Fairfox AI (Equio ApS)
Nørredamsvej 64
DK-3480 Fredensborg
CVR: 45307581
[Customer Legal Name]
[Customer Address]
[Customer Registration Number]
[Customer Country]
This DPA applies as set out in clause 7.1 of the Agreement. In the event of a conflict between any of the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail. For a full list of controls see our trust center: trust.fairfox.ai
Unless otherwise set out below, each capitalised term in this DPA shall have the meaning set out in the Agreement and the following capitalised terms used in this DPA shall be defined as follows:
"Customer Personal Data" means any personal data contained in the Customer Materials, including personal data uploaded by the Customer to the Platform that Fairfox Processes on behalf of the Customer or one of its Affiliates for the duration of the Agreement in connection with the Customer's use of and access to the pay equity analytics services. For the avoidance of doubt, Customer Personal Data shall not include any personal data which is anonymised or deidentified whether by the Customer at the time of its supply to Fairfox or anonymised or deidentified by Fairfox after which the identifiable data is destroyed.
"Controller" means "controller" as defined by any applicable Data Protection Laws.
"Data Protection Laws" means the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council ("EU GDPR"), and all other equivalent or similar laws and regulations in any relevant EU member state jurisdiction relating to Personal Data and privacy, as each may be amended, extended or re-enacted from time to time.
"Data Subject" means "data subject" as defined by any applicable Data Protection Laws.
"European Economic Area" or "EEA" means the Member States of the European Union together with Iceland, Norway, and Liechtenstein.
"Personal Data" means "personal data" as defined by any applicable Data Protection Laws.
"Processor" means "processor" as defined by any applicable Data Protection Laws.
"Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Customer Personal Data.
"Standard Contractual Clauses" means the appropriate standard contractual clauses annexed to the Commission Implementing Decision C/2021/3972 or such other clauses as are approved by the European Commission from time to time.
"Subprocessor" means any Processor engaged by Fairfox who agrees to receive from Fairfox Customer Personal Data.
The terms "Process" and "Supervisory Authority" shall have the same meaning as set out in applicable Data Protection Laws.
4.1 In this Agreement Fairfox shall act as a Processor for Customer Personal Data of which the Customer or its Affiliates is a Controller.
4.2 Fairfox will only Process Customer Personal Data in accordance with: a) the Agreement, to the extent necessary to provide the pay equity analytics services to the Customer; and b) the Customer's written instructions, unless Processing is required by European Union or Member State Data Protection Laws to which Fairfox is subject, in which case Fairfox shall, to the extent permitted by applicable law, inform the Customer of that legal requirement before Processing that Customer Personal Data.
4.3 Fairfox shall implement the technical and organisational measures referred to in paragraph 6.1 to protect against unauthorised or unlawful processing and against loss or destruction or damage to the Customer Personal Data.
4.4 The Agreement (subject to any changes to the Services) and this DPA shall be the Customer's instructions to Fairfox in relation to the Processing of Customer Personal Data.
4.5 To the extent that any of the Customer's instructions require Processing of Customer Personal Data in a manner that falls outside the scope of the pay equity analytics services, Fairfox may: a) make the performance of any such instructions subject to the payment by the Customer of any costs and expenses incurred by Fairfox; or b) terminate the Agreement and the Services.
4.6 The Customer shall provide all applicable notices to Data Subjects required under applicable Data Protection Laws for the lawful Processing of Customer Personal Data by Fairfox in accordance with this Agreement.
4.7 The Customer warrants that it has obtained and will obtain any necessary consents required under applicable Data Protection Laws for the lawful transfer to and Processing of Customer Personal Data by Fairfox in accordance with this Agreement.
4.8 Data Processing Particulars — the scope, nature and purpose of and the duration of the Processing together with the types of personal data and categories of Data Subject are set out in Schedule 1 (Data Processing Particulars).
5.1 The Customer agrees that Fairfox may from time to time use Subprocessors (including Amazon Web Services) to Process Customer Personal Data, provided it enters into, in accordance with Data Protection Laws, a written agreement with the Subprocessor which imposes the same obligations on the Subprocessor with regard to their Processing of Customer Personal Data as are imposed on Fairfox.
5.2 Fairfox shall at all times remain responsible for compliance with its obligations under the DPA and will be liable to the Customer for the acts and omissions of any Subprocessor as if they were the acts and omissions of Fairfox.
5.3 Fairfox shall provide the Customer with notice of any proposed changes to the Subprocessors it uses to Process Customer Personal Data (including any addition or replacement of any Subprocessors).
