Data Processing Addendum
Version 2.1 • Effective January 27, 2026
This Data Processing Addendum (including all Schedules attached hereto, the "DPA") is incorporated into, and is subject to the terms and conditions of, the underlying customer agreement or terms of service ("Agreement") between Showspace Inc., a Delaware corporation ("Endorsed") and the entity identified as the customer in the Agreement or the relevant order form entered into with Endorsed ("Customer"). This DPA applies to the extent Endorsed's Processing of Customer Personal Data is subject to the Data Protection Laws. This DPA shall be effective for the term of the Agreement.
1. Definitions
1.1. "Controller" means the entity which determines the purposes and means of the Processing of Personal Data. The term "Controller" includes a "business" as defined under the CCPA.
1.2. "Customer Personal Data" means the Personal Data described under Schedule 1 to this DPA.
1.3. "Data Protection Laws" means all applicable laws and regulations, including laws and regulations of: (i) the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom; (ii) the United States (including, but not limited to the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, the "CCPA") and other applicable state privacy laws); and (iii) any other jurisdiction in which the parties operate, in each case, applicable to the Processing of Personal Data under the Agreement and this DPA.
1.4. "Data Subjects" means the individuals identified in Schedule 1 to this DPA.
1.5. "EU SCCs" means the Standard Contractual Clauses approved with Commission Implementing Decision (EU) 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended, supplemented, updated or replaced from time to time.
1.6. "GDPR" means the General Data Protection Regulation (EU) 2016/679 together with any national implementing laws in any member state of the EEA ("EU GDPR") and the EU GDPR as incorporated into the laws of the United Kingdom ("UK GDPR").
1.7. "Personal Data" and "Processing" will each have the meaning given to them in the Data Protection Laws. The term "Personal Data" includes "personal information," "personally identifiable information," and equivalent terms as such terms may be defined by the Data Protection Laws.
1.8. "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data.
1.9. "Processor" means the entity which Processes Personal Data on behalf of the Controller. The term "Processor" includes a "service provider" as that term is defined under the CCPA.
1.10. "Sell" has the meaning given in the Data Protection Laws.
1.11. "Service" means the services provided by Endorsed to Customer pursuant to the Agreement.
1.12. "Share" has the meaning given in the CCPA.
1.13. "Sub-Processor" means another Processor engaged by a Processor to carry out Processing on behalf of a Controller.
1.14. "UK Addendum" means the International Data Transfer Addendum to the EU SCCs, issued by the UK Information Commissioner for parties making restricted transfers, which entered into force on 21 March 2022 (collectively, with the EU SCCs, the "SCCs").
Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.
2. Processing of Customer Personal Data
2.1. Customer is a Controller of Customer Personal Data and Endorsed is a Processor of Customer Personal Data. If Customer is itself acting as a Processor for Customer Personal Data on behalf of a Controller of such data, Endorsed will Process such data as a Sub-Processor to Customer. The details of Endorsed's Processing of Customer Personal Data are described in Schedule 1 to this DPA.
2.2. Endorsed will only Process Customer Personal Data as a Processor on behalf of and in accordance with Customer's prior written instructions, including any instructions provided through Customer's use of the Service. Customer hereby instructs Endorsed to Process Customer Personal Data to the extent necessary to provide the Service as set forth in the Agreement and this DPA. Endorsed shall not (1) retain, use, or disclose Customer Personal Data other than as provided for in the Agreement, as needed to provide the Service, or as otherwise permitted by Data Protection Laws; (2) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Customer and Endorsed, including by combining Customer Personal Data with Personal Data Endorsed receives from third parties, other than Customer, except as permitted by the Data Protection Laws; or (3) Sell or Share Customer Personal Data. Upon notice to Endorsed, Customer may take reasonable and appropriate steps to remediate Endorsed's use of Customer Personal Data in violation of this DPA.
