Data Processing Addendum

Criteria Data Processing Addendum

(Including Criteria Corp and Criteria Australia Pty, Ltd.)

Revised: APR 22, 2024

This Data Processing Addendum (“DPA”) reflects the parties’ agreement regarding the processing of Customer’s Personal Information.

In order for the Standard Contractual Clauses of this DPA (“SCC”) to be valid, it must be signed by both the Customer (the Data Controller) and Criteria Corp (the Data Processor). All processing of Customer Personal Information is subject to the terms of this DPA; however, if Customer does not complete and sign this DPA, the SCC will not be valid and it will be assumed that Customer is not using Criteria services with residents of the EU, EEA and the United Kingdom and that it does not intend to do so in the future.

Click this link to electronically complete and sign the DPA -->


1.1       This DPA is supplemental to the Agreement (comprising the Order and Criteria Terms of Use or other written or electronic agreement) (“Agreement”) separately entered into  between Criteria Corp and its affiliated entity Criteria Australia Pty. Ltd. (“Criteria,” “us” or “we”) and Customer (each, a “Party,” and collectively, the “Parties”) for the provision of the Service and establishes additional responsibilities of the Parties for the Processing of Customer Personal Information in compliance with the Data Protection Laws.  If the entity signing this DPA is not a party to any Agreement, then this DPA is not valid and is not legally binding.   

1.2       This DPA supplements the current Agreement with Customer and will terminate automatically upon termination of the Agreement, unless earlier otherwise terminated pursuant to its terms. Except as amended by this DPA, the Agreement will remain in full force and effect.

1.3       The Customer will act as a single point of contact for its Affiliates with respect to compliance of applicable Data Protection Laws in accordance with this DPA.  If Criteria provides information or notice to the Customer under this DPA, such information or notice will be deemed received by the Customer’s Affiliates.

1.4       This DPA will be effective only if it is executed and submitted to Criteria as described on this page and all items identified as “Required” in the table are completed accurately and in full. If Customer makes any deletions or other revisions to this DPA not otherwise agreed in writing by Criteria, then the revisions will be null and void.

1.5       This DPA consists of:

  • The main body of this DPA.
  • Section B
    • Exhibit 1 - Details of the processing of Personal Data.
  • Section C - Standard Contractual Clause Annexes
    • Annex I - Parties
    • Annex II - Criteria’s security technical and organizational measures for Personal Data.
    • Annex III - Subprocessors.

By executing the DPA, Client is agreeing to all parts of this DPA.

1.6      In the event of any conflict between an Order, the DPA and/or the Agreement, the following order of precedence will apply (in descending order): (1) the DPA, (2) the Agreement, and (3) the Order. No other terms or contract relating to Customer personal information will be valid or enforceable.

1.7     This DPA will control to the extent Criteria is required to Process Personal Information on behalf of Customer. The details of the processing are further described in Annex 1 hereto.

1.8     Any provision of this DPA that is prohibited or unenforceable shall be ineffective to the extent of such prohibition or unenforceability without invalidating the remaining provisions. The parties will attempt to agree upon a valid and enforceable provision that is a reasonable substitute and then incorporate such substitute provision into this DPA.


The capitalized terms used in this DPA are defined as follows:

“Affiliates” means any entity that directly or indirectly controls, is controlled by, or is under common control with the entity. For purposes of this definition, “control” means direct or indirect ownership or control of more than 50% of the voting interests of the entity;

"Data Controller" or "Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Information.

"Data Processor" or "Processor" means the entity which processes Personal Information on behalf of the Controller.

“Data Processing Services” means the Processing of Personal Information for any purpose permitted by applicable Data Protection Laws;

“Data Protection Laws” means one or more of the following as may be applicable to the Personal Information processed by Criteria: the Data Protection Act 2018 (UK), General Data Protection Regulation ("GDPR") including (i) where applicable the General Data Protection Regulation (EU) 2016/679 (“EU GDPR”) and/or (ii) where applicable the EU GDPR as implemented into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the "UK GDPR"); the Swiss Federal Act on Data Protection ("FADP"); U.S. laws and regulations that apply to processing of personal data including, but not limited to, the California Consumer Privacy Act (“CCPA” and subsequent California Privacy Rights Act of 2020 “CPRA”), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Personal Data Privacy and Online Monitoring Act, the Iowa Consumer Data Protection Act, and the Utah Consumer Privacy Act; the Personal Information Protection and Electronic Documents Act of Canada (“PIPEDA”) and any amendments to such legislation or related regulations, orders or similar statutes as may be enacted from time to time; and such other laws, regulations or statutes related to the processing of personal data that may be enacted in any other country where Criteria processes Customer Personal Information under the Agreement.

