Indeed API Data Protection Addendum

This Data Protection Addendum (“Addendum”) forms part of the Primary Agreement to which it is attached (hereinafter referred to together as the “Agreement”) entered into between Indeed and Partner (as defined below) and is effective from the effective date of the Agreement (“Effective Date”). Partner and Indeed are referred to collectively as the “Parties,” and individually each as a “Party.”

  1. Indeed and Partner are engaged through separate agreements or arrangements with an end Client to provide various services to that Client.

  2. In the course of providing services, the Parties, acting under Client’s written instruction, may process (by accessing) Client personal data (as defined below) available or hosted through a Partner API or Indeed Applications.

  3. The GDPR (as defined below) and other applicable data protection laws require that agreements involving the processing of Personal Data contain certain safeguards. This Addendum is designed to meet these safeguard requirements.

  4. The Parties agree that the processing activities are carried out by the Parties as Processor on behalf of the Client pursuant to each Party’s respective Client Agreement and shall comply with the provisions of this Addendum.

Definitions

Words and expressions used in this Addendum but not defined herein shall have the meanings given to such words and expressions in the GDPR unless otherwise stated herein. Where the Applicable Data Protection Law gives meanings to such words and expressions that differ from the GDPR, then those meanings in the Applicable Data Protection Law shall apply instead for purposes of compliance with such Applicable Data Protection Law. The following definitions apply to this Addendum unless otherwise specified herein.

“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with Indeed. "Control," for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

“Applicable Data Protection Law” means all laws, regulations, and other legal requirements relating to (i) privacy, data security, consumer protection, marketing, promotion, and text messaging, email, and other communications; (ii) the use, collection, retention, storage, security, disclosure, transfer, disposal, and other processing of Personal Data applicable to the processing of Client Personal Data under the Agreement including but not limited to General Data Protection Regulation 2016/679 (“GDPR”), Federal Data Protection Act of 19 June 1992 (Switzerland), UK Data Protection Act 2018 and UK General Data Protection Regulation (UK GDPR), Japanese Act on the Protection of Personal Information (Act No. 57 of 2003 as amended in 2015) and any US state or federal laws or regulations pertaining to the collection, use, disclosure, security or protection of personal data, or to security breach notification, e.g. California Consumer Privacy Act of 2018 (“CCPA”) and California Privacy Rights Act of 2020; the Virginia Consumer Data Protection Act (the “VCDPA”), the Colorado Privacy Act (the “CPA”), the Connecticut Data Protection Act (the “CTDPA”), and/or the Utah Consumer Privacy Act (the “UCPA”) and binding guidance and / or codes of practice issued by the governments, a competent supervisory authority under applicable laws (as defined in the GDPR), or the European Data Protection Board.

“Business Contact Information” means the names, mailing addresses, email addresses, and phone numbers regarding the other Party’s employees, directors, vendors, agents and customers, maintained by a Party for business purposes as further described below.

“Client” (for the purposes of this Addendum) means the Controller and owner of the Client Personal Data (as defined below).

“Client Agreement” means the individual agreements (including data processing agreements) entered into by a) the Client (or Controller) and Partner (or Processor) and b) Client (or Controller) and Indeed (or Processor) defining each Party’s respective duties and obligations as Controller and Processor.

“Client Personal Data” means either a) Client-owned or controlled personal data provided by or on behalf of Client to Indeed or an Indeed affiliate or subcontractor for processing through use of Indeed services or b) Client-owned or controlled personal data provided by or on behalf of Client to Partner or Partner affiliate or subcontractor for processing under each Party’s respective Client Agreement. Unless prohibited by Applicable Data Protection Laws, Client Personal Data shall not include information or data that is anonymized, aggregated, de-identified and/or compiled on a generic basis and which does not name or identify a specific person.

“Controller, Process (and its derivatives), Processor and Supervisory Authority” have the meanings given to them in the GDPR, except that where Applicable Data Protection Law gives meanings to such words and expressions that differ from the GDPR, then those words and expressions shall have the meanings given to them under Applicable Data Protection Law for purposes of complying with such laws. The term “Processor” includes, without limitation, a “Service Provider” as defined by the CCPA and “business operator handling personal information” as defined by the APPI.

