Data Protection Addendum

Last Updated June 9, 2025

Indeed Flex, on behalf of itself and its Affiliates (“Flex”) and the counterparty agreeing to this Data Protection Addendum (“Company”/“Controller”) have entered into an agreement for the Agreed Purposes, as amended from time to time (the “Primary Agreement”). This Data Protection Addendum is intended to comply with the parties’ obligations under Data Privacy Laws with respect to the Processing of Shared Personal Data pursuant to the Primary Agreement. Flex and Company are individually referred to as a “Party” or together as the “Parties”. In the event of a conflict between this Data Protection Addendum and the Primary Agreement, this Data Protection Addendum shall prevail.

Definitions: 

The following definitions apply to the Data Protection Addendum, unless otherwise specified herein.

“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with Indeed Flex, Inc. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity;

“Agency Worker” refers to a temporary worker who is employed directly by an Agency (in the US) or engaged by an Employment Business under a contract for services (in the UK). Agency Workers are not employees of Indeed Flex.

“Agency Worker Personal Data” means Personal Data of Agency Workers which is processed by Flex as Data Processor;

“Applicable Data Protection Law” means all laws, regulations, and other legal requirements relating to (i) privacy, data security, consumer protection, marketing, promotion, and text messaging, email, and other communications; (ii) the use, collection, retention, storage, security, disclosure, transfer, disposal, and other processing of Personal Data applicable to the processing of Shared Personal Data under the Primary Agreement, including but not limited to General Data Protection Regulation 2016/679 (“GDPR”), UK Data Protection Act 2018 and UK General Data Protection Regulation (UK GDPR) and any US state or federal laws or regulations pertaining to the collection, use, disclosure, security or protection of personal data, or to security breach notification, e.g. California Consumer Privacy Act of 2018 (“CCPA”) and California Privacy Rights Act of 2020 (when effective); and binding guidance and/or codes of practice issued by a competent supervisory authority under applicable laws (as defined in the GDPR), or the European Data Protection Board;

“ATS Provider” means any company with which you have contracted for an applicant tracking system;

“Business”, “Business Purpose”, “Consumer”, “Personal Information”, “Sell”, and “Service Provider” have the meanings given to them in the CCPA;

“Data Controller”, “Process”, “Data Processor”, and “Supervisory Authority” have the meanings given to them in the Applicable Data Protection Law;

“Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The Parties acknowledge and agree that this definition shall adjust as necessary to include data defined as “Personal Information,” “Personally Identifiable Information,” and similar terms under applicable Data Protection Laws;

“Personal Data Breach” means an actual, confirmed breach of Flex’s technical and organizational measures used to protect privacy and security of Client Personal Data that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to such Client Personal Data transmitted, stored or otherwise processed by Flex under the terms of the Agreement;

“Primary Agreement” means the agreement entered into between Indeed Flex, Inc., on behalf of itself and its Affiliates (“Flex”) and the Controller agreeing to this Data Protection Addendum for the provision of the staffing services; 

“Privacy Policy” means the policy, accessible via URL https://hrtechprivacy.com/brands/indeedflex, that outlines how Flex manages, processes and secures personal data which is collected by Flex to provide commercial services;

“Processing” means any operation or set of operations that is performed in relation to Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; and “process” and “processed” shall be construed accordingly;

“Shared Personal Data” means the personal data to be shared between the parties under this agreement.

1.  Processing Instructions & Purpose Limitation  

1.1. Company acknowledges and agrees that Company is the Data Controller of all Shared Personal Data for the Agreed Purposes and has engaged Flex as a Data Processor to Process Shared Personal Data for the purposes (a) set forth in the Agreement and any other written agreement between the Parties, and (b) instructed by Company in any other documented instructions to Flex.  In all cases, irrespective of whether Applicable Data Protection Law applies to Shared Personal Data, Flex will process Shared Personal Data only on Company’s documented instructions and not for any other purpose, unless specifically instructed by Company in writing or otherwise required or authorized by Applicable Data Protection Law.  

1.2.  For the purpose of this Data Protection Agreement for the supply of services: 

(a)  The subject matter of Flex’s processing shall be for the purpose of providing the Indeed Flex+ Platform.

(b)  The duration of Flex’s processing shall be the applicable term of the Subcontract Agreement for the Supply of Services.

(c)  The nature and purpose of the processing are limited to the services Flex performs under the Flex+ Terms as set out in the Subcontract Agreement for the Supply of Services.

The categories of Personal Data include any Agency Worker Personal Data uploaded, provided or otherwise made available to Flex by Company.  

2.  Flex Obligations as Processor

2.1  Confidentiality: Flex will ensure that its employees, agents and sub-processors authorized to process Agency Worker Personal Data have committed themselves to confidentiality.