“Data Subject” or “Consumer” means an identified or identifiable natural person as more specifically defined in applicable Data Protection Laws.

“European Economic Area" or "EEA" means the member states of the European Union together with Iceland, Norway, and Liechtenstein.

“Personal Information” or “Personal Data” means (i) the personal information relating to an identified or identifiable natural person and/or (ii) the “personal data” (as defined in the GDPR) and described in Exhibit 1 and any other personal data that Criteria Processes on behalf of Customer or Customer's Affiliate in connection with the Services.

"Processing" or "Process" means any operation or set of operations performed upon Personal Information, such as collection, recording, securing, organization, storage, adaptation or alteration, access to, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, blocking, erasure, or destruction.

“Security Documentation” means the information provided to Customer by Criteria regarding its data security technical and organizational measures attached to the Standard Contractual Clauses as Appendix 2 and as may be updated by Criteria from time to time.

"Security Incident" means an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any Personal Data transmitted, stored or otherwise processed by Criteria that could reasonably require notification under applicable Data Protection Laws, but does not include an unsuccessful attempt or activity that does not compromise the security of Personal Data, including (without limitation) pings and other broadcast attacks of firewalls or edge servers, port scans, unsuccessful logon attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents.

“Services” means the assessment services and any other services as specifically described in the Criteria Order Form which are provided by Criteria to the Customer under the Agreement, including the Data Processing Services;

"Subprocessor" means any third-party Processor engaged by Criteria to assist in fulfilling Criteria’s obligations under the Agreement.

“Standard Contractual Clauses” means the annex found in EU Commission Implementing Decision (EU) 2021/914 of June 2021 on standard contractual clauses for the transfer of Personal Data to third countries under Regulation (EU) 2016/679 of the European Parliament and of the European Council completed as described in Section 8 below (“Additional Terms for Transfer of Personal Data from the EEA and the United Kingdom”).

“User” means Customer staff, Customer job applicants and other Customer representatives that use the Services; and

Additional terms such as “Business”, “Commercial Purpose”, “Service Provider”, “Sell”, “Share”, “Supervisory Authority”, “Third Party”, and “Verifiable Consumer Request” have the meanings set forth for such terms in the applicable Data Protection Laws.


3.1    Roles.   As between Criteria and Customer, Customer is the data Controller and Business (collectively “Controller”) for the Personal Data that is provided to Criteria for processing under the Agreement.  Criteria shall process the Personal Data as a data Processor and Service Provider (collectively, “Processor”) on behalf of Customer.  Customer may alternatively be referred to as Controller or Customer and Criteria may be alternatively referred to as Processor or Criteria.

3.2    Instructions for Personal Information.

Customer and Criteria agree and acknowledge that Criteria is authorized to use, retain and disclose Personal Information for the delivery of Services to Customer in accordance with the Agreement, including: (i) disclosures to Subprocessors; (ii) for Criteria’s business purposes; and (iii) as authorized by the applicable Data Protection Laws. Processing Personal Information outside the scope of this DPA or the Agreement will require prior written agreement between the Customer and Criteria on additional instructions for Processing.

3.3     Other Processing Activities. Processing outside the scope of this DPA or the Agreement will require prior written agreement between the Customer and Processor on additional instructions for Processing.

3.4     Customer’s Processing of Personal Data. Customer will, in its use of the Services, comply with applicable Data Protection Laws. For the avoidance of doubt, Customer’s instructions to Criteria for the Processing of Personal Data must comply with the applicable Data Protection Laws. Customer has sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.

3.5    Required consents. Where required by applicable Data Protection Laws, Customer will be responsible for ensuring that all Data Subjects have given/will give all necessary consents for the lawful Processing of Personal Data by the Processor in accordance with the Agreement.

