Data Processing Agreement
Last Updated: February 5, 2026
1. Introduction and Scope
1.1 Parties
This Data Processing Agreement ("DPA") is entered into between:
- Data Controller: The organization ("Controller", "you", "your") that has registered on the Informedica platform
- Data Processor: Informedica ("Processor", "we", "us", "our")
1.2 Applicability
This DPA applies when:
- You are an organization using the Informedica platform to manage employee credentials, job postings, or organizational data
- We process personal data on your behalf as a Data Processor
- The processing is subject to the GDPR, Philippine Data Privacy Act, or similar data protection laws
This DPA supplements our Terms of Service and Privacy Policy.
1.3 Definitions
Terms used in this DPA have the meanings given in the GDPR and Philippine Data Privacy Act. Key definitions:
- Personal Data: Any information relating to an identified or identifiable natural person
- Processing: Any operation performed on personal data
- Data Subject: An identified or identifiable natural person whose personal data is processed
- Sub-processor: A third party engaged by the Processor to process personal data
2. Data Processing Details
2.1 Subject Matter
The subject matter of processing is the provision of the Informedica platform services, including:
- Credential verification management
- Organization member management
- Job posting and applicant management
- Communication facilitation
2.2 Duration
Processing will continue for the duration of your use of the platform, plus any retention period required by law or as specified in our Privacy Policy.
2.3 Nature and Purpose
We process personal data to provide the services requested by you through the platform, including:
- Storage and retrieval of member and applicant information
- Processing credential verification requests
- Facilitating communication between you and platform users
- Generating reports and analytics for your organization
2.4 Types of Personal Data
Categories of personal data processed may include:
- Contact information (name, email, phone number)
- Professional information (credentials, qualifications, employment history)
- Identity documents (uploaded for verification purposes)
- Communication content (messages, notes)
- Usage data (platform interactions related to your organization)
2.5 Categories of Data Subjects
Data subjects may include:
- Your organization's members and employees
- Job applicants applying to your organization
- Individuals requesting credential verification from your organization
- Other platform users interacting with your organization
3. Processor Obligations
3.1 Processing Instructions
We will:
- Process personal data only on your documented instructions, unless required by applicable law
- Inform you if we believe an instruction infringes data protection laws
- Ensure persons authorized to process personal data are bound by confidentiality obligations
3.2 Security Measures
We implement appropriate technical and organizational measures, including:
- Encryption of personal data in transit and at rest
- Access controls and authentication mechanisms
- Regular security testing and vulnerability assessments
- Incident response procedures
- Business continuity and disaster recovery plans
- Employee training on data protection
3.3 Sub-processors
We may engage sub-processors to assist in providing the services. Current sub-processors include:
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloud Infrastructure Provider | Hosting and data storage | Various (with appropriate safeguards) |
| Stripe | Payment processing | United States (EU-US Data Privacy Framework certified) |
| Email Service Provider | Transactional emails | Various (with appropriate safeguards) |
We will:
- Impose data protection obligations on sub-processors equivalent to those in this DPA
- Remain liable for sub-processor compliance
- Notify you of any intended changes to sub-processors, giving you the opportunity to object
3.4 Data Subject Rights
We will assist you in responding to data subject requests by:
- Providing tools to access, export, and delete personal data
- Responding promptly to your requests for assistance
- Notifying you of any requests received directly from data subjects
3.5 Data Breach Notification
In the event of a personal data breach, we will:
- Notify you without undue delay after becoming aware of the breach (and in any event within 72 hours)
- Provide information about the nature of the breach, categories of data affected, and remedial measures taken
- Assist you in meeting your breach notification obligations
4. Controller Obligations
As the Controller, you are responsible for:
- Ensuring you have a lawful basis for processing personal data
- Providing appropriate privacy notices to data subjects
- Obtaining necessary consents where required
- Complying with data subject rights requests
- Ensuring instructions to us are lawful
- Notifying relevant supervisory authorities of breaches as required by law
5. International Data Transfers
5.1 Transfer Mechanisms
When personal data is transferred outside the Philippines or EEA, we ensure appropriate safeguards through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Privacy Framework certifications (where applicable)
- Adequacy decisions recognized by relevant authorities
- Contractual commitments compliant with the Philippine Data Privacy Act
5.2 Supplementary Measures
Where necessary, we implement supplementary measures including:
- Enhanced encryption standards
- Pseudonymization of data
- Access restrictions and monitoring
6. Audit Rights
6.1 Information Provision
Upon reasonable request, we will provide information necessary to demonstrate compliance with this DPA.
6.2 Audits
We will allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you, subject to:
- Reasonable advance notice (at least 30 days, except in emergencies)
- Confidentiality obligations
- Minimizing disruption to our operations
- Reasonable costs being borne by you
We may satisfy audit requirements through third-party audit reports (such as SOC 2 reports) where available.
7. Data Retention and Deletion
7.1 During the Agreement
We will retain personal data as necessary to provide the services and in accordance with your instructions.
7.2 Upon Termination
Upon termination of your use of the platform:
- We will provide you with the ability to export your data
- Upon your request, we will delete personal data within 30 days, unless retention is required by law
- We will provide written confirmation of deletion upon request
8. Liability
Liability for breaches of this DPA shall be governed by the Terms of Service, subject to applicable data protection laws that may impose additional or different liability standards.
9. GDPR-Specific Provisions
For processing subject to GDPR, the following additional provisions apply:
- This DPA incorporates the Standard Contractual Clauses (Module Two: Controller to Processor) adopted by Commission Implementing Decision (EU) 2021/914
- The competent supervisory authority is determined according to GDPR Article 55 or 56
- Data subjects may enforce this DPA as third-party beneficiaries
10. Philippine Data Privacy Act Provisions
For processing subject to the Philippine Data Privacy Act:
- We are registered with the National Privacy Commission as required
- We maintain appropriate security measures as required by the Act and its implementing rules
- We assist you in complying with your obligations to the NPC
11. Amendments
We may update this DPA to reflect changes in law or our processing activities. We will notify you of material changes. Continued use of the platform after such notice constitutes acceptance of the updated DPA.
12. Contact Information
For questions about this DPA or to exercise your rights under it:
Informedica
legal@informedica.llc
Greater Philadelphia Area, United States
Acceptance
By registering an organization on the Informedica platform and accepting our Terms of Service, you acknowledge that you have read and agree to this Data Processing Agreement on behalf of your organization.
For organizations requiring a signed DPA or custom terms, please contact us at legal@informedica.llc.