Rakuna Data Processing Agreement (DPA)
Written by Thien To
Updated over 3 months ago

This Data Processing Agreement (“DPA”) governs data processing operations between the Client (“Data Controller”) and Rakuna (“Data Processor”) and is an integral part of the Master Software Agreement (“MSA”) between Rakuna and the Client.

I. DEFINITIONS:

The following terms and expressions in this DPA will have the meaning set out below:

  1. “Data Protection Laws” means all applicable laws relating to the Processing of Personal Data and privacy that may exist in any relevant jurisdiction.

  2. “Data Controller” means the legal party that, alone or jointly with others, determines the purposes and means of the processing of Personal Data. Under this DPA, the Data Controller is the Client.

  3. “Data Processor” means the legal party processing Personal Data on behalf of the Controller. Under this DPA, the Data Processor is Rakuna and its affiliates.

  4. "Data Subject" means an identifiable natural person to which the Processing of Personal Data is related.

  5. “Data Processing Agreement” (or “DPA”) refers to this agreement which governs the data processing operations between the Client and Rakuna.

  6. “Personal Data” means any information relating to an identified or identifiable living, natural person (“Data Subject”).

  7. “Personal Data Breach” refers to a security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data that is transmitted, stored, or otherwise processed.

  8. “Processing” means any operation or set of operations that is performed on Personal Data or on sets of Personal Data, whether or not by automated means.

  9. “Sub-processor” means any legal or natural person, including any agents and intermediaries, processing Personal Data on behalf of Rakuna.

II. PROCESSING PERSONAL DATA:

  1. Scope and Roles: This DPA applies when Rakuna processes Personal Data as part of providing the Service under the MSA to the Client. For the purposes of this DPA, the Client is the Data Controller, and Rakuna is the Data Processor.

  2. Purpose and Duration: Rakuna will process Personal Data to deliver its Software-as-a-Service. The duration of processing will be determined by the MSA.

  3. Types of Personal Data Processed and Data Subjects: Types of Personal Data Processed and Data Subject Groups will be listed in Appendix 1 below.

  4. Instruction for Processing: Rakuna will process Personal Data according to the Client's instructions. If required by applicable Data Protection Laws, Rakuna may process Personal Data beyond the Client's instructions but will inform the Client of the legal requirement before proceeding unless prohibited by law. If the services are modified during the MSA term, involving new or amended data processing, or if the Client’s instructions change, the Client shall notify Rakuna before or at the latest when the new processing begins.

  5. Personnel: Rakuna and those acting under its authority (e.g., personnel, sub-processors, and persons acting under the Sub-processor’s authority) will only process Personal Data to facilitate Rakuna’s software services. Rakuna ensures that all personnel authorized to process Personal Data are bound by a perpetual non-disclosure obligation and receive proper training on their responsibilities under applicable Data Protection Laws. Access to Personal Data processing will be strictly limited to what is necessary to fulfill the MSA.

  6. Return and Deletion of Personal Data: Rakuna will follow the Retention and Deletion term mentioned in the MSA upon termination.

  7. Compliance: Rakuna will comply with any applicable Data Protection laws. Rakuna will keep itself updated on and comply with any changes in the applicable Data Protection laws. Rakuna will make any necessary changes and amendments to this DPA required under applicable Data Protection legislation.

III. SUB-PROCESSORS:

  1. Authorization: The Client provides general authorization to Rakuna’s use of sub-processors to provide processing activities on Client Data on behalf of the Client. Rakuna maintains the list of current sub-processors on a webpage (https://help.rakuna.co/en/articles/9782985-rakuna-sub-processors). Before updating the Sub-processors list, Rakuna will notify the Client through email and update the page once the change has been implemented.

  2. Subprocessor obligations:

    Where Rakuna authorizes a Subprocessor:

    1. Rakuna will restrict the Subprocessor's access to the Client's data only to the extent necessary to provide or maintain the intended service.

    2. Rakuna will ensure that the authorized Subprocessors are subjected to at least the same level of data protection as imposed on Rakuna in this DPA.

    3. Rakuna will be responsible for the Sub-processors’ compliance with this DPA.

  3. Subprocessor's objection right: The Client is entitled to object to the engagement of a new Subprocessor. The objection notice shall be given in writing and describe the Client's reasonable grounds for objection. The Client may decide to discontinue using the Service and terminate the agreement by providing at least 60 days' written notice.

IV. DATA REGIONS AND DATA TRANSFER:

  1. Personal Data is stored in the US-based data centers provided by Amazon Web Services. The location(s) of the primary processing site of Personal Data will be provided to the Client upon written request.

  2. Rakuna will transfer data to other regions only if necessary to provide the service to the Client or to comply with applicable Data Protection Laws. In this case, Rakuna will ensure that the level of protection of Personal Data guaranteed by applicable Data Protection Laws is not undermined.

V. RIGHTS OF DATA SUBJECTS:

  1. Responding to requests: The Client is responsible for responding to Data Subjects' requests for access, correction, deletion, or restriction of that person's Personal Data.

  2. Rakuna's support: If Rakuna receives a request from a Data Subject, Rakuna will promptly redirect the Data Subject to the Client.

