Metaview Global Limited
Data Processing Agreement
Last Updated on 03/11/2023
This Data Processing Agreement is an integral part of Metaview’s Terms of Service.
1.1 In this Agreement:
"Agreement" means this data processing agreement including any Schedules, and any amendments to this Agreement agreed in writing between the Parties from time to time;
“Controller”, “Data Subject”, “Personal Data”, “Process” and “Processor” shall have the meanings given to them in the GDPR;
"Data Protection Laws" means all applicable laws relating to the processing of Personal Data including any national, federal, state, provincial, and local laws and regulations governing the use and disclosure of personal information, including the California Consumer Privacy Act 2018, the UK GDPR, the Data Protection Act 2018 and the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR);
“Terms of Service” or "ToS" means the legally binding agreement governing the use of the Services entered into between the parties on or about the date of this Agreement;
“Standard Contractual Clauses” or “SCC” means the standard contractual clauses for international transfers annexed to the European Commission's Implementing Decision on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, published on June 4, 2021, including as incorporated into the UK Transfer Addendum, if applicable; and
"Schedule" means any schedule attached to the main body of this Agreement.
2.1 This Agreement is part of Metaview’s Terms of Service (ToS).
2.2 Any capitalized terms that are:
- used in this Agreement;
- defined in the ToS; and
- not defined in this Agreement,
shall in this Agreement have the meanings given to them in the ToS.
2.3 If there is a conflict between this Agreement and the ToS, then the ToS shall take precedence.
3.1 This Agreement shall come into force upon the Commencement Date and shall continue until all Processing of Personal Data under the ToS has completed.
4.1 The Parties acknowledge and agree that for the purposes of the Data Protection Laws the Customer is the Controller and Metaview is the Processor in respect of all Personal Data Processed by Metaview in connection with the Services.
5. Data protection
5.1 Both Parties shall comply with the Data Protection Laws with respect to the Processing of Personal Data.
5.2 The Customer shall provide the Data Subjects with all necessary information and shall obtain all necessary consents to ensure that Metaview can lawfully Process their Personal Data for the purposes of performing the Services.
5.3 The subject matter and duration of the Processing, the nature and purpose of the Processing, and the type of Personal Data and categories of Data Subjects are set out in Schedule 1 to this Agreement.
5.4 Metaview shall only Process the Personal Data for the purposes of the Services and on the documented instructions of the Customer.
5.5 Metaview shall promptly inform the Customer if, in the opinion of Metaview, an instruction of the Customer relating to the Processing of the Personal Data infringes the Data Protection Laws.
5.6 Notwithstanding any other provision of this Agreement, Metaview may process the Personal Data if and to the extent that Metaview is required to do so by law. In such a case, Metaview shall inform the Customer of the legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
5.7 Metaview shall ensure that persons authorized to Process the Personal Data have committed themselves to confidentiality obligations no less stringent than set forth in the Agreement or are under an appropriate statutory obligation of confidentiality no less stringent than set forth in the Agreement.
5.8 Metaview must at all times implement industry standard technical and organizational measures against unauthorized or unlawful processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data including, but not limited to, the security measures set out in Schedule 1 and the following (as appropriate):
(a) the pseudonymisation and encryption of Personal Data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
(d) a process for regularly testing, assessing and evaluating the effectiveness of the security measures.
5.9 Metaview must not engage any third party to Process the Personal Data (Sub-Processor) without the prior specific or general written authorisation of the Customer. In the case of a general written authorisation, Metaview shall inform the Customer at least 7 days in advance of any intended changes concerning the addition or replacement of any Sub-Processor, and if the Customer (acting reasonably) objects to any such changes before their implementation, then Metaview shall take account of the Customer’s objections before proceeding with the change.
5.10 Metaview shall enter into a contract with each Sub-Processor on the terms of this Agreement. Where the Sub-Processor fails to fulfil any of its obligations in relation to this Agreement, Metaview shall be directly liable to the Customer.
5.11 As at the Commencement Date, Metaview is hereby authorised by the Customer to engage, as Sub-Processors with respect to Personal Data, the third parties identified in Paragraph 6 of Schedule 1 (Data processing information).
5.12 Metaview shall take appropriate technical and organisational measures to assist the Customer with the fulfilment of the Customer’s obligation to respond to requests exercising a Data Subject's rights under the Data Protection Laws.
5.13 Metaview shall assist the Customer in ensuring compliance with the obligations relating to the security of processing of personal data, the notification of personal data breaches to the supervisory authority, the communication of personal data breaches to the data subject, data protection impact assessments and prior consultation in relation to high-risk processing under the Data Protection Laws.
