- Master Subscription Agreement
- Service Level Agreement
- Sub-processor List
- Data Processing Addendum
- Technical and Organizational Measures
Data Processing Addendum
Effective as of: November 1, 2022
This Data Processing Addendum (“DPA”) supplements and is incorporated into the agreement referencing this DPA (“Agreement”) entered into by the applicable HackerRank entity (together with its Affiliates, “HackerRank”) and the customer entering into that Agreement (“Customer”) (HackerRank and Customer being the “parties” under this DPA). This DPA applies if and to the extent HackerRank processes personal data in connection with Customer’s use of the Services under the Agreement.
- “Data Protection Laws” means all data protection and privacy laws applicable to a party in its respective role with respect to personal data under the Agreement, including, where each is applicable: (i) the the California Consumer Privacy Act of 2018, as may be amended, including as amended by the California Privacy Right Act (“CCPA”); (ii) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (iii) the GDPR as it forms part of United Kingdom law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”) and the Data Protection Act 2018; (iv) the Swiss Federal Data Protection Act of 19 June 1992 and its ordinances; and (v) the laws of any state of the United States governing protection and/or privacy of personal data or personal information.
- “SCCs” means the standard contractual clauses for the transfer of personal data to third countries approved pursuant to Commission Decision (EU) 2021/914 of 4 June 2021, currently available at:
- “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data that is personal data transmitted, stored, or otherwise processed by HackerRank.
- “Services” means as defined in the Agreement.
- “Sub-processor” means any other processor engaged by HackerRank to process personal data in connection with the Services.
- “UK Addendum” means the UK Addendum to the SCCs, issued by the Information Commissioner's Office under s.119A(1) of the Data Protection Act 2018, currently available at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.
- Terms Defined by Law: As used in this DPA, the terms “controller,” “data subject,” “natural person,” “personal data,” “processing” (and derivatives thereof), “processor” and their equivalent terms used in applicable Data Protection Laws, will each have the meaning given to it by applicable Data Protection Laws or, if not defined by applicable Data Protection Laws, each will have the meaning given to it by the GDPR.
- Equivalent Terms: Where the CCPA or other Data Protection Laws that use the following terms apply to this DPA, references in this DPA to: “controller” includes “Business”; “processor” includes “Service Provider”; “data subject” includes “Consumer”; and “personal data” includes “Personal Information,” in each case as the latter is defined by the CCPA or the applicable Data Protection Law.
- Capitalized Terms: Capitalized terms not defined in this DPA will have the same meaning as in the Agreement.
2. Roles of the Parties
2.1. Controller and Processor. The parties acknowledge and agree that: (a) Customer will determine the purposes and means of the processing of personal data; (b) HackerRank will process personal data on behalf of Customer. To the extent applicable, for the purposes of GDPR, UK GDPR, and other Data Protection Laws using these terms, Customer is the “controller” of personal data and HackerRank is the “processor” of personal data on behalf of Customer. To the extent applicable, for the purposes of the CCPA, Customer is a "business" and HackerRank is the "service provider.”
2.2. Scope of DPA. DPA applies to, and references to personal data within this DPA refer to, personal data of which Customer is the controller and HackerRank is the processor.
3. Description of Processing
Schedule 1 (Details of Processing) of this DPA sets forth details of HackerRank’s processing of personal data.
4. Obligations of the Parties
4.1. Customer Instructions.
(a) HackerRank will process personal data only: (i) in accordance with Customer’s documented, reasonable, and lawful instructions; or (iii) as otherwise agreed upon by the parties or as required by applicable law and, if required by law, HackerRank will notify Customer in writing of that legal requirement before processing unless the law prohibits this on important grounds of public interest.
(b) The parties agree that the Agreement (including this DPA) and the performance of HackerRank’s obligations thereunder sets out Customer’s instructions to HackerRank for the processing of personal data and that processing outside the scope of the Agreement, if any, requires prior written agreement of the parties.
(c) HackerRank will immediately inform Customer if, in HackerRank’s opinion, processing instructions given by Customer infringe on applicable Data Protection Laws.