“EU-US Data Privacy Framework (EU-U.S. DPF)” means the EU-U.S. Data Privacy Framework Principles, including the Supplemental Principles and Annex I of the Principles issued by the US Department of Commerce effective July 10, 2023.

“Self certified and participating organization” shall have the same meaning as prescribed under the EU-U.S DPF.

“Indeed” means the Indeed entity/entities/affiliates contracting with the Partner in the context of the Primary Agreement.

“Indeed API” means the Application Programming Interface made available to Partner by Indeed including, without limitation, any updates (as defined in the Agreement).

“Indeed Applications” means any applications developed and provided to Partner by Indeed to communicate or interact with the API, solely for Partner’s use as set forth in the Agreement.

“Partner” means the entity that i) will license the Partner API and its associated tools and documentation for Indeed’s access and use to allow Indeed to build integrations to the Partner API or ii) will be licensed the Indeed API to allow the Partner to build integrations to the Indeed API, as set out in the Agreement.

“Partner API” means the Application Programming Interface made available to Indeed by Partner including, without limitation, any updates (as defined in the Agreement).

“Personal Data” has the meaning given to it in the GDPR. This definition shall adjust as necessary to include data defined as "Personal Information", "Personally Identifiable Information," and similar terms under Applicable Data Protection Laws.

“Personal Data Breach or Information Security Incident” means an actual, confirmed breach of a Party’s technical and organizational measures used to protect privacy and security of Client Personal Data that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to such Client Personal Data transmitted, stored or otherwise processed by a Party under the terms of the Agreement or Client Agreement.

“Primary Agreement” means the API license agreement between Indeed and Partner governing access to Indeed APIs or Partner APIs.

“Technical and organizational security measures” means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Data Protection Terms

  1. Relationship between the Parties. The Parties to this Addendum acknowledge that they have separate agreements with the Client (who is the Controller) defining their respective duties and obligations as Controller and/or Processor.

  2. Compliance with Laws as Processor:

    2.1. Solely to the extent that any Party to this Addendum Processes (by accessing) Client Personal Data under or in connection with the Agreement or Client Agreement, each such Party acknowledges and agrees to comply with its respective obligations as a Processor under Applicable Data Protection Law.

    2.2. If either Party (in its capacity as Processor) is or becomes aware of:

    2.2.1. any reason that would prevent its compliance with Applicable Data Protection Law; or

    2.2.2. any incident of non-compliance with Applicable Data Protection Law in connection with the Processing of Client Personal Data under this Agreement; or

    2.2.3. determines, in its reasonable business judgment, that a Client processing instruction violates any Applicable Data Protection Law (provided that nothing herein shall require the Parties to provide legal or regulatory advice or monitor Applicable Data Protection Laws as they apply to Client), it shall notify the other Party in the most expedient time possible. In such an event, the Parties will work together in good faith to resolve such event in a timely manner. In no event will either Party be required to perform any activity that violates any Applicable Data Protection Law. If the Client requires a Party or the Parties to follow a processing instruction despite a Party’s notice to the Client that such instruction may violate an Applicable Data Protection Law, the Party shall in such event be responsible for all liability for all claims and damages arising from any continued processing in accordance with such instruction and may (where legally entitled to) recover those costs directly from the Client. In such an event, the Party that continues with the processing shall indemnify and hold the other Party harmless from and against any and all liabilities, costs, expenses, damages and losses arising out of or in connection with such processing.

  3. Processing Instructions:

    3.1. The Parties acknowledge and agree that each Party is a Processor of Client Personal Data, and have been engaged by the Client as Processor to process Client Personal Data for the purposes:

    3.1.1. set forth in the Client Agreement and any other written agreement between the Parties, including this Addendum;

    3.1.2. directed, actioned, or otherwise specified to the Parties through the use of any services expressly made subject to this Addendum; and

    3.1.3. disclosing such data as instructed by Client in any other documented instructions to either Party.

