Data Processing Agreement

Last updated: April 30, 2026

1. Definitions and scope

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Information Direct, Inc. ("Processor") and the client ("Controller") and governs the processing of personal data by the Processor on behalf of the Controller in connection with background screening services.

For GDPR, UK GDPR, and similar data protection laws, the client generally acts as Controller for screening decisions and candidate relationship management, and Information Direct acts as Processor when processing personal data on documented client instructions. Information Direct may also have independent statutory duties as a consumer reporting agency under the FCRA and applicable consumer reporting laws.

For purposes of this DPA: "Personal Data" means any information relating to an identified or identifiable natural person processed in connection with the services; "Processing" means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, and erasure; "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller; "Data Protection Laws" means all applicable data protection and privacy legislation, including the GDPR, CCPA/CPRA, and the FCRA as applicable.

2. Data processing scope and purpose

The Processor shall process Personal Data only for the purpose of providing the background screening services requested by the Controller, including: compiling consumer reports under the FCRA, performing courthouse research and criminal records searches, conducting employment, education, and professional license verifications, facilitating drug testing through certified laboratory partners, and delivering reports and results through the Information Direct platform.

The categories of Personal Data processed include: applicant identifiers (name, date of birth, Social Security number, address history), employment and education history, criminal records and court filings, professional license information, and drug test results. The categories of data subjects include: job applicants, employees, contractors, tenants, and other individuals for whom the Controller has a permissible purpose under applicable law. Processing begins when the Controller submits an authorized request and continues for the term of service delivery plus the retention period required by law, contract, audit, or litigation hold.

3. Processor obligations

The Processor shall: (a) process Personal Data only on documented instructions from the Controller, unless required by law; (b) ensure that persons authorized to process Personal Data are bound by confidentiality obligations; (c) implement appropriate technical and organizational security measures as described in Section 5 of this DPA; (d) assist the Controller in responding to data subject requests; (e) assist the Controller in ensuring compliance with data protection impact assessments and prior consultation obligations where required; (f) make available all information necessary to demonstrate compliance with this DPA; and (g) immediately inform the Controller if, in the Processor's opinion, an instruction infringes applicable Data Protection Laws.

4. Sub-processor management

The Controller provides general authorization for the Processor to engage Sub-processors in connection with the services. Current sub-processor categories include hosting and infrastructure providers, transactional email providers, payment processors when enabled, customer relationship management systems when enabled, laboratory partners, verification partners, and courthouse research contractors. A current named list will be made available upon request. The Processor shall notify the Controller at least thirty (30) days before adding or replacing a material Sub-processor, providing the Controller with an opportunity to object.

If the Controller objects to a new Sub-processor on reasonable data protection grounds, the parties shall discuss the concern in good faith. If no resolution is reached within fifteen (15) days, the Controller may terminate the affected services without penalty.

The Processor shall impose data protection obligations on each Sub-processor that are no less protective than those set forth in this DPA, and shall remain fully liable to the Controller for the performance of each Sub-processor's obligations.

5. Security measures

The Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures include encryption of sensitive candidate fields at rest, TLS 1.2+ in transit, role-based access controls, strong password hashing, least-privilege administration, audit logging, secure backup procedures, vendor due diligence, documented incident response procedures, employee confidentiality obligations, security awareness practices, and periodic control reviews. Additional controls, such as multi-factor authentication, are applied where available and appropriate for the relevant system.

The Processor maintains security controls mapped to recognized frameworks and shall provide available security documentation, audit summaries, or independent reports upon the Controller's reasonable request. Information Direct will not represent a certification as current unless a current certificate or attestation is available.

6. Data breach notification

In the event of a Personal Data breach, the Processor shall notify the Controller without undue delay and in any event within seventy-two (72) hours of becoming aware of the breach. The notification shall include: (a) a description of the nature of the breach, including the categories and approximate number of data subjects and records affected; (b) the name and contact details of the Processor's data protection contact; (c) a description of the likely consequences of the breach; and (d) a description of the measures taken or proposed to address the breach and mitigate its effects.