4.2. Purpose Limitation. HackerRank will process personal data only for the purpose of providing the Services to Customer as described in the Agreement, unless it receives further instructions from Customer.
5. Security of Processing
5.1. Technical and Organization Measures. HackerRank will implement at least the technical and organizational measures described at the following webpage (“Technical and Organizational Measures”) to ensure the security of personal data, which includes protecting personal data against Security Incidents:
5.2. Technical and Organizational Measures Assessment and Updates. In assessing the appropriate level of personal data security, the parties will take account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risks involved for the data subjects. The parties acknowledge and agree that Technical and Organizational Measures are subject to technical progress and development such that HackerRank may occasionally update or modify its Technical and Organizational Measures, provided that any update and/or modification does not materially diminish the overall security of the Services or the protection afforded to personal data.
5.3. Confidentiality of Processing. HackerRank will grant access to personal data to its personnel only to the extent necessary for implementing, managing, or monitoring the Services provided to Customer. HackerRank will ensure that its personnel authorized to process personal data have committed themselves to maintaining confidentiality or are under an appropriate statutory obligation of confidentiality with respect to personal data.
6. Sensitive Data
The Services are not intended for the processing of sensitive data, sensitive personal information, or special categories of personal data (as each is defined by applicable Data Protection Laws). Customer will not provide (or cause to be provided) any sensitive data, sensitive personal information, or special categories of personal data to HackerRank for processing under the Agreement, unless the parties otherwise agree in writing.
7. Documentation and Compliance
7.1. Compliance With Data Protection Laws. Each party will comply with and be able to demonstrate its compliance with all Data Protection Laws applicable to that party in its performance under this DPA.
7.2. Inquiry Response. HackerRank will deal promptly and adequately with inquiries from Customer about the processing of personal data.
7.3. Audit Rights. HackerRank will maintain and make available to Customer information reasonably necessary to demonstrate HackerRank’s compliance with this DPA. To the extent permitted by applicable Data Protection Laws, Customer may conduct an audit of processing under this DPA by itself or through an independent auditor (subject to reasonable confidentiality obligations) and Customer’s request, HackerRank will permit and contribute to audits of the processing activities covered by this DPA at reasonable intervals or if there are reasonable indications of HackerRank’s non-compliance with this DPA. Any audit under this DPA may be conducted upon at least 30 days prior written notice to HackerRank, at Customer’s sole expense, and during normal business hours. The parties will mutually agree in advance on the reasonable scope of any audit, including but not limited to, the audit start date, scope, duration, and applicable security controls.
7.4. Audit Terms. Customer may request an audit of processing activities conducted under this DPA, upon at least 30 days prior written notice to HackerRank. The parties will mutually agree in advance on the reasonable scope of any audit, including but not limited to, the audit start date, scope, duration, and applicable security controls. Audits will be conducted at Customer’s sole expense and during normal business hours. Any audits conducted in accordance with the SCC’s will be subject to the audit terms of this DPA.
8.1. General Authorization. HackerRank has Customer’s general authorization to engage the Sub-processors listed on HackerRank’s Sub-processor page, available at:
8.2. Sub-processor Changes. If HackerRank replaces or adds new Sub-processors, HackerRank will make commercially reasonable efforts to provide Customer with notice of the replacement or addition at least 30 days prior to, but will in any case provide notice at least 10 days prior to, the Sub-processor addition or replacement. HackerRank will provide notice by maintaining an updated list of Sub-processors on HackerRank’s Sub-processor page noted above and also by email if Customer subscribes to receive updates by email via the page noted above.
8.3. Sub-processor Objections. Customer may object to the appointment or replacement of a Sub-processor prior to the appointment or replacement, provided that the objection is in writing and based on reasonable grounds related to data protection. If Customer objects to the appointment of a new Sub-processor, HackerRank and Customer will discuss commercially reasonable alternative solutions in good faith. If the HackerRank and Customer cannot reach a resolution within 30 days after the date HackerRank receives Customer’s written objection, Customer may discontinue the use of the affected Services by providing written notice to HackerRank, without prejudice to fees owed for the time period unaffected by the discontinuation. If Customer does not raise an objection prior to HackerRank replacing or adding a Sub-processor, Customer will be deemed to have authorized the new Sub-processor.