    3.2. In all cases, irrespective of whether Applicable Data Protection Law applies to Client Personal Data, the Parties will process Client Personal Data only on Client’s documented instructions and not for any other purpose, unless specifically instructed by Client in writing or otherwise required or authorized by Applicable Data Protection Law.

    3.3. In the event that a Party processes (by accessing) Client Personal Data that is outside the scope of Client’s documented instructions, it is agreed that this Party shall be responsible for all liabilities, claims and damages arising from any continued processing and hold the other Party harmless from and against any and all liabilities, costs, expenses, damages and losses. For avoidance of doubt, the limitations of liability contained in the Agreement shall not apply in such an event.

    3.4. Where the GDPR applies to processing of Client Personal Data covered by this Addendum:

    3.4.1. The subject matter of the Parties’ processing shall be the services the Parties are performing under the Client Agreement.

    3.4.2. The duration of the Parties’ processing shall be the applicable term of the Client Agreement, in addition to the period of time that either Party’s obligations under this Addendum survive termination of the Client Agreement.

    3.4.3. The nature and purpose of the processing are limited to the services the Parties perform under the Client Agreement, including by way of this Addendum.

    3.3.4. The categories of Personal Data include any Client Personal Data as provided by the Client or otherwise made available to Indeed or Partner through use of Indeed’s platforms.

    3.4.5. The Data Subjects include any individuals whose Personal Data Client provides or otherwise makes available to Indeed or Partner as Client Personal Data.

  4. Confidentiality. The Parties’ personnel, including subcontractors, authorized to process the Client Personal Data shall be subject to confidentiality obligations and/or subject to an appropriate statutory obligation of confidentiality.

  5. Data Subject and Supervisory Authority Requests. Taking into account the nature of the processing and the availability of information to it, the Parties shall provide each other with commercially reasonable assistance to fulfill either Party’s obligation to respond to a request from an individual to exercise such individual's rights under Applicable Data Protection Law including any requests from a competent Supervisory Authority. The Parties will not independently respond to such requests from Client’s data subjects, but will refer them to Client, except where required by Applicable Data Protection Law.

  6. Security. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Parties will implement appropriate technical and organizational security measures to safeguard Client Personal Data.

  7. Information Security Incidents. The Parties shall maintain procedures to detect and respond to Information Security Incidents. If an Information Security Incident occurs which may reasonably compromise the security or privacy of Client Personal Data, the Party will (apart from notifying the Client) if legally permitted and not otherwise prohibited by contract unless required under any Applicable Data Protection Laws also notify the other Party without undue delay. The Parties agree to cooperate with Client (and each other) in investigating the Information Security Incident and provide assistance to Client as required under the contract between the Party and Client, subject to the terms and limitations agreed upon in such contract or required under any Applicable Data Protection Laws.

  8. Subprocessors. Each Party acknowledges that it shall adhere to any sub-processing conditions it may have under the agreement with the Client, such as entering into a written contract with each such Subprocessor and remaining fully liable for the performance of each such Subprocessor’s obligations thereunder.

  9. Transfers.

    9.1. To the extent that the GDPR applies to the processing of Client Personal Data, the Parties agree that they will not transfer Client Personal Data out of the EEA to a country that has not been identified by the European Commission or a Supervisory Authority under the GDPR as a country that provides an adequate level of data protection except where the Party requiring to undertake the transfer has ensured appropriate safeguards are in place, such as the Standard Contractual Clauses approved by the European Commission unless otherwise required by applicable law.

    9.2. To the extent that the UK Data Protection Act applies to the processing of Client Personal Data, the Parties agree that they will not transfer Client Personal Data out of the United Kingdom (UK) to a country that has not been identified as a country that provides an adequate level of data protection except where the Party requiring to undertake the transfer has ensured appropriate safeguards are in place, such as the UK Standard Contractual Clauses as amended from time to time by the Information Commissioner’s Office (the “UK SCCs”) unless otherwise required by applicable law.