2.3. Endorsed will immediately inform Customer if, in its opinion, an instruction from Customer infringes the Data Protection Laws. If applicable laws preclude Endorsed from complying with Customer's instructions, Endorsed will inform Customer of its inability to comply with the instructions, to the extent permitted by law.
2.4. Each of Customer and Endorsed will comply with their respective obligations under the Data Protection Laws. Endorsed shall notify Customer if it determines that it cannot meet its obligations under the Data Protection Laws. Customer has the right to take reasonable steps to ensure that Endorsed uses Customer Personal Data in a manner consistent with Customer's obligations under Data Protection Laws by exercising Customer's audit rights in Section 10 of this DPA.
3. Cross-Border Transfers of Personal Data
3.1. With respect to Customer Personal Data originating from the European Economic Area ("EEA"), the United Kingdom (the "UK") or Switzerland that is transferred from Customer to Endorsed, the parties agree to comply with the general clauses and with "Module Two" (Controller to Processor) and "Module Three" (Processor to Processor) of the EU SCCs, as applicable, which are incorporated herein by reference, with Customer as the "data exporter" and Endorsed as the "data importer."
3.2. For purposes of the EU SCCs the parties agree that:
3.2.1. The optional docking clause 7 of the EU SCCs will not apply.
3.2.2. In clause 9 of the EU SCCs, option 2 will apply and the time period for prior notice of Sub-Processor changes will be as set forth in Section 5.2 of this DPA.
3.2.3. The optional language in clause 11 of the EU SCCs will not apply.
3.2.4. In clause 17 of the EU SCCs, option 1 applies and the EU SCCs shall be governed by the laws of Ireland.
3.2.5. In clause 18(b) of the EU SCCs, the parties agree to submit to the jurisdiction of the courts of Ireland.
3.2.6. In Annex I, Section A (List of Parties) of the EU SCCs, (i) the Customer is the data exporter and Endorsed is the data importer and their identity and contact details and, where applicable, information about their respective data protection officer and/or representative in the EEA are those set forth in this DPA or as otherwise communicated by each party to the other party; (ii) Customer is a Controller (under "Module Two" of the EU SCCs) or Processor (under "Module Three" of the EU SCCs), and Endorsed is a Processor; (iii) the activities relevant to the data transferred under the EU SCCs relate to the provision of the Service pursuant to the Agreement; and (iv) entering into this DPA shall be treated as each party's signature of Annex I, Section A, as of the effective date of this DPA.
3.2.7. In Annex I, Section B (Description of Transfer) of the EU SCCs: (i) Schedule 1 to this DPA describes Endorsed's Processing of Customer Personal Data; (ii) the frequency of the transfer is continuous (for as long as Customer uses the Service); (iii) Customer Personal Data will be retained in accordance with Clause 8.5 of the EU SCCs and this DPA; (iv) Endorsed uses the Sub-Processors described in Section 5.2 of this DPA to support the provision of the Service.
3.2.8. In Annex I, Section C (Competent Supervisory Authority) of the EU SCCs, the competent supervisory authority identified in accordance with Clause 13 of the EU SCCs is the competent supervisory authority communicated by Customer to Endorsed.
3.2.9. In Annex II of the EU SCCs, data importer has implemented and will maintain appropriate technical and organizational measures to protect the security, confidentiality and integrity of Customer Personal Data as described on Schedule 2.
3.3. If the transfer of Customer Personal Data is subject to the Swiss Federal Act on Data Protection ("FADP"), the parties agree to rely on the EU SCCs with the following modifications: (i) the Federal Data Protection and Information Commissioner (FDPIC) will be the competent supervisory authority under Clause 13 of the EU SCCs; (ii) the parties agree to abide by the GDPR standard in relation to all Processing of Customer Personal Data that is governed by the FADP; (iii) the term "Member State" in the EU SCCs will not prevent Data Subjects who habitually reside in Switzerland from initiating legal proceedings in Switzerland in accordance with Clause 18(c) of the EU SCCs; and (iv) references to the 'GDPR' in the EU SCCs will be understood as references to the FADP.