3.6   Privacy Notices. Customer warrants and represents that:

a.   it has provided all applicable notices to Data Subjects required for the lawful Processing of Personal Data by the Processor in accordance with the Agreement; or

b. in respect of any Personal Data collected by the Processor on behalf of the Customer, it has reviewed and confirmed the notices provided by the Processor to Data Subjects as accurate and sufficient for the lawful Processing of Personal Data by the Processor in accordance with the Agreement.


4.1  Authorized Subprocessors. The Customer agrees that the Processor and Processor’s Affiliates may respectively engage any third parties to fulfill the contractual obligations under the Agreement, including the processing of Personal Data. The Processor shall notify the Customer from time to time of the identity of the Subprocessors it engages, and the respective services the Subprocessors provide. An initial listing of such authorized Subprocessors is summarized in Annex III (as updated from time to time).   

 4.2  If the Customer (acting reasonably) does not approve of a new Subprocessor, then without prejudice to any right to terminate the Agreement, Customer will notify Criteria in writing within 10 business days after receipt of Criteria’s notice. Criteria will use reasonable efforts to (i) move the Personal Data to another Subprocessor, (ii) recommend a commercially reasonable change to Customer’s use of the affected Services to avoid processing of Personal Data by said new Subprocessor, or (iii) work with the Subprocessor to ensure that any subprocessing is performed in a manner reasonably satisfactory to Customer. Criteria will use all reasonable efforts to address Customer’s concerns within a reasonable timeframe following receipt of Customer’s request.

4.3      Except as set out in clauses 4.1 and 4.2, the Processor shall not permit, allow or otherwise facilitate Subprocessors to Process Personal Data without the prior written consent of Customer and unless Processor enters into a written agreement with the Subprocessor which imposes obligations no less protective than the obligations of this DPA.

4.4      Liability of Subprocessors. The Processor shall at all times remain responsible for compliance with its obligations under the DPA and will be liable to the Customer for the acts and omissions of any Subprocessor approved by the Customer as if they were the acts and omissions of Processor.  


5.1      Controls for the Protection of Personal Data.  Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Criteria shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the measures set out in the Security Documentation.

5.2       Audits.  Upon request by the Customer, and subject to the confidentiality obligations set forth in the Agreement and this DPA, Criteria shall make available to Customer (or Customer's independent, third-party auditor) all information reasonably necessary to demonstrate compliance with Article 28 of the GDPR, other applicable Data Protection Laws and/or this DPA specific to Personal Data.  Customer may request an on-site audit of Criteria’s policies, procedures, and controls relevant to the protection of Personal Data, but only to the extent required under applicable Data Protection Laws and up to one time every 12 months. Customer must provide at least 6 weeks’ prior notice to Criteria of a request for such an audit. Customer shall reimburse Criteria for any time expended for any such on-site audit at Criteria’s then-current rates, which shall be made available to Customer upon request. Before the commencement of any such on-site audit, Customer and Criteria shall mutually agree upon the scope, timing, and duration of the audit, in addition to the reimbursement rate for which Customer shall be responsible. Customer shall promptly notify Criteria regarding any non-compliance discovered during the course of an audit, and Criteria shall use commercially reasonable efforts to address any confirmed material non-compliance. In the event that Customer requests an audit within thirty (30) days following a confirmed Security Incident, Criteria will waive the applicable audit fees.

5.3       Security Incident Notification. Criteria maintains policies and procedures intended to manage Security Incidents, including detailed escalation procedures as further described in the Security Documentation.  If Criteria or any Subprocessor for Criteria becomes aware of a Security Incident, Criteria will to the extent required and as permitted by law: (a) notify the Customer of the Security Incident within 72 hours, (b) investigate the Security Incident and provide such reasonable assistance to the Customer (and any law enforcement or regulatory official) as required to investigate the Security Incident, and (c) take steps to remedy any non-compliance with this DPA.

5.4       Criteria Employees and Personnel. Criteria shall treat the Personal Data as the Confidential Information of the Customer and shall ensure that any employees or other personnel have agreed in writing to protect the confidentiality and security of Personal Data.

