Last Updated on 07/02/2024
This Data Processing Agreement is an integral part of Aspect’s Terms of Service.
1.1 In this Agreement:
"Agreement" means this data processing agreement including any Schedules, and any amendments to this Agreement agreed in writing between the Parties from time to time;
“Controller”, “Data Subject”, “Personal Data”, “Process” and “Processor” shall have the meanings given to them in the GDPR;
"Data Protection Laws" means all applicable laws relating to the processing of Personal Data including any national, federal, state, provincial, and local laws and regulations governing the use and disclosure of personal information, including the California Consumer Privacy Act 2018, the UK GDPR, the Data Protection Act 2018 and the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR);
“Terms of Service” or "ToS" means the legally binding agreement governing the use of the Services entered into between the parties on or about the date of this Agreement;
“Standard Contractual Clauses” or “SCC” means the standard contractual clauses for international transfers annexed to the European Commission's Implementing Decision on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, published on June 4, 2021, including as incorporated into the UK Transfer Addendum, if applicable; and
"Schedule" means any schedule attached to the main body of this Agreement.
2.1 This Agreement is part of Aspect’s Terms of Service (ToS).
2.2 Any capitalized terms that are:
used in this Agreement;
defined in the ToS; and
not defined in this Agreement,
shall in this Agreement have the meanings given to them in the ToS.
2.3 If there is a conflict between this Agreement and the ToS, then the ToS shall take precedence.
3.1 This Agreement shall come into force upon the Commencement Date and shall continue until all processing of Personal Data under the ToS has completed.
4.1 The Parties acknowledge and agree that for the purposes of the Data Protection Laws the Customer is the Controller and Aspect is the Processor in respect of all Personal Data Processed by Aspect in connection with the Services.
5. Data protection
5.1 Both Parties shall comply with the Data Protection Laws with respect to the Processing of Personal Data.
5.2 The Customer shall provide the Data Subjects with all necessary information and shall obtain all necessary consents to ensure that Aspect can lawfully Process their Personal Data for the purposes of performing the Services.
5.3 The subject matter and duration of the Processing, the nature and purpose of the Processing, and the type of Personal Data and categories of Data Subjects are set out in Schedule 1 to this Agreement.
5.4 Aspect shall only Process the Personal Data for the purposes of the Services and on the documented instructions of the Customer.
5.5 Aspect shall promptly inform the Customer if, in the opinion of Aspect, an instruction of the Customer relating to the Processing of the Personal Data infringes the Data Protection Laws.
5.6 Notwithstanding any other provision of this Agreement, Aspect may process the Personal Data if and to the extent that Aspect is required to do so by law. In such a case, Aspect shall inform the Customer of the legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
5.7 Aspect shall ensure that persons authorized to Process the Personal Data have committed themselves to confidentiality obligations no less stringent than those set forth in the Agreement or are under an appropriate statutory obligation of confidentiality no less stringent than those set forth in the Agreement.
5.8 Aspect must at all times implement industry standard technical and organizational measures against unauthorized or unlawful processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data including, but not limited to, the security measures set out in Schedule 1 and the following (as appropriate):
(a) the pseudonymisation and encryption of Personal Data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
(d) a process for regularly testing, assessing and evaluating the effectiveness of the security measures.
5.9 Aspect must not engage any third party to Process the Personal Data (Sub-Processor) without the prior specific written authorisation of the Customer. In the case of a written authorisation, Aspect shall inform the Customer at least 30 days in advance of any intended changes concerning the addition or replacement of any Sub-Processor, and if the Customer (acting reasonably) objects to any such changes before their implementation, then Aspect shall take account of the Customer’s objections before proceeding with the change.
5.10 Aspect shall ensure that each Sub-Processor is bound by contractual terms that are at least as protective as those set out in this Agreement. When a Sub-Processor already includes Standard Contractual Clauses within its own Data Processing Agreement, Aspect will review and ensure that these clauses are consistent with and satisfy the requirements of the Data Protection Laws applicable to the data transfers in question. Aspect will validate and document its reliance on the Sub-Processor's SCCs and confirm that they are congruent with the obligations under this Agreement. In cases where the Sub-Processor's SCCs are used, Aspect shall not be required to enter into separate SCCs with the Sub-Processor, provided that the existing clauses offer equivalent data protection as if Aspect had entered into SCCs directly with the Sub-Processor.