3.4. With respect to transfers from Customer to Endorsed of Customer Personal Data originating from the UK, the parties agree that the UK Addendum will complement the EU SCCs to the extent required under Data Protection Law. The UK Addendum is incorporated herein by reference. The parties agree that the UK Addendum is completed as follows:
3.4.1. For the purpose of Part 1 of the UK Addendum:
3.4.2. Table 1 (Parties): the start date is the effective date of the Agreement, the exporter is the Customer and the importer is Endorsed, the table is deemed to be completed with the information set out in Section 3.2 of this DPA, and by signing this DPA, parties are deemed to have signed the UK Addendum.
3.4.3. Table 2 (Selected SCCs, Modules and Selected Clauses): the "Approved EU SCCs" which the UK Addendum is appended to are the EU SCCs incorporated into this DPA and completed as set out in Section 3.2 of this DPA.
3.4.4. Table 3 (Appendix Information): the information requested in Annex 1 is provided in Sections 3.2.6 and 3.2.7 of this DPA; the security measures requested in Annex 2 are described in Schedule 2 to this DPA; the list of Sub-Processors is available as described in Section 5.2 of this DPA.
3.4.5. Table 4: both the data importer and the data exporter may end the UK Addendum as set out in section 19 of the UK Addendum.
3.4.6. The competent supervisory authority for data transfers in connection with the UK Addendum will be the Information Commissioner's Office.
4. Confidentiality and Security
4.1. Endorsed will require Endorsed's personnel who access Customer Personal Data to commit to protect the confidentiality of Customer Personal Data.
4.2. Endorsed will implement commercially reasonable technical and organisational measures, as further described in Schedule 2 to this DPA, that are designed to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
4.3. To the extent required by Data Protection Laws, Endorsed will provide Customer with reasonable assistance as necessary for the fulfilment of Customer's obligations under Data Protection Laws to maintain the security of Customer Personal Data.
5. Sub-Processing
5.1. Customer hereby authorizes Endorsed to appoint (and permit each Sub-Processor appointed in accordance with this Section 5 to appoint) Sub-Processors in accordance with this Section 5.
5.2. The Sub-Processors appointed by Endorsed as at the date of this DPA are set out at Schedule 3 ("Sub-Processors List"). Endorsed will inform Customer of any intended changes concerning the addition or replacement of any appointed Sub-Processors (a "New Sub-Processor") at least ten (10) days in advance, along with reasonably detailed information about such New Sub-Processor by sending email notification.
5.3. Customer will have an opportunity to object in writing to the appointment of a New Sub-Processor within ten (10) business days after receipt of notice of a New Sub-Processor in accordance with Section 5.2, provided that such objection must be on reasonable, substantial grounds, directly related to such New Sub-Processor's ability to comply with substantially similar obligations to those set out in this DPA. If Customer does not so object, the engagement of the New Sub-Processor shall be deemed accepted by Customer. If Customer notifies Endorsed in writing of any objections to the proposed appointment, the parties agree to discuss commercially reasonable alternative solutions in good faith. If the parties cannot reach a resolution within thirty (30) business days from the date of Endorsed's receipt of Customer's written objection, the parties may terminate the Agreement and this DPA.
5.4. Endorsed will enter into an agreement with each Sub-Processor that imposes on the Sub-Processor, in substance, the same obligations that apply to Endorsed under this DPA. Where any of its Sub-Processors fails to fulfil its data protection obligations, Endorsed will be liable to Customer for the performance of its Sub-Processors' obligations.
6. Data Subject Rights
Customer is responsible for responding to any Data Subject requests relating to Customer Personal Data ("Requests"). If Endorsed receives any Requests during the term of the Agreement, Endorsed will advise the Data Subject to submit the request directly to Customer. Endorsed will provide Customer with reasonable assistance to permit Customer to respond to Requests.