 5.5    Data Protection Impact Assessment; Prior Consultation

Taking into account the nature of the Processing and the information available to Criteria, Criteria will reasonably assist Customer in conducting data protection impact assessments and consultation with data protection authorities if Customer is required to engage in such activities under applicable Data Protection Laws and such assistance is necessary and relates to the Processing by Criteria of Customer Personal Data.



6.1       Data Subject Requests

Criteria shall comply with all applicable requirements of the Data Protection Laws. Subject to a detailed written request by Customer and where possible, Criteria shall reasonably assist Customer with responding to Data Subject Requests as required by applicable Data Protection Laws requirements.

6.2       Notice of Requests

Criteria shall promptly notify the Customer of any verified request received by Criteria from a Consumer or Data Subject of the Customer or authorized representative enforcing available rights in respect of the Personal Information of the Consumer or Data Subject of the Customer. Criteria shall direct such Consumer or Data Subject or authorized representative to contact the Customer.

6.3       Correction and Deletion.  Criteria shall provide Customer with the ability to correct, delete, block, access or copy the Personal Data in accordance with the functionality of the Services.

6.4      Government Disclosure. Criteria shall notify Customer of any request for the disclosure of Customer Personal Data by a governmental or regulatory body or law enforcement authority (including any data protection supervisory authority) unless otherwise prohibited by law or a legally binding order of such body or agency.


7.1       No Disclosure of Personal Information

Except for permitted disclosures to Subprocessors pursuant to similar terms as this DPA, Criteria shall not disclose, release, transfer, make available or otherwise communicate any Personal Information to another business or third party without the prior written consent of the Customer. Notwithstanding the foregoing, nothing in this Agreement shall restrict Criteria’s ability to disclose  Personal Information to comply with applicable laws or as otherwise permitted by the Data Protection Laws.


8.1       All Processing of Personal Data in countries which do not ensure an adequate level of data protection per the European Commission’s decision of 4 June 2021 is on the basis of and subject to the Standard Contractual Clauses. For the purpose of the Standard Contractual Clauses, this DPA and the Agreement are the complete and final instructions of Customer (Data Exporter) to Criteria (Data Importer) for the Processing of Personal Data. The Data Exporter hereby instructs the Data Importer to process Personal Data: (a) in accordance with the Agreement; (b) at the request of Data Exporter, including via the Services; and (c) as initiated by Data Subjects accessing the Services for or at the instruction of Data Exporter.

8.2       The Standard Contractual Clauses are hereby deemed completed as follows: (i) the Data Exporter is the Customer, and the Data Exporter’s contact information is set forth in the Order Form; (ii) the Data Importer is Criteria Corp, and Criteria’s contact information is set forth in the Order Form; (iii) Appendices 1, 2 and 3 of the Standard Contractual Clauses are set forth below. By entering into this DPA, the parties are deemed to be signing the Standard Contractual Clauses.

8.3 UK Transfers.   In relation to Personal Data that is subject to the UK GDPR, the Standard Contractual Clauses will apply in accordance with sub-section (a) and the following modifications (i) the Standard Contractual Clauses will be modified and interpreted in accordance with the UK Addendum, which will be incorporated by reference and form an integral part of the Agreement; (ii) Tables 1, 2 and 3 of the UK Addendum will be deemed completed with the information set out in the Annexes of this DPA and Table 4 will be deemed completed by selecting “neither party”; and (iii) any conflict between the terms of the Standard Contractual Clauses and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.

8.4  Swiss Transfers. In relation to Personal Data that is subject to the Swiss FADP, the Standard Contractual Clauses will apply in accordance with sub-section (a) and the following modifications: (i) references to "Regulation (EU) 2016/679" will be interpreted as references to the Swiss DPA; (ii) references to "EU", "Union" and "Member State law" will be interpreted as references to Swiss law; and (iii) references to the "competent supervisory authority" and "competent courts" will be replaced with "the Swiss Federal Data Protection and Information Commissioner" and the "relevant courts in Switzerland".


9.1      Determination under CPRA. Criteria shall notify Customer if it determines that it cannot meet its obligations under the CPRA.  

9.2     Remediation.   Additionally, upon receiving written notice from Customer that Criteria has Processed Customer Personal Data without authorization, Criteria will stop and remediate such Processing.

