Last Updated: June 26, 2026
This Data Processing Agreement (the “DPA”) is intended to sit alongside the Agreement between the parties — Yardstick’s Master Service Agreement (“MSA”), where one has been executed, and otherwise Yardstick’s Terms of Service (as further defined in Section 1) — and to govern Yardstick’s processing of personal data on behalf of a customer. Yardstick is an applicant tracking system (ATS): customers (“Controllers”) use the platform to carry out their hiring and recruiting activities, including, for example, managing Jobs, applicants, candidate pipelines, interviews, scorecards, hiring decisions, and reporting; AI-assisted content generation; and sourcing and outreach to prospective candidates. The features available may vary by plan and change over time. Customers may operate the platform directly or by directing a coding agent (e.g., Claude Code or Codex) that runs the Yardstick command-line interface (CLI). In doing so, Yardstick (“Processor”) processes personal data about the customer’s candidates, prospects, employees, and hiring-team users on the customer’s behalf.
1. Definitions
For purposes of this DPA:
- “Agreement” means the agreement between the parties under which Yardstick provides the Services — the MSA, where one has been executed between the parties, or otherwise the Terms of Service accepted by the Controller — together with any order forms or other ordering documents under which the Controller is provided the Services.
- “Applicable Data Protection Laws” means all laws and regulations applicable to the processing of Personal Data under this DPA, which may include the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR and Data Protection Act 2018, the California Consumer Privacy Act as amended by the CPRA (“CCPA/CPRA”), and the Virginia VCDPA, Colorado CPA, Connecticut CTDPA, and Texas TDPSA, together with other comparable U.S. state privacy laws as they come into effect.
- “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, “Personal Data Breach”, and “Sub-processor” have the meanings given in the GDPR (and their equivalents under other Applicable Data Protection Laws, including “business,” “service provider,” and “consumer” under the CCPA/CPRA).
- “Customer Personal Data” means Personal Data that Yardstick processes on the Controller’s behalf under the Agreement, as described in Annex I.
- “Services” means the Yardstick ATS and related services provided under the Agreement.
- “SCCs” means the Standard Contractual Clauses approved by the European Commission (Implementing Decision (EU) 2021/914) and, for UK transfers, the UK International Data Transfer Addendum (“UK Addendum”) issued by the ICO. See Section 7 and Annex IV.
2. Roles of the parties
2.1 Controller and Processor. As between the parties and with respect to Customer Personal Data, the Controller is the controller and Yardstick is the processor. Yardstick processes Customer Personal Data only on behalf of, and in accordance with the documented instructions of, the Controller. This mirrors the controller/processor framing in Yardstick’s Privacy Policy (employer = controller of candidate data; Yardstick = processor) and the Customer Obligations section of the Terms of Service.
2.2 CCPA/CPRA. With respect to Personal Data subject to the CCPA/CPRA, Yardstick acts as a “service provider” and will not (a) sell or share such Personal Data, (b) retain, use, or disclose it for any purpose other than performing the Services or as permitted by the CCPA/CPRA, or (c) combine it with Personal Data from other sources except as permitted by the CCPA/CPRA. The full service-provider certification and restrictions, and the parallel processor terms required by other U.S. state privacy laws, are set out in the US State Privacy Laws Addendum (Annex V).
2.3 Yardstick as controller for limited purposes. Yardstick acts as an independent controller for a limited set of data it processes for its own purposes — for example, account administration, billing, security, and product analytics — as described in its Privacy Policy. This DPA governs only Yardstick’s processing as a processor. Consistent with the Privacy Policy, Yardstick may also create and use aggregated, de-identified, or anonymized data that no longer identifies, and cannot reasonably be used to identify, any individual (and is therefore no longer Personal Data) to operate, evaluate, improve, and develop its products and services. With respect to any such de-identified data, Yardstick will take reasonable measures to ensure the data cannot be associated with an individual, will maintain and use it only in de-identified form, and will not attempt to re-identify it except as reasonably necessary to test that the de-identification is effective.
3. Scope and details of the processing
3.1 The subject matter, duration, nature and purpose of the processing, the types of Personal Data, and the categories of Data Subjects are described in Annex I.
3.2 Documented instructions. The Controller’s instructions are set out in this DPA and the Agreement, and include the Controller’s configuration and use of the Services through the platform. Yardstick will process Customer Personal Data only on such documented instructions, including with regard to international transfers, unless required to do otherwise by law (in which case Yardstick will inform the Controller of that legal requirement before processing, unless the law prohibits such notice on important grounds of public interest).
