Download app

Data Sharing Addendum (Controller-Controller)

Last Updated May 29, 2025

Indeed Flex, Inc., on behalf of itself and its Affiliates (“Indeed Flex”) and the counterparty agreeing to this Data Sharing Addendum (“Client”) have entered into an agreement or other contract for the provision of the Controller Services, as amended from time to time. In the United States of America, the Indeed Flex  Service is operated by Indeed Flex, Inc., 10721 Domain Drive, Austin, TX 78758 and in the United Kingdom, the Indeed Flex Service is operated by Syft Online Limited, 20 Farringdon Road, London, EC1M 3HE, UK (company registration number: 09372516), each shall be referred to as “Indeed Flex”, “we”, “our”, and “us”. This Data Sharing Addendum (“DSA”) is intended to comply with the parties’ obligations under Data Privacy Laws with respect to the Processing of Controller Personal Data pursuant to the Primary Agreement. Indeed Flex and Client are individually referred to as a “Party” or together as “Parties”. In the event of a conflict between this DSA and the Primary Agreement, this DSA shall prevail.

1. Definitions

Words and expressions used in this DSA but not defined herein shall have the meanings given to such words and expressions in the GDPR unless otherwise stated herein. Where the Applicable Data Protection Law gives meanings to such words and expressions that differ from the GDPR, then those meanings in the Applicable Data Protection Law shall apply instead for purposes of compliance with such Applicable Data Protection Law. The following definitions apply to this DSA unless otherwise specified herein.

  1. “Adequate Country” means a country or territory that is recognized under EU Data Protection Law as providing adequate protection for Personal Data;
  2. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
  3. “Applicable Data Protection Laws” means all laws, regulations, and other legal requirements relating to (i) privacy, data security, consumer protection, marketing, promotion, and text messaging, email, and other communications; (ii) the use, collection, retention, storage, security, disclosure, transfer, disposal, and other processing of Personal Data applicable to the processing of Client Personal Data under the Primary Agreement including but not limited to General Data Protection Regulation 2016/679 (“GDPR”), Federal Data Protection Act of 19 June 1992 (Switzerland), UK Data Protection Act 2018 and UK General Data Protection Regulation (UK GDPR), Japanese Act on the Protection of Personal Information (Act No. 57 of 2003 as amended in 2015) and any US state or federal laws or regulations pertaining to the collection, use, disclosure, security or protection of personal data, or to security breach notification, e.g. California Consumer Privacy Act of 2018 (“CCPA”) and California Privacy Rights Act of 2020 (“CPRA”); the Virginia Consumer Data Protection Act (the “VCDPA”), the Colorado Privacy Act (the “CPA”), the Connecticut Data Protection Act (the “CTDPA”), and/or the Utah Consumer Privacy Act (the “UCPA”) and binding guidance and / or codes of practice issued by the governments, a competent supervisory authority under applicable laws (as defined in the GDPR), or the European Data Protection Board.
  4. “Controller“, “Consent“, “Processor“, “Sub-Processor“, “Data Subject“, “Personal Data”, “Personal Information”, “Processing”, “Third Party” or similar terms shall have the meaning given under Applicable Data Protection Law. 
  5. “Controller Personal Data” means any Personal Data that is provided or made available by a Party to the other Party under the Primary Agreement in connection with the receiving Party’s use of the Controller Services. Unless prohibited by Applicable Data Protection Law, Personal Data shall not include information or data that is anonymized, aggregated, de-identified and/or compiled on a generic basis and which does not name or identify a specific person.
  6. “Controller Services” means the services as described in the Flex Client Terms of Service or the fully executed agreement for temporary staffing services, as applicable.
  7. “EEA” means the European Economic Area, the United Kingdom.
    “Process, Processing and Processed” means any operation or set of operations which is performed on Controller Personal Data or on subsets thereof, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  8. “Personal Data Breach” means an actual, confirmed breach of security of Controller Personal Data that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to such  Controller Personal Data transmitted, stored or otherwise processed by a Party under the terms of the Primary Agreement.
  9. “Primary Agreement” means Flex Client Terms of Service or the fully executed agreement for temporary staffing services, as applicable. 
  10. “Personnel” means all officers, directors and employees, independent contractors or service providers of a Party or its Affiliates.
  11. “Standard Contractual Clauses” means: (i) where the GDPR applies the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the “EU SCCs”); (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR (the “UK SCCs”); and (iii) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or otherwise recognized by the Swiss Federal Data Protection and Information Commissioner (“FDPIC”)(the “Swiss SCCs“).
  12. “Technical and Organizational Security measures” means those measures as set forth in Appendix B of this DSA, aimed at protecting Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
  13. “UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act 2018 and as amended by subsequent legislation.
    “UK SCCs Addendum” means the standard contractual clauses addendum issued by the UK Secretary of State for the transfer of Personal Data outside the UK and any amendment or replacement of such standard contractual clauses pursuant to Article 46(5) of the GDPR.