9.3    Acknowledgment.    Criteria agrees and acknowledges that it is prohibited from: (i) selling or sharing Personal Information to another business or third party without the prior written consent of Customer; (ii) retaining, using, or disclosing Personal Data for a commercial purpose other than providing the Services; and (iii) retaining, using, or disclosing the Personal Data other than as permitted by the Agreement.

9.4   Certification.   Criteria understands and certifies that it will comply with the prohibitions outlined in Section 9.3.

10 ASSISTANCE

10.1       Where applicable, taking into account the nature of the Processing, and to the extent required under applicable Data Protection Laws, the Processor shall provide the Customer with any information or assistance reasonably requested by the Customer for the purpose of complying with any of the Customer's obligations under applicable Data Protection Laws, including:

a. reasonable endeavors to assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising Data Subject rights laid down in the GDPR and other applicable Data Protection Laws; and

b. providing reasonable assistance to the Customer with any data protection impact assessments and with any prior consultations to any Supervisory Authority of the Customer, in each case solely in relation to Processing of Personal Data and taking into account the information available to Processor.

10.2       The Customer shall (at its own cost) provide assistance requested by Criteria in relation to the fulfilment of Criteria’s obligation to cooperate with the relevant Supervisory Authority under applicable Data Protection Laws. Notwithstanding any other provision of this DPA or the Agreement, Criteria shall be entitled to respond to and provide all relevant information in respect of requests or orders issued by such supervisory authority.


11.1       Deletion of data. Subject to 11.2 below, Processor shall, following written request from Customer and within 90 (ninety) days:

  1.  make available to Customer a complete copy of all Personal Data by secure transfer in such a format as notified by Customer to Processor; and
  2. delete and use all reasonable efforts to procure the deletion of all other copies of Personal Data Processed by Processor or any Subprocessors, according to instructions under section 11.2.
  3. If no written instructions are provided, Criteria will store and delete Personal Data in accordance with its then current data retention policies including the deletion of Personal Data that is no longer necessary to carry out any of the purposes under this DPA in accordance with applicable Data Protection Laws. Upon deletion of Personal Data in accordance with this Section 11, Processor shall not be required to provide a copy of the Personal Data to Customer.

11.2      Processor and its Subprocessors may retain Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that Provider shall ensure the confidentiality of all such Personal Data and shall ensure that such Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.


IN WITNESS WHEREOF, the parties have caused this Data Processing Addendum to be duly executed, incorporating the DPA Information Summary from the first page. Each party warrants and represents that its respective signatories whose signatures appear below are on the date of signature duly authorized. 




Criteria Corp

Authorized Signature


Authorized Signature



David Sherman



Chief Operating Officer





Exhibit 1



Subject Matter of Processing

Use and access of the web-based, platform pre-employment assessment services (“Service”) in accordance with the Agreement

Duration of Processing

The Term, as defined in the Criteria Agreement, subject to paragraphs 11.1 and 11.2 of the DPA

Nature and Purpose of Processing

Provision of the Service

Types of Personal Data

  • Personal Data of Staff that use the Service:
    • First and last name
    • Title
    • Position
    • Employer
    • Physical business address
    • Email
    • usage information
    • image
    • likeness
    • voice data
    • video
  • Personal Data of Applicants that use the Service:
    • First and last name
    • Email
    • Location
    • IP address
    • operating system type and version
    • unique device ID
    • browser and browser language
    • domain and other operating systems or platform
    • image
    • likeness
    • voice data
    • video
  • any other Personal Data which Customer, its Affiliates or users enter into the Service, including information gathered during video interviews

Categories of Data Subjects

  • Users authorized or requested by Customer (data exporter) or an Affiliate to use the Service, consisting of:
    • Employees, independent contractors, agents, or other contact persons of Customer (data exporter) and its Affiliates (“Customer Staff”); and
    • Job applicants of Customer (data exporter) or an Affiliate (“Customer Applicants”)

Obligations and rights of the Customer

The obligations and rights of the Customer are as set out in this DPA.