3.3 Lawfulness. As stated in the Terms of Service, the Controller is responsible for the lawfulness of the Customer Personal Data and of the Controller’s instructions, including having a valid lawful basis, providing required candidate notices, and obtaining any required consents. Yardstick will inform the Controller if, in its opinion, an instruction infringes Applicable Data Protection Laws; Yardstick has no obligation to actively monitor or audit the Controller’s instructions for such infringements.
3.4 AI-assisted processing. Where the Controller uses AI-assisted features, candidate, role, and customer content is processed (a) to produce requested output (e.g., job descriptions, interview questions, scorecards, interview plans) and (b) to provide AI-assisted evaluation of applications against the Controller’s job-related criteria as decision support for the Controller’s hiring team, using the generative-AI sub-processors identified in Annex III (currently Google Gemini, including for evaluation; Yardstick may also use Anthropic and OpenAI for content generation). Yardstick provides decision support and does not make hiring decisions; it does not automatically reject or screen out candidates, and a human reviewer on the Controller’s hiring team makes those decisions. As between the parties, the Controller — as the party that deploys the Services within its hiring process and makes the hiring decisions — is responsible for the obligations that attach to that role under laws governing automated or AI-assisted decision-making. Yardstick — as the party that develops the AI-assisted features — is responsible for the obligations that attach to its role, and will make available standard documentation describing the features’ intended purpose, capabilities, and known limitations — for example, through its product documentation and help resources — together with configuration options that support human oversight. Nothing in this Section requires either party to assume an obligation that applicable law places on the other. Yardstick does not use Customer Personal Data to train third-party AI models, consistent with the Privacy Policy and Terms.
3.5 AI-assisted development and support. Yardstick’s personnel use AI-assisted software-development tools (Claude Code, provided by Anthropic, and Codex, provided by OpenAI) to build, operate, debug, and support the Services. For troubleshooting, these tools are granted read-only access to production systems and may process Customer Personal Data in that context. These providers are engaged as Sub-processors (see Annex III) and are used under terms that disable use of submitted data for model training, and their access is limited to what is necessary to resolve the issue.
4. Confidentiality
Yardstick will ensure that personnel authorized to process Customer Personal Data are bound by appropriate obligations of confidentiality (whether contractual or statutory) and are made aware of the confidential nature of the data. Access is limited to personnel who need it to provide the Services. This is consistent with the confidentiality obligations in the Terms of Service.
5. Security measures
5.1 Yardstick will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk to Data Subjects. A description of these measures is set out in Annex II.
5.2 The Controller is responsible for its own configuration and use of the Services (including access management, role assignments, and which data it uploads).
6. Sub-processors
6.1 Authorization. The Controller provides a general authorization for Yardstick to engage Sub-processors to process Customer Personal Data, subject to this Section 6.
6.2 Current Sub-processors. Yardstick’s current Sub-processors are listed in Annex III and are published and maintained on the Sub-processors page at yardstick.team/subprocessors.
6.3 Flow-down. Yardstick will impose on each Sub-processor data-protection obligations that are substantially the same as, and no less protective than, those in this DPA, by written contract, and will remain responsible for each Sub-processor’s performance of its obligations. For the infrastructure and product Sub-processors (including the database, hosting, email, payment, and product-AI providers), these obligations are imposed through each provider’s data processing agreement. With respect to the AI-assisted development tooling identified in Annex III (Claude Code and Codex), which may incidentally and on a read-only basis access Customer Personal Data during development, debugging, and support: such access is limited to what is necessary for those purposes, the data is not used to train the providers’ models (Yardstick maintains the training opt-out on the applicable accounts), and Yardstick remains responsible for this processing and applies its confidentiality, least-privilege, and data-minimization controls to it.
6.4 Change notification. When Yardstick intends to add or replace a Sub-processor, it will give at least thirty (30) days’ advance notice before the new Sub-processor begins processing Customer Personal Data.
Yardstick provides this notice by updating the Sub-processors page and publishing the change to a subscribable feed at that page (or a successor feed) — together, the “channel of record.” Publication to the channel of record satisfies this notice requirement for all customers, and the 30-day period runs from the date of publication. Customers may subscribe to the feed to be alerted to changes.