8.4. Sub-processor Obligations. Where HackerRank engages Sub-processors, it will do so by way of a contract which imposes on the Sub-processor, in substance, the same personal data protection obligations as the ones imposed on HackerRank under this DPA. HackerRank will ensure that each Sub-processor complies with the obligations to which HackerRank is subject pursuant to this DPA and applicable Data Protection Laws.
8.5. Sub-processor Responsibility. HackerRank will remain fully responsible to Customer for the performance of the Sub-processor’s obligations in accordance with its contract with HackerRank.
9. International Transfers
9.1. Transfer of Data. HackerRank may transfer and process Customer personal data to and in the United States and anywhere else in the world where HackerRank, its Affiliates, or its Sub-processors maintain data processing operations. HackerRank will transfer personal data solely in performance of its obligations under the Agreement.
9.2. Transfer Mechanism; SCCs. If HackerRank transfers personal data to or through the Services, either directly or by onward transfer, from the European Economic Area or Switzerland to the United States or any country or recipient outside the European Economic Area or Switzerland that is not recognized by the European Commission (or, in the case of transfers from Switzerland, the competent authority for Switzerland) as providing an adequate level of protection to personal data, then that transfer will be governed by and made pursuant to the SCCs.
9.3. SCC Schedule. Schedule 2 to this DPA sets forth certain details of HackerRank’s processing of personal data in accordance with the SCCs, if and to the extent the SCCs apply.
10. Assistance to Customer
10.1. Notification of Data Subject Requests. HackerRank will promptly notify Customer of any request it receives from a data subject. HackerRank will not respond to the request itself except as reasonably appropriate (for example, to confirm receipt or direct the data subject to contact Customer) or as may be legally required or authorized by Customer.
10.2. Assistance. HackerRank will assist Customer in fulfilling Customer’s obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing, and in accordance with Customer’s lawful instructions.
10.3. Assessments and Consultations. Taking into account the nature of the processing and the information available to HackerRank in each case, HackerRank will assist Customer in complying with any of Customer’s obligations required by applicable Data Protection Laws with respect to the following: (a) the obligation to carry out an assessment of the impact of HackerRank’s processing of personal data; (b) the obligation to consult with regulatory authorities that may be required; and (c) the obligation to ensure that personal data is accurate and up to date.
10.4. Where HackerRank is a Controller. For clarity, nothing in the DPA will restrict or prevent HackerRank from responding to a data subject or data protection authority requests in relation to personal data for which HackerRank is a controller (as opposed to the processor).
11. Security Incidents
11.1. Security Incident Notification. If HackerRank becomes aware of a Security Incident, HackerRank will notify Customer without undue delay, and in any case, within seventy-two (72) hours after becoming aware of the Security Incident. HackerRank may send notification of a Security Incident by any notification means set forth in the Agreement or, in any case, by email to the administrator contact that Customer designates in Customer’s account within the Services.
11.2. Notification Details. HackerRank’s notification of a Security Incident will at least contain a description of:
(a) the nature of the Security Incident, including, where possible, the categories and approximate number of data subjects and records concerned;
(b) the details of a contact point where more information concerning the Security Incident can be obtained; and
(c) the likely consequences and the measures taken or proposed to be taken to address the Security Incident, including to mitigate its possible adverse effects.
If, and to the extent, HackerRank is not reasonably able to provide all the information at the same time, HackerRank’s initial notification will contain the information then available and it will provide further information without undue delay as it becomes available.
11.3. Reporting Assistance. HackerRank will provide reasonable assistance to Customer in the event Customer is required by applicable Data Protection Law to notify a regulatory authority or any data subjects impacted by a Security Incident.
11.4. Mitigation. HackerRank will take reasonable steps to investigate and, as necessary, address and mitigate an actual or threatened Security Incident. HackerRank’s notification or addressing of, or response to, a Security Incident will not be construed as an acknowledgment by HackerRank of any fault or liability with respect to the Security Incident.