VI. SECURITY OF PROCESSING:

  1. Secured Processing: Rakuna commits to implementing and maintaining state-of-the-art data security measures to ensure a high level of protection for Personal Data. This includes continuously reviewing and improving the effectiveness of its security protocols. Rakuna will safeguard Personal Data against destruction, modification, unauthorized dissemination, loss, alteration, and unauthorized access or processing. The security measures will be appropriate to the risks involved, including but not limited to encryption to ensure the ongoing confidentiality, integrity, availability, and resilience of Rakuna's Services and associated systems.

  2. Personal Data Breach: Rakuna will promptly notify the Client of any Personal Data Breach upon becoming aware of it. Rakuna will provide reasonable assistance to the Client in preventing, mitigating, and addressing the breach as required by applicable Data Protection Laws. Additionally, Rakuna will take necessary steps to restore or reconstruct any lost, damaged, destroyed, or corrupted Personal Data resulting from the breach.

  1. Point of Contact: Rakuna provides the following email address as a contact point for data protection matters: dpo@rakuna.co.

  2. Audit Rights: Rakuna will provide all necessary information to demonstrate compliance with this DPA and applicable Data Protection Laws and assist the Client with audits. If the Client needs additional information, they may conduct an audit using an independent, qualified third party. Audits must adhere to Rakuna’s reasonable security requirements and not unreasonably disrupt Rakuna’s business operations. The Client must provide at least 14 calendar days' prior written notice before initiating any audit. All costs relating to the audit shall be compensated by the Client.

  3. Unlawfulness Notifications: In case Rakuna determines that its processing of personal data pursuant to this DPA infringes applicable Data Protection Laws, it will immediately inform the Client thereof.

VII. MISCELLANEOUS

  1. Liability: Each party’s liability under this DPA is governed by the MSA unless otherwise required by applicable Data Protection Laws.

  2. Conflict: If the Client and Rakuna have additional agreements that conflict with this DPA, the provisions of this DPA regarding the processing of Personal Data will take precedence unless the provision is part of the MSA and intended to supplement this DPA.

  3. Effective Duration: This DPA is in effect until the expiration or termination of the MSA.

  4. Data Deletion and Return: Rakuna shall delete or return all Personal Data (including any copies thereof) to the Client according to the timeline agreed on in the MSA, following the instructions of the Client if available. When returning the Personal Data, Rakuna shall provide the Client with the necessary assistance.

VIII. APPENDIX:

1. PERSONAL DATA PROCESSED AND DATA SUBJECT CATEGORIES

USERS' (RECRUITERS') NAMES AND EMAILS

  1. Users' (Recruiters') Data: Processed to provide access to Rakuna's SaaS and other agreed-upon services between Rakuna and the Client.

CANDIDATES' (PROSPECTS’) NAMES, EMAILS, ADDRESSES, AND PHONE NUMBERS

  1. Candidates' (Prospects') Data: Collected by Recruiters via Rakuna's mobile and web apps with Candidates' authorization or when Candidates submit their information, agreeing to Rakuna's Privacy Policy and Terms. The data is processed as intended for Recruiters' purposes.

2. GENERAL DESCRIPTION OF DATA SECURITY CONTROLS:

Rakuna Information Security System is compliant with ISO/IEC 27001:2022.

ORGANIZATIONAL CONTROLS:

  1. The Information Security Management System is well-established and documented in Policies and Guidelines, which are established, managed, continuously improved, and communicated across the staff body to ensure the protection of the Client’s data.

  2. Risks and Threats to the Client's data are continuously monitored and updated to anticipate and devise safeguards according to the current state of the art, ensuring ongoing protection of the Client's data.

  3. Rakuna maintains compliance with applicable laws, regulations, and recognized standards regarding Data Protection within the scope of the MSA with the Client.

PHYSICAL AND PEOPLE CONTROLS:

  1. Utilizes cloud service providers with ISO 27001 and ISO 27018, and can provide certification or a SOC 2 report as evidence.

  2. All staff having access to the Client's data on a least privilege basis are trained and mandated to comply with Rakuna Policies and Guidelines to safeguard the Client's data.

  3. Where permitted by law, and to the extent available from applicable governmental authorities, AWS will require that each employee undergo a background investigation that is reasonable and appropriate for that employee’s position and level of access.

  4. All staff members are bound to protect Rakuna’s data (including the Client's data) by signing a Non-Disclosure Agreement upon joining the workforce, effective until after their termination or change of employment.

DATA SECURITY CONTROLS:

  1. Data Masking and Data Encryption are applied as appropriate for the Client's data in transit and at rest.

  2. Rakuna Database is secured with IAM access control to grant only the necessary permissions to users and resources.

  3. Daily backups are automated, maintained, and tested.

  4. Data Leak Prevention is well-established.

  5. Secured data deletion methods are applied.

  6. Transmissions are logged for management and review.

ACCESS CONTROLS:

  1. Access rights are granted based on a combination of Role-Based Access Control and Least Privilege, and are reviewed periodically.

  2. Access rights are reviewed, approved, and documented for management.

  3. Secure Coding is maintained, and the testing environment is separated from the production environment.

AVAILABILITY CONTROLS:

  1. Hosting providers that comply with ISO 27001 and ISO 27018 and can provide certification or a SOC 2 report as evidence.

  2. Infrastructure is developed according to High Availability Architecture.

  3. Incident Recovery Plan, Business Continuity Plan, and Backup Plan are established and periodically tested.

CERTIFICATIONS:

Rakuna’s ISO/IEC 27001:2022 demonstrates its commitment to information security management. Rakuna Information Security Management System is continuously assessed and audited to ensure compliance with the standard and applicable Data Protection Laws.