In addition, any customer may request to receive these notices by email, and Yardstick will send them to the email address on file for that customer’s account. The customer is responsible for keeping its account email address current; because the channel of record governs, an out-of-date, undeliverable, or unsubscribed email address does not extend, suspend, or invalidate a notice properly published to the channel of record. An Enterprise customer may designate a specific notice contact in its MSA.
The Controller may object on reasonable data-protection grounds within the notice period. If the parties cannot resolve the objection (for example, by Yardstick offering a commercially reasonable alternative), the Controller’s sole remedy is to terminate the affected Services and receive a pro-rata refund of any prepaid, unused fees for those Services.
Where a Sub-processor must be added or replaced on an emergency basis (for example, the Sub-processor ceases operations, materially fails, or a security or continuity issue requires immediate action), Yardstick may make the change immediately and will publish notice to the channel of record — and send any elected email notice — promptly afterward; the Controller’s objection right and sole remedy above continue to apply.
This is consistent with the commitment published on the Sub-processors page.
6.5 Customer-configured integrations. Third-party services that the Controller connects and controls (for example, calendar, messaging, email, or other recruiting/HR systems accessed through the Controller’s own accounts) are not Yardstick Sub-processors. When the Controller enables such an integration, Yardstick exchanges data with that service on the Controller’s behalf and into destinations the Controller controls; the Controller’s use of, and relationship with, that service is governed by the Controller’s own agreement with the relevant provider, and the Controller is the controller with respect to that processing. Vendors Yardstick engages for its own purposes as an independent controller (Section 2.3) — such as its own marketing, billing, and analytics — are likewise not Sub-processors under this DPA.
7. International data transfers
7.1 Yardstick hosts the Services in the United States, and certain Sub-processors may process Customer Personal Data in the United States or other regions, as described in Annex III and in the International Data Transfer section of the Privacy Policy.
7.2 Transfer mechanism. Where Yardstick processes Customer Personal Data originating from the European Economic Area, the United Kingdom, or Switzerland in a country that has not received an adequacy decision, the parties agree that the SCCs (and, for UK data, the UK Addendum; for Swiss data, the applicable Swiss amendments) are incorporated into this DPA and apply to that transfer. The module selections and details are set out in Annex IV.
7.3 In the event of any conflict between the SCCs and this DPA, the SCCs prevail with respect to the transfers they govern.
8. Assistance to the Controller
8.1 Data Subject requests. Taking into account the nature of the processing, Yardstick will provide reasonable assistance (including by appropriate technical and organizational measures, insofar as possible) to enable the Controller to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Laws (e.g., access, rectification, erasure, restriction, portability, objection). If Yardstick receives such a request directly, it will, where permitted, direct the Data Subject to the Controller.
8.2 DPIAs and consultations. Taking into account the nature of processing and the information available to it, Yardstick will provide reasonable assistance to the Controller with data protection impact assessments and prior consultations with supervisory authorities under Articles 35–36 GDPR.
8.3 Self-service and fees. Much of the foregoing assistance is available to the Controller directly through the Services’ self-service tools (for example, to access, export, correct, and delete candidate data, a subset of Customer Personal Data) at no additional charge. Where the Controller requests assistance that goes beyond those tools and is more than trivial, Yardstick may charge a reasonable fee, and will respond within a timeframe that, taking into account the nature of the assistance, allows the Controller to meet its applicable legal deadlines.
9. Personal Data Breach notification
9.1 Yardstick will notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. Notice will be sent by email to the Controller’s designated security or account contact (or, if none is designated, the account administrator).
9.2 The notification will, to the extent known and available, describe the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address it. Yardstick will cooperate with the Controller and take reasonable steps to mitigate and remediate.
9.3 Yardstick’s notification is not an acknowledgment of fault or liability.
10. Return and deletion of Customer Personal Data
10.1 Upon termination or expiry of the Services, and at the Controller’s choice, Yardstick will return and/or delete Customer Personal Data as follows. For at least thirty (30) days after termination or expiry, Customer Personal Data remains available on a read-only basis so that the Controller can export it in a commonly used, machine-readable format through the Services’ export tools. Yardstick then retains the data for at least an additional thirty (30) days before deleting it from active systems; during that additional period the Controller may request more time to export, and Yardstick may, at its discretion, restore temporary access to assist. Yardstick will not retain Customer Personal Data longer than necessary to provide the Services or as required by applicable law. Absent a contrary written instruction from the Controller, the export-then-delete lifecycle described above is the default. Upon the Controller’s written request, Yardstick will confirm in writing that deletion has been completed.
