Master SaaS Agreement (MSA) and Data Processing Agreement (DPA)

July 1, 2023

Master SaaS Agreement (MSA)

This Master Starred SaaS Agreement (this "Agreement"), effective as of {DATE} (the "Effective Date"), is by and between Starred (as defined in Section 1 below) and {Customer Name}, {STATE DESCRIPTION} [corporation][limited liability company][general partnership][limited partnership][{OTHER ENTITY}] with offices located at {STREET ADDRESS}, {CITY}, {STATE} {ZIP CODE}, {COUNTRY} ("Customer"). Starred and Customer may be referred to herein collectively as the "Parties" or individually as a "Party."

1. Definitions

The terms in the General Terms and Conditions of which the first letter is capitalised have the following meaning.


(a) "Account" means the online environment, made available to the Customer, whereby the Customer can administer and configure (certain aspects of) the Services, as well as the configuration(s) and data stored by the Customer.


(b) "Administrator(s)" has the meaning set forth in Section 3(c).


(c) "Affiliate" means, in relation to a Party, any other entity which directly or indirectly controls, is controlled by, or is under direct or indirect common control with that Party;

(d) "Aggregated Statistics" has the meaning set forth in Section 2(e).

(e) "Authorized User" means Customer's employees, consultants, contractors, and agents, including one or more Administrators, (i) who are authorized by Customer to access and use the Services under the rights granted to Customer pursuant to this Agreement and the Statement of Work and (ii) for whom access to the Services has been licensed hereunder.

(f) "Confidential Information" has the meaning set forth in Section 6.

(g) "Customer Data" means information, data, and other content, in any form or medium, that is submitted, posted, or otherwise transmitted by or on behalf of Customer or an Authorized User through the Services.

(h) "Fees" has the meaning set forth in Section 5(a).

(i) "Losses" has the meaning set forth in Section 10(a)(i).

(j) "Services" means the Starred SaaS based solutions for HR departments and recruiting teams to improve employee engagement and/or candidate experiences, as updated from time to time by Starred and as agreed upon in the Statement of Work.

(k) "Service Suspension" has the meaning set forth in Section 2(d).

(l) "Starred" means Starred B.V., a Dutch corporation with offices located at Wibautstraat 137 D, 1097 DN, Amsterdam, the Netherlands, registered with the Dutch Chamber of Commerce under number 55735452, or, if Customer is located in the United States of America, Starred USA Inc., a Delaware corporation with offices located at 228 East 45th Street, Suite 9E, New York, New York 10017, USA.

(m) "Starred IP" means the Services and any and all intellectual property provided to Customer or any Authorized User in connection with the foregoing, as well as benchmark reports set forth in Section 13(f). Starred IP does not include Customer Data.

(n) "Statement of Work" means the mutually agreed upon written license order, executed by both Parties, setting forth in detail the commercial terms and specifications of a specific Customer order, governed by this Agreement.

(o) "Term" has the meaning set forth in Section 12(a).

(p) "Third-Party Claim" has the meaning set forth in Section 10(a)(i).

2. Access and Use

(a) Provision of Access. Subject to and conditioned on Customer’s payment of Fees, as defined in Section 5(a) below, and compliance with this Agreement and the applicable Statement(s) of Work, Starred hereby grants Customer a non-exclusive, non-transferable right to access and use the Services during the Term, solely for use by Authorized Users in accordance with the terms and conditions herein. Such use is limited to Customer’s use and governed by the Starred user policies, available through the Account. Starred shall provide Customer with the necessary passwords and network links or connections to allow Customer to access the Account and the Services.

(b) Use Restrictions. Customer shall not use the Services for any purposes beyond the scope of the access granted in this Agreement or the relevant Statement(s) of Work. Customer shall not at any time, directly or indirectly, and shall not permit any Authorized Users to: (i) copy, modify, or create derivative works of the Services, in whole or in part; (ii) rent, lease, lend, sell, license, sublicense, assign, distribute, publish, transfer, or otherwise make available the Services; (iii) reverse engineer, disassemble, decompile, decode, adapt, or otherwise attempt to derive or gain access to any software component of the Services, in whole or in part; (iv) remove any proprietary notices from the Services; or (v) use the Services in any manner or for any purpose that infringes, misappropriates, or otherwise violates any intellectual property right or other right of any person, or that violates any applicable law.

(c) Reservation of Rights. Customer understands and agrees that Starred continues to develop and improve its Services for all of its customers and that amendments to the Services may be introduced by Starred without prior notice. Starred will provide prior notice of any amendments that may affect the functionality of the Services substantially. Starred reserves all rights not expressly granted to Customer in this Agreement. Except for the limited rights and licenses expressly granted under this Agreement, nothing in this Agreement grants, by implication, waiver, estoppel, or otherwise, to Customer or any third party any intellectual property rights or other right, title, or interest in or to the Starred IP.