In the event that a Sub-Processor fails to fulfil any of its data protection obligations as stipulated by its SCCs or this Agreement, Aspect shall remain directly liable to the Customer for the performance of the Sub-Processor's obligations.
5.11 As at the Commencement Date, Aspect is hereby authorised by the Customer to engage, as Sub-Processors with respect to Personal Data, the third parties identified in Paragraph 6 of Schedule 1 (Data processing information).
5.12 Aspect shall take appropriate technical and organisational measures to assist the Customer with the fulfilment of the Customer’s obligation to respond to requests exercising a Data Subject's rights under the Data Protection Laws.
5.13 Aspect shall assist the Customer in ensuring compliance with the obligations relating to the security of processing of personal data, the notification of personal data breaches to the supervisory authority, the communication of personal data breaches to the data subject, data protection impact assessments and prior consultation in relation to high-risk processing under the Data Protection Laws.
5.14 Aspect must notify the Customer of any Personal Data breach affecting the Personal Data without undue delay and, in any case, not later than 48 hours after Aspect becomes aware of the breach.
5.15 Aspect shall make available to the Customer all information necessary to demonstrate the compliance of Aspect with its obligations under this Agreement.
5.16 Aspect shall, at the choice of the Customer, delete or return all of the Personal Data to the Customer after the provision of Services relating to the Processing, and shall delete existing copies save to the extent that applicable law requires storage of the relevant Personal Data. Upon termination of this Agreement, Aspect commits to either fully delete or anonymize all of the Customer's Personal Data in its possession or control, according to the Customer’s preference, no later than 30 days after the date of termination. This includes all Personal Data held by Aspect's Sub-Processors. Aspect shall confirm the deletion or anonymization of the data in writing to the Customer. This obligation is subject to any legal requirements that may require the storage of data beyond the termination of the Agreement. In such cases, Aspect will only retain the minimum amount of data necessary to comply with the legal obligation and will ensure the continued protection of the data as per the standards outlined in this Agreement.
5.17 Aspect shall allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer in respect of the compliance of Aspect’s processing of Personal Data with the Data Protection Laws and this Clause 5.
5.18 If any changes or prospective changes to the Data Protection Laws result or will result in one or both parties not complying with the Data Protection Laws in relation to Processing of Personal Data carried out under this Agreement, then the parties shall use all reasonable endeavours promptly to agree such variations to this Agreement as may be necessary to remedy such non-compliance.
5.19 Data Retention Policy: During the term of this Agreement, Aspect will retain the Personal Data processed on behalf of the Customer no longer than is necessary for the purposes for which it was collected or as required by applicable laws. Aspect commits to the following retention practices:
During Agreement Execution: Aspect will regularly review the Personal Data it processes to ensure that it is not kept longer than necessary. Data retention periods are determined based on the purpose of data processing, legal and regulatory requirements, and the necessity of data in providing the agreed Services. Specific retention periods for different categories of Personal Data are detailed in Schedule 1 (Data Processing Information).
Upon Termination: As stipulated in Section 5.16, upon termination of this Agreement, Aspect shall, according to the Customer's preference, delete or anonymize all of the Customer's Personal Data within 30 days, unless a longer retention period is mandated by applicable law. In cases where Aspect is required by law to retain some form of the data, it will ensure that the data is used only for those necessary legal purposes and remains protected under the terms of this Agreement.
Aspect will document its data retention and deletion policies and provide these to the Customer upon request, ensuring transparency and compliance with Data Protection Laws.
6. Cross-border transfers of Personal Data
6.1 Aspect shall ensure that any transfer of the Customer’s Personal Data outside of the European Economic Area (EEA) and the United Kingdom to a country without an adequacy decision shall only occur through mechanisms deemed acceptable under the Data Protection Laws, such as the Standard Contractual Clauses included within a Sub-Processor's Data Processing Agreement that Aspect has reviewed and confirmed to meet the requirements of the Data Protection Laws.