10.2 After deletion from active systems, Yardstick may retain Customer Personal Data in routine backups for a limited period until those backups are overwritten or expire on its standard backup cycle, during which the data remains protected by this DPA and is isolated from active processing. The platform may also continue to make closed/archived hiring history available on a read-only basis as described on the pricing page, subject to the Controller’s plan and instructions. An enterprise Controller may instead elect return and/or deletion on the specific timeline set in its MSA.
11. Audits and demonstration of compliance
11.1 Yardstick will make available to the Controller information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR.
11.2 Yardstick will allow for and contribute to audits, including inspections, conducted by the Controller or an auditor it mandates (who must not be a competitor of Yardstick and must be bound by confidentiality), subject to reasonable confidentiality, security, scheduling, and scope limitations. Such audits are limited to once per twelve (12) months, on at least thirty (30) days’ prior written notice, except where a further audit is required following a Personal Data Breach or by a supervisory authority. Audits must not unreasonably disrupt Yardstick’s business and must not access other customers’ data or Yardstick confidential information beyond what is necessary. The Controller bears its own costs and the reasonable cost of Yardstick’s time and resources for any on-site audit. Yardstick may satisfy audit requests by providing its then-current third-party certifications or audit reports where available.
12. Liability
The liability of each party under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement, except as set out in this Section. Yardstick’s aggregate liability for claims arising out of a Personal Data Breach caused by Yardstick’s breach of its obligations under this DPA is subject to a cap equal to two (2) times the general aggregate liability cap set out in the Agreement (the “Data Protection Liability Cap”). All other liability under this DPA remains subject to the single, combined cap in the Agreement. This Section is without prejudice to the liability provisions of the SCCs, which apply, as required, to the transfers and Data Subjects they govern and are not limited by the caps in this Section or in the Agreement. Any further enhanced data-protection liability cap is a matter for the applicable enterprise MSA.
13. Term
This DPA is incorporated by reference into the Terms of Service (so a self-serve customer’s acceptance of the Terms binds this DPA) and is incorporated into or attached as an exhibit to the MSA for enterprise customers. It takes effect on the effective date of the MSA (enterprise) or on acceptance of the Terms of Service (self-serve), and remains in effect for as long as Yardstick processes Customer Personal Data on the Controller’s behalf. Any customer may request a countersigned copy of this DPA for its records. Sections that by their nature should survive termination (including Sections 10–12) survive.
14. Governing law and jurisdiction
Except where Applicable Data Protection Laws or the SCCs require otherwise, this DPA is governed by the law and subject to the jurisdiction specified in the Agreement (currently Washington State; King County, Washington courts). For the transfers the SCCs govern, the EU member-state governing law and supervisory authority selected in Annex IV apply.
15. Order of precedence
In the event of a conflict, the order of precedence is: (1) the SCCs (for the transfers they govern); (2) this DPA; (3) the MSA; (4) the Terms of Service.
Annex I — Description of the processing
A. Parties
- Data exporter / Controller: the Yardstick customer identified in the Agreement (the employer using the ATS). Role: controller of candidate and hiring data.
- Data importer / Processor: Yardstick, Inc., 720 Seneca St, Ste 107, #927, Seattle, WA 98101, USA. Role: processor providing the ATS.
B. Categories of Data Subjects
- Job applicants and candidates of the Controller.
- The Controller’s hiring-team users (e.g., recruiters, hiring managers, interviewers, admins).
- Other individuals whose data the Controller chooses to enter (e.g., references).
C. Categories of Personal Data
- Candidate data: name, contact details (email, phone, address), résumé/CV and application materials, work and education history, job preferences, interview responses, scorecards, evaluations, notes, and hiring-stage/status data.
- Hiring-team user data: name, work email, profile details, authentication identifiers, and activity within the platform.
- Communications metadata: transactional notification recipients and content.
- Billing data: billing contact details and limited payment information (full card data is handled by the payment Sub-processor; Yardstick stores only the last four digits).
D. Special categories of Personal Data
Not intentionally collected by Yardstick, and the Services are not designed or intended to be used to collect special-category or sensitive data — including demographic/EEO, background, or disability/accommodation data — except through any feature Yardstick may expressly provide for that purpose. The Controller agrees not to use the Services to intentionally collect special-category data outside of any such feature. The Controller may incidentally submit special-category data (e.g., contained in a résumé or interview response); Yardstick processes any such data only to provide the Services, on the Controller’s documented instructions and responsibility, and makes no representation that it applies special handling to such data.