(d) Suspension. Notwithstanding anything to the contrary in this Agreement, Starred may temporarily suspend Customer’s and any Authorized User’s access to any portion or all of the Services if: (i) Starred reasonably determines that (A) there is a threat or attack on any of the Starred IP; (B) Customer, or any Authorized User, is using the Starred IP for fraudulent or illegal activities; (C) subject to applicable law, Customer has ceased to continue its business in the ordinary course, made an assignment for the benefit of creditors or similar disposition of its assets, or become the subject of any bankruptcy, reorganization, liquidation, dissolution, or similar proceeding; or (D) Starred’s provision of the Services to Customer or any Authorized User is prohibited by applicable law; or (ii) in accordance with Section 5(a)(iii) (any such suspension described in subclause (i), or (ii) a “Service Suspension”). Starred shall use commercially reasonable efforts to provide written notice of any Service Suspension to Customer and to provide updates regarding resumption of access to the Services following any Service Suspension. Starred shall use commercially reasonable efforts to resume providing access to the Services as soon as reasonably possible after the event giving rise to the Service Suspension is cured. Starred will have no liability for any damage, liabilities, losses (including any loss of data or profits), or any other consequences that Customer or any Authorized User may incur as a result of a Service Suspension.

(e) Aggregated Statistics. As an indispensable part of the Services, Starred will monitor and analyze Customer’s use of the Services, and collect and compile data and information related to such usage, for the sole purpose of enhancing the Services and generating anonymized benchmarks that provide valuable comparisons and performance metrics, allowing customers to assess their own performance within a broader context (“Aggregated Statistics”). The Aggregated Statistics do not include any (i) information identifying Customer or any individual or (ii) Customer’s Confidential Information.

3. Customer Responsibilities

(a) Customer is responsible and liable for all uses of the Services resulting from access provided by Customer, directly or indirectly, whether such access or use is permitted by or in violation of this Agreement. Without limiting the generality of the foregoing, Customer is responsible for all acts and omissions of Authorized Users, and any act or omission by an Authorized User that would constitute a breach of this Agreement or the Starred user policies available through the Account, if taken by Customer, will be deemed a breach of this Agreement by Customer. Customer shall use reasonable efforts to make all Authorized Users aware of this Agreement’s provisions as applicable to such Authorized User’s use of the Services, and shall cause Authorized Users to comply with such provisions.

(b) Customer and Authorized Users must provide accurate and complete information as requested by Starred for the purpose of setting up the Account and providing the Services, and keep this information up to date. Failure to do so may result in incorrect output of the Services for which Starred cannot be held responsible or liable. If Starred reasonably suspects that certain information is not correct or outdated resulting in incorrect output of the Services, Starred will notify Customer in writing, and Parties will reasonably discuss correction of the information as soon as possible. If Parties cannot agree on correction of information resulting in incorrect output of the Services, as determined by Starred, each Party may terminate this Agreement as set forth in Section 11(b)(ii) hereunder. In such case, termination will be the sole remedy and neither Party will be liable for damages of the other Party.

(c) Through the settings in the Account, Customer will inform Starred of one or more administrators who are authorized to represent Customer and decide on Customer’s behalf all matters related to the Services (the “Administrator(s)”).

4. Service Levels and Support

Subject to the terms and conditions of this Agreement, Starred shall use commercially reasonable efforts to make the Services available and to provide support services as set forth in the Statement of Work.

5. Fees and Payment

(a) Fees. Customer shall pay Starred the fees (“Fees”) as set forth in the relevant Statement of Work without offset or deduction. Customer shall make all payments hereunder in the currency and payment conditions set forth in the Statement of Work. If Customer fails to make any payment when due, without limiting Starred's other rights and remedies: (i) Starred may charge interest on the past due amount at the rate of 1.5% per month calculated daily and compounded monthly or, if lower, the highest rate permitted under applicable law; (ii) Customer shall reimburse Starred for all reasonable costs incurred by Starred in collecting any late payments or interest, including attorneys' fees, court costs, and collection agency fees; and (iii) if such failure continues for ten (10) days or more, Starred may suspend Customer's and its Authorized Users' access to any portion or all of the Services until such amounts are paid in full.

(b) Taxes. All Fees and other amounts payable by Customer under this Agreement are exclusive of taxes and similar assessments. Customer is responsible for all sales, use, VAT, and excise taxes, if applicable, and any other similar taxes, duties, and charges of any kind imposed by any federal, state, or local governmental or regulatory authority on any amounts payable by Customer hereunder, other than any taxes imposed on Starred's income.