2. Role of the Parties

Each Party is an independent Controller of the Controller Personal Data that it collects or Processes pursuant to the Primary Agreement. Each Party shall be individually and separately responsible for complying with the obligations that apply to it as a Controller under Data Privacy Law. The Parties agree that they are not joint Controllers of any Controller Personal Data. Each Party will individually determine the purposes and means of its Processing of Controller Personal Data.

3. Obligations of the Parties

3.1 Each Party shall comply with all applicable requirements of Data Privacy Laws. Each Party represents and warrants at all times that: (i) it has the necessary right and authority to enter into this DSA and to perform its obligations herein; (ii) its execution and performance under this DSA and the Primary Agreement will not violate any agreement to which it is a party; (iii) it has provided all required information to Data Subjects including, where required, that Personal Data that may be passed to third parties for the purposes of the Primary Agreement; and that it has otherwise obtained any legally required consent to the collection, use and disclosure of Controller Personal Data to allow each Party to Process such Controller Personal Data in connection with the Controller Services.

3.2  Without limiting the foregoing, each Party will maintain a publicly-accessible privacy policy on its website that is in compliance with Data Privacy Laws.

3.3  Each Party will notify the other Party in writing of any action or instruction of the other Party under this DSA or the Primary Agreement which, in its opinion, infringes applicable Data Privacy Laws.

3.4  Subject to this DSA, each Party, acting as a Controller, may Process the Controller Personal Data in accordance with, and for the purposes permitted in, the Primary Agreement (the “Permitted Purposes”).

3.5  A Party that has made Controller Personal Data available to the other Party under the Primary Agreement (“Disclosing Party”) will have the right to: (i) inform the other Party (“Receiving Party”) that in their opinion that other Receiving Party’s uses of such Controller Personal Data is a inconsistent with the Disclosing Party’s obligations under and as required by Data Privacy Laws, and (ii) upon reasonable prior written notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of such Controller Personal Data under and as required by applicable Data Privacy Laws. The Receiving Party will notify the Disclosing Party if the Receiving Party determines that it can no longer meet its obligations under applicable Data Privacy Laws. Receiving Party acknowledges and agrees that it is receiving Controller Personal Data only for the limited and specified purposes set forth in the Primary Agreement. Receiving Party shall provide not less than the same level of privacy protection as is required by Data Privacy Laws for such Controller Personal Data.

3.6  Client shall not sell or share (as defined by CCPA) any Personal Data (as defined by CCPA).

4. Security and Confidentiality

Client shall implement appropriate technical and organisational measures to protect the Controller Personal Data from unauthorised, accidental or unlawful access, loss, disclosure or destruction. In the event that Client suffers a Personal Data Breach involving the Controller Personal Data, it shall notify Indeed Flex without undue delay, but in any event within seventy-two (72) hours of it confirming same, and shall cooperate in good faith to agree and take such measures as may be necessary to mitigate or remedy the effects of the Personal Data Breach. Client shall ensure that all of its personnel who have access to and/or Process Controller Personal Data are obliged to keep the Controller Personal Data confidential.

5. Transfers outside the EEA

5.1   Where the Controller Services involve the storage and/or Processing of Controller Personal Data which transfers Controller Personal Data out of the European Economic Area or the UK to a jurisdiction that is not an Adequate Country, and EU Data Protection Laws apply to the transfers of such data (“Transferred Personal Data”), both parties agree that such transfers shall be governed as follows:

    1. for data subjects located in the EEA, by the unchanged version of the standard contractual clauses in Commission Decision 2021/914/EU (MODULE ONE: Transfer Controller to Controller) as can be found at https://hrtechprivacy.com/c2cscc) (the “EU SCC”). For the purposes of entering the Standard Contractual Clauses: The optional Clause 7 shall apply.
    2. for data subjects located in the UK, by the EU SCC plus the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as can be found at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf (or as it may be amended or replaced) (the “UK Addendum”) also available here available at: https://hrtechprivacy.com/uk-scc;
    3. the EU SCC and if applicable the UK Addendum shall be incorporated into this DSA by reference and form an integral part of this DSA. For the purposes of the descriptions in the EU SCC and only as between the parties, Indeed Flex agrees that it is a “data exporter” and Client is the “data importer” under the EU SCC;
    4. the Appendices to this DSA provide the information required by Annexes I, II and III of the EU SCC and by the UK Addendum as set out in Appendix B to this DSA. The EU SCC may also be annexed to this DSA if appropriate.

5.2   The parties may store and Process Transferred Personal Data in the United States of America, the United Kingdom and/or any other country in which either party or any of its Processors maintains facilities so long as such party and any of its Processors:

    1. transfer such data via a valid legal mechanism such as the appropriate EU SCC and/or UK Addendum, or a UK International Data Transfer Agreement; and
    2. provide at least the same level of protection to such Transferred Personal Data as is required by such mechanism to ensure an adequate level of protection for such Transferred Personal Data in accordance with the requirements of European Data Protection Laws.

5.3   In the event of inconsistencies between the provisions of the EU SCC or UK Addendum and this DSA or other agreements between the parties, then the terms of the EU SCC or UK Addendum as applicable shall prevail.

5.4   If the EU SCC or UK Addendum are deemed invalid by a governmental or judicial entity with jurisdiction over Transferred Personal Data (e.g., the EU Court of Justice) or if such entity imposes additional rules and/or restrictions regarding such Transferred Personal Data, the parties agree to work in good faith to find an alternative and/or modified approach with respect to such Transferred Personal Data which is in compliance with European Data Protection Laws.

5.5   Where the European Commission or other relevant supervisory authority issues new, updated or replacement EU SCC, or the UK Addendum is updated or replaced, then Indeed Flex may notify Client in writing thereof and the parties shall replace the EU SCC or UK Addendum as appropriate and make any other necessary amendments to this DSA.

6. Data Subject Requests

Each Party is separately responsible for processing its own requests for Data Subjects to exercise their rights. With respect to requests from, or on behalf of Data Subjects to the Processing of Personal Data that is shared between the Parties, including requests to opt-out from the Sale of Personal Information pursuant to CCPA, the parties will collaborate to honor such objections or opt-out requests.

7. Compliance Cooperation

Both Parties agree to reasonably cooperate and assist each other in relation to any regulatory inquiry, complaint or investigation concerning the Controller Personal Data shared between the Parties.

8. Allocation of Costs

Each Party shall perform its obligations under this DSA at its own cost, except as otherwise specified herein.

9. Liability

9.1  Except for 9.2 below, the liability of the Parties under or in connection with this DSA will be subject to the exclusions and limitations of liability in the Primary Agreement.

9.2  The Parties agree that it shall each be separately liable for, inter alia, any costs, damages, fines, penalties that may arise from that Party’s failure to comply with Applicable  Data Protection Laws.

10. Severability

Each and every provision of this DSA is severable and distinct from the others and if at any time any provision of this is or becomes illegal, invalid or unenforceable in any respect under the law of any jurisdiction, that will not affect or impair the legality, validity or enforceability in that jurisdiction of any other provision of this DSA.

11. Governing Terms

11.1 This DSA represents the entire agreement between the Parties in relation to its subject-matter and all previous representations, agreements and statements are hereby excluded.

11.2 For avoidance of doubt and without prejudice to the rights of any data subjects thereunder, this DSA and any Standard Contractual Clauses (or other data transfer agreements) that the Parties or their affiliates may enter into in connection with the services provided pursuant to the Primary Agreement will be considered part of the Primary Agreement and the liability terms set forth in the Primary Agreement will apply to all claims arising thereunder.

11.3 In the event of any conflict or ambiguity between terms of this DSA and terms of the Primary Agreement, the terms of the DSA shall prevail. In the event of any conflict or ambiguity between terms of this DSA and terms of the Standard Contractual Clauses, the terms of the Standard Contractual Clauses shall prevail. All other terms and conditions within the Primary Agreement remain unchanged and in full force and effect.

12. Notices and Variation

All notices, consents, demands, and other communications required or permitted to be given by either Party under this DSA shall be in writing. No amendment to this DSA will be effective unless in writing and signed by both Parties.

