1. Introduction and Scope
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Career Journey ("Processor," "we," "us," or "our") and you ("Controller," "you," or "your") and governs the processing of personal data by Career Journey on your behalf.
This DPA is designed to comply with the requirements of the General Data Protection Regulation (GDPR) (EU) 2016/679, in particular Article 28, and other applicable data protection laws.
By using our Service, you acknowledge that you are the Controller of personal data you submit, and Career Journey acts as the Processor. This DPA supplements our Privacy Policy and Terms of Service.
2. Definitions
For the purposes of this DPA, the following terms have the meanings set forth below. Capitalized terms not defined herein have the meanings given to them in the GDPR or the Terms of Service.
- "Controller" means the natural or legal person that determines the purposes and means of the processing of Personal Data. When you use the Service, you are the Controller.
- "Processor" means the natural or legal person that processes Personal Data on behalf of the Controller. Career Journey is the Processor.
- "Sub-processor" means any third-party processor engaged by Career Journey to process Personal Data.
- "Personal Data" means any information relating to an identified or identifiable natural person that you provide to Career Journey through the Service.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- "Supervisory Authority" means an independent public authority established by an EU Member State pursuant to Article 51 GDPR.
3. Roles and Responsibilities
3.1 Your Role as Controller
As the Controller, you:
- Determine the purposes and means of processing Personal Data through the Service
- Are responsible for ensuring that you have a lawful basis for processing Personal Data
- Are responsible for obtaining any necessary consents from Data Subjects
- Are responsible for ensuring that you provide adequate privacy notices to Data Subjects
- Must ensure that instructions given to Career Journey comply with applicable data protection laws
- Are responsible for responding to Data Subject requests, with our assistance as detailed in Section 7
3.2 Our Role as Processor
As the Processor, Career Journey:
- Processes Personal Data only on your documented instructions (via your use of the Service)
- Ensures that persons authorized to process Personal Data are bound by confidentiality obligations
- Implements appropriate technical and organizational measures to protect Personal Data
- Engages Sub-processors only with your consent and under appropriate contractual safeguards
- Assists you in fulfilling your obligations to respond to Data Subject requests
- Assists you in ensuring compliance with your security, breach notification, and impact assessment obligations
- Deletes or returns Personal Data at the end of the provision of services, unless retention is required by law
- Makes available to you information necessary to demonstrate compliance with this DPA
4. Details of Processing
4.1 Nature and Purpose of Processing
Career Journey processes Personal Data to provide the following services:
- Career data management (roles, achievements, projects, certifications, education)
- AI-powered resume tailoring and job description analysis
- Job application tracking and analytics
- Email reminder services
- User authentication and account management
- Platform analytics and service improvement
4.2 Duration of Processing
Personal Data is processed for the duration of your use of the Service and for the retention periods specified in our Privacy Policy (Section 7), unless earlier deletion is requested by you or required by law.
4.3 Types of Personal Data
The categories of Personal Data processed include:
- Account information (name, email, authentication credentials)
- Professional data (employment history, achievements, skills, qualifications)
- Job application data (job descriptions, application status, company information)
- Usage data (activity logs, preferences, settings)
- Technical data (IP address, device information, browser type)
- Communication data (support correspondence, feedback)
4.4 Categories of Data Subjects
The Data Subjects whose Personal Data is processed include:
- Individual users of the Service (job seekers, employees, professionals)
- Authorized representatives of organizational users
5. Sub-processors
5.1 Authorization to Use Sub-processors
You provide general authorization for Career Journey to engage Sub-processors to process Personal Data on your behalf. We maintain contracts with all Sub-processors that impose data protection obligations equivalent to those in this DPA.
5.2 Current Sub-processors
Career Journey currently engages the following Sub-processors:
MongoDB, Inc. (MongoDB Atlas)
- Service: Cloud database hosting and storage
- Location: United States / EU regions (configurable)
- Data Processed: All Personal Data stored in the Service
- Safeguards: Standard Contractual Clauses (SCCs), industry-standard encryption and security
OpenAI, L.L.C.
- Service: AI-powered resume tailoring and text generation
- Location: United States
- Data Processed: Career data (roles, achievements, job descriptions) for analysis
- Safeguards: Standard Contractual Clauses (SCCs), Data Processing Addendum, data not used for AI training, 30-day data retention policy
Resend, Inc.
- Service: Transactional email delivery and reminders
- Location: United States
- Data Processed: Email addresses, names, email content
- Safeguards: Standard Contractual Clauses (SCCs), GDPR-compliant data processing
OAuth Providers (Google, LinkedIn, GitHub)
- Service: Authentication services
- Location: Various (United States, EU)
- Data Processed: Authentication tokens, email addresses, profile information
- Safeguards: Standard Contractual Clauses (SCCs), GDPR compliance, industry-standard security
5.3 Notification of Sub-processor Changes
We will notify you of any intended changes concerning the addition or replacement of Sub-processors at least 30 days before authorizing the new Sub-processor to process Personal Data. You may object to the use of a new Sub-processor within 30 days of notification by contacting us at sebi.secasiu@gmail.com.