6. Confidential Information

Confidential Information. From time to time during the Term, either Party may disclose or make available to the other Party information about its business affairs, products, confidential intellectual property, trade secrets, third-party confidential information, and other sensitive or proprietary information, whether orally or in written, electronic, or other form or media, and whether or not marked, designated, or otherwise identified as "confidential" (collectively, "Confidential Information"). Confidential Information does not include information that, at the time of disclosure is: (a) in the public domain; (b) known to the receiving Party at the time of disclosure; (c) rightfully obtained by the receiving Party on a non-confidential basis from a third party; or (d) independently developed by the receiving Party. The receiving Party shall not disclose the disclosing Party's Confidential Information to any person or entity, except to the receiving Party's employees who have a need to know the Confidential Information for the receiving Party to exercise its rights or perform its obligations hereunder. Notwithstanding the foregoing, each Party may disclose Confidential Information to the limited extent required (i) in order to comply with the order of a court or other governmental body, or as otherwise necessary to comply with applicable law, provided that the Party making the disclosure pursuant to the order shall first have given written notice to the other Party and made a reasonable effort to obtain a protective order; or (ii) to establish a Party's rights under this Agreement, including to make required court filings. 
On the expiration or termination of the Agreement, the receiving Party shall promptly return to the disclosing Party all copies, whether in written, electronic, or other form or media, of the disclosing Party's Confidential Information, or destroy all such copies and certify in writing to the disclosing Party that such Confidential Information has been destroyed. Each Party's obligations of non-disclosure with regard to Confidential Information are effective as of the Effective Date and will expire five years from the date first disclosed to the receiving Party; provided, however, with respect to any Confidential Information that constitutes a trade secret (as determined under applicable law), such obligations of non-disclosure will survive the termination or expiration of this Agreement for as long as such Confidential Information remains subject to trade secret protection under applicable law.

7. Intellectual Property Ownership

(a) Starred IP. Customer acknowledges that, as between Customer and Starred, Starred and/or its licensors own all right, title, and interest, including all intellectual property rights, in and to the Starred IP.

(b) Customer Data. Starred acknowledges that, as between Starred and Customer, Customer owns all right, title, and interest, including all intellectual property rights, in and to the Customer Data. Customer hereby grants to Starred a non-exclusive, royalty-free, worldwide license to reproduce, distribute, and otherwise use and display the Customer Data and perform all acts with respect to the Customer Data as necessary to provide the Services to Customer.

8. Privacy and Security

(a) As the processor of personal data controlled by Customer, Starred shall comply with all applicable data protection laws and regulations that apply to its provision of Services, including, where applicable, the California Consumer Privacy Act and the General Data Protection Regulation.

(b) Parties will separately agree on a Data Processing Agreement in writing, if required by law.

9. Limited Warranty and Warranty Disclaimer

(a) Starred warrants that the Services will conform in all material respects with the Statement of Work, when accessed and used in accordance with the Starred user policies available through the Account.

(b) EXCEPT FOR THE LIMITED WARRANTY SET FORTH IN SECTION 9(a), THE STARRED IP AND SERVICES ARE PROVIDED "AS IS" AND STARRED HEREBY DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE. STARRED SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT, AND ALL WARRANTIES ARISING FROM COURSE OF DEALING, USAGE, OR TRADE PRACTICE. EXCEPT FOR THE LIMITED WARRANTY SET FORTH IN SECTION 9(a), STARRED MAKES NO WARRANTY OF ANY KIND THAT THE STARRED IP, OR ANY SERVICES, PRODUCTS OR RESULTS OF THE USE THEREOF, WILL MEET CUSTOMER'S OR ANY OTHER PERSON'S REQUIREMENTS, OPERATE WITHOUT INTERRUPTION, ACHIEVE ANY INTENDED RESULT, BE COMPATIBLE OR WORK WITH ANY SOFTWARE, SYSTEM, OR OTHER SERVICES, OR BE SECURE, ACCURATE, COMPLETE, FREE OF HARMFUL CODE, OR ERROR FREE.

10. Indemnification

(a) Starred Indemnification.

(i) Starred shall indemnify, defend, and hold harmless Customer from and against any and all losses, damages, liabilities, costs (including reasonable attorneys' fees) ("Losses") incurred by Customer resulting from any third-party claim, suit, action, or proceeding ("Third-Party Claim") that the Services, or any use of the Services in accordance with this Agreement, infringes or misappropriates such third party's US patents, copyrights, or trade secrets, provided that Customer promptly notifies Starred in writing of the claim, cooperates with Starred, and allows Starred sole authority to control the defense and settlement of such claim.

(ii) If such a claim is made or appears possible, Customer agrees to permit Starred, at Starred's sole discretion, to (A) modify or replace the Services, or component or part thereof, to make it non-infringing, or (B) obtain the right for Customer to continue use. If Starred determines that neither alternative is reasonably available, Starred may terminate this Agreement, in its entirety or with respect to the affected component or part, effective immediately on written notice to Customer. This Section 10(a) will not apply to the extent that the alleged infringement arises from: (A) use of the Services in combination with data, software not provided by Starred or authorized by Starred in writing; (B) modifications to the Services not made by Starred; or (C) Customer Data.

(b) Customer Indemnification. Customer shall indemnify, hold harmless, and defend Starred from and against any Losses resulting from any Third-Party Claim that the Customer Data, or any use of the Customer Data in accordance with this Agreement, infringes or misappropriates such third party's intellectual property rights and any Third-Party Claims based on Customer's or any Authorized User's (i) negligence or willful misconduct; (ii) use of the Services in a manner not authorized by this Agreement or the Starred user policies available through the Account; (iii) use of the Services in combination with data, software, or technology not provided by Starred or authorized by Starred in writing; or (iv) modifications to the Services not made by Starred, provided that Customer may not settle any Third-Party Claim against Starred unless Starred consents to such settlement, and further provided that Starred will have the right, at its option, to defend itself against any such Third-Party Claim or to participate in the defense thereof by counsel of its own choice.