E. Nature and purpose of processing
Hosting, storing, and transmitting the data to provide the Services, including, for example, applicant tracking; candidate pipeline management; application review; interview scheduling and coordination; scorecards and evaluations; sourcing and outreach to prospective candidates; reporting/analytics; AI-assisted content generation; transactional and outbound communications; billing; security; support; and related functionality Yardstick may offer from time to time.
F. Frequency of processing
Continuous, for the duration of the Services.
G. Duration of processing
For the term of the Agreement/Services, plus the return/deletion lifecycle in Section 10 (a read-only export window of at least 30 days, then at least 30 additional days’ retention before deletion from active systems) and subsequent backup age-out on the standard cycle.
H. Sub-processor processing
As described in Annex III.
Annex II — Technical and organizational security measures
- Encryption. Customer Personal Data is encrypted at rest using AES-256 and in transit using TLS. At-rest encryption — including for regularly scheduled database backups — is provided by default through Yardstick’s primary database Sub-processor (Supabase); data to and from the Services is protected with TLS/HTTPS.
- Access control. Role-based, least-privilege access to production and other critical systems, limited to personnel who need it. Yardstick personnel are required to use multi-factor authentication (MFA) — directly or through single sign-on with a multi-factor identity provider — to access the critical systems where Customer Data resides (for example, the database, hosting, source-control, and workspace-administration systems). For end users of the Services, Yardstick offers single sign-on via Google and Microsoft and optional end-user multi-factor authentication.
- Logging. Platform-level audit logging for the systems that process Customer Data, provided through the database and hosting Sub-processors, with logs reviewed as appropriate.
- Resilience and backup. Automated daily database backups, encrypted at rest with AES-256, with point-in-time recovery available where supported by the database Sub-processor (Supabase).
- Secure development and vulnerability management. Automated database security linting (Supabase Security Advisor) and AI-assisted security review of code changes are performed as part of the development process. Yardstick will perform or commission third-party penetration testing where reasonably required (for example, at an Enterprise customer’s request).
- Sub-processor security. Customer Data is hosted on the infrastructure of established Sub-processors with independently certified security programs — Supabase (primary database) holds a SOC 2 Type 2 attestation and is ISO 27001 certified, and Vercel (hosting and CDN) holds a SOC 2 Type 2 attestation and is ISO 27001:2022 certified (and is certified under the EU-U.S. Data Privacy Framework). Yardstick relies on and inherits these controls and reviews each infrastructure Sub-processor’s terms before use.
- Personnel. All personnel with access to Customer Data are bound by written confidentiality obligations (see Section 4), and access is granted on a need-to-know basis.
- Certifications/attestations. Yardstick does not currently hold its own SOC 2 or equivalent certification; it relies on the certified infrastructure Sub-processors described above (see Section 11 regarding audits).
Annex III — Sub-processors
This annex mirrors the published Sub-processors page (yardstick.team/subprocessors) as of 2026-06-23.
Processing regions below mirror the published Sub-processors page. Regions confirmed June 2026: Vercel iad1 (Washington, D.C.); Supabase AWS us-east-2; Resend United States; Stripe US/Global (Stripe, Inc.; the Stripe account country is the US with no data-residency or localization arrangement, so the default US/Global processing applies). Yardstick is on paid API tiers for its AI providers, which contractually exclude training on customer data.
