Data Processing Agreement
- Effective date: May 7, 2026
- Operated by: Avenor Holdings LLC
This DPA governs the Processor's transmission of Candidate personal data to the Employer (Controller) on behalf of Candidates who submit job applications, in compliance with the GDPR and, where applicable, the UK GDPR.
Parties to This Agreement
This Data Processing Agreement ("DPA", "Agreement") is entered into between:
Data Controller: The Employer entity identified in the Employer account registered on the Hab Jobs Platform ("Controller", "Employer", "you"), and
Data Processor: Avenor Holdings LLC, a Wyoming limited liability company, operating the Hab Jobs platform at https://www.habposlovi.com/ ("Processor", "Company", "we").
Together referred to as the "Parties" and individually as a "Party".
Background
The Controller operates as an Employer on the Hab Jobs Platform and uses the Platform's services to post job listings and receive applications from Candidates. In the course of providing these services, the Processor transmits personal data of Candidates ("Candidate Data") to the Controller on behalf of Candidates who submit job applications. The Parties have entered into this DPA to govern the Processor's activities in relation to the processing of Candidate Data transmitted through the Platform, in accordance with applicable data protection law including the General Data Protection Regulation (EU) 2016/679 ("GDPR") and, where applicable, the UK GDPR.
This DPA forms part of and supplements the Employer Terms and Conditions and the general Terms of Service between the Parties. In the event of a conflict between this DPA and those documents on a data protection matter, this DPA shall prevail.
1. Definitions
For the purposes of this Agreement, the following definitions apply. Terms defined in the GDPR have the meanings given to them in that Regulation.
- "GDPR" means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as implemented and supplemented by applicable national law.
- "UK GDPR" means the GDPR as retained in UK law by the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
- "Candidate Data" means personal data relating to Candidates who submit job applications through the Platform, transmitted by the Processor to the Controller in the course of providing the Platform's application management services.
- "Data Subject" means an identified or identifiable natural person to whom personal data relates, in this context a Candidate who has submitted a job application through the Platform.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
- "Processing" means any operation or set of operations performed on personal data, whether or not by automated means.
- "Sub-processor" means any third party engaged by the Processor to carry out processing activities on behalf of the Controller in connection with this DPA.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021, or any successor decision.
- "Supervisory Authority" means an independent public authority responsible for monitoring the application of the GDPR, as established under Article 51 GDPR.
2. Roles of the Parties
2.1 Controller and Processor Roles
The Parties acknowledge and agree that:
- With respect to Candidate Data transmitted by the Processor to the Controller through the Platform's application delivery function, the Processor acts as a data processor on behalf of the Controller, processing Candidate Data solely for the purpose of transmitting it to the Controller as instructed.
- Upon receipt of Candidate Data, the Controller acts as an independent data controller with full responsibility for ensuring that its subsequent use, storage, sharing, and retention of that data complies with applicable data protection law, including the GDPR.
- With respect to the Processor's own Platform operations — including account management, analytics, security, and communications — the Processor acts as an independent data controller and its processing activities are governed by the Processor's Privacy Policy, not by this DPA.
2.2 Scope of Processing Under This DPA
This DPA governs only the specific processing activity of transmitting Candidate Data from the Processor's Platform to the Controller upon receipt of a job application. It does not govern the Controller's subsequent processing of that data, for which the Controller is solely responsible as an independent data controller.
3. Details of Processing
3.1 Subject Matter
The subject matter of the processing governed by this DPA is the transmission of Candidate Data collected by the Processor through the Platform's application submission process to the Controller for the purpose of recruitment and candidate evaluation.
3.2 Duration
Processing under this DPA commences upon the Controller's acceptance of these terms and continues for as long as the Controller maintains an active Employer account on the Platform. Upon closure of the Employer account, the Processor ceases transmission of new Candidate Data to the Controller. The Controller's obligations under this DPA with respect to Candidate Data already received continue until that data is deleted or anonymized in accordance with Section 9.