2.2  Data Subject Requests. Taking into account the nature of the processing and the availability of information to it, Flex shall provide commercially reasonable assistance to Company for the fulfillment of Company’s obligation to respond to a request from an Agency Worker to exercise such individual’s rights under Applicable Data Protection Law. 

2.3  DPIAs and Prior Consultation. Taking into account the nature of the processing and the availability of information to it, Indeed Flex shall provide commercially reasonable assistance to Company for the fulfilment of Company’s obligation to carry out a Data Protection Impact Assessment and Prior Consultation requests in accordance with Applicable Data Protection Law. 

2.4  Security: Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Indeed Flex will implement appropriate technical and organisational security measures to safeguard Shared Personal Data.  Indeed Flex shall notify Company without undue delay after becoming aware of a Personal Data Breach and taking into account the nature of processing and the information available to Indeed Flex, provide commercially reasonable assistance to Company in connection with any obligation Company may have to notify and communicate with individuals, regulators, or other third-parties under Applicable Data Protection Law. 

2.5  Subprocessors. Company hereby grants general authority to authorise Indeed Flex to engage its Affiliates and any third-parties approved by Indeed Flex to act as Subprocessors to Indeed Flex under this Agreement (the “Subprocessors”), including as to new or replacement Subprocessors.  Notwithstanding this general authorisation, Indeed Flex will notify Company of any intended changes to its Subprocessors and give Company a reasonable opportunity, which shall not exceed ten (10) days, to object on commercially reasonable grounds to any such changes.  Indeed Flex agrees that it will enter into a written contract with each such Subprocessor that includes terms equivalent to those set out in this Agreement, and remains fully liable to Company for the performance of each such Subprocessor’s obligations thereunder.

2.6  Transfers. To the extent that Applicable Data Protection Law applies to the processing of Shared Personal Data, Flex agrees that it will not transfer Agency Worker Personal Data out of the EEA, or the United Kingdom, to a country that has not been identified by the European Commission or a Supervisory Authority under Data Protection Law as a country that provides an adequate level of data protection except where Flex has ensured appropriate safeguards are in place, such as the Standard Contractual Clauses approved by the European Commission unless otherwise required by applicable law.

2.7  Compliance. Indeed Flex shall make available to Company information reasonably necessary to demonstrate compliance with the obligations in this Data Protection Addendum and Applicable Data Protection Law. Indeed Flex shall reasonably cooperate with Company’s inquiries but shall not be required to allow on-site audits unless legally required by a competent authority. For the avoidance of doubt, any costs associated with this requirement shall be borne entirely by Company.

2.8  Notice. In the event that Flex is required by Applicable Data Protection Law to process Agency Worker Personal Data for any other purpose or in any other manner, Flex shall notify Company of that legal requirement before undertaking such processing, unless that law prohibits such notification on important grounds of public interest.  Flex also agrees to notify Company without undue delay if, in Flex’s opinion, an instruction infringes Applicable Data Protection Law.

2.9  Termination. On termination or expiry of the Primary Agreement, upon written request of Company, Flex shall destroy all copies of Shared Personal Data received and/or processed by it under the Primary Agreement unless otherwise required by applicable law.

2.10  Costs. Company shall be responsible for any and all reasonable costs arising from Flex’s provision of assistance in accordance with Sections 2.2, 2.3 and 2.7 of this Data Protection Addendum. 

2.11  Survival. Flex acknowledges and agrees that its obligations under this Data Protection Addendum, for whatever reason, shall continue until such time as Flex returns or destroys all copies of User Personal Data in accordance with this Data Protection Addendum. 

3.  Conflict

In the event of an express conflict between the terms of this Data Protection Addendum and the terms of the Primary Agreement or any other written agreement between the parties, the terms of this Data Protection Addendum shall govern solely to the extent of the conflict as necessary to comply with Applicable Data Protection Law.

4.  California Consumer Privacy Act

To the extent that the Shared Personal Data includes Personal Data of Consumers and is subject to the CCPA, the following additional terms apply to Flex’s Processing of such Shared Personal Data:

4.1  Service Provider: The Parties acknowledge and agree that Company is a Business and Flex is acting as a Service Provider to Company for purposes of all Processing of Shared Personal Data.  

4.2  Restrictions: Flex further acknowledges and agrees that it shall not (a) Sell such Shared Personal Data, or (b) retain, use, or disclose such Shared Personal Data (i) for any purpose other than for the specific Business Purpose of performing the Services or (ii) outside of the direct business relationship established by the Primary Agreement, except in all cases as otherwise required by applicable law or permitted by the CCPA. 

4.3  Certification: Flex certifies that it understands and will comply with this Data Protection Addendum.