(c) Sole Remedy. THIS SECTION 10 SETS FORTH CUSTOMER'S SOLE REMEDIES AND STARRED'S SOLE LIABILITY AND OBLIGATION FOR ANY ACTUAL, THREATENED, OR ALLEGED CLAIMS THAT THE SERVICES INFRINGE, MISAPPROPRIATE, OR OTHERWISE VIOLATE ANY INTELLECTUAL PROPERTY RIGHTS OF ANY THIRD PARTY.

11. Limitations of Liability

IN NO EVENT WILL STARRED BE LIABLE UNDER OR IN CONNECTION WITH THIS AGREEMENT UNDER ANY LEGAL OR EQUITABLE THEORY, INCLUDING BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, AND OTHERWISE, FOR ANY: (a) CONSEQUENTIAL, INCIDENTAL, INDIRECT, EXEMPLARY, SPECIAL, ENHANCED, OR PUNITIVE DAMAGES; (b) INCREASED COSTS, DIMINUTION IN VALUE OR LOST BUSINESS, PRODUCTION, REVENUES, OR PROFITS; (c) LOSS OF GOODWILL OR REPUTATION; (d) USE, INABILITY TO USE, LOSS, INTERRUPTION, DELAY, OR RECOVERY OF ANY DATA, OR BREACH OF DATA OR SYSTEM SECURITY; OR (e) COST OF REPLACEMENT GOODS OR SERVICES, IN EACH CASE REGARDLESS OF WHETHER STARRED WAS ADVISED OF THE POSSIBILITY OF SUCH LOSSES OR DAMAGES OR SUCH LOSSES OR DAMAGES WERE OTHERWISE FORESEEABLE. IN NO EVENT WILL STARRED'S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT UNDER ANY LEGAL OR EQUITABLE THEORY, INCLUDING BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, AND OTHERWISE EXCEED THE TOTAL AMOUNTS PAID TO STARRED UNDER THIS AGREEMENT IN THE 12-MONTH PERIOD PRECEDING THE EVENT GIVING RISE TO THE CLAIM OR $10,000, WHICHEVER IS LESS.

12. Term and Termination

(a) Term. Unless agreed upon in writing in a Statement of Work differently, the term of this Agreement begins on the Effective Date and, unless terminated earlier pursuant to this Agreement's express provisions, will continue in effect for as long as a Statement of Work is in effect, and this Agreement will automatically expire upon the termination or expiration date of the last effective Statement of Work between the Parties (the "Term").

(b) Termination. In addition to any other express termination right set forth in this Agreement:

(i) Starred may terminate this Agreement, effective on written notice to Customer, if Customer: (A) fails to pay any amount when due hereunder, and such failure continues more than 5 days after Starred's delivery of written notice thereof; or (B) breaches any of its obligations under Section 2(b);

(ii) either Party may terminate this Agreement, effective on written notice to the other Party, if the other Party materially breaches this Agreement, and such breach: (A) is incapable of cure; or (B) being capable of cure, remains uncured 10 days after the non-breaching Party provides the breaching Party with written notice of such breach; or

(iii) either Party may terminate this Agreement, effective immediately upon written notice to the other Party, if the other Party: (A) becomes insolvent or is generally unable to pay, or fails to pay, its debts as they become due; (B) files or has filed against it, a petition for voluntary or involuntary bankruptcy or otherwise becomes subject, voluntarily or involuntarily, to any proceeding under any domestic or foreign bankruptcy or insolvency law; (C) makes or seeks to make a general assignment for the benefit of its creditors; or (D) applies for or has appointed a receiver, trustee, custodian, or similar agent appointed by order of any court of competent jurisdiction to take charge of or sell any material portion of its property or business.

(c) Effect of Expiration or Termination. Upon expiration or earlier termination of this Agreement, Customer shall immediately discontinue use of the Starred IP and, without limiting Customer's obligations under Section 5, Customer shall delete, destroy, or return all copies of the Starred IP and certify in writing to Starred that the Starred IP has been deleted or destroyed. No expiration or termination will affect Customer's obligation to pay all Fees that may have become due before such expiration or termination or entitle Customer to any refund.

(d) Survival. This Section 12(d) and Sections 5, 6, 7(b), 8, 9, 10, 11, and 13 survive any termination or expiration of this Agreement. No other provisions of this Agreement survive the expiration or earlier termination of this Agreement.

13. Miscellaneous

(a) Entire Agreement. This Agreement, together with the relevant Statements of Work, the Starred user policies available through the Account, as well as any other documents incorporated herein by reference and all related Exhibits, if any, constitutes the sole and entire agreement of the Parties with respect to the subject matter of this Agreement and supersedes all prior and contemporaneous understandings, agreements, and representations and warranties, both written and oral, with respect to such subject matter. In the event of any inconsistency between the statements made in the body of this Agreement, the related Exhibits, and any other documents incorporated herein by reference, the following order of precedence governs: (i) first, this Agreement, excluding its Exhibits; (ii) second, the Exhibits to this Agreement as of the Effective Date; and (iii) third, any other documents incorporated herein by reference.