3.3 Nature and Purpose of Processing
The nature of the processing is the transmission, via secure server-to-server communication, of personal data submitted by Candidates through the Platform's application interface. The purpose of the processing is to deliver job applications to the Employer to whom the Candidate has directed their application, enabling the Employer to evaluate the Candidate's suitability for the advertised role.
3.4 Categories of Data Subjects
The data subjects whose personal data is processed under this DPA are Candidates who have voluntarily submitted a job application through the Platform in response to a listing published by the Controller.
3.5 Categories of Personal Data
The categories of personal data transmitted under this DPA may include, depending on what the Candidate has chosen to provide:
- Full name
- Email address
- Phone number (if provided)
- Professional profile information, including work history, education, skills, and qualifications
- CV or resume documents uploaded by the Candidate
- Cover letter or application message
- Any other information the Candidate includes in their application or profile
The Processor does not intentionally transmit special category data as defined under Article 9 GDPR. If a Candidate includes special category data in their application materials, the Controller is responsible for handling that data with the heightened protections required under Article 9 and must identify an appropriate legal basis for processing it.
4. Processor Obligations
4.1 Processing on Instructions
The Processor shall process Candidate Data only for the purpose of transmitting it to the Controller as described in Section 3 and only in accordance with the Controller's documented instructions. The Controller's instruction to the Processor is to transmit Candidate Data to the Controller upon receipt of a valid job application directed at the Controller's listing. The Processor shall not process Candidate Data for any other purpose on the Controller's behalf without prior written instruction from the Controller.
If the Processor is required by applicable law to process Candidate Data for purposes other than those set out in this DPA, it will inform the Controller of that legal requirement before processing, unless prohibited from doing so by law.
4.2 Confidentiality
The Processor shall ensure that all personnel authorized to process Candidate Data under this DPA are subject to binding confidentiality obligations, whether by contract or by operation of law. Access to Candidate Data is restricted to personnel who require it to perform the transmission function described in this DPA.
4.3 Security Measures
The Processor shall implement and maintain appropriate technical and organizational measures to protect Candidate Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, or disclosure. These measures include at minimum:
- Encryption of personal data in transit using TLS version 1.2 or higher
- Encryption of personal data at rest where technically feasible and appropriate given the risk
- Access controls and role-based permissions limiting access to Candidate Data to authorized personnel only
- Regular review of security measures to ensure they remain appropriate given evolving risk levels
- Maintenance of an incident response procedure for detecting, reporting, and investigating personal data breaches
The Processor shall provide the Controller with reasonable assistance in ensuring compliance with the security obligations applicable to the Controller under Articles 32 to 34 GDPR, taking into account the nature of processing and the information available to the Processor.
4.4 Sub-processors
The Controller provides general written authorization for the Processor to engage sub-processors for the purpose of providing the Platform's technical infrastructure, including cloud hosting, email delivery, and payment processing services. The Processor shall:
- Ensure that any sub-processor is subject to written contractual obligations that impose data protection requirements no less protective than those set out in this DPA
- Maintain a current list of sub-processors, available to the Controller upon written request at info@habposlovi.com
- Notify the Controller of any intended addition or replacement of sub-processors by updating the sub-processor list and notifying registered Employer accounts by email with no less than 14 calendar days' notice prior to the change taking effect
The Controller may object to a new sub-processor on reasonable data protection grounds by notifying the Processor in writing within 14 calendar days of receiving notice. If the Parties cannot resolve the objection within 30 days, the Controller may terminate the Employer Terms and Conditions on written notice, subject to the termination provisions therein.
4.5 Assistance with Data Subject Rights
The Processor shall provide reasonable assistance to the Controller in fulfilling the Controller's obligations to respond to data subject rights requests from Candidates under Articles 15 to 22 GDPR, taking into account the nature of the processing and the information available to the Processor. Where a Candidate submits a data subject rights request directly to the Processor relating to data held by the Controller, the Processor will inform the Controller promptly and will not respond on the Controller's behalf without the Controller's explicit authorization.