7. Personal Data Breaches
Upon becoming aware of a Personal Data Breach affecting Customer Personal Data, Endorsed will (i) promptly take measures designed to remediate the Personal Data Breach, and (ii) notify Customer without undue delay. Customer is solely responsible for complying with Personal Data Breach notification requirements applicable to Customer. Customer may request that Endorsed reasonably assist Customer's efforts to notify Personal Data Breaches to the competent data protection authorities and/or affected Data Subjects, if Customer is required to do so under the Data Protection Laws. Endorsed's notice of or response to a Personal Data Breach under this Section 7 will not be an acknowledgement or admission by Endorsed of any fault or liability with respect to the Personal Data Breach.
8. Data Protection Impact Assessment; Prior Consultation
Customer may request reasonable assistance from Endorsed in connection with conducting data protection impact assessments and consultation with data protection authorities if Customer is required to engage in such activities under applicable Data Protection Laws and the data protection impact assessment or consultation relate to the Processing by Endorsed of Customer Personal Data.
9. Deletion of Customer Personal Data
Customer instructs Endorsed to delete Customer Personal Data within ninety (90) days of the termination of the Agreement and delete existing copies unless applicable law requires otherwise. The parties agree that the certification of deletion described in the SCCs, if applicable, shall be provided only upon Customer's written request. Notwithstanding the foregoing, Endorsed may retain Customer Personal Data to the extent and for the period required by applicable laws provided that Endorsed maintains the confidentiality of all such Customer Personal Data and Processes such Customer Personal Data only as necessary for the purpose(s) specified in the applicable laws requiring its storage.
10. Audits
10.1. Customer may audit Endorsed's compliance with its obligations under this DPA up to once per year. In addition, Customer may perform more frequent audits (including inspections) in the event: (1) Endorsed suffers a Personal Data Breach affecting Customer Personal Data; (2) Customer has genuine, documented concerns regarding Endorsed's compliance with this DPA or the Data Protection Laws; or (3) where required by the Data Protection Laws, including where mandated by regulatory or governmental authorities with jurisdiction over Customer Personal Data. Endorsed will contribute to such audits by providing Customer or Customer's regulatory or governmental authority with the information and assistance reasonably necessary to conduct the audit.
10.2. To request an audit, Customer must submit a detailed proposed audit plan to support@endorsed.com at least one month in advance of the proposed audit start date. The proposed audit plan must describe the proposed scope, duration, start date of the audit, and the identity of any third party Customer intends to appoint to perform the audit. Endorsed will review the proposed audit plan and provide Customer with any concerns or questions (for example, Endorsed may object to the third party auditor as described in Section 10.3, provide an Audit Report as described in Section 10.4, or identify any requests for information that could compromise Endorsed confidentiality obligations or security, privacy, employment or other relevant policies). The parties will negotiate in good faith to agree on a final audit plan at least two weeks in advance of the proposed audit start date. Nothing in this Section 10 shall require Endorsed to breach any duties of confidentiality.
10.3. Endorsed may object to third party auditors that are, in Endorsed's reasonable opinion, not suitably qualified or independent, a competitor of Endorsed, or otherwise manifestly unsuitable. Customer will appoint another auditor or conduct the audit itself if the parties cannot resolve Endorsed's auditor objection after negotiating in good faith.
10.4. If the requested audit scope is addressed in an SSAE 18/ISAE 3402 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor on Endorsed's systems that Process Customer Personal Data ("Audit Reports") within twelve (12) months of Customer's audit request and Endorsed confirms there are no known material changes in the controls audited, Customer agrees to accept the Audit Report in lieu of requesting an audit of the controls covered by the Audit Report.
10.5. The audit must be conducted at a mutually agreeable time during regular business hours at the applicable facility, subject to the agreed final audit plan and Endorsed's health and safety or other relevant policies. The audit may not unreasonably interfere with Endorsed business activities.
