Symmetry I-9 Data Processing Addendum
Symmetry Software
Last updated on March 2025
This Data Processing Addendum (“DPA”) supplements any existing and currently valid Agreement(s) either previously or concurrently made between Symmetry Software LLC (“Processor”) and the customer identified in a Schedule or other ordering document (“Customer”) in connection with the services provided by Processor to Customer under one or more agreements between Processor and Customer (collectively, the “Agreement”) relating to the processing of personal information originating from the United States or relating to individuals residing in the United States.
All capitalized terms not otherwise defined in this DPA will have the meanings given to them in the Agreement. If there is any inconsistency or conflict between this DPA and any Agreement in effect between Processor and Customer, then as it relates to data protection or Processing, this DPA will control and will survive any termination or expiration of the Agreement.
This DPA only applies to the extent Processor Processes Personal Information on behalf of Customer.
Definitions
To the extent not otherwise defined in the Agreement, terms defined in this DPA shall bear the below meanings and cognate terms shall be construed accordingly.
- “Applicable US Regulation(s)” means all regulations and applicable industry standards in force on data protection and data privacy relating to that Personal Information for each relevant jurisdiction in the United States where Processor provides Services to the Customer.
- “Business Purpose” means the use of Personal Information for the Customer’s or Processor’s operational purposes, or other notified purposes, as defined in the CCPA, provided that the use of Personal Information is reasonably necessary and proportionate to achieve the operational purpose for which Personal Information was Collected or processed or for another operational purpose that is compatible with the context in which Personal Information was Collected.
- “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code 1798.100 et seq. as amended from time to time.
- “Collects,” “Collected,” or “Collection” means buying, renting, gathering, obtaining, receiving, or accessing any Personal Information pertaining to a Consumer by any means.
- “Commercial Purposes” means to advance a person’s commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction.
- “Consumer” means a natural person or household.
- “Controller” means a legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners that Collects Consumers’ Personal Information, or on behalf of whom such information is Collected and that alone or jointly with others determines the purposes and means of the processing of Consumers’ Personal Information. In jurisdictions that use the term "Business" to refer to a person or entity fitting the foregoing description, the term "Controller" as used in this DPA has the same meaning as the term "Business".
- “Personal Information” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Consumer or household such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifier.
- “Process,” “Processing,” and “Processes” refer to any operation or set of operations that are performed on Personal Information or on sets of Personal Information, whether or not by automated means.
- “Processor” means a legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners that Processes information on behalf of a Controller and to which the Controller discloses a Consumer’s Personal Information for a Business Purpose. In jurisdictions that use the term "Service Provider" to refer to the person or entity fitting the foregoing description, the term "Processor" as used in this DPA has the same meaning as the term "Service Provider".
- “Security Breach” means a breach of security leading to the unauthorized access to or acquisition of Personal Information that compromises the security, confidentiality, or integrity of Personal Information Processed on Customer’s behalf.
- “Sell” means (a) selling, renting, licensing to others, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Consumer’s Personal Information to another business or a third party for monetary or other valuable consideration, and (b) transferring Personal Information for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.
- “Services” means the services or other activities to be supplied to or carried out by or on behalf of Processor for Customer pursuant to the Agreement.
- “Subcontractor” means a person (but excluding any employee) engaged or appointed by Processor to receive or Process Personal Information in connection with the Agreement. Subcontractors are identified in Exhibit A.
Roles and Responsibilities
- Roles of the Parties and Details of the Processing. The parties acknowledge and agree that Processor is providing Services to and Processing Personal Information on behalf of the Customer, a Controller. Details of the Processing are outlined in Exhibit A.
- Compliance with Regulations. Processor shall at all times be aware of and comply with Applicable US Regulations when Processing Personal Information.
- Processor’s Responsibilities. When Processing Personal Information on behalf of the Customer, Processor shall not: (a) retain, use, or disclose Personal Information it receives, Collects or Processes in connection with the Services for any purpose other than for performing the Services and in accordance with the terms of this DPA, the Agreement and the Customer’s instructions; (b) use or Process Personal Information for Commercial Purposes other than performing the Services; (c) Sell Personal Information; or (d) disclose or transfer Personal Information outside the direct business relationship between the parties. Processor shall adhere to the principles of data minimization and purpose limitation, ensuring that only necessary Personal Information is Processed.
