied upon, it shall promptly notify the Customer and suspend the relevant transfer unless and until compliance can be restored or another lawful transfer mechanism is implemented.

7. Data Security, Audits and Security Notifications

7.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, Fairfox shall at all relevant times implement, maintain and document appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Such measures shall include, at a minimum and to the extent relevant to the Services:

  • a) information security governance and internal security policies;
  • b) logical access controls, including role-based access controls, least privilege principles and multi-factor authentication for privileged access;
  • c) encryption of Customer Personal Data in transit and at rest, where technically feasible;
  • d) segregation of Customer Personal Data from other data sets and environments;
  • e) logging, monitoring and alerting in relation to access to and use of Customer Personal Data;
  • f) vulnerability management, security patching and periodic security testing;
  • g) backup, restoration, disaster recovery and business continuity measures;
  • h) incident response and breach management procedures;
  • i) personnel confidentiality undertakings and periodic security and privacy training; and
  • j) vendor and subprocessor security due diligence procedures.

The technical and organisational measures applicable as at the Effective Date are published on the Fairfox trust center (trust.fairfox.ai), which forms an integral part of this DPA. Fairfox shall review and update such measures on an ongoing basis and at least annually. Fairfox shall not materially reduce the overall level of protection afforded to Customer Personal Data during the term of the Agreement without giving prior written notice to the Customer.

7.2 Fairfox shall make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA and applicable Data Protection Laws, including, where relevant, up-to-date information regarding technical and organisational measures, subprocessor engagements, transfer mechanisms, retention and deletion practices, and available third-party audit reports or certifications.

The Customer may, upon reasonable notice, audit Fairfox's compliance with the Processing of Customer Personal Data under this DPA and applicable Data Protection Laws. Audits shall be conducted during normal business hours and in a manner reasonably designed to avoid unnecessary disruption to Fairfox's business.

Ordinary audits may be carried out no more than once annually, provided, however, that the Customer may carry out additional audits where reasonably required due to:

  • a) a Security Incident;
  • b) a material change to the Processing or the subprocessor chain;
  • c) a reasonable and documented suspicion of non-compliance; or
  • d) a request or requirement from a Supervisory Authority.

Each party shall bear its own internal costs in connection with audits, provided that where an audit reveals a material breach of this DPA or applicable Data Protection Laws, Fairfox shall reimburse the Customer's reasonable, documented external audit costs.

7.3 In relation to Subprocessors, Fairfox shall, upon request, make available to the Customer the audit reports, certifications and other compliance documentation obtained by Fairfox from such Subprocessors, to the extent reasonably sufficient to demonstrate compliance with this DPA and applicable Data Protection Laws.

Where such documentation is not reasonably sufficient in light of the relevant risk, Fairfox shall provide reasonable assistance to the Customer in obtaining additional information from the relevant Subprocessor and, where available under Fairfox's agreement with that Subprocessor, in facilitating audit or inspection rights in relation to that Subprocessor.

7.4 Where required under Article 28(3)(h) of the EU GDPR, Fairfox shall immediately notify the Customer in the event that Fairfox believes the Customer's instructions conflict with the requirements of applicable Data Protection Laws.

7.5 If Fairfox or any Subprocessor becomes aware of a Security Incident, Fairfox will (i) notify the Customer promptly and in any event within forty-eight (48) hours, (ii) investigate and provide reasonable assistance to the Customer, and (iii) take steps to remedy any non-compliance with this DPA.

7.6 Fairfox shall treat the Customer Personal Data as the Customer's Confidential Information and shall ensure that any employees or personnel with access have agreed in writing to protect its confidentiality and security.

8. Access Requests and Data Subject Rights

8.1 Save as required under applicable law, Fairfox shall promptly notify the Customer of any request received from a Data Subject in respect of their personal data included in the Customer Personal Data and shall not respond to the Data Subject directly.

8.2 Fairfox shall provide the Customer with the ability to correct, delete, block, access or copy the Customer Personal Data in accordance with the functionality of the Platform.

8.3 Fairfox shall notify the Customer of any request for the disclosure of Customer Personal Data by a governmental or regulatory body or law enforcement authority unless otherwise prohibited by law.

9. Assistance

9.1 Where applicable, taking into account the nature of the Processing, and to the extent required under applicable Data Protection Laws, Fairfox shall: a) use all reasonable endeavours to assist the Customer for the fulfilment of the Customer's obligation to respond to requests for exercising Data Subject rights; and b) provide reasonable assistance to the Customer with any data protection impact assessments and with any prior consultations to any Supervisory Authority, solely in relation to Processing of Customer Personal Data.

10. Duration and Termination

10.1 Fairfox shall, within thirty (30) days of the date of expiry or termination of the Agreement: a) if requested, return a complete copy of all Customer Personal Data by secure file transfer; and b) delete and use all reasonable efforts to procure the deletion of all other copies of Customer Personal Data Processed by Fairfox or any Subprocessors.

10.2 Fairfox and its Subprocessors may retain Customer Personal Data to the extent required by applicable law, or as necessary to prosecute or defend any legal claim, provided that such data is retained only to the extent and for such period as required by applicable laws.

11. Schedule 1 — Data Processing Particulars

Subject matter and duration: Fairfox will process Customer Personal Data for the purpose of providing pay equity analytics services to enable compliance with EU Pay Transparency Directive requirements, for the duration of the Agreement.

11.1 Nature and purpose of processing

  • Analysis of employee compensation data to identify pay gaps
  • Statistical modeling and calculations for pay equity assessments
  • Generation of reports and recommendations for pay gap remediation
  • Validation of pay grade classifications

11.2 Categories of personal data

  • Employee identification information (names, employee IDs)
  • Compensation data (salaries, bonuses, benefits)
  • Demographic information (gender, age, ethnicity where provided)
  • Employment information (job titles, grades, departments, start dates, locations)
  • Performance and qualification data (education, experience, performance ratings where provided)

Categories of data subjects: Current and former employees of the Customer organization whose data is included in compensation analysis datasets.

Frequency of transfer: As required for service delivery, typically during initial setup and periodic analysis updates as requested by Customer.

Retention period: Customer Personal Data will be retained for the duration of the Agreement and deleted within 30 days of termination, except where retention is required by applicable law.

Any questions regarding our DPA? Feel free to reach out at info@fairfox.ai

Fairfox is a product of Equio ApS,
a company registered under the laws of Denmark.
CVR: DK 44SEE780