Annex 1


1. PARTIES:

Data exporter(s): 

The Customer whose identity and address are set forth in the Order Form

Data importer(s): 

Criteria Corp

750 N. San Vicente Blvd.

Suite 1500

East Tower

West Hollywood, CA  90069


 Subject Matter and Details of the Data Processing

Data exporter

The Data Exporter is the legal entity that has executed these Standard Contractual Clauses and that has purchased the Service.

Data importer

The Data Importer is Criteria Corp, a web-based pre-employment assessment provider which Processes Personal Data for the purpose of providing the Service to the data exporter.

Data subjects

The personal data transferred concern the following categories of data subjects:

Data exporter may submit Personal Data to Criteria, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:

  • Users of the Service as the data exporter authorizes, including:
    • Staff of data exporter, including employees, independent contractors, and agents of data exporter or its affiliates
    • Job applicants of the data exporter


Categories of data

The personal data transferred concern the following categories of data (please specify):

Data exporter may submit Personal Data to Criteria, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:

  • Personal Data of staff:
    • First and last name
    • Physical business address
    • usage information
    • any other Personal Data the Customer, its Affiliates and/or staff submit in the course of their use of the Service

  • Personal Data of job applicants:
    • First and last name
    • IP address
    • operating system type and version
    • unique device ID
    • browser and browser language
    • domain and other operating systems or platform
  • or such other categories of Personal Data which Customer, its Affiliates or users enter into the Service, including information gathered during video interviews


Criteria Corp will make additional technical information available to Customer upon request, such as details available in its Privacy Policy:

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify):


Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify):

(i) Processing in accordance with the Agreement and applicable Order(s);

(ii) Processing initiated by Users in their use of the Services;

(iii) Processing to comply with other documented reasonable instructions provided by User (e.g., via email or support tickets) where such instructions are consistent with the terms of the Agreement.

Categories of data subjects whose personal data is transferred

Purpose(s) of the data transfer and further processing

  • To provide the service as set forth in the Agreement and applicable Order between the parties

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

  •  For the period of time as set forth in the agreement between the parties


For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing

  • Please see Annex III



The Office of the Data Protection Commissioner in Ireland

21 Fitzwilliam Square South, Dublin 2 DO2 RD28, Ireland




Unless otherwise specified, any reference to a “Clause” under this Section D is a reference to the relevant Clause in the SCCs.

1. Docking clause. The optional Clause 7 does apply.

2. Instructions. The Documented Instructions under Clause 3 of this DPA are deemed to be the instructions by Customer for the purpose of Clause 8.1 for Module 2- Controller to Processor.

3. Sub-processors. For Module 2, Controller to Processor, Option 2 under Clause 9 (a) applies. Customer acknowledges and expressly agrees that pursuant to Clause 9(a), information about Criteria’s Sub-processors is given as described in Clause 4 of this DPA and that Criteria may engage new Sub-processors as described in Clause 4 of this DPA. Where Criteria enters into the SCC’s with a Sub-processor, Customer hereby grants Criteria authority to provide a general authorisation on Customer's behalf for the engagement of sub-processors by the Sub-processor, as well as decision making and approval authority for the addition or replacement of any such sub-processors.

4. Certification of deletion. Parties agree that the certification of deletion of Personal Data that is described in Clause 8.5 shall be provided by Criteria to Customer upon Customer’s written request.

5. Redress. In Clause 11, the optional language does apply.

6. Notifications to Data Subjects. For the purposes of Clause 15(1)(a), Criteria shall notify Customer (only) and not the Data Subject(s) in case of government access requests. Customer shall be solely responsible for promptly notifying the Data Subject as necessary.

7. Governing law. For the purpose of Clause 17, the governing law shall be that governing the Agreement, as designated thereunder. If the Agreement is not governed by an EU Member State law that allows for third-party beneficiary rights, the SCCs shall be governed by the laws of Ireland.

8. Choice of forum and jurisdiction. For the purpose of Clause 18(b), the competent courts shall be those identified in the Agreement. If the Agreement does not designate the courts of an EU Member State as having exclusive jurisdiction to resolve any dispute or lawsuit arising out of or in connection with the SCCs, the Parties agree that the competent courts under Clause 18(b) shall be those of Ireland.






