For Customers who entered into the Data Processing Agreement on or before October 25, 2022, this version of the Data Processing Agreement applies. For all other use cases, this version has been deprecated as of October 26, 2022.
A Data Processing Agreement (DPA) is a contract between a data controller and a data processor that governs the processing of personal information.
In the most general sense (and bearing in mind that this terminology may vary depending on the jurisdiction and subject matter involved):
It depends on the jurisdictions and types of data involved.
In many jurisdictions (e.g., the European Union under the GDPR), parties are legally required to execute a DPA (or a similar contractual arrangement) if one party will process personal information on behalf of the other party. In the United States, whether a DPA is legally required depends on many factors (including, for instance, the sectors and states involved) and is often unclear.
It depends on where eligible employees reside.
We have also compiled a list of country-specific “schedules” that may be attached to the DPA, depending on which non-U.S. jurisdictions are involved. One common and well-known example involves the transfer of personal data from the European Economic Area (EEA) to the United States. To comply with the GDPR, the customer and Carrot must sign the Standard Contractual Clauses (SCCs), Module 2 (controller to processor), before such a transfer can take place.
A Sub-processor is an entity that processes personal information on behalf of a data processor. If a data processor engages a Sub-processor, it needs to have a DPA (or similar contractual mechanism) in place with that Sub-processor (e.g., a “Sub-processor Agreement”).
A current list of Carrot’s Sub-processors is available here.
DPAs between controllers and processors ensure they both understand their obligations, responsibilities, and liabilities.
DPAs also help them comply with various regulations, such as the GDPR, and help demonstrate compliance to regulators and individuals.
The answer varies depending on the jurisdiction and subject matter involved, but there are certain elements that should always be included in a DPA:
First, DPAs must define:
Second, DPAs must also include specific terms or clauses regarding:
The ideas of data ownership and confidentiality are specific to Carrot’s standard contracting process, which, because of the sensitive nature of the services Carrot and our partners provide, is designed to be very pro-user. As a result, we cover a lot of ground related to data (such as restrictions on use and obligations in the event of a security incident) in the service agreements we enter into with customers.
When we have reviewed customers' DPAs, we often find that they contain provisions that overlap with what the service agreement already contains. We also find that other DPAs describe data ownership in ways that conflict with how the service agreement describes it, which makes the two documents difficult to read together. Our DPA is already tailored both to the coverage of our MSA and to the specifics of data ownership as they apply to us.
It is common for the same entity to be considered a controller in one context and a processor in another context. This is the case for Carrot.
Under the GDPR, a controller is the entity that determines the purposes and means of processing personal data, and a processor is an entity that processes personal data on behalf of the controller.
In the context of the DPA, Carrot is acting as a processor because it is processing personal data on behalf of a controller (i.e., the customer). The customer sends Carrot an Employee Eligibility File (the “means”) for the “purpose” of confirming which employees are eligible for the Service. Carrot then processes this data on behalf of the customer and in accordance with the customer's instructions (i.e., to confirm eligibility).
In the context of the Privacy Notice, on the other hand, Carrot acts as the controller when members (i.e., employees whose eligibility has been confirmed) sign up directly for the Service through the Platform. Here, Carrot determines the purpose (i.e., providing the Service) and the means (i.e., collecting personal data from members through the Platform) of processing personal data. The Privacy Notice governs the relationship between Carrot (the controller) and individual members (the data subjects).