5.14 Metaview must notify the Customer of any Personal Data breach affecting the Personal Data without undue delay and, in any case, not later than 48 hours after Metaview becomes aware of the breach.
5.15 Metaview shall make available to the Customer all information necessary to demonstrate the compliance of Metaview with its obligations under this Agreement.
5.16 Metaview shall, at the choice of the Customer, delete or return all of the Personal Data to the Customer after the provision of Services relating to the Processing, and shall delete existing copies save to the extent that applicable law requires storage of the relevant Personal Data.
5.17 Metaview shall allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer in respect of the compliance of Metaview’s processing of Personal Data with the Data Protection Laws and this Clause 5.
5.18 If any changes or prospective changes to the Data Protection Laws result or will result in one or both parties not complying with the Data Protection Laws in relation to Processing of Personal Data carried out under this Agreement, then the parties shall use all reasonable endeavours promptly to agree such variations to this Agreement as may be necessary to remedy such non-compliance.
6. Cross-border transfers of Personal Data
6.1 Metaview shall not transfer any of the Customer’s Personal Data outside of the European Economic Area (EEA) and the United Kingdom to a country or territory that is not in receipt of an adequacy decision save where Metaview has entered into the Standard Contractual Clauses or (provided it has obtained the prior written agreement of the Customer) has ensured appropriate legal and technical safeguards or mechanisms are in place in order to comply with Data Protection Legislation.
SCHEDULE 1 (DATA PROCESSING INFORMATION)
1. Categories of data subject
The employees of the Customer, the job candidates of the Customer.
2. Types of Personal Data
Names of employees and job candidates of the Customer, email addresses of the job candidates and employees of the Customer, video and voice of employees and job candidates of the Customer.
3. Subject-Matter, Nature and Purposes of processing
Assessing and evaluating interview technique of the employees of the Customer, aiding in the decision making process on the job candidates of the Customer.
4. Duration of processing
For the duration of this Contract plus a reasonable period of time afterwards to allow for the return or deletion of the Personal Data.
5. Security measures for Personal Data
Preventing Unauthorized Product Access
Authentication: Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.
Authorization: Customer data is stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of Metaview’s products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the roles associated with each user.
Preventing Unauthorized Product Use
Metaview implements industry standard access controls and detection capabilities for the internal networks that support its products.
Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
Static code analysis: Security reviews of code stored in Metaview’s source code repositories are performed, checking for coding best practices and identifiable software flaws.
Limitations of Privilege & Authorization Requirements
Product access: A subset of Metaview’s employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Access is enabled through “just in time” requests for access; all such requests are logged. Employees are granted access by role, and reviews of high risk privilege grants are initiated daily. Employee roles are reviewed at least once every six months.
Background checks: All of Metaview’s employees undergo a third-party background check prior to being extended an employment offer, in accordance with the applicable laws. All employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.
Transmission Control
In-transit: Metaview makes HTTPS encryption (also referred to as SSL or TLS) available on every one of its login interfaces and for free on every customer site hosted on Metaview’s products. Metaview’s HTTPS implementation uses industry standard algorithms and certificates.
At-rest: Metaview has implemented technologies to ensure that stored data is encrypted at rest.
Detection: Metaview designed its infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. Metaview’s personnel, including security, operations, and support personnel, are responsive to known incidents.
Response and tracking: Metaview maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, Metaview will take appropriate steps to minimize product and Customer damage or unauthorized disclosure.
Communication: If Metaview becomes aware of unlawful access to Customer data stored within its products, Metaview will: 1) notify the affected Customers of the incident; 2) provide a description of the steps Metaview is taking to resolve the incident; and 3) provide status updates to the Customer contact, as reasonably requested by Customer. Notification(s) of incidents, if any, will be delivered to one or more of the Customer’s contacts in a form Metaview selects, which may include via email or telephone.
6. Sub-processors of Personal Data
6.1 General Consent: Customer agrees that Metaview may engage third-party Sub-processors in connection with the provision of Services, subject to compliance with the requirements in accordance with the terms of this Agreement. As a condition to permitting a Sub-processor to Process Customer Data, Metaview will enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Customer Data as those in this Agreement, to the extent applicable to the nature of the Services provided by such Sub-processor. Metaview will provide copies of any Sub-processor agreements to Customer pursuant only upon reasonable request by Customer.
6.2 Current Sub-processor List: Customer acknowledges and agrees that Metaview may engage its current Sub-processors listed in the chart below.
|Lawful transfer mechanism
Application hosting and data storage
Capture and storing system logs
Automated interview transcription
Logging of users’ website interactions
Standard Contractual Clauses
Email notifications to interviewers. Recording of interviews conducted by phone.
Standard Contractual Clauses
DPA + Standard Contractual Clauses
DPA + Standard Contractual Clauses