- Permitted Activities. Regardless of the prohibitions in subsection 3.3, the parties agree that Processor may Process Personal Information for the following activities that are necessary to support the Services: (a) retain and employ another service provider as a subcontractor, where the subcontractor meets the requirements for a Processor under Applicable US Data Protection Laws; (b) detect data security incidents; (c) protect against fraudulent or illegal activity; (d) effectuate repairs; and (e) maintain or improve the quality of the Services. Processor also may Process Personal Information, subject to Section 2.3, when necessary to comply with federal, state, or local laws or legal process; cooperate with law enforcement; and cooperate with a government agency request for emergency access to Personal Information if a person is at risk or danger of death or serious physical injury.
- Compliance Monitoring and Assurance. Customer has the right to take reasonable and appropriate steps to ensure that the Processor uses the Personal Information in a manner consistent with the Customer's obligations under the Applicable US Regulations. No more than once per calendar year, Processor will provide to Customer, upon Customer’s written request, information and documentation in Processor’s possession and control necessary to demonstrate Processor’s compliance with its obligations under this DPA.
- Notification. Processor shall promptly notify the Customer if it determines or reasonably suspects it will be unable to comply with its obligations set forth in Section 2.3. Upon any such notice to the Customer, Processor shall immediately cease all use of Personal Information hereunder, but its obligations regarding safeguarding information shall remain in effect.
Personnel and Subcontractors
- Processor Personnel. Processor will take reasonable steps to ensure that each of its employees and agents who Process Personal Information are made aware of Processor’s obligations under this DPA, and where required by Applicable US Regulation, shall require that they enter into binding obligations with Processor as appropriate to maintain the levels of security and protection required under this DPA.
- Access to Personal Information. Processor shall limit access to Personal Information to those individuals who need to know, as necessary for the purpose of providing Services.
- Subcontractors. Processor remains obligated and fully liable to the Customer for the acts and omissions of any Subcontractor.
Security of Personal Information
- Responsibility of Processor. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of Consumers, Processor will maintain appropriate technical and organizational measures, as outlined in Exhibit B, to ensure a level of security appropriate to the risk of Processing Personal Information. Processor will conduct periodic data protection assessments for Processing activities that may pose a heightened risk to Consumer privacy.
- Transfer and Access Restrictions. Except as otherwise specifically authorized by Customer in writing in advance, (a) all Personal Information shall be stored within the United States; (b) Processor will not transfer Personal Information outside of the United States; and (c) no Authorized Employee or agent (including any subcontractor) will have the ability to access or use Personal Information from outside the United States.
- Encryption. Processor shall encrypt all Personal Information data in transit and at rest.
Consumer Rights and Other Requests
- Consumer Rights. If Processor receives a request from a Consumer to exercise their rights under an Applicable US Regulation, it shall communicate this request to the Customer without first responding to the request except on the prior written instructions of the Customer, unless otherwise required by the Applicable US Regulation.
- Cooperation. Processor shall work with, and if necessary reasonably assist, the Customer with responding to the Consumer’s request. Processor will do so in a manner that allows the Customer to respond to such requests within the timeframes set under such Applicable US Regulation.
Security Breach
- Breach Response. In the event of a Security Breach, Processor will (a) reasonably investigate the Security Breach and perform a root cause analysis; (b) develop a remediation plan to address the Security Breach; and (c) promptly upon request, provide to the Customer any required information to enable it to comply with its notification obligations under Applicable US Regulations, if any.
- Consumer Notifications. To the extent Applicable US Regulation requires the affected Consumers or governmental authorities to be notified of a Security Breach, Processor will cooperate with the Customer’s reasonable requests in enabling Customer to respond to such Security Breach.
General Provisions
- Limitation of Liability. The total liability of each of Customer and Processor (and their respective employees, directors, officers, affiliates, successors, and assigns), arising out of or related to this DPA, whether in contract, tort, or other theory of liability, will not, when taken together in the aggregate, exceed the limitation of liability set forth in the Agreement, unless Applicable US Regulations prohibit such limitations.
