Last Updated: Mar 27, 2025
1. Purpose
This Deeper Signals Privacy Standard (this “Privacy Standard”) stipulates confidentiality, security and privacy and data protection requirements with respect to Personal Information processed by Deeper Signals on behalf of Client. In the event of any conflict between the provisions in this Privacy Standard and the provisions set forth in the Agreement to which this is attached, the provisions of this Privacy Standard shall prevail.
2. Definitions
For the purposes of this Deeper Signals Privacy Standard:
(a) “Agreement” means the Master Services Agreement and any Orders entered pursuant thereto between Deeper Signals and Client.
(b) “Client” means the Client as set forth in the Agreement, all of its direct and indirect subsidiaries and affiliates, and any entity that becomes a direct or indirect subsidiary or affiliate of Client after the effective date of the Agreement, including but not limited to the entities operating in the European Economic Area.
(c) “Personal Information” shall mean any and all information relating to an identified or identifiable individual provided to Deeper Signals by Client or collected by Deeper Signals for Client (an identifiable individual is one who can be identified, directly or indirectly, in particular by reference to an identification number or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity). Information can be in any media or format, including computerized or electronic records, as well as paper-based files;
(d) “Sensitive Personal Information” shall mean Personal Information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and Personal Information concerning health or sex life, criminal records (or allegations of crimes), financial information (such as bank account number), and Government issued identification numbers (such as Social Security number, Social Insurance number, Passport number, driver's license or national ID number);
(e) “Processing of Personal Information” (or “Processing”) shall mean any operation or set of operations which is performed upon Personal Information, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking or dispersed erasure or destruction;
(f) “Processing Purposes” shall mean only for relevant, appropriate, and customary business purposes, such as:
- recruitment and placement;
- administration of compensation and benefit programs;
- performance management and training;
- advancement planning;
- workforce and risk management;
- workplace management;
- outplacement services;
- client and government reporting;
- other legal and expected business-related purposes;
- other specific purposes that Client may define from time to time;
(g) “Services” shall mean any and all services that Client requests Deeper Signals to perform under the Agreement that involve Processing of Personal Information;
(h) “Deeper Signals Personnel” shall mean employees and agents of Deeper Signals, Deeper Signals affiliates and subcontractors of Deeper and/or affiliates;
(i) “Deeper Signals” shall mean Deeper Signals, Inc., a Delaware corporation or its affiliated entity providing services under the Agreement; and
(j) “Processor” shall mean a natural or legal person, public authority, agency or any other body that processes Personal Information on behalf of Client. For the purposes of this Privacy Standard Deeper Signals is considered a Processor.
3. Deeper Signals Obligations
Deeper Signals shall comply with the following obligations notwithstanding anything to the contrary contained in the Agreement:
(a) Deeper Signals shall process Personal Information only on behalf of Client, for Processing Purposes, and in accordance with Client’s instructions pursuant to the Agreement with Client and this Deeper Signals Privacy Standard;
(b) Deeper Signals shall promptly inform Client:
- If it cannot comply with this Deeper Signals Privacy Standard. If this occurs, both parties shall use reasonable efforts to remedy the non-compliance. Client shall be entitled to suspend the communication of Personal Information, and to terminate any of Deeper Signals’ further processing of Personal Information;
- Of any request for access to Personal Information received by Deeper Signals from a (purported) data subject or a third party;
- Where permitted by applicable law, of any request for access to Personal Information received by Deeper Signals from any government official (including any court, data protection agency or law enforcement agency);
- Of any other requests with respect to Personal Information received from other third parties, other than those set forth in the Agreement; and
- Of any change in applicable legislation which Deeper Signals believes is likely to have a substantial adverse effect on the warranties and obligations set forth in this Privacy Standard.
Deeper Signals understands that it is not authorized to respond to these requests, unless explicitly authorized by Client or required by Law. In the last case, Deeper Signals will promptly inform Client of such a request and, where legally permitted, prior to such a disclosure;
(c) Any Personal Information collected or accessed by Deeper Signals in the performance of the Services contracted shall be limited to that which is necessary to perform such Services or to fulfill any legal requirements. Deeper Signals shall make its best efforts to keep Personal Information accurate and current;
(d) Deeper Signals shall co-operate with Client in responding to enquiries, complaints, and claims relating to the Processing of Personal Information from any court or governmental official (including but not limited to any data protection agency or law enforcement agency), third parties, or individuals;
(e) Deeper Signals shall co-operate with Client, particularly to comply with its obligations regarding data protection laws, and will communicate all information (including technical information) and documentation necessary; and
(f) If the Services involve the collection of Personal Information directly from individuals, such as through a registration process, intranet portal or webpage, Deeper Signals will provide a mechanism for Client to provide a clear and conspicuous notice. No terms of use, privacy statement or other provisions presented to individuals via a webpage or in any other manner shall alter Deeper Signals’ obligations or rights under this Privacy Standard or the manner in which Deeper Signals may use Personal Information provided Client’s privacy notice is accurate with respect to any description of Deeper Signals’ uses of Personal Information as agreed between the parties.
(g) The Parties agree that, as between Deeper Signals and Client, the Client shall be deemed the controller of the Personal Information for purposes of applicable data privacy laws.