If you object to a new Sub-processor on reasonable data protection grounds, we will use reasonable efforts to accommodate your objection. If we cannot accommodate your objection, you may terminate the affected Service without penalty.
5.4 Sub-processor Obligations
We ensure that all Sub-processors are subject to written agreements that impose data protection obligations equivalent to those in this DPA, including appropriate technical and organizational security measures and requirements to process Personal Data only on our instructions.
6. Technical and Organizational Security Measures
In accordance with Article 32 GDPR, Career Journey implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
6.1 Technical Measures
Encryption
- Data in transit: TLS 1.3 encryption for all data transmissions
- Data at rest: AES-256 encryption for stored data
- Encrypted backups with secure key management
Access Control
- Role-based access control (RBAC) with least privilege principle
- Multi-factor authentication (MFA) for administrative access
- Regular access reviews and privilege audits
- Immediate revocation of access for departed personnel
Network Security
- Firewalls and intrusion detection/prevention systems
- Virtual Private Networks (VPNs) for remote administrative access
- Network segmentation and isolation
- DDoS protection and rate limiting
Application Security
- Secure coding practices and code reviews
- Regular security testing and vulnerability scanning
- Input validation and output encoding
- Protection against OWASP Top 10 vulnerabilities
- Secure password hashing (bcrypt/Argon2)
Logging and Monitoring
- Comprehensive audit logging of all data access and modifications
- Real-time security monitoring and alerting
- Log retention for security analysis and compliance
- Automated anomaly detection
Data Protection
- Data isolation in multi-tenant architecture
- Pseudonymization where appropriate
- Secure data deletion and sanitization
- Regular automated backups with tested recovery procedures
6.2 Organizational Measures
Personnel Security
- Background checks for personnel with access to Personal Data
- Confidentiality agreements for all employees and contractors
- Regular security awareness training
- Clear data protection policies and procedures
Incident Response
- Documented incident response plan
- 24/7 security incident monitoring
- Defined breach notification procedures
- Regular incident response drills
Vendor Management
- Due diligence on all Sub-processors
- Data Processing Agreements with all Sub-processors
- Regular vendor security assessments
Compliance and Auditing
- Regular internal security audits
- Third-party security assessments
- Compliance monitoring and reporting
- Documentation of security measures and policies
We regularly review and update these measures to ensure they remain effective and appropriate to the evolving risk landscape.
7. Assistance with Data Subject Rights
In accordance with Article 28(3)(e) GDPR, Career Journey will assist you in fulfilling your obligation to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR.
7.1 Data Subject Requests
If we receive a request from a Data Subject to exercise their rights, we will promptly notify you and provide you with the request details. Unless otherwise required by law, you are responsible for responding to Data Subject requests.
7.2 Our Assistance
Career Journey provides the following tools and assistance:
- Right of Access: Account settings allow users to view their Personal Data
- Right to Rectification: Account settings enable users to update and correct their information
- Right to Erasure: Account settings include a self-service account and data deletion option
- Right to Data Portability: Upon request, we will provide data in machine-readable format
- Right to Restriction: We can assist in temporarily restricting processing upon your request
- Right to Object: Opt-out mechanisms for email reminders and optional features
For assistance with Data Subject requests, contact us at sebi.secasiu@gmail.com. We will respond within 10 business days.
8. Personal Data Breach Notification
In accordance with Article 33 GDPR, Career Journey will notify you without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting your Personal Data.
8.1 Breach Notification Content
Our notification will include, to the extent known:
- The nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records affected
- The likely consequences of the Personal Data Breach
- The measures taken or proposed to be taken to address the breach and mitigate its possible adverse effects
- The name and contact details of our Data Protection Officer or other contact point
8.2 Breach Investigation and Remediation
Upon detecting a Personal Data Breach, we will:
- Immediately initiate our incident response procedures
- Investigate the breach to determine its scope, cause, and impact
- Take appropriate measures to contain and remediate the breach
- Document the breach, including facts, effects, and remedial actions taken
- Cooperate with you in notifying Supervisory Authorities and affected Data Subjects as required by law
- Implement measures to prevent recurrence
9. Audits and Compliance
9.1 Information and Audit Rights
In accordance with Article 28(3)(h) GDPR, Career Journey will make available to you all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections.