| Sub-processor | Purpose | Categories of data | Processing region |
|---|---|---|---|
| Vercel, Inc. | Application hosting, CDN, and edge infrastructure | Personal Data and Customer Data in transit, plus request metadata and logs | United States — iad1 (Washington, D.C.); global edge CDN |
| Supabase, Inc. | Primary database (Postgres), authentication, and file storage | Account, candidate, role, interview, and scorecard records; uploaded content such as résumés; authentication identifiers | United States — AWS us-east-2 |
| Google LLC (Gemini API) | Generative-AI assistance for drafting hiring content (interview questions, scorecards, interview plans) and AI-assisted evaluation of applications against job-related criteria to help the hiring team review and prioritize candidates (decision support; no automated rejection without human review) | Content submitted for generation or evaluation, which may include candidate, role, and customer data such as résumés | United States |
| Anthropic, PBC (Claude / Claude Code) | Optional generative-AI assistance for drafting hiring-related content such as interview questions, scorecards, and interview plans; and AI-assisted software development, debugging, and support tooling | Prompt content submitted for generation (may include candidate, role, and customer data); and Customer Data that may be incidentally accessed (read-only) during development, debugging, or support | United States |
| OpenAI (OpenAI OpCo, LLC) (API / Codex) | Optional generative-AI assistance for drafting hiring-related content such as interview questions, scorecards, and interview plans; and AI-assisted software development, debugging, and support tooling | Prompt content submitted for generation (may include candidate, role, and customer data); and Customer Data that may be incidentally accessed (read-only) during development, debugging, or support | United States |
| Resend (Plus Five Five, Inc.) | Transactional email delivery for candidate and interviewer notifications | Recipient name and email address; transactional message content | United States |
| Stripe, Inc. | Billing and payment processing | Billing contact details and payment card information (full card data submitted directly to Stripe; Yardstick stores only the last four digits) | United States / Global (no per-account region selector for standard US accounts) |
Provider terms (privacy policies and DPAs) are linked on the Sub-processors page.
Annex IV — Standard Contractual Clauses details
IV.0 Incorporation of the operative Standard Contractual Clauses
The operative text of the EU Standard Contractual Clauses is the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 (OJ L 199, 7.6.2021, p. 31), as corrected and as in force (the “Clauses”). Official source (ELI): eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
The full operative text of Clauses 1 through 18 (Sections I–IV), as officially published, is incorporated into this DPA by reference and applies in full, as completed by the module selections, options, time periods, and Annex entries set out in this Annex IV. The parties agree to be bound by the Clauses as published; consistent with Clause 2, the Clauses are not modified, and the only choices the parties make are those the Clauses expressly leave to them, which are made in this Annex IV. Where this DPA reproduces, summarizes, or cross-references any part of the Clauses, the officially published text of the Clauses governs in the event of any conflict (subject to the order of precedence in Section 15, under which the Clauses rank first).
For the UK, the ICO International Data Transfer Addendum to the EU SCCs (version B1.0), issued under s.119A of the UK Data Protection Act 2018 and in force from 21 March 2022, is likewise incorporated by reference and completed by the Table 1–4 entries in IV.5. Official source: ico.org.uk. For Switzerland, the Clauses apply with the FDPIC-recognized amendments set out in IV.6.
The selections, options, and completed Annexes that configure this incorporated text are set out in IV.1–IV.6 below.
IV.1 EU SCCs (Commission Implementing Decision (EU) 2021/914)
- Modules: Module Two (Controller → Processor) for the Controller-to-Yardstick transfer and Module Three (Processor → Processor) for onward transfers to Sub-processors.
- Clause 7 (docking clause): INCLUDED.
- Clause 9 (use of sub-processors): Option 2 — General written authorization. Time period for prior notice of sub-processor changes: thirty (30) days, as set out in Section 6.4 of this DPA.
- Clause 11 (independent dispute resolution / redress): the optional independent-redress language is NOT opted in.
- Clause 17 (governing law): the law of Ireland.
- Clause 18 (choice of forum and jurisdiction): the courts of Ireland.
IV.2 SCC Annex I — Parties and description of transfer
SCC Annex I.A — List of parties
| | Data exporter | Data importer |
|---|---|---|
| Identity | The Yardstick customer identified in the Agreement (the employer using the ATS) | Yardstick, Inc. |
| Address | As stated in the Agreement / customer account record | 720 Seneca St, Ste 107, #927, Seattle, WA 98101, USA |
| Contact | The customer’s designated privacy/account contact in the MSA or account record | privacy@yardstick.team |
| Activities relevant to the transfer | Operating the customer’s hiring/recruiting processes through the Services | Providing the Yardstick ATS and related services as processor |
| Role | Controller | Processor |
| Signature / date | Deemed executed on acceptance of the Terms (self-serve) or on the MSA effective date (enterprise); per Section 13 | Same |
SCC Annex I.B — Description of transfer (cross-references DPA Annex I of this DPA)
- Categories of data subjects: as in DPA Annex I, Section B (Categories of Data Subjects) (job applicants/candidates; the Controller’s hiring-team users; other individuals the Controller chooses to enter).
- Categories of personal data: as in DPA Annex I, Section C (Categories of Personal Data) (candidate data; hiring-team user data; communications metadata; billing data).