(b) Notices. All notices, requests, consents, claims, demands, waivers, and other communications hereunder must be in writing and addressed to the Parties and the Administrator(s) at the email address set forth in the Statement of Work. Except as otherwise provided in this Agreement, a notice is effective only upon receipt by the receiving Party.

(c) Force Majeure. In no event shall either Party be liable to the other Party, or be deemed to have breached this Agreement, for any failure or delay in performing its obligations under this Agreement (except for any obligations to make payments), if and to the extent such failure or delay is caused by any circumstances beyond such Party's reasonable control, including but not limited to acts of God, flood, fire, earthquake, COVID-19, explosion, war, terrorism, invasion, riot or other civil unrest, strikes, labor stoppages or slowdowns or other industrial disturbances, or passage of law or any action taken by a governmental or public authority, including imposing an embargo.

(d) Amendment and Modification; Waiver. No amendment to or modification of this Agreement is effective unless it is in writing and signed by an authorized representative of each Party. No waiver by any Party of any of the provisions hereof will be effective unless explicitly set forth in writing and signed by the Party so waiving. Except as otherwise set forth in this Agreement, (i) no failure to exercise, or delay in exercising, any rights, remedy, power, or privilege arising from this Agreement will operate or be construed as a waiver thereof, and (ii) no single or partial exercise of any right, remedy, power, or privilege hereunder will preclude any other or further exercise thereof or the exercise of any other right, remedy, power, or privilege.

(e) Severability. If any provision of this Agreement is invalid, illegal, or unenforceable in any jurisdiction, such invalidity, illegality, or unenforceability will not affect any other term or provision of this Agreement or invalidate or render unenforceable such term or provision in any other jurisdiction. Upon such determination that any term or other provision is invalid, illegal, or unenforceable, the Parties shall negotiate in good faith to modify this Agreement so as to effect their original intent as closely as possible in a mutually acceptable manner in order that the transactions contemplated hereby be consummated as originally contemplated to the greatest extent possible.

(f) Benchmark Reports. Starred publishes benchmark reports periodically through online and/or offline channels, based on the anonymized benchmarks created for its customers. These reports do not include any (i) references to specific customers or individuals or (ii) Confidential Information. Sample benchmark reports can be found here.

(g) Governing Law; Submission to Jurisdiction.

(i) Any and all agreements between the Parties, including this Agreement and any Statement of Work, shall be governed by and construed in accordance with the laws of the Netherlands, notwithstanding any conflict of law principles. The Parties agree that any suits, actions, or proceedings that may be instituted by any Party shall be initiated exclusively before the competent courts of the Netherlands, located in Amsterdam, the Netherlands, and the Parties do hereby consent to the jurisdiction of those courts and waive any objection which they may have, now or hereafter, to venue of those suits, actions or proceedings.

(ii) Only for Customers located in the United States: Unless stated otherwise in writing, any and all agreements between the Parties, including this Agreement and any Statement of Work, shall be governed by and construed in accordance with the laws of the State of New York, USA, notwithstanding any conflict of law principles. All disputes and controversies arising out of or relating to this Agreement, a Statement of Work, and any other agreements between the parties shall be finally and bindingly resolved under the Commercial Arbitration Rules of the American Arbitration Association in front of a sole arbitrator. The place of arbitration shall be New York, New York. The language of the arbitration shall be English. Any award, verdict or settlement issued under such arbitration may be entered by any party for order of enforcement by any court of competent jurisdiction. Additionally, in case of unpaid invoices, Starred may bring suit against Customer in the applicable state or federal courts of New York County, New York, and/or in the jurisdiction in which the Customer holds offices.

(iii) ANY CAUSE OF ACTION AGAINST A PARTY, REGARDLESS WHETHER IN CONTRACT, TORT OR OTHERWISE, MUST COMMENCE WITHIN ONE (1) YEAR AFTER THE CAUSE OF ACTION ACCRUES. OTHERWISE, SUCH CAUSE OF ACTION IS PERMANENTLY BARRED.

(h) Assignment. Customer may not assign any of its rights or delegate any of its obligations hereunder, in each case whether voluntarily, involuntarily, by operation of law, or otherwise, without the prior written consent of Starred. Starred may assign its rights and obligations under this Agreement to an Affiliate or to any entity that it merges with or that it transfers part or all of its business to.

(i) Equitable Relief. Each Party acknowledges and agrees that a breach or threatened breach by such Party of any of its obligations under Sections 6 and 7, or, in the case of Customer, Section 2(b), would cause the other Party irreparable harm for which monetary damages would not be an adequate remedy and agrees that, in the event of such breach or threatened breach, the other Party will be entitled to equitable relief, including a restraining order, an injunction, specific performance, and any other relief that may be available from any court, without any requirement to post a bond or other security, or to prove actual damages or that monetary damages are not an adequate remedy. Such remedies are not exclusive and are in addition to all other remedies that may be available at law, in equity, or otherwise.