- Ownership. Customer controls and owns all right, title and interest in and to Personal Information and at all times remains the data Controller under the Agreement and Applicable US Regulations. The Personal Information that Customer discloses to Processor is provided to Processor for a Business Purpose, and Customer does not Sell Personal Information to Processor in connection with the Agreement. Nothing in the Agreement transfers or conveys to Processor any ownership interest in or to Personal Information. Customer warrants that it has complied with all relevant laws in Collecting, using, and disclosing the Personal Information.
- Entire Agreement. This DPA and the Agreement represent the entire agreement between the parties and supersede any and all prior oral or written agreements between the parties related to the Processing of Personal Information.
- Order of Precedence. In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA will prevail as it pertains to the Processing of Personal Information. For any other conflict, the Agreement will prevail.
- Severability. If any provision of this DPA is held invalid or unenforceable, the remaining provisions will remain in effect.
- Assignment. As an addendum to the Agreement, this DPA is binding upon all respective successors and permitted assigns of the Agreement.
- Term. The obligations established under this DPA will survive termination of the Agreement and will continue in full force and effect until such time as Processor has returned or destroyed all Personal Information, as applicable, in accordance with the terms of this DPA.
- Changes to Applicable US Regulations. In the event of modifications, amendments or changes to Applicable US Regulations, the parties agree to cooperate in good faith with respect to any necessary modifications or amendments to this DPA, to the extent required. Processor shall further take reasonable measures to remain compliant with any changes in the Applicable US Regulation.
Exhibit A
Details of Processing Activities
Nature and Purpose of Processing | Providing the Services and related technical support in accordance with the Agreement and otherwise in accordance with any documented instructions of Customer. |
---|---|
Duration of processing | The term of the Agreement plus the period from expiration of such term to deletion or destruction of all Customer Personal Information subject to the Agreement. |
Categories of Data Subjects | Users, job applicants, and employees of Customer, and individuals who verify the identity of applicants and employees, each provided to Processor by and at the direction of Customer, for the purpose of providing the Services under the Agreement. Data subjects are determined and controlled by the Customer in its sole discretion. |
Types of Personal Information | Personal Information provided by Customer, which may include the following types of data: Names, postal addresses for home and work, social security numbers, employee or applicant identification numbers, precise geolocation data, and other information required by US Government form I-9 and the E-Verify system. |
Permitted Subcontractors
The following Subcontractors may Process data on Processor’s behalf:
- Amazon Web Services, United States, Data Center
- All4Staff, Inc. dba WorkBright (“Workbright”) and its Subcontractors listed at https://security.workbright.com/subprocessors, I-9 verification.
Processor may change a Subcontractor or add a new Subcontractor. Processor will provide 60 days’ notice to Customer of its intent to change a Subcontractor or add a new Subcontractor. If Customer objects to the new or additional Subcontractor, Customer may terminate the Processing upon 30 days’ notice to Processor.
Exhibit B
Technical and Organizational Security Measures
In accordance with the Agreement, the Processor will adopt and maintain appropriate technical and organizational security measures in dealing with the Personal Information in order to protect against unauthorized or accidental access, loss, alteration, disclosure, or destruction of such data, in particular where the processing involves the transmission over a network, and against all other unlawful forms of processing.
In determining the technical and organizational security measures required under the Agreement, the Processor will take into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
The Processor will implement the following specific security measures, as applicable:
- Relevant employees are to be trained in relation to specific technical and organizational security measures;
- Personal Information is to be stored on secured servers behind a firewall;
- Servers are to be monitored by industry-standard network monitoring tools to prevent any potential security breaches;
- Corporate systems and databases are to be password protected;
- VPN and direct network access is to be limited to company-issued devices;
- Dual-factor authentication for VPN access;
- Segregation and limitation of employee access permissions;
- Active and automated monitoring of critical access logs and anomaly detection;
- Pseudonymization and/or encryption methods;
- System(s) to restore the availability and access to Personal Information in a timely manner in the event of a physical or technical incident; and
- Process(es) for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.