10.6. Any audits are at Customer's expense and Customer will promptly disclose to Endorsed any perceived non-compliance or security concerns discovered during the audit, together with all relevant details.
10.7. The parties agree that the audits described in the SCCs, if applicable, shall be performed in accordance with this Section 10.
11. Liability
11.1. Each party's liability towards the other party under or in connection with this DPA will be limited in accordance with the provisions of the Agreement.
11.2. Customer acknowledges that Endorsed is reliant on Customer for direction as to the extent to which Endorsed is entitled to Process Customer Personal Data on behalf of Customer in performance of the Service. Consequently, Endorsed will not be liable under the Agreement for any claim brought by a Data Subject arising from (a) any action or omission by Endorsed in compliance with Customer's instructions or (b) from Customer's failure to comply with its obligations under the Data Protection Laws.
12. General Provisions
With regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail. In the event of inconsistencies between the DPA and the SCCs, the SCCs will prevail.
Customer:
By: _____________________
Name: _____________________
Title: _____________________
Endorsed:
By: _____________________
Name: _____________________
Title: _____________________
SCHEDULE 1
Details of Processing
1. Categories of Data Subjects. This DPA applies to the Processing of Customer Personal Data relating to:
  • Customer's employees, contractors, and other authorized users of the Service ("Admin Users")
  • Individuals who are candidates or otherwise applied for one or more job opportunities with Customer and are having their data processed by the Services ("Candidates")
2. Types of Personal Data. The extent of the Customer Personal Data Processed by Endorsed is determined and controlled by the Customer in its sole discretion and includes: (a) names, email addresses, and any other Personal Data that may be transmitted through the Service by Admin Users; and (b) basic identifying and contact information, professional and employment-related data (e.g., resumes, work history, skills, education), recruiting and evaluation data (e.g., screening results, rankings, assessments), and limited technical/usage data associated with candidate records of Candidates.
Endorsed does not require access to and Customer will not provide to Endorsed any "special categories" of personal data as defined under Article 9 of GDPR.
3. Subject-Matter and Nature of the Processing. The subject-matter of Processing of Customer Personal Data by Endorsed is the provision of the Service to the Customer. Customer Personal Data will be subject to those Processing activities which Endorsed needs to perform in order to provide the Service pursuant to the Agreement.
4. Purpose of the Processing. Customer Personal Data will be Processed by Endorsed for purposes of providing the Service as set out in the Agreement.
5. Duration of the Processing. Customer Personal Data will be Processed for the duration of the Agreement, subject to Section 9 of the DPA.
SCHEDULE 2
Security Measures
Technical and Organizational Security Measure: Details
Measures of pseudonymization and encryption of personal data: Endorsed has deployed secure methods and protocols for transmission of confidential or sensitive information over public networks. Databases housing sensitive customer data are encrypted at rest. Endorsed uses only recommended secure cipher suites and protocols to encrypt all traffic in transit and Customer Data is securely encrypted with strong ciphers and configurations when at rest.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services: Endorsed ensures ongoing confidentiality, integrity, and availability through data encryption both in transit and at rest, regular database backups, and cryptographic controls with key management processes. Additionally, the implementation of secure and privacy-by-design principles, commercially reasonable practices by third parties, and a strict review process for third-party vendors contribute to the resilience of processing systems and services.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident: Daily, weekly and monthly backups of production datastores are taken. Measures include conducting an annual disaster recovery test, including a test of backup restoration processes, as well as ensuring data is regularly backed up and encrypted both in transit and at rest.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing: Endorsed measures and verifies compliance with its policies through ongoing monitoring, and both internal and external audits. All significant changes affecting information security are tested, reviewed, and approved prior to production deployment, and security functionality is tested at defined periods during the development life cycle.
Measures for user identification and authorization: Endorsed supports Single Sign-On (SSO) through Google Accounts, mandates Multi-Factor Authentication (MFA) for production system access, and requires all personnel to have unique user identifiers. Users must register with complete and truthful data, choose strong passwords, and keep their login credentials confidential.