- Special-category data: as in DPA Annex I, Section D (Special categories of Personal Data) — not solicited or intentionally collected; any incidental occurrence (e.g., within a résumé or interview response) is processed only to provide the Services on the Controller’s documented instructions and is protected by the same technical and organizational measures that apply to all Customer Personal Data (encryption, role-based least-privilege access control, and access restriction — see Annex II).
- Frequency of the transfer: continuous, for the duration of the Services (DPA Annex I, Section F).
- Nature and purpose of the processing: as in DPA Annex I, Section E (Nature and purpose of processing).
- Duration of processing / retention: for the term of the Agreement/Services plus the return/deletion lifecycle in Section 10 (DPA Annex I, Section G).
- Onward transfers to (sub-)processors: the Sub-processors in Annex III, for the purposes, data, and durations stated there.
SCC Annex I.C — Competent supervisory authority
The competent supervisory authority is identified in accordance with the SCCs and the EDPB’s guidance on completing Annex I.C:
- where the data exporter is established in an EEA member state, the supervisory authority of that member state;
- where the data exporter is not established in the EEA but has appointed a representative pursuant to Article 27 GDPR, the supervisory authority of the member state in which that representative is established;
- where the data exporter is not established in the EEA and is not required to appoint (and has not appointed) an Article 27 representative, the supervisory authority of the member state in which the data subjects whose Personal Data is transferred under these Clauses are located.
Where the foregoing does not resolve to a single competent supervisory authority, the Irish Data Protection Commission (DPC) applies as the residual default, consistent with the Clause 17 governing law.
IV.3 SCC Annex II — Technical and organizational measures
The technical and organizational measures the data importer has implemented are those described in Annex II of this DPA (encryption; access control, including least-privilege/role-based access and MFA on internal access; logging reviewed as appropriate; resilience and backup; secure development and vulnerability management; sub-processor security; personnel; and certifications/attestations), incorporated here by reference.
IV.4 SCC Annex III — List of sub-processors (Module Three)
The list of authorized sub-processors is set out in Annex III of this DPA and on the Sub-processors page (yardstick.team/subprocessors), incorporated here by reference. General authorization and the 30-day change-notice mechanism apply per Section 6.4 and Clause 9 Option 2 above.
IV.5 UK transfers
The ICO International Data Transfer Addendum (version B1.0) is attached to and modifies the EU SCCs for transfers subject to the UK GDPR.
- Table 1 (Parties): as in SCC Annex I.A above.
- Table 2 (Selected SCCs, modules and clauses): the EU SCCs as configured in IV.1 above (Modules Two and Three; Clause 7 in; Clause 9 Option 2 / 30 days; Clause 11 not opted in).
- Table 3 (Appendix information): Annexes I–III as completed above.
- Table 4 (Ending the Addendum): only the data importer (Yardstick) may end the Addendum when the Approved Addendum changes.
IV.6 Swiss transfers
For transfers subject to the Swiss Federal Act on Data Protection (FADP), the EU SCCs apply with the FDPIC-recognized amendments: references to the GDPR are read as references to the FADP where applicable; the competent authority is the Swiss Federal Data Protection and Information Commissioner (FDPIC); and the term “member state” is read so that data subjects in Switzerland may enforce their rights in Switzerland.
Annex V — US State Privacy Laws Addendum
Where this addendum and the body of the DPA address the same obligation, the body’s operative terms govern and this addendum supplies the statute-specific certifications and labels.
V.1 Scope and order of application
This addendum applies to Yardstick’s processing of Personal Data that is subject to a US State Privacy Law, and supplements the DPA. “US State Privacy Laws” means, as applicable, the California Consumer Privacy Act as amended by the CPRA and its implementing regulations (“CCPA”); the Virginia Consumer Data Protection Act (“VCDPA”); the Colorado Privacy Act (“CPA”); the Connecticut Data Privacy Act (“CTDPA”); and the Texas Data Privacy and Security Act (“TDPSA”); together with other comparable US state privacy laws that come into effect. Terms such as “business,” “service provider,” “contractor,” “controller,” “processor,” “consumer,” “personal information,” “process,” “sell,” and “share” have the meanings given in the applicable US State Privacy Law.
V.2 Roles
- Under the CCPA, the Controller is a business (or itself a service provider/contractor acting on a business’s behalf) and Yardstick is a service provider processing Personal Data on the Controller’s behalf pursuant to the DPA and the Agreement.
- Under the VCDPA, CPA, CTDPA, and TDPSA, the Controller is the controller and Yardstick is the processor.
