This Data Processing Agreement between you and RECRAM INC (“Company”, “we” or “us”) governs the specifics of data processing in connection with your use of both the platform accessible through the domain name http://www.recram.com and the RecRam application (collectively, the “Site”) and the services we may offer through the Site from time to time.

Please note that the terms ‘data controller’, ‘data processor’, ‘data subject’, ‘personal data’, ‘processing’ shall have the meaning set out in the GDPR or other applicable European data protection laws. ‘GDPR’ shall be understood as: (i) Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data; (ii) the UK European Union (Withdrawal) Act 2018 and the GDPR forming part of UK law under section 3 of the UK Data Protection Act 2018 (together, the “UK Data Protection Laws”); (iii) any future laws that may amend or supplement them in the future.

For clarification purposes, under this Data Processing Agreement (i) the processing of the data set out herein will take place for as long as there is a service contract between you and us or until you decide to terminate such contract (ii) the nature and purposes of the processing will be the collection, recording, organization, hosting and deletion of the data, as well as making it available to you upon your request; and (iii) the types of personal data and categories of data subjects likely to be used in our product are first name, last name, e-mail address, telephone number, other identifying information of employees, candidates, prospects and customers.

1. Data processing

We will process all personal data to which we may have access due to the provision of the Services in accordance with documented instructions provided by you from time to time. If a Union or Member State law to which we are subject requires us to process personal data, including the international transfer of personal data, we will inform you of that legal requirement before processing, unless that law prohibits such information on important public interest grounds.

If we have reasonable grounds to believe that a documented instruction given by you violates the GDPR or other applicable EU data protection law or regulation, we will put such instruction on hold and notify you immediately. You shall have the right to order us to carry out such instruction notwithstanding any concerns raised by us, so long as you reconfirm your instruction in writing, at your sole risk and without liability or responsibility to you for any loss.

For the purposes of this Data Processing Agreement, a ‘documented instruction’ shall be understood to include, without limitation: (i) any instruction transmitted by you through any durable medium, such as a letter or email; (ii) any instruction sent electronically by you when using the software provided as part of the Services (i.e., using the interface portion of the software and the features available through it); you; or (iii) the terms of the Data Processing Agreement.

For clarification purposes and given your position as a data controller, you warrant and represent that you will fulfill your obligations under applicable privacy laws, such as informing data subjects (e.g. respondents to forms, etc.) and obtaining their consent (where applicable) in a timely and adequate manner. This enumeration is for illustration purposes only, in the sense that you will generally need to fulfill the obligations to which you are subject under the GDPR, such as ensuring that the processing meets the requirements of the GDPR, you have the right and obligation to decide on the purpose and means of such processing, or to ensure that there is a lawful basis for the processing.

2. Confidentiality obligation

We will ensure that all employees authorized to process personal data are committed to confidentiality or are under an appropriate legal obligation of confidentiality.

3. Subprocessors

In the event that we intend to replace one sub-processor with another or contract with new sub-processors to provide you with the Services, you will have the right to reasonably object to such change within a non-extendable period of fifteen (15) calendar days (i.e. any objection based on potential or actual failure by the sub-processor to be appointed to meet the legal requirements set by the GDPR) and, if you exercise this right, we will have the right to terminate early the specified contractual relationship for the provision of the Services.

We will enter into written agreements with all sub-processors involved in the provision of the Services, including the assurances and guarantees required by the GDPR, in particular in relation to the implementation of the security measures required by the GDPR, and will be responsible for any actions of our sub-processors.

4. Rights of data subjects

We will assist you with appropriate technical and organizational measures to the extent possible, taking into account the nature of the processing, to fulfill your obligation to respond to data subject requests to exercise their rights as set out in Part III of the GDPR. For the avoidance of doubt, we will send you any request that data subjects may send directly to us, together with all relevant information, if any, so that you can formally contact and respond to data subjects.

5. Security measures

We apply appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as these measures are described in more detail in Annex II. Taking into account the nature of the processing and the information available to us, we will reasonably assist you to comply with the security obligations set out in Article 32 of the GDPR.

6. Assistance and data breaches

In addition to the duty set out in Section 5 above, we will also provide assistance in complying with the obligations set out in Articles 32 to 36 of the GDPR, if applicable, depending on the nature of the processing and the information provided to us.

With regard to data breaches, we will notify you without delay when we become aware of a personal data breach affecting personal data and in any event within the time periods set out under the GDPR. We will provide you with sufficient information to allow it to fulfill its obligations to notify or inform competent authorities or data subjects. We will reasonably cooperate with you and take reasonable commercial steps as directed by you to assist in the investigation, mitigation and remediation of each such data breach.

7. Termination

Unless Union or Member State law requires retention of personal data, you will decide whether you want us to delete or return personal data. For this purpose, you agree that deletion of the account provided as part of the Services will always result in the deletion of personal data and that a request for deletion of the account will be understood as a request for deletion of data under this Section 7.

8. Audit rights

We will provide you with information necessary to demonstrate our compliance with the obligations set out in these Terms and Conditions of Service. You agree that the obligation to provide information demonstrating compliance with these Terms and Conditions of Service may be satisfied by our providing you with copies of audit reports and/or certificates performed by us, such as ISO27001 or SOC2 certificates.

9. International transfer of personal data

If you are not subject to the GDPR or are not located in the European Economic Area, or if the transfer cannot lawfully be carried out in compliance with the GDPR, you and we enter into Standard Contractual Clauses, module 4, as a mechanism to ensure adequate protection of personal data transferred outside the European Economic Area.

If you are located in the United Kingdom, the Parties declare that a transfer of data from the United Kingdom to Turkey and the United States or from Turkey and the United States to the United Kingdom shall not be construed as an international transfer of personal data, having regard to the adequacy decisions taken in this regard.

Data Exporter: RECRAM YAZILIM ANONİM ŞİRKETİ, Gebze/Kocaeli/Türkiye.
Data Importer: You defined when creating an account with RECRAM.