(j) Parties will maintain throughout the Term commercial liability insurance from a reputable carrier as customary in their respective industries.

(k) Counterparts. This Agreement may be executed in counterparts, each of which is deemed an original, but all of which together are deemed to be one and the same agreement.

IN WITNESS WHEREOF, the Parties hereto have executed this Agreement as of the Effective Date.

☐ STARRED B.V. / ☐ STARRED USA INC. | {CUSTOMER NAME}

By: ____________________                              By: ____________________

Name: ____________________                        Name: ____________________

Title: ____________________                          Title: ____________________

Data Processing Agreement

1 July 2023

1. CONTROLLER, {Customer Name}, {STATE DESCRIPTION} [corporation][limited liability company][general partnership][limited partnership][{OTHER ENTITY}] with offices located at {STREET ADDRESS}, {CITY}, {STATE} {ZIP CODE}, {COUNTRY}

and

2. Starred B.V., a Dutch corporation with offices located at Wibautstraat 137, 1097 DN, Amsterdam, the Netherlands, registered with the Dutch Chamber of Commerce under number 55735452, or, if Controller is located in the United States of America, Starred USA Inc., a Delaware corporation with offices located at 228 East 45th Street, Suite 9E, New York, New York 10017, USA. (hereinafter: Processor),

considering, that

  • the Controller has access to personal data of various data subjects,
  • parties have entered into a Master SaaS Agreement,
  • definitions from the Master SaaS Agreement are used in this Data processing agreement,
  • the Controller intends to have the Processor perform certain processing operations, for which the Controller determines purpose and means,
  • the Processor is willing to do so, and further is willing to adhere to the obligations regarding security and other aspects of data processing legislation to the best of its abilities,
  • the Parties, in consideration of the requirements of Article 28(3) GDPR, wish to lay down their rights and obligations in writing.

have agreed as follows:

1. Purposes of processing

1.1 Processor hereby agrees under the terms of this Data processing agreement to process personal data on behalf of the Controller. Processing shall be done solely for the purpose of delivering the Services: a SaaS-based solution for HR departments and recruiting teams to improve employee engagement and/or candidate experiences, and all purposes compatible therewith or as determined jointly.

1.2 The personal data to be processed by Processor for the purposes as set out in the previous clause and the categories of data subjects involved are set out in Appendix 1 to this Data processing agreement. Processor shall not process the personal data for any other purpose unless with Controller's consent. Controller shall inform Processor of any processing purposes to the extent not already mentioned in this Data processing agreement. Processor however is permitted to use personal data for quality assurance purposes, and statistical research purposes regarding the quality of Processor's services.

1.3 All personal data processed on behalf of Controller shall remain the property of Controller and/or the data subjects in question.

2. Processor obligations

2.1 Upon first request Processor shall inform Controller about any measures taken to comply with its obligations under this Data processing agreement.

2.2 All obligations for Processor under this Data processing agreement shall apply equally to any persons processing personal data under the supervision of Processor, including but not limited to employees in the broadest sense of the term.

2.3 Processor shall inform Controller without delay if in its opinion an instruction of Controller would violate the applicable legislation.

2.4 Processor shall provide reasonable assistance to Controller in the context of any data protection impact assessments to be made by Controller.

3. Transfer of personal data

3.1 Processor may process the personal data in any country within the European Union.

3.2 In addition Processor may transfer the personal data to a country outside the European Union, provided that country ensures an adequate level of protection of personal data and complies with other obligations imposed on it under this Data processing agreement and the GDPR, including the availability of appropriate safeguards and enforceable data subject rights and effective legal remedies for data subjects.

3.3 Processor reports to Controller the countries involved in Annex 3. Processor shall ensure that, considering the circumstances that apply to the transfer of personal data or any category of transfers, there is an adequate level of protection.

4. Allocation of responsibilities

4.1 Processor is solely responsible for the processing of personal data under this Data Processing Agreement in accordance with the instructions of Controller and under the explicit supervision of Controller. For any other processing of personal data, including but not limited to any collection of personal data by Controller, processing for purposes not reported to Processor, processing by third parties and/or for other purposes, the Processor does not accept any responsibility.

4.2 Controller represents and warrants that the content, usage and instructions to process the personal data as meant in this Data processing agreement are lawful and do not violate any right of any third party.

5. Subprocessor

5.1 Processor shall involve third parties in the processing under this Data processing agreement on the condition that such parties are reported in advance to the Controller; Controller may object to a specific third party if its involvement would reasonably be unacceptable to it. Controller hereby consents to the use of sub-processors mentioned in Annex 3 of this Data processing agreement. 

5.2 In any event, Processor shall ensure that all third parties are bound to at least the same obligations as agreed between Controller and Processor.

6. Security

6.1 Processor shall use reasonable efforts to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk for the processing operations involved, against loss or unlawful processing (in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed).