9.2 Audit Procedures
You may conduct audits of our data processing activities, subject to the following conditions:
- Audit requests must be submitted in writing with reasonable advance notice (at least 30 days)
- Audits may be conducted no more than once per year, unless required by a Supervisory Authority or in response to a Personal Data Breach
- Audits must be conducted during normal business hours and in a manner that does not unreasonably interfere with our operations
- You may use an independent third-party auditor bound by confidentiality obligations
- Reasonable costs associated with audits may be charged
9.3 Alternative Compliance Verification
As an alternative to on-site audits, we will provide you with documentation of our security measures, data processing activities, and compliance with data protection requirements.
10. International Data Transfers
10.1 Transfers Outside the EEA
Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States, where some of our Sub-processors are located.
10.2 Transfer Mechanisms
For transfers to countries not subject to an adequacy decision by the European Commission, we implement appropriate safeguards as required by Chapter V of the GDPR:
- Standard Contractual Clauses: We use the European Commission's Standard Contractual Clauses (2021/914) for transfers to third countries
- Supplementary Measures: We implement additional technical, organizational, and contractual measures as recommended by the European Data Protection Board (EDPB), including:
  - Strong encryption of data in transit and at rest
  - Pseudonymization where appropriate
  - Contractual prohibitions on government access without legal basis
  - Transparency and notification obligations
- Transfer Impact Assessments: We have conducted transfer impact assessments for all Sub-processors in third countries
10.3 Sub-processor Compliance
All Sub-processors involved in international data transfers are required to comply with the same transfer mechanisms and supplementary measures.
11. Deletion and Return of Personal Data
11.1 End of Service
Upon termination or expiration of the Terms of Service, or upon your request, Career Journey will:
- Delete all Personal Data in our possession or control, including from our Sub-processors
- Or, at your choice, return the Personal Data to you in a commonly used, machine-readable format
11.2 Timeline
Deletion or return will be completed within 30 days of termination or your request, unless a longer period is required by applicable law.
11.3 Exceptions
We may retain Personal Data to the extent required by applicable law or regulation, including:
- Tax and accounting obligations (typically 6-10 years)
- Legal claims and disputes
- Regulatory requirements
Retained data will be securely stored and isolated, and processed only for the limited purposes required by law.
11.4 Certification of Deletion
Upon request, we will provide written certification that Personal Data has been deleted in accordance with this section.
12. Liability and Indemnification
12.1 Liability Under GDPR
In accordance with Article 82 GDPR, each party shall be liable for damages caused by processing that infringes the GDPR. Career Journey shall be liable for damages caused by processing only where we have not complied with obligations specifically directed to Processors under the GDPR or where we have acted outside or contrary to your lawful instructions.
12.2 Allocation of Liability
Where both parties are involved in the same processing that causes damage, each party shall be held liable for the entire damage. However, where a party has paid full compensation, that party shall be entitled to claim back from the other party that part of the compensation corresponding to their degree of responsibility for the damage.
12.3 Limitation of Liability
Except as expressly provided in this DPA, the limitations of liability set forth in the Terms of Service apply to this DPA. Nothing in this DPA excludes or limits liability that cannot be excluded or limited under applicable law.
13. Term and Termination
13.1 Term
This DPA comes into effect on the date you first use the Service and remains in effect until the termination of the Terms of Service or until all Personal Data has been deleted or returned in accordance with Section 11.
13.2 Termination
Either party may terminate this DPA:
- If the other party materially breaches this DPA and fails to remedy the breach within 30 days of written notice
- If required by a Supervisory Authority
- If continuation of the DPA would violate applicable law
13.3 Effect of Termination
Upon termination of this DPA, the provisions regarding data deletion (Section 11), confidentiality, liability (Section 12), and governing law (Section 15) shall survive.
14. Changes to This DPA
We may update this DPA from time to time to reflect changes in our data processing practices, legal requirements, or Sub-processors. Material changes will be notified to you at least 30 days in advance via:
- Email to your registered email address
- Prominent notice in the Service
- Update to the "Last Updated" date at the top of this DPA
Your continued use of the Service after the notice period constitutes acceptance of the updated DPA. If you do not agree to the changes, you may terminate your use of the Service.
15. Governing Law and Jurisdiction
This DPA shall be governed by the same law that governs the Terms of Service. Any disputes arising from or relating to this DPA shall be subject to the jurisdiction specified in the Terms of Service.
This DPA does not affect Data Subjects' rights under the GDPR or other applicable data protection laws.
16. Contact Information
For questions, concerns, or requests related to this DPA or data processing activities, please contact:
Acknowledgment
BY USING THE SERVICE, YOU ACKNOWLEDGE THAT:
- You have read and understood this Data Processing Agreement
- You agree to the terms and conditions set forth in this DPA
- You consent to the processing of Personal Data as described herein
- You authorize the use of Sub-processors as listed in Section 5
- You understand your rights and responsibilities as a Controller
- This DPA forms part of your agreement with Career Journey and supplements the Terms of Service and Privacy Policy