4.6 Assistance with Data Protection Impact Assessments
Where required, the Processor shall provide reasonable assistance to the Controller in conducting Data Protection Impact Assessments (DPIAs) and in prior consultations with Supervisory Authorities under Articles 35 and 36 GDPR, to the extent such assistance relates to the processing activities covered by this DPA and the information available to the Processor.
4.7 Audit Rights
Upon the Controller's written request and with no less than 30 calendar days' prior notice, the Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA. The Controller may conduct audits or inspections of the Processor's processing activities covered by this DPA, either directly or through a mutually agreed third-party auditor, subject to the following conditions:
- Audits shall be conducted during normal business hours and in a manner that minimizes disruption to the Processor's operations
- The Controller shall bear the reasonable costs of any audit it initiates
- Any third-party auditor engaged by the Controller must be subject to written confidentiality obligations acceptable to the Processor
- Audits may not be conducted more than once per calendar year, except where the Controller has reasonable grounds to suspect a material breach of this DPA
The Processor may satisfy this obligation in whole or in part by providing the Controller with relevant certifications, audit reports, or other documentation issued by accredited third-party assessors, to the extent that such documentation addresses the Controller's reasonable compliance queries.
5. Controller Obligations
5.1 Lawful Basis for Processing
The Controller warrants and represents, on a continuing basis, that it has and will maintain a lawful basis under Article 6 GDPR (and, where applicable, Article 9 GDPR for special category data) for all processing of Candidate Data it receives through the Platform. The Controller acknowledges that the primary legal basis for processing Candidate Data received through the Platform will typically be the performance of steps taken at the Candidate's request prior to entering into a contract (Article 6(1)(b) GDPR), though the Controller is solely responsible for determining the appropriate legal basis for its own processing activities.
5.2 Compliance with Data Protection Law
The Controller is solely responsible for ensuring that its collection, use, storage, sharing, disclosure, and retention of Candidate Data received through the Platform complies with all applicable data protection laws in every jurisdiction in which the Controller operates or where the relevant Candidates are located. This includes, without limitation, providing Candidates with any required privacy notices or information about the Controller's data processing activities.
5.3 Data Minimization and Purpose Limitation
The Controller shall process Candidate Data only to the extent necessary for the legitimate purposes of evaluating candidates for the specific role to which they applied and for related recruitment record-keeping. The Controller shall not use Candidate Data for purposes materially inconsistent with the purpose for which it was collected without obtaining the Candidate's separate, informed consent.
5.4 Candidate Rights Requests
The Controller is responsible for responding to data subject rights requests from Candidates in relation to personal data held by the Controller. The Controller shall respond to such requests within the timeframes required by applicable data protection law. Where the Controller requires the Processor's assistance to respond to a request, it shall contact info@habposlovi.com with sufficient notice to allow the Processor to provide that assistance within the applicable legal timeframe.
6. Personal Data Breaches
6.1 Processor Notification
In the event of a Personal Data Breach affecting Candidate Data processed under this DPA, the Processor shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach, to the extent that it is possible to do so. The notification shall include, to the extent available at the time of notification:
- A description of the nature of the breach, including the categories and approximate number of data subjects affected and the categories and approximate volume of personal data records affected
- The name and contact details of the Processor's data protection contact
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to be taken to address the breach, including mitigation measures
Where all required information is not available within 72 hours, the Processor shall provide an initial notification with the information available and supplement it with further details as they become available. A breach notification does not constitute an admission of fault or liability by the Processor.
6.2 Controller Notification Obligations
The Controller is solely responsible for determining whether to notify the relevant Supervisory Authority and affected Candidates of a breach in accordance with Articles 33 and 34 GDPR and any equivalent provisions of applicable national law. The Processor's notification to the Controller under Section 6.1 does not relieve the Controller of its own notification obligations or constitute a determination that notification to a Supervisory Authority or Candidates is required.
6.3 Cooperation
Following a Personal Data Breach, the Processor shall cooperate fully with the Controller in investigating the breach and implementing remediation measures, to the extent the breach relates to data processed under this DPA. Each Party shall bear its own costs of investigation unless the breach was caused solely by the negligence or willful misconduct of the other Party.