4. Confidentiality Obligations
(a) Deeper Signals shall maintain all Personal Information confidential. Deeper Signals shall not disclose, transmit, or otherwise make the Personal Information available to third parties unless Client has been provided notice of such disclosure, transmission, or making available in advance. Contractors specifically authorized under the Agreement shall be authorized to access Personal Information under this Privacy Standard to the extent such subcontractors need access to perform their services. Deeper Signals shall require subcontractors to comply with terms at least as protective as the conditions set forth in this Privacy Standard. Deeper Signals shall be responsible for any failure of such subcontractors to comply with all terms and conditions regarding Personal Information set forth in this Privacy Standard.
(b) When Deeper Signals ceases to perform Services for Client, Deeper Signals shall, upon Client’s request, return all Personal Information or destroy such information in a manner which renders it unreadable, non-reconstructible, and undecipherable through any means and so certify to Client. If legislation applying to Deeper Signals does not permit the destruction of whole or part of the Personal Information transferred, Deeper Signals warrants that it shall ensure the continued confidentiality and security of the Personal Information and shall not actively process the Personal Information transferred after termination of the relationship. Deeper Signals shall promptly inform Client of such legal obligations.
(c) Deeper Signals shall make the Personal Information available only to its employees who have a need to access the Personal Information in order to perform the Services. Deeper Signals shall require its employees and contractors having access to Personal Information to adhere to relevant confidentiality and security requirements set out in the agreement with Client and this Deeper Signals Privacy Standard. Deeper Signals’ employees may handle Personal Information only if they are bound by legally enforceable and sound confidentiality obligations. Deeper Signals shall be responsible for any failure of such employees to comply with all terms and conditions regarding Personal Information set forth in the Privacy Standard. Upon request, Deeper Signals shall provide to Client a list of categories of employees (described by function and/or title) who may access Sensitive Personal Information.
5. Information Security Obligations
Deeper Signals shall comply with the following Security Obligations notwithstanding anything to the contrary contained in the Agreement:
(a) Deeper Signals shall implement the administrative, physical, operational, technical and organizational measures necessary to protect Personal Information against accidental or unlawful destruction, alteration, unauthorized disclosure or access. If the Processing involves the transmission of Personal Information over a network, Deeper Signals shall have implemented appropriate supplementary measures aimed at protecting Personal Information against interception and/or manipulation during and after transit.
(b) In the event that Deeper Signals becomes aware (or reasonably suspects) that any Personal Information has been compromised in any manner, Deeper Signals shall without undue delay and in any event within three (3) business days notify Client and provide all requested information about the event. For purposes of this obligation, “compromise” should be read most liberally to include (without limitation): (i) any unauthorized access to Personal Information, (ii) any inadvertent disclosure of Personal Information to any third party, (iii) any known or suspected misuse of Personal Information by any person (even if such person was authorized to access the Personal Information), (iv) any suspected use of Personal Information by any person outside of the scope of that person’s authority (even if such use does not result in harm to the individual data subject), and (v) any known or suspected loss, alteration or destruction of Personal Information other than as required (or permitted) by the Services.
6. Personal Information Transferred From the EEA and Other Countries With Data Transfer Restrictions
(a) Personal Information owned by Client located in the EEA, Switzerland, Argentina, Hong Kong, Canada or other jurisdictions that restrict the transfer of Personal Information (“Protected Jurisdictions” and “Protected Personal Information”) shall only be transferred to or accessed by Deeper Signals under the following conditions:
- Deeper Signals is located in the Protected Jurisdictions; or
- Deeper Signals is located outside the Protected Jurisdictions and has obtained Client’s prior written authorization. Such authorization shall not release Deeper Signals of its obligations set forth in this Privacy Standard.
In all other cases, Deeper Signals shall execute the Standard Contractual Clauses (SCCs) adopted by the European Commission under Commission Implementing Decision (EU) 2021/914 of 4 June 2021, and take all necessary measures to comply with applicable data protection laws and regulations; and
(b) Deeper Signals shall not access or transfer Protected Personal Information across borders unless:
- such transfer or access remains within the Protected Jurisdictions;
- Deeper Signals has obtained Client’s prior written authorization to such transfer (which does not release Deeper Signals of any of its obligations set forth in this Agreement);
- Deeper Signals has executed the Standard Contractual Clauses (SCCs) adopted by the European Commission under Commission Implementing Decision (EU) 2021/914 of 4 June 2021, permitting such transfer of and/or access to Protected Personal Information, and Deeper Signals has taken all required action to effectively implement the requirements set forth by such clauses and by applicable data protection laws and/or regulations.
7. Audit
At Client’s request, which shall be limited to only one (1) request per year or in the event Client can reasonably demonstrate with sufficient evidence that there may be a potential material breach by Deeper Signals of this Privacy Standard, Deeper Signals shall permit Client (or an independent inspection of Deeper Signals designated by Client) to audit whether Deeper Signals has fulfilled its obligations set forth in this Privacy Standard and has implemented the necessary measures to protect the confidentiality and the security of the Personal Information. Deeper Signals shall reasonably co-operate with any such audit. Audits shall be effective to allow Client to assess compliance with this Deeper Signals Privacy Standard, without adversely affecting Deeper Signals’ business secrets, security rules, the integrity of personal or confidential information processed or owned by Deeper Signals or otherwise violating the terms of the Agreement. In the event that any such audit reveals material gaps or weaknesses in Deeper Signals’ program, Client shall be entitled to suspend transmission of Personal Information to Deeper Signals and suspend Deeper Signals’ Processing of such Personal Information until such issues are resolved to the reasonable satisfaction of Client.
8. Compliance with Laws
Deeper Signals shall comply with all requirements set forth by any applicable data protection, privacy, information security laws and regulations to which Deeper Signals is subject.