1. Process Only on Instructions

Process Personal Data only on documented instructions from the Controller, including transfers to third countries, unless required by law. We will inform the Controller of any legal requirement before processing, unless prohibited by law.

2. Confidentiality

Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3. Security Measures

Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in Section 8 of this DPA.

4. Sub-processor Management

Not engage another processor without prior specific or general written authorization of the Controller, as detailed in Section 6 of this DPA.

5. Assistance with Data Subject Rights

Assist the Controller by appropriate technical and organizational measures for the fulfillment of the Controller's obligation to respond to Data Subject requests.

6. Compliance Assistance

Assist the Controller in ensuring compliance with security, breach notification, impact assessments, and prior consultation obligations under Data Protection Laws.

7. Data Deletion

At the choice of the Controller, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless storage is required by applicable law.

8. Audit Support

Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections.

1. Lawful Basis

Ensure that there is a lawful basis for the processing of Personal Data and that all necessary consents have been obtained from Data Subjects where required.

2. Data Accuracy

Ensure that Personal Data provided to J5Jobs is accurate, complete, and up-to-date.

3. Instructions

Provide documented instructions for the processing of Personal Data that comply with Data Protection Laws.

4. Notification

Promptly notify J5Jobs of any changes to Data Protection Laws that may affect the processing of Personal Data under this DPA.

Current Sub-processors

J5Jobs currently uses the following Sub-processors:

Sub-processor Changes

J5Jobs will notify the Controller at least 30 days before adding or replacing Sub-processors. The Controller may object to such changes within 14 days of notification. If the Controller objects and J5Jobs cannot reasonably accommodate the objection, the Controller may terminate the affected Services.

Sub-processor Agreements

J5Jobs will ensure that each Sub-processor is bound by data protection obligations no less protective than those in this DPA. J5Jobs remains fully liable for the acts and omissions of its Sub-processors.

Standard Contractual Clauses

Where required, J5Jobs uses the European Commission's Standard Contractual Clauses (SCCs) for transfers to third countries. The applicable SCCs are incorporated by reference into this DPA.

Adequacy Decisions

Where the European Commission or UK authorities have made an adequacy decision for a third country, transfers may be made on that basis.

Supplementary Measures

J5Jobs implements supplementary technical and organizational measures to ensure that Personal Data transferred internationally receives an equivalent level of protection, including encryption in transit and at rest.

Transfer Impact Assessments

J5Jobs conducts transfer impact assessments for transfers to third countries to evaluate the level of protection and implement additional safeguards where necessary.

Encryption

• TLS 1.3 encryption for all data in transit
• AES-256 encryption for data at rest
• Encrypted database connections and backups

Access Controls

• Role-based access control (RBAC)
• Multi-factor authentication for administrative access
• Principle of least privilege
• Regular access reviews and revocation

Infrastructure Security

• AWS infrastructure with SOC 2 Type II certification
• Network segmentation and firewalls
• DDoS protection and WAF
• Regular vulnerability scanning and penetration testing

Operational Security

• Security incident response procedures
• Regular security training for personnel
• Background checks for employees with data access
• Secure development lifecycle (SDLC)

Business Continuity

• Automated daily backups with geographic redundancy
• Disaster recovery procedures with defined RTO/RPO
• High availability architecture

Supported Rights

• Right of access to Personal Data
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to restriction of processing
• Right to data portability
• Right to object to processing
• Rights related to automated decision-making

Response Process

J5Jobs will promptly notify the Controller of any Data Subject request received directly and will not respond to such requests without the Controller's prior authorization, unless required by law.

Technical Assistance

J5Jobs provides self-service tools for Controllers to export, correct, or delete Personal Data. For complex requests, J5Jobs will provide reasonable assistance within 10 business days.

Notification Timeline

Notify the Controller without undue delay and in any event within 48 hours after becoming aware of a Personal Data breach affecting the Controller's data.

Notification Content

The notification will include, to the extent known:

• Description of the nature of the breach
• Categories and approximate number of Data Subjects affected
• Categories and approximate number of records affected
• Likely consequences of the breach
• Measures taken or proposed to address the breach
• Contact point for further information

Cooperation

J5Jobs will cooperate with the Controller and provide reasonable assistance in investigating the breach, mitigating its effects, and fulfilling the Controller's notification obligations to supervisory authorities and Data Subjects.

Audit Scope

Audits may cover J5Jobs's data processing activities, security measures, and compliance with this DPA and applicable Data Protection Laws.

Audit Process

• 30 days advance written notice required
• Audits conducted during normal business hours
• Auditor must sign confidentiality agreement
• One audit per 12-month period (unless breach occurs)

Third-Party Certifications

J5Jobs maintains SOC 2 Type II certification and will provide audit reports and certifications upon request. These may satisfy audit requirements at the Controller's discretion.

Costs

The Controller bears the costs of audits, except where an audit reveals material non-compliance by J5Jobs, in which case J5Jobs will bear reasonable audit costs.

Data Return

At the Controller's request, J5Jobs will return all Personal Data in a commonly used, machine-readable format (JSON or CSV) within 30 days of termination.

Data Deletion

Unless the Controller requests data return, J5Jobs will delete all Personal Data within 90 days of termination, except where retention is required by applicable law.

Certification

Upon request, J5Jobs will provide written certification of data deletion within 30 days of completing the deletion process.

Survival

The confidentiality obligations and liability provisions of this DPA survive termination for a period of 3 years.