7. International Data Transfers
7.1 Transfers by the Processor
Avenor Holdings LLC is incorporated in the United States. The transmission of Candidate Data from the Processor to the Controller constitutes a transfer of personal data from the Platform's infrastructure to the Controller's systems. Where the Controller is located outside the European Economic Area (EEA) or another country recognized as providing adequate protection under GDPR, the Parties acknowledge that such transfer requires appropriate safeguards.
Where the Controller is located in a country not recognized as providing adequate protection, the Parties agree that the relevant Standard Contractual Clauses (Module 1: Controller to Controller) issued by the European Commission pursuant to Implementing Decision (EU) 2021/914, or such successor mechanism as may be approved under applicable law, are incorporated into and form part of this DPA, to the extent required by applicable data protection law.
7.2 Transfers by the Controller
The Controller is solely responsible for ensuring that any onward transfer of Candidate Data from the Controller to third parties — including to sub-processors engaged by the Controller — is conducted in compliance with applicable data protection law, including any requirements relating to cross-border data transfers.
7.3 Processor's Transfer Mechanisms
To the extent the Processor transfers Candidate Data to its own sub-processors located outside the EEA as part of providing the Platform's technical infrastructure, the Processor shall ensure appropriate transfer mechanisms are in place, including Standard Contractual Clauses with relevant sub-processors where required.
8. Sub-Processor List
As of the Effective Date of this DPA, the Processor's principal sub-processors that may process Candidate Data in the course of providing Platform services include:
Stripe, Inc.: Payment processing infrastructure. Processing location: United States and European Union. Purpose: Payment authentication and fraud prevention in connection with Employer billing. Note: Stripe does not process Candidate Data for payment purposes; Stripe may process limited technical metadata (such as IP addresses and device identifiers) as part of its fraud prevention functions.
Cloud infrastructure and hosting provider(s): Server hosting, data storage, and content delivery. Processing location: United States and/or European Union, depending on infrastructure configuration. Purpose: Platform operation and data storage.
Email delivery service provider(s): Transactional email delivery. Processing location: United States and/or European Union. Purpose: Delivering application notifications and account communications to Employers.
The Processor will maintain an updated sub-processor list and will provide the current version to the Controller upon written request at info@habposlovi.com.
9. Deletion and Return of Data
9.1 Upon Termination
Upon termination or expiry of the Employer Terms and Conditions, or upon written request by the Controller at any earlier time, the Processor shall, at the Controller's election:
- Delete all Candidate Data that remains in the Processor's systems and that was processed solely on behalf of the Controller under this DPA; or
- Return to the Controller a copy of Candidate Data in a commonly used, machine-readable format, following which the Processor shall delete all copies from its systems
The Processor shall complete deletion or return within 30 calendar days of the relevant request or termination event and shall provide written confirmation to the Controller upon completion.
9.2 Retention Permitted by Law
Notwithstanding Section 9.1, the Processor may retain Candidate Data to the extent required by applicable law, and only for as long as required by that law. Any such retained data shall remain subject to the confidentiality and security obligations of this DPA.
9.3 Controller's Deletion Obligations
The Controller is solely responsible for deleting or anonymizing Candidate Data it holds in its own systems in accordance with applicable data protection law and the data retention principles described in Section 5. The Processor's deletion obligations under this Section relate only to data processed on behalf of the Controller within the Processor's own infrastructure.
10. Liability
Each Party shall be liable to the other for direct damages caused by a breach of this DPA, subject to the limitations set out in the general Terms of Service and Employer Terms and Conditions. Neither Party shall be liable to the other for any indirect, incidental, consequential, or punitive damages arising out of or in connection with this DPA, to the maximum extent permitted by applicable law.
As between the Parties, each Party shall be liable to data subjects and Supervisory Authorities for breaches of the GDPR or other applicable data protection law to the extent attributable to its own processing activities. If a Party pays compensation to a data subject or Supervisory Authority for a breach that is attributable in whole or in part to the other Party, the paying Party may seek contribution from the other Party in proportion to their respective responsibility for the breach.