SCHEDULE 1 (DATA PROCESSING INFORMATION)
1. Categories of data subject
Employees of the Customer and job candidates of the Customer.
2. Types of Personal Data
Names of employees and job candidates of the Customer, email addresses of employees and job candidates of the Customer, and video and voice recordings of employees and job candidates of the Customer.
3. Subject-Matter, Nature and Purposes of processing
Assessing and evaluating the interview technique of the Customer's employees, and aiding the decision-making process regarding the Customer's job candidates.
4. Duration of processing
For the duration of this Agreement plus a reasonable period of time afterwards to allow for the return or deletion of the Personal Data.
5. Security measures for Personal Data
Preventing Unauthorized Product Access
Authentication: Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.
Authorization: Customer data is stored in multi-tenant storage systems accessible to Customers only via application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of Aspect’s products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed by validating the user’s permissions against the roles associated with each user.
Preventing Unauthorized Product Use
Aspect implements industry standard access controls and detection capabilities for the internal networks that support its products.
Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
Static code analysis: Security reviews of code stored in Aspect’s source code repositories are performed, checking for coding best practices and identifiable software flaws.
Limitations of Privilege & Authorization Requirements
Product access: A subset of Aspect’s employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Access is enabled through “just in time” requests for access; all such requests are logged. Employees are granted access by role, and reviews of high risk privilege grants are initiated daily. Employee roles are reviewed at least once every six months.
In-transit: Aspect makes HTTPS encryption (TLS, historically referred to as SSL) available on every one of its login interfaces and for free on every customer site hosted on Aspect’s products. Aspect’s HTTPS implementation uses industry standard algorithms and certificates.
At-rest: Aspect has implemented technologies to ensure that stored data is encrypted at rest.
Detection: Aspect designed its infrastructure to log extensive information about system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. Aspect’s personnel, including security, operations, and support personnel, are responsive to known incidents.
Response and tracking: Aspect maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, Aspect will take appropriate steps to minimize product and Customer damage or unauthorized disclosure.
Communication: If Aspect becomes aware of unlawful access to Customer data stored within its products, Aspect will: 1) notify the affected Customers of the incident; 2) provide a description of the steps Aspect is taking to resolve the incident; and 3) provide status updates to the Customer contact, as reasonably requested by the Customer. Notification(s) of incidents, if any, will be delivered to one or more of the Customer’s contacts in a form Aspect selects, which may include email or telephone.
6. Sub-processors of Personal Data
6.1 General Consent: The Customer grants Aspect general authorization to engage third-party Sub-Processors already equipped with Data Processing Agreements (DPAs) and Standard Contractual Clauses (SCCs) that are compliant with the Data Protection Laws. Aspect will conduct a review to confirm that the Sub-Processor’s DPA and SCCs are not only present but also fully aligned with the specific data protection requirements and obligations of Aspect's services to the Customer.
For each Sub-Processor, Aspect will document the review process, ensuring that the Sub-Processor’s commitments via its DPA and SCCs provide a level of data protection and security that meets or exceeds the standards required by Aspect and its Customers. This process is designed to streamline compliance efforts while maintaining high data protection standards.
Aspect will maintain a list of engaged Sub-Processors and make this list available to the Customer upon request. Should there be a need to engage a new Sub-Processor or amend the data processing activities with an existing Sub-Processor, Aspect will update its review to include these changes, ensuring ongoing compliance with the Data Protection Laws. Aspect will also notify the Customer in advance of any changes to the Sub-Processor list.
6.2 Current Sub-Processor List: The Customer acknowledges and agrees that Aspect may engage its current Sub-Processors listed in the chart below.
Sub-processor chart (the Sub-Processor names are not present on this page; only the purpose and "Lawful transfer mechanism" cells survive, listed here in the order they appear):
- Application hosting and data storage
- Event store and stream processing
- Standard Contractual Clauses
- Automated interview transcription
- Interview transcriptions in languages other than English
- Standard Contractual Clauses
- Email notifications to interviewers
- Standard Contractual Clauses
- DPA + Standard Contractual Clauses