Measures for the protection of data during transmission: Data transmitted to and from Endorsed is protected by encryption in transit, following industry best practices such as NIST SP 800-57 and using strong ciphers. Additionally, API connections with clients' Applicant Tracking Systems (ATS) are securely stored within our Supabase-hosted database in the United States.
Measures for the protection of data during storage: Data is encrypted both in transit and at rest, with regular database backups conducted to ensure data resilience and availability for recovery. Personal data is encrypted using robust cryptography when stored.
Measures for ensuring physical security of locations at which personal data are processed: Physical security measures for locations processing personal data include preventing unauthorized access, misuse, theft, environmental threats, and other security threats, in accordance with the Physical Security Policy and GDPR Compliance Policy requirements.
Measures for ensuring events logging: Our production company infrastructure is configured to produce detailed logs, including user log-in and log-out, CRUD operations, security settings changes, and administrator access to customer data. These logs are stored for at least 90 days, and logging and auditing functionality is ensured for system functions and information access.
Measures for ensuring system configuration, including default configuration: To ensure system configuration, unnecessary default accounts must be removed or disabled and vendor default passwords changed before making a system available on the network. Configuration and hardening standards for servers and VMs are implemented for production systems to enhance system security.
Measures for internal IT and IT security governance and management: Senior Management at Endorsed approves capital expenditures for ISP and ISMS, oversees the execution of information security and privacy risk management, and aligns security policies with strategic objectives. Endorsed measures and verifies compliance through ongoing monitoring, and both internal and external audits, with policies reviewed annually.
Measures for certification/assurance of processes and products: Endorsed is fully compliant with SOC2 Type II, GDPR and CCPA, while working towards compliance with ISO regulations. Endorsed can expedite certification processes as required. Endorsed measures and verifies compliance through ongoing monitoring and both internal and external audits, with policies being reviewed at a minimum annually.
Measures for ensuring data minimization: Endorsed's Customers unilaterally determine what data they route through the Services. As such, Endorsed operates on a shared responsibility model.
Measures for ensuring data quality: Endorsed has a multi-tiered approach for ensuring data quality. These measures include: (i) database schema validation rules which execute against data before it is saved to our database, (ii) a schema-first API design and strong typing to enforce a strict contract between official clients and API resolvers. Endorsed applies these measures across the board, both to ensure the quality of any Usage Data that Endorsed collects and to ensure that the Endorsed Platform is operating within expected parameters. Endorsed ensures that data quality is maintained from the time a Customer sends Customer Data into the Services and until that Customer Data is presented or exported.
Measures for ensuring limited data retention: Data shall be retained as long as necessary for use, regulatory, or contractual obligations, and disposed of or archived when no longer needed. The data retention requirements are reviewed annually, and legal counsel may stipulate retention for specific cases.
Measures for ensuring accountability: Endorsed measures and verifies compliance with its policies through ongoing monitoring, internal and external audits, with policies being reviewed annually. Furthermore, violations should be reported to the designated Security PM, and management monitors training completion to ensure compliance.
Measures for allowing data portability and ensuring erasure: Users can request data portability to receive or transfer their data in a structured, commonly-used, and machine-readable format. Data erasure is facilitated through contacting support@endorsed.com, and devices with damaged storage are subjected to certified data destruction via an E-Waste service.
Technical and organizational measures of sub-processors: Sub-processors must implement commercially reasonable practices and procedures for operations security, including technical testing, protection against malicious software, network protection and management, technical vulnerability management, logging and monitoring, incident response, and business continuity planning. Secure development programs and adherence to GDPR and CCPA regulatory requirements are also mandatory.
SCHEDULE 3
Sub-Processors
A listing of Endorsed's Sub-Processors may be found at: https://trust.endorsed.ai/.
Copyright 2026 Endorsed. All Rights Reserved.