1. Policies & Procedures. Processor maintains internal policies and procedures, or procures that its Subprocessors do so, which are designed to:

a. secure any personal data Processed by Processor against accidental or unlawful loss, access or disclosure;

b. identify reasonably foreseeable and internal risks to security and unauthorized access to the personal data Processed by Processor; and

c. minimize security risks, including through risk assessment and regular testing.

Processor’s policies and procedures require, among other things, (i) establishing appropriate levels of security for personal data, (ii) employees and Subprocessors who process personal data on behalf of Processor to read and comply with Processor’s confidentiality terms and Processor’s Cyber Security Policies, which are NIST CSF v.1.1 compliant, and (iii) Subprocessors who may have access to personal data to execute data protection agreements that meet or exceed Processor’s standard DPA.

2. Certifications.

SOC/ISO27001. Processor uses Amazon Web Services (“AWS”) as its hosting provider. AWS provides third party attestations, certifications, Service Organization Controls (SOC) reports and other relevant compliance reports, including SOC and ISO27001, directly under NDA via the following website

NIST Certification. Processor’s corporate office is NIST CSF v1.1 self-certified.

3. Monitoring & Management. Processor will, and will use reasonable efforts to procure that its Subprocessors, conduct periodic reviews of the security of their network and the adequacy of their information security program as measured against industry security standards and its policies and procedures.

Security areas covered in Processor’s Cyber Security Policies include:


• Acceptable Use Policy

• Asset Management Policy

• Backup and Recovery Policy

• Change Management Policy

• Confidential Data Policy

• Data Classification Policy

• Data Retention and Disposal Policy

• Encryption Policy

• Incident Response Policy

• Malware Protection Policy

• Mobile Device Policy

• Network Access and Authentication Policy

• Network Security Policy

• Password Policy

• Patch Management Policy

• Personnel Security Policy

• Physical Security Policy

• Privacy Policy

• Remote Access Policy

• Risk Management Policy

• Secure Development Lifecycle Policy

• Secure Workspace Policy


4. Security

Processor will, and will use reasonable efforts to procure that its Subprocessors, periodically evaluate the security of their network and associated services to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews.

Processor contracts annually with two industry-respected cyber security companies for both manual and automated vulnerability assessments and penetration testing of its applications. Processor’s penetration testing provider conducts regular penetration testing, providing a comprehensive and fully detailed report with all findings (critical, high, medium, and low) as well as remediation procedures for Processor’s immediate action.

5. Data Encryption. Processor uses industry-standard encryption products to protect personal data and communications Processed by Processor during transmissions between a Controller and Processor, including management of public keys. All data in transit between Controller and Processor is encrypted using HTTPS/TLS. Data at rest is stored in a unique non-readable binary format and subject to AES 256-bit full disk encryption.

6. Backup and Restoration. All onsite data is held on redundant encrypted SAN using industry-standard encryption technology. Data is also streamed in near real-time to an offsite backup and disaster recovery center via IPSec tunnel. Backed up data is stored using industry-standard encryption technology. In the event that data needs to be restored, the onsite SAN backups would be used first.

7. Disaster Recovery. Disaster recovery plans are in place and tested at least once per year. Processor utilizes disaster recovery facilities that are geographically remote from their primary data centers, along with the required hardware, software, and Internet connectivity. In the event production capabilities at the primary data centers were rendered unavailable, the disaster recovery hosting facilities would be enabled and brought online. As personal data is already streamed and held at these same facilities, recovery time would be minimized.

8. Updates. Processor may change these Technical and Organizational Measures at any time without notice by keeping a comparable or better level of security. During the term of the Service, individual measures described in this Appendix 2 may be replaced with new measures that serve the same purpose without materially diminishing the overall security of the Processor’s Service.


Annex III 


Criteria maintains a dedicated infrastructure to support our cloud-based Software as a Service (SaaS) and we entrust some aspects of data processing to carefully cybersecurity-vetted service providers that assist in providing our SaaS.  This list of subprocessors is approved by customer to subprocess data on behalf of Criteria, in accordance with our Data Processing Agreement. 

These subprocessors may host, store, process, and/or access non-public customer data (i.e., job candidate PII and customer confidential information) and are material to the Criteria SaaS delivery as they are necessary for the provision of the Criteria product. 

Criteria Subprocessor List
Criteria-Subprocessors.pdf