    9.3. Transfers of EEA/Swiss/UK Data to the US

    9.3.1. Where Personal Data is transferred to the US, transfer from a participating organization as defined under the EU-U.S. Data Privacy Framework program (EU-U.S. DPF, which is detailed here: https://www.dataprivacyframework.gov/), the UK Extension to the EU-U.S. DPF and the Swiss-U.S. Data Privacy Framework program (Swiss-U.S. DPF), shall only take place if the Parties provide for the same level of protection as is available under the EU-U.S. DPF or offer an equivalent independent recourse mechanism.

    9.3.2. Where the Party is not a participating organization as defined under the EU-U.S. Data Privacy Framework program, the transfer of Personal Data from the EU/UK/Switzerland to the US shall be done in accordance with a valid legal mechanism such as the appropriate EU SCC and/or UK Addendum, or a UK International Data Transfer Agreement.

  10. Compliance. The Parties shall at all times remain compliant with Applicable Data Protection Laws to which they are subject as it relates to the services and, where required, the Parties shall make available to each other information reasonably necessary to demonstrate compliance with their respective obligations as Processors.

  11. Notice. In the event that a Party is required by Applicable Data Protection Law to process Client Personal Data for any other purpose or in any other manner, such Party shall notify the Client of that legal requirement before undertaking such processing, unless the Applicable Data Protection Law prohibits such notification on important grounds of public interest.

  12. Termination. Following expiration or termination of the provision of services relating to the processing of Client Personal Data, or at Client’s request, the Parties shall (and shall require that its sub-processors) promptly and securely delete (or return to Client) all Client Personal Data (including existing copies), unless otherwise required or permitted by applicable laws.

  13. Costs. Each Party shall be responsible for any and all reasonable costs arising from its provision of assistance in accordance with this Addendum.

  14. California Consumer Privacy Act. To the extent that Client Personal Data includes Personal Data of Consumers and is subject to the CCPA, the following additional terms apply to the Processing of such Client Personal Data:

    14.1. The Parties acknowledge and agree that Partner and Indeed both are acting as Service Partners to the Client for purposes of all Processing of such Client Personal Data.

    14.2. Each Party further acknowledges and agrees that it shall (a) not Sell or share such Client Personal Data (as defined by CCPA); (b) not retain, use, or disclose such Client Personal Data for any purpose other than for the Business Purpose(s) specified in accordance with the Agreement, unless permitted by law; (c) not retain, use or disclose such Client Personal Data outside of the direct business relationship established by the Agreement and Client Agreement except in all cases as otherwise required by applicable law or permitted by the CCPA; (d) provide the same level of privacy protection required of such Client by the applicable obligations under CCPA for Client Personal Data; (e) notify the Client if it can no longer meet its obligations under the CCPA and will work with the Client to take reasonable and appropriate steps to stop and remediate unauthorized use of Client Personal Data.

  15. Business Contact Information. Each Party consents to the other Party using its Business Contact Information for contract management, payment processing, service offering, and business development purposes, including business development with partners, and such other purposes as set out in the using party’s Privacy policy (copies of which shall be made available upon request). For such purposes, and notwithstanding anything else set forth in the Addendum with respect to Client Personal Data in general, each Party shall be considered a controller with respect to the other Party’s Business Contact Information and shall be entitled to transfer such information to any country where such Party’s global organization operates.

  16. Governing Terms. In the event of an express conflict between the terms of this Addendum and the terms of the Agreement, the terms of this Addendum shall govern solely to the extent of the conflict as necessary to comply with Applicable Data Protection Law. All other terms and conditions within the Agreement remain unchanged and in full force and effect.

  17. Changes in Laws. In the event of (i) any newly enacted Applicable Data Protection Law, (ii) any change to an existing Applicable Data Protection Law (including generally-accepted interpretations thereof), (iii) any interpretation of a new or existing Applicable Data Protection Law by Client, or (iv) any material new or emerging cybersecurity threat, which individually or collectively requires a change in the manner by which the Parties are delivering the services to the Client, the parties shall agree upon how the services will be impacted and shall make equitable adjustments to the terms of the Agreement and the services in accordance with the agreed change control procedures.