6.2 Processor shall implement at least the specific security measures as mentioned in Annex 2 to this Data processing agreement. Processor may adjust the security measures at any time unilaterally. Processor shall inform Controller of any adjustments online on: https://starred.com/security

6.3 Controller shall only provide personal data to Processor for processing if it has ensured that the required security measures have been taken. Controller is responsible for the parties' compliance with these security measures.

7. Notification and communication of data breach

7.1 Controller is responsible at all times for notification of any security breaches and/or personal data breaches (which are understood as: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed as described in Article 4 (12) of the GDPR) to the competent supervisory authority, and for communication of the same to data subjects. In order to enable Controller to comply with this legal requirement, Processor shall notify Controller within 24 hours after becoming aware of an actual security or personal data breach.

7.2 The notification shall include at least the fact that a breach has occurred. In addition, the notification shall:

  • describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  • describe the likely consequences of the personal data breach;
  • include the name and contact details of the contact person regarding privacy subjects;
  • describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

8. Processing requests from data subjects

8.1 In the event a data subject makes a request to exercise his or her legal rights under the GDPR (Articles 15-22) to Processor, Processor shall pass on such request to Controller, and Controller shall process the request. Processor may inform the data subject of this passing on.

9. Confidentiality obligations

9.1 All Confidential Information that Processor processes for Controller and/or collects itself is subject to strict obligations of confidentiality towards third parties.

9.2 The confidentiality obligation shall not apply to the extent Controller has granted explicit permission to provide the information to third parties, the provision to third parties is reasonably necessary considering the nature of the assignment to Controller or the provision is legally required.

10. Audit

10.1 Controller has the right to have audits performed on Processor by an independent third party bound by confidentiality obligations to verify compliance with the Data processing agreement, and all issues reasonably connected thereto.

10.2 This audit may be performed once every year as well as in the event of a substantiated allegation of misuse of personal data.

10.3 Processor shall give its full cooperation to the audit and shall make available employees and all reasonably relevant information, including supporting data such as system logs.

10.4 The audit findings shall be assessed by the parties in joint consultation and may or may not be implemented by either party or jointly.

10.5 The costs of the audit shall be borne by Controller.

11. Liability

11.1 Parties explicitly agree that any liability arising in connection with personal data processing shall be as provided in the Master SaaS Agreement.

12. Term and termination

12.1 This Data processing agreement enters into force upon signature by the parties and on the date of the last signature.

12.2 This Data processing agreement is entered into for the duration of the cooperation between the parties.

12.3 Upon termination of the Data processing agreement, regardless of reason or manner, Processor shall - at the choice of Controller - destroy all personal data available to it.

12.4 Parties may change this Data processing agreement only with mutual consent.

13. Applicable law and competent venue

13.1 This Data processing agreement and its execution are subject to the laws of the Netherlands, or the laws of the United States in case Controller is located in the US.

13.2 Any disputes that may arise between the parties in connection with this Data processing agreement shall be brought to the competent court for the place of business of Processor.

Annex 1: Purpose of processing, data subjects, and categories of personal data

Purpose of processing:

Delivering a SaaS-based solution for HR departments and/or recruiting teams to improve employee engagement and/or candidate experiences and thereby processing the Data.

Data subjects of data processing:
Processor shall process personal data of the following data subjects: (prospective) employees.

Categories of personal data of data subject:

  • Email addresses
  • First and last name
  • IP address
  • Candidate Experience and/or Employee Engagement information

Duration for which the data will be retained:

Personal data will be retained for the duration of the Agreement and then disposed of as set forth in Section 12.3 of the DPA, or earlier as indicated by the data retention period managed by Controller via the Service.

Annex 2: Technical and organizational measures of the Processor

This overview outlines the Processor’s approach to security and compliance, including details on technical and organizational measures regarding how Processor protects your data.

Contents:

  • Product security
  • Hardware and infrastructure
  • Systems and operations
  • Applications and access
  • Transmission and storage
  • People
  • Process
  • Application
  • Certifications
  • ISO 27001

Product security

For an overview of key security features and practices that protect your data within Processor, see below.

Hardware and infrastructure

  • AWS geo-dispersed, ISO 27001-certified, and SOC-audited data centers, located across multiple regions in the EU: Ireland (AWS: eu-west-1) and Frankfurt, Germany (AWS: eu-central-1).
  • Secure data replication and encrypted archival.
  • Annual Business Continuity Planning (BCP) and Disaster Recovery (DR) testing.
  • Professional, commercial-grade firewalls, border routers, and network management systems.

Systems and operations

  • Centralized, logical access management system.
  • Two-factor authentication, encrypted VPN access.
  • Distributed Denial of Service (DDoS) mitigation.
  • Active intrusion detection and prevention.
  • Anti-malware software integration that automatically alerts Starred’s incident response team if potentially harmful code is detected.
  • Third-party penetration testing.

Applications and access

  • Formal code reviews and vulnerability mitigation by third parties.
  • Application-level Advanced Encryption Standard (AES) 256-bit encryption.
  • Key management and encryption program.
  • Malware protection.
  • Configurable security features.
  • Multi-factor authentication provides an additional level of assurance that only those authorized to access Starred can access it.
  • Role-based authorization enables you to designate access to specific individuals.