5.4 If the Customer wishes to object (acting reasonably) on the grounds that sub-processing will or is likely to lead to a breach of Data Protection Laws, then it shall provide written notice to Fairfox within seven (7) days of notification. Unless an actual or likely breach of Data Protection Laws is demonstrated, Fairfox is under no obligation to accommodate an Objection. If Fairfox is not prepared to change the Services or if the Customer does not accept the proposal within seven (7) days, then the Customer may terminate the Agreement by providing not less than thirty (30) days' written notice to Fairfox. No pre-paid Fees shall be refundable if the Agreement is terminated by the Customer in accordance with this paragraph.
6.1 Fairfox shall not transfer or otherwise process the Customer Personal Data outside the EEA unless: a) the recipient, or the country or territory in which it processes or accesses the Customer Personal Data, ensures an adequate level of protection as set out in a decision of the European Commission; or b) the transfer is based on the appropriate module of the Standard Contractual Clauses; or c) the transfer is otherwise lawful under applicable Data Protection Laws.
7.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, Fairfox shall at all relevant times implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including any measures listed in Article 32(1) of the EU GDPR. Such measures include those which can be found at trust.fairfox.ai.
7.2 The Customer may, upon reasonable notice, at reasonable times and at its own cost, audit Fairfox's compliance with the Processing of Customer Personal Data under this DPA, provided that: a) such audits are carried out in a manner that does not disrupt Fairfox's business and are not carried out more than annually; b) the Customer reimburses Fairfox any costs incurred in facilitating such audits.
7.3 The Customer acknowledges that in relation to Subprocessors, rights of audit may be subject to additional requirements including the right to tender assurance reports in the first instance.
7.4 Where required under Article 28(3)(h) of the EU GDPR, Fairfox shall immediately notify the Customer in the event that Fairfox believes the Customer's instructions conflict with the requirements of applicable Data Protection Laws.
7.5 If Fairfox or any Subprocessor becomes aware of a Security Incident, Fairfox will (i) notify the Customer promptly and in any event within forty-eight (48) hours, (ii) investigate and provide reasonable assistance to the Customer, and (iii) take steps to remedy any non-compliance with this DPA.
7.6 Fairfox shall treat the Customer Personal Data as the Customer's Confidential Information and shall ensure that any employees or personnel with access have agreed in writing to protect its confidentiality and security.
8.1 Save as required under applicable law, Fairfox shall promptly notify the Customer of any request received from a Data Subject in respect of their personal data included in the Customer Personal Data and shall not respond to the Data Subject directly.
8.2 Fairfox shall provide the Customer with the ability to correct, delete, block, access or copy the Customer Personal Data in accordance with the functionality of the Platform.
8.3 Fairfox shall notify the Customer of any request for the disclosure of Customer Personal Data by a governmental or regulatory body or law enforcement authority unless otherwise prohibited by law.
9.1 Where applicable, taking into account the nature of the Processing, and to the extent required under applicable Data Protection Laws, Fairfox shall: a) use all reasonable endeavours to assist the Customer for the fulfilment of the Customer's obligation to respond to requests for exercising Data Subject rights; and b) provide reasonable assistance to the Customer with any data protection impact assessments and with any prior consultations to any Supervisory Authority, solely in relation to Processing of Customer Personal Data.
10.1 Fairfox shall, within thirty (30) days of the date of expiry or termination of the Agreement: a) if requested, return a complete copy of all Customer Personal Data by secure file transfer; and b) delete and use all reasonable efforts to procure the deletion of all other copies of Customer Personal Data Processed by Fairfox or any Subprocessors.
10.2 Fairfox and its Subprocessors may retain Customer Personal Data to the extent required by applicable law, or as necessary to prosecute or defend any legal claim, provided that such data is retained only to the extent and for such period as required by applicable laws.
Subject matter and duration: Fairfox will process Customer Personal Data for the purpose of providing pay equity analytics services to enable compliance with EU Pay Transparency Directive requirements, for the duration of the Agreement.
Categories of data subjects: Current and former employees of the Customer organisation whose data is included in compensation analysis datasets.
Frequency of transfer: As required for service delivery, typically during initial setup and periodic analysis updates as requested by Customer.
Retention period: Customer Personal Data will be retained for the duration of the Agreement and deleted within 30 days of termination, except where retention is required by applicable law.
Any questions regarding our DPA? Feel free to reach out at info@fairfox.ai