The Processor shall cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the breach, and shall provide timely updates as additional information becomes available.

7. Data return and deletion on termination

Upon termination or expiration of the services agreement, the Processor shall, at the Controller's election, return all Personal Data to the Controller in a structured, commonly used, and machine-readable format, securely delete eligible Personal Data in the Processor's possession, or retain only the records required by law, contract, audit, or litigation hold and certify the selected action in writing.

Notwithstanding the foregoing, the Processor may retain Personal Data to the extent required by applicable law, including FCRA record retention requirements and applicable state retention schedules. Any retained data shall continue to be protected in accordance with this DPA and shall be deleted promptly upon expiration of the applicable retention period.

8. Audit rights

The Controller shall have the right to audit the Processor's compliance with this DPA. Audits may be conducted by the Controller or a qualified independent auditor appointed by the Controller, subject to reasonable confidentiality obligations. The Controller shall provide at least thirty (30) days' prior written notice of any audit.

Audits shall be conducted during normal business hours, no more than once per twelve-month period (unless required by a supervisory authority or following a data breach), and in a manner that minimizes disruption to the Processor's operations. The Processor shall cooperate with audits and provide reasonable access to relevant facilities, systems, and documentation.

In lieu of an on-site audit, the Processor may provide the Controller with available security documentation, privacy impact assessment summaries, data protection impact assessment materials where applicable, audit summaries, control mappings, independent third-party reports, or current certifications that demonstrate compliance with the obligations of this DPA.

9. International data transfers

Where Personal Data is transferred from the EEA, UK, or Switzerland to the Processor in the United States, the parties agree to use an appropriate transfer mechanism for the relevant jurisdiction, including the European Commission's Standard Contractual Clauses (SCCs) as adopted under Commission Implementing Decision (EU) 2021/914, the UK International Data Transfer Addendum or International Data Transfer Agreement where applicable, and Swiss transfer safeguards where applicable. Additional supplementary measures will be applied as appropriate based on the transfer impact assessment.

10. Annex I - processing details

Subject matter: background screening, verification, reporting, client support, billing, security, and compliance services. Duration: the term of the applicable client relationship plus legally required retention periods, audit periods, contract obligations, or litigation holds. Nature and purpose: collection, validation, research, verification, report preparation, delivery, dispute handling, audit logging, and secure retention or deletion. Data subjects: applicants, employees, contractors, tenants, client users, authorized representatives, and other individuals submitted by the Controller for a permissible purpose. Data categories: identifiers, contact details, date of birth, government identifiers where authorized, address history, employment and education details, license details, public records, drug testing coordination details, audit logs, and client account metadata.

11. Annex II - technical and organizational measures

Measures include encryption in transit, encryption of sensitive candidate fields at rest, access controls, role-based permissions, least-privilege administration, secure password hashing, CSRF and bot protection for forms, audit logging, backup and recovery controls, vendor due diligence, incident response procedures, employee confidentiality obligations, and periodic control reviews. Additional security documentation may be provided under confidentiality on reasonable request.

12. Annex III - sub-processor categories

Current sub-processor categories include infrastructure hosting, bot-protection and security providers, transactional email, payment processing when enabled, customer relationship management when enabled, laboratory partners, verification partners, courthouse research contractors, and professional service providers supporting legal, security, or accounting obligations. A named list is available upon request under confidentiality where needed, and material changes are handled under the notice and objection process in this DPA.

13. Liability and indemnification

Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set forth in the Terms of Service, except that neither party's liability for breaches of its data protection obligations shall be limited to the extent prohibited by applicable Data Protection Laws.

14. Term and amendments

This DPA shall remain in effect for the duration of the Processor's processing of Personal Data on behalf of the Controller. The Processor may update this DPA from time to time to reflect changes in applicable Data Protection Laws or processing practices. Material changes will be communicated to the Controller at least thirty (30) days before taking effect.

For questions or requests related to this DPA, please contact: Information Direct, Inc. · Attn: Data Protection · 1519 E Chapman Ave #342, Fullerton, CA 92831 · Email: privacy@informationdirect.us · Phone: (800) 707-2450