13. Governing Law and Jurisdiction

The jurisdiction of this DSA shall be the jurisdiction of the Primary Agreement. In the event there is no jurisdiction clause in the Primary Agreement, any dispute or claim in connection with this DSA shall be governed by and construed in accordance with:

    1. in the case of the contracting Indeed Flex entity being in the US, the laws of the state of Texas,
    2. in the case of the contracting entity being in the UK, the laws of the United Kingdom;
    3. and in the case of the contracting Indeed Flex entity being outside the US or the UK, the laws of Ireland.

 

Appendix A

(Annex I of the Standard Contractual Clauses)

A. LIST OF PARTIES

  DATA EXPORTER(S):   DATA IMPORTER(S):
 Name: Syft Online Limited T/A Indeed Flex   Name: Client
 Address: 20 Farringdon Road, London, EC1M 3HE, UK   Address:  
Contact person’s name, position and contact details: Privacy Office: [email protected] Contact person’s name, position and contact details:  
Activities relevant to the data transferred under these Clauses: Indeed Flex offers business flexible staffing and workforce management services through the Indeed Flex website, web application, and mobile applications. The platform addresses key challenges such as scheduling, time and attendance, payroll, and staffing vendor management. Activities relevant to the data transferred under these Clauses: Client is looking to engage temporary staff on an ad-hoc basis to meet their particular requirements, such as covering events.
Signature:     Signature:    
Name (printed):    Name (printed):  
Date:   Date:   
Role:  Controller Role: Controller 

 

 

B. Descriptions of Transfer

Categories of data subjects whose personal data is transferred

The personal data transferred concern the following categories of data subjects: Indeed Flex employees (Flexers) engaged by the Client as external temporary staff as described in the Flex Client Terms of Service or fully executed staffing agreement (as applicable) and users of the Indeed Flex service.

The personal data processed by the Data Importer relates to employees of Indeed Flex (Flexers) who are engaged by the Client as external temporary staff.
Categories of data subjects whose personal data is transferred

Data relating to employees and users of Indeed Flex provided to the Data Importer by and at direction of Indeed Flex for the purposes of providing the Services under the Primary Agreement and may include the following categories of data:

X  Names             X  professional summary     X email addresses          X past jobs      X  postal addresses      X  experience    X telephone numbers     X role      X photographs        X  rating for role     X usernames   
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
Not Applicable
The frequency of the transfer (e.g. whether the data transfer is a one-off or continuous basis)
Continuous
Nature of processing
As set out in the Agreement unless otherwise required by law.
Purpose(s) of the data transfer and further processing
The Parties will process the Controller Personal Data as part of the Controller Services in accordance with the Primary Agreement
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
The applicable term of the Primary Agreement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
Not Applicable

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13 of the SCCs:
The competent supervisory authority, in accordance with Clause 13 of the EU SCCs, must be Irish Data Protection Commission
With respect to Personal Data to which the UK GDPR applies, the competent supervisory authority is the Information Commissioners Office (the “ICO”).
With respect to Personal Data to which the Swiss DPA applies, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.

 

APPENDIX B (UK Addendum)

UK STANDARD CONTRACTUAL CLAUSES

  1. The UK SCCs Addendum is available at: https://hrtechprivacy.com/uk-scc
  2. For the purposes of entering the UK SCCs Addendum:
    The information contained in Appendix A of this Addendum shall be deemed to apply to Tables 1, 2 and 3 of the UK Standard Contractual Clauses; and
    The information contained in Appendix C of this Addendum shall be deemed to apply to the final row (Annex II) of Table 3 of the UK Standard Contractual Clauses.

 

APPENDIX C

(Annex II of the Standard Contractual Clauses)
 Technical and Organisational Security Measures

In accordance with the DSA and the Primary Agreement, Client will adopt and maintain appropriate (including organizational and technical) security measures in dealing with Data (including but not limited to Personal Data) in order to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of any Data (including Personal Data), in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of Processing. In determining the technical and organizational security measures required under the DSA and the Primary Agreement, Client will take account of the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

Client  will, at a minimum, implement robust security measures, including encryption, access controls, and incident management policies, to protect data integrity and confidentiality.

INCIDENT MANAGEMENT – Client will conduct risk assessments, manage data incidents effectively, and report breaches involving Controller Personal Data within 48 hours.