V.3 CCPA/CPRA service-provider certification and restrictions
Yardstick receives the Personal Data from the Controller for the limited and specified purpose of performing the Services (the “Business Purposes”). The Business Purposes for which the Controller discloses Personal Data to Yardstick are the provision of the Services to the Controller, namely: applicant tracking and candidate pipeline management; receiving, reviewing, and evaluating applications; interview scheduling and coordination; creating scorecards and evaluations; sourcing and outreach to prospective candidates; reporting and analytics on the Controller’s hiring activity; AI-assisted generation of hiring-related content; transactional and outbound communications on the Controller’s behalf; billing and account administration; and security, support, and maintenance for the foregoing. Yardstick will not retain, use, or disclose the Personal Data for any purpose that is not one of these specified Business Purposes except as permitted by the CCPA. With respect to Personal Data processed under the CCPA, Yardstick certifies that it understands the restrictions in this Section V.3 and Section 2.2 of the DPA and will comply with them, and specifically that it will:
- (a) not sell the Personal Data and not share it for cross-context behavioral advertising, as “sell” and “share” are defined in the CCPA;
- (b) not retain, use, or disclose the Personal Data for any purpose other than the Business Purposes specified in the DPA/Agreement, including not retaining, using, or disclosing it for a commercial purpose other than those Business Purposes, except as otherwise permitted by the CCPA;
- (c) not retain, use, or disclose the Personal Data outside the direct business relationship between Yardstick and the Controller, except as permitted by the CCPA;
- (d) not combine the Personal Data with personal information that Yardstick receives from or on behalf of another person, or collects from its own interaction with the consumer, except as permitted by the CCPA for a service provider (Cal. Civ. Code § 1798.140(ag)(1)(D) and CCPA regs § 7050(b));
- (e) provide the same level of privacy protection as required of businesses by the CCPA;
- (f) notify the Controller if Yardstick makes a determination that it can no longer meet its obligations under the CCPA, after which the Controller may take reasonable and appropriate steps under (g);
- (g) permit the Controller to take reasonable and appropriate steps to (i) ensure that Yardstick uses the Personal Data in a manner consistent with the Controller’s obligations under the CCPA and (ii) stop and remediate any unauthorized use of the Personal Data; and
- (h) enable the Controller to comply with consumer requests under the CCPA (e.g., access, deletion, correction, and opt-out), including by deleting or enabling the Controller to delete Personal Data as described in Section 8 and Section 10 of the DPA.
V.4 Processor terms — Virginia, Colorado, Connecticut, Texas
For Personal Data subject to the VCDPA, CPA, CTDPA, or TDPSA, the parties’ processing is governed by documented instructions reflecting the nature, purpose, type of data, duration, and data subjects described in Annex I. As processor, Yardstick will:
- (a) process the Personal Data only on the Controller’s documented instructions (Section 3);
- (b) ensure each person processing the Personal Data is subject to a duty of confidentiality (Section 4);
- (c) at the Controller’s direction, delete or return all Personal Data at the end of the provision of the Services, unless retention is required by law (Section 10);
- (d) make available to the Controller, on reasonable request, the information reasonably necessary to demonstrate compliance with its obligations (Section 11);
- (e) allow for, and cooperate with, reasonable assessments and audits by the Controller or the Controller’s designated assessor, or arrange for a qualified and independent assessor to conduct an assessment of Yardstick’s policies and technical and organizational measures using an appropriate and accepted control standard or framework and assessment procedure, and make the assessment report available to the Controller on request (Section 11);
- (f) engage sub-processors only after providing the Controller an opportunity to object and pursuant to a written contract that requires the sub-processor to meet the obligations of a processor with respect to the Personal Data (Section 6); and
- (g) taking into account the nature of the processing and the information available to Yardstick, assist the Controller by appropriate technical and organizational measures, insofar as reasonably practicable, in (i) responding to consumer rights requests, (ii) meeting the Controller’s obligations regarding the security of processing and the notification of breaches involving Personal Data, and (iii) conducting data protection assessments where required (Sections 8 and 9).
V.5 De-identified data
Where Yardstick processes de-identified data, it will comply with the applicable US State Privacy Law’s de-identification requirements, consistent with the de-identification safe-harbor commitments in Section 2.3 of the DPA (reasonable measures against re-association, maintaining and using the data only in de-identified form, and no attempt to re-identify except as reasonably necessary to test that the de-identification is effective).