Transmission and storage

  • Data encrypted in accordance with industry best-practice standards. Starred supports full encryption in transit. No non-encrypted data leaves our data center. All our monitoring and backend systems either send local traffic over the VPC, or they use transport-level encryption when communicating with the rest of the internet. All data is encrypted at rest on our AWS EBS disks. Backups sent to our private S3 buckets are encrypted using 4,096-bit GPG keys.
  • Access and transfer of data to/from Starred via HTTPS.
  • Digital certificate technology.
  • Customer-configurable data retention capability.

People

Information security at Starred is everyone’s job. We invest in training and awareness to ensure that information security stays top of mind for all of our employees.

  • Starred conducts background checks for all prospective employees. Before they join our staff, Starred will verify an individual's education and previous employment, and perform reference checks. The extent of these background checks is dependent on the desired position.
  • Starred employs a Security Officer who is part of our software engineering and operations division. This professional is tasked with developing security review processes, building security infrastructure and implementing Starred’s security policies. Starred actively scans for security threats using commercial and custom tools, penetration tests, quality assurance (QA) measures and software security reviews.
  • All Starred employees undergo information security and privacy training as part of the onboarding process and receive ongoing training throughout their Starred careers, at least annually. During onboarding, new employees agree to our Code of Conduct, which highlights our commitment to keep customer information safe and secure.
  • Training for engineers to ensure coding is done securely, with regular security audits of the code base.

Process

Starred’s business processes, including internal policies, software development and application monitoring, take into consideration the security of our customer data.

  • On-premise security policies, such as badge access, manned public entrances and physical access controls.
  • Only a small group of Starred employees have access to customer data. For Starred employees, access rights and levels are based on their job function and role, using the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities.
  • Active monitoring and alerting. Our infrastructure and services are monitored in a variety of ways, including: system and application metadata sent to a centralised logging service for analysis and alerting, tailored to our systems; AWS alerting of events such as instance scaling, spikes in traffic and changes in application performance; and AWS CloudWatch alerting for infrastructure-level and application-level monitoring.
  • Security reviews within the Starred Software Development Life Cycle (SDLC), including the planning, design, implementation, testing, shipping and response phases.
  • Formal code reviews and vulnerability mitigation by third parties for applications and access security.
  • Annually reviewed Business Continuity Policy and Disaster Recovery Plan.
  • We have a rigorous incident management process for security events that may affect the confidentiality, integrity, or availability of systems or data. If an incident occurs, the security officer logs and prioritizes it according to its severity. Events that directly impact customers are assigned the highest priority.

Application

Starred’s secure application encompasses hardware and infrastructure, systems and operations, applications and access, and transmission and storage.

  • Commercial-grade data centers across regions, so that critical customer data remain available in the event of any business disruption.
  • Secure, near real-time data replication.
  • Physically and logically separated networks for systems and operations. Currently, we have networks for management, staging, and production. There are peering links between management and the other two, for the purposes of management services having access to those environments, but not between staging and production.
  • We utilise EC2 Security Groups to control access between subnets, networks, and the internet. By default, no access between machines is given, ports are only opened between them when necessary.
  • Our VPN is protected with multi-factor authentication. The first (the “possession factor”) is a revocable certificate, attached to a username. The second (the “knowledge factor”) is a (very) strong password for that certificate. The third (the “inherence factor”) is an OTP token, regenerated every minute.
  • Malware protection.
  • Commercial-grade firewalls and border routers to resist/detect IP-based and denial-of-service attacks.
  • Digital certificate technology.
  • Two-factor encrypted VPN access.

Certifications

ISO 27001

Starred is certified at the highest level of global information security assurance available today, ISO 27001, which provides customers assurance that Starred meets stringent international standards on security.

Annex 3: Sub-processors

Sub-processors

The information below is provided to illustrate Starred’s engagement process for sub-processors, and to provide a sub-processor list. Starred uses certain sub-processors to support the delivery of the Starred services.

What is a sub-processor?

A sub-processor is a data processor who, on behalf of Starred, processes personal data.

Starred uses certain infrastructure sub-processors to host its applications and other service-specific sub-processors to provide specific functionality within the Starred services. Starred processes personal data in countries within the European Union whenever possible to keep data transfer to a minimum. If Starred processes personal data outside the European Union it is with due regard for the applicable privacy laws, which are governed by Standard Contractual Clauses (SCCs). The SCCs are a set of terms that have been approved by the European Commission which allow data to be safely transferred.

List of Sub-processors

Please find the list of sub-processors, their role, and the location of processing below.

Sub-processor | Role | Location of processing
Amazon Web Services, Inc. | Data hosting | EEA (Ireland, Germany)
Mailgun Technologies, Inc. | Email service provider | EEA (Germany)
New Relic, Inc. | Performance Monitoring | EEA (Belgium, Germany)
Looker Data Sciences, Inc. | Data Reporting and Visualization | EEA (Netherlands)