Nothing in this Section limits either Party's liability to data subjects under applicable data protection law.
11. Term and Termination
This DPA enters into force on the date the Controller accepts the Employer Terms and Conditions and remains in force for as long as the Employer Terms and Conditions are in effect. Upon termination of the Employer Terms and Conditions for any reason, this DPA terminates automatically, subject to the survival of obligations relating to data already processed, deletion, confidentiality, and audit rights for the periods specified herein.
Either Party may terminate this DPA on written notice if the other Party materially breaches this DPA and fails to remedy the breach within 30 calendar days of receiving written notice identifying the breach in reasonable detail. Termination of this DPA does not affect either Party's rights or obligations that have accrued prior to termination.
12. Governing Law
This DPA shall be governed by the laws of the State of Wyoming, United States, without prejudice to the mandatory application of GDPR provisions where applicable. For matters specifically governed by the GDPR or EU data protection law, the applicable EU legal framework shall take precedence.
Any dispute arising under this DPA shall be resolved in accordance with the dispute resolution provisions set out in the general Terms of Service, subject to any mandatory rights of data subjects and Supervisory Authorities under applicable data protection law.
13. Amendments
The Processor reserves the right to amend this DPA from time to time to reflect changes in applicable data protection law, updates to the Platform's processing activities, or changes to the sub-processor list. Material amendments will be communicated to the Controller by email with no less than 30 calendar days' notice. If the Controller does not object in writing within that notice period, the amended DPA shall take effect at the end of the notice period.
Where amendments are required by changes to applicable law, they may take effect immediately upon the Processor providing written notice to the Controller.
14. Contact and Execution
Employers who require a countersigned version of this DPA for their own compliance records should contact info@habposlovi.com with the subject line "DPA Request". The Processor will provide a countersigned copy within 15 business days of receiving a complete request.
For all data protection inquiries, data subject assistance requests, sub-processor queries, and breach notifications under this DPA, please contact:
Avenor Holdings LLC
Address: 75 E 3rd St, Sheridan, WY 82801, United States
Email: info@habposlovi.com
Website: https://www.habposlovi.com/
Annex 1 — Description of Processing Activities
This Annex forms part of the Data Processing Agreement between the Parties and sets out the specific details of the processing activities governed by the DPA, as required under Clause 1(b) and Annex I of the Standard Contractual Clauses where applicable.
Data exporter (Controller): The Employer registered on the Hab Jobs Platform, whose identity and contact details are recorded in the Employer account.
Data importer (Processor): Avenor Holdings LLC, 75 E 3rd St, Sheridan, WY 82801, United States. Email: info@habposlovi.com.
Activities relevant to data transfer: Transmission of Candidate job application data from the Platform's infrastructure to the Employer's account dashboard and registered email address upon receipt of a Candidate application.
Frequency of transfer: On a per-application basis, triggered each time a Candidate submits a job application in response to the Employer's listing.
Nature of processing: Electronic transmission of personal data over an encrypted TLS connection from the Platform's servers to the Employer's designated access point.
Purpose of transfer: Delivery of Candidate applications to the Employer for the purpose of recruitment and candidate evaluation.
Retention period: The Processor retains Candidate Data in connection with the Controller's account for the duration of the active Employer account and for a period of up to 12 months following account closure, unless a shorter period is requested or required by applicable law.
Categories of data subjects: Candidates who have voluntarily submitted a job application through the Platform in response to a listing published by the Controller.
Categories of personal data: Name, email address, phone number (if provided), professional profile and CV data, cover letter, and any other information voluntarily included by the Candidate in their application.
Sensitive data: Not intentionally included. The Processor does not collect or transmit sensitive data as part of the standard application process. Any sensitive data inadvertently included by a Candidate is the Controller's responsibility to handle in accordance with Article 9 GDPR.
Competent supervisory authority: The supervisory authority with jurisdiction over the Controller's processing activities, as determined by the Controller's establishment or the location of its data subjects. For Controllers established in the EU, this will typically be the supervisory authority of the Member State of establishment.