CPRA Data Processing Addendum

This CPRA Data Processing Addendum (“CDPA”) replaces the CCPA Data Processing Addendum, amends the terms and forms part of the Lever Terms of Service or other agreement governing your use of the applicable Lever cloud product(s) (“Services”) (collectively, the “Agreement”) by and between you (the “Customer”) and Lever, Inc. (“Lever”). This CDPA shall apply to “Personal Information” of a “Consumer” as those terms are defined under the California Privacy Rights Act of 2020 (“CPRA”) (referred to hereafter as “Customer Data”), that Lever processes in the course of providing Customer the Services under the Agreement.

This CDPA shall be effective the later of: (a) the date Lever receives a complete and executed Order Form from the Customer indicated in the signature block above (the “Effective Date”) or (b) January 1, 2023.

This DPA was last updated January 25, 2023. Lever reserves the right to periodically modify this DPA upon written notice to Customer, and such modification will automatically become effective in the next service term. Archived versions of this DPA are available here.

Lever understands the terms in this CDPA and agrees to comply with them. In the event of any conflict between the Order Form, the CDPA and/or the Agreement, the following order of precedence shall apply (in descending order): (1) the CDPA (if applicable), (2) the Agreement, and (3) the Order Form. There will be no force or effect to any different terms of any related purchase order or similar form even if signed by the parties after the date hereof.

1 Effectiveness
1.1 This CDPA will terminate automatically upon termination of the Agreement or as earlier terminated pursuant to the terms of this CDPA.

2 Data Processing
2.1 Customer’s Role. The Customer is a Business (as such term is defined under the CPRA), and as such Customer determines the purpose and means of processing Customer Data. Customer will provide Customer Data to Lever solely for the purpose of Lever performing the Services.
2.2 Lever’s Role. Lever is a Service Provider (as such term is defined under the CPRA), and as such Lever shall provide the Services and process any Customer Data in accordance with the Agreement. Lever may not retain, use, or disclose Customer Data for any other purpose other than for providing the Services and in performance of the Agreement.
2.3 Data Processing, Transfers and Sales. Lever will process Customer Data only as necessary to perform the Services, and will not, under any circumstances, collect, combine, share, use, retain, access, share, transfer, or otherwise process Customer Data for any purpose not related to providing such Services. Lever will refrain from taking any action that would cause any transfers of Customer Data to or from Lever to qualify as “selling personal information” as that term is defined under the CPRA.
2.4 Sub-Service Providers. Notwithstanding the restrictions in Section 2.3, Customer agrees that Lever may engage other Service Providers (as defined under the CPRA), to assist in providing the Services to Customer (“Sub-Service Providers”). A list of Lever’s Sub-Service Providers can be found at www.lever.co/subprocessors. ,provided always that such engagement shall be subject to a written contract binding each such Sub-Service Provider to terms no less onerous than those contained within this CDPA. Lever shall be responsible for all acts or omissions of its Sub-Service Providers as if they were the acts or omissions of Lever.
2.5 Security. Lever will use commercially reasonable security procedures that are reasonably designed to maintain an industry-standard level of security, prevent unauthorized access to and/or disclosure of Customer Data. An outline of Lever’s minimum security standards can be found at www.lever.co/security-exhibit/.
2.6 Retention. Lever will retain Customer Data only for as long as the Customer deems it necessary for the permitted purpose, or as required by applicable laws. At the termination of this CDPA, or upon Customer’s written request, Lever will either destroy or return Customer Data to the Customer, unless legal obligations require storage of the Customer Data.
2.7 Consumer Rights Requests. Lever provides Customer with tools to enable Customer to respond to a Consumer Rights’ requests to exercise their rights under the Data Protection Laws. See help.lever.co/hc/en-
. To the extent Customer is unable to respond to Data Subject’s request using these tools, Lever will provide reasonable assistance to the Customer in responding to the request.
2.8 Assistance with Consumers’ Rights Requests. If Lever, directly or indirectly, receives a request submitted by a Consumer to exercise a right it has under the CPRA in relation to that Consumer’s Customer Data, it will provide a copy of the request to the Customer. The Customer will be responsible for handling and communicating with Consumers in relation to such requests.

3 Assessments & Third-Party Certifications
3.1 Impact Assessment Assistance. Taking into account the nature of the Processing and the information available, Lever will provide assistance to Customer in complying with its obligations under Applicable Law (inclusive) (which address obligations with regard to security, breach notifications, data risk assessments, and prior consultation). Upon request, Lever will provide Customer a list of processing operations.
3.2 Certification/SOC Report. In addition to the information contained in this CDPA, upon Customer’s request, and subject to the confidentiality obligations set forth in the Agreement place, Lever will make available the following documents and information regarding the System and Organization Controls (SOC) 2 Report (or the reports or other documentation describing the controls implemented by Lever that replace or are substantially equivalent to the SOC 2), so that Customer can reasonably verify Lever’s compliance with its obligations under this CDPA.
3.3 If Customer has reasonable cause to suspect that Lever is not providing the platform in a manner consistent with CPRA and allowing unauthorized use of personal information, Customer may (i) submit an inquiry to privacy@employinc.com, (ii) cease use of their license until they are able to confirm Lever’s compliance, or (iii) with evidence of non-compliance of CPRA terminate the Agreement between the parties. Lever will provide notice if it believes it can no longer meet its obligations under this CDPA.

4 Enforceability
4.1 Enforceability of the CDPA. Any provision of this CDPA that is prohibited or unenforceable shall be ineffective to the extent of such prohibition or unenforceability without invaliding the remaining provisions hereof. The parties will attempt to agree upon a valid and enforceable provision that is a reasonable substitute and shall then incorporate such substitute provision into this CDPA.

5 Liability
5.1 To the extent permitted by applicable laws, liability arising from claims under this CDPA will be subject to the terms of the Agreement.