12. Return or Deletion of Personal Data.
Following termination of the Agreement, HackerRank will, at the choice of Customer, delete or return to Customer all personal data processed by HackerRank, except to the extent applicable law requires the retention of any personal data. In the event Customer does not notify HackerRank of their preferred choice within 30 days following termination of the Agreement, HackerRank will dispose of Customer’s data in accordance with HackerRank’s standard data purge cycle. Until the personal data is deleted or returned, it will remain subject to the terms of this DPA.
13. Relationship to Agreement.
13.1. Governing Law. This DPA will be governed by, and construed in accordance with, the governing law of the Agreement, and any dispute between the HackerRank and Customer will be subject to the exclusive jurisdiction of the forum set forth on the Agreement, unless otherwise required by applicable Data Protection Laws.
13.2. Term. This DPA will remain in effect for as long as HackerRank processes personal data on behalf of Customer.
13.3. Order of Precedence. In the event of any conflict or inconsistency between this DPA and any other part of the Agreement, the provisions of first the SCCs and then of this DPA will prevail over any provisions of any documents of the Agreement to the contrary.
13.4. Agreement Unchanged. Except for any modifications to the Agreement as may be made by this DPA, the Agreement remains unchanged and in full force and effect.
13.5. No Third-Party Beneficiaries. No one other than the parties to this DPA and their successors and permitted assigns will have any right to enforce any terms of this DPA, but without prejudice to the rights available to data subjects under applicable Data Protection Laws or this DPA (including the SCCs).
14. Jurisdiction-Specific Terms
14.1. California. Where HackerRank’s processing of personal data is subject to the CCPA as personal information under the CCPA, the following terms will apply to supplement the DPA and will control over any conflicting provisions of the DPA:
(a) Each party will comply with its obligations under the CCPA.
(b) Any data subject rights and HackerRank’s obligations with respect to those data subject rights, as described in this DPA, also apply to Consumer rights under the CCPA.
(c) The parties intend for HackerRank’s provision of the Services and the exercise of its rights under the Agreement or as permitted by the CCPA to constitute a “business purpose” under the CCPA.
(d) HackerRank will not “sell” or “share” personal information, as each term is defined by the CCPA.
(e) HackerRank will not retain, use, or disclose personal information outside of the direct business relationship between HackerRank and Customer.
(f) HackerRank will not combine personal information controlled by Customer with personal information HackerRank receives from other customers, except as may permitted by the Agreement or applicable Data Protection Laws.
(g) HackerRank will take steps to ensure that Sub-processors or any other person engaged by HackerRank to assist in the processing of personal information are “Service Providers” under the CCPA, and HackerRank will enter into a written agreement with each service provider obligating the service provider to the applicable requirements under the CCPA.
(h) HackerRank will notify Customer if HackerRank makes a determination that it can no longer meet its obligations under the CCPA.
(i) Customer will have the right, upon notice to HackerRank, to take reasonable and appropriate steps to stop and remediate any unauthorized use of personal information and to help to ensure that HackerRank uses the personal information in a manner consistent with Customer’s obligations under the CCPA.
14.2. United Kingdom. Where HackerRank’s processing of personal data is subject to UK GDPR, the UK Addendum to the SCCs included with this DPA will apply.
DETAILS OF PROCESSING
|1. Categories of Data Subjects.||The categories of data subjects whose personal data may be processed are:
(a) Customer’s employees and contractors
(b) Candidates for employment invited to use the Services by Customer
(c) Other persons designated by Customer to use the Services in connection with Customer’s use under the Agreement
|2. Categories of Personal Data Processed.||HackerRank may process the following categories of personal data in providing the Services:
(a) Identifiers: Including first and last name, username, email address, business title, contact information, HackerRank password, country, and photograph if using certain features that provide for photographs.
(b) Internet or other electronic network activity information: Technical data to the extent relating to a data subject in the form of IP address and the features accessed and interactions taken with respect to the Services.
(c) Results: Results of a Candidates’ ranking or scoring to the extent they relate to a data subject in connection with use of features of the Services.
(d) Provided data: Any other personal data that a data subject provides to HackerRank when signing up for, using, or requesting support for the Services or that Customer requests the data subject provide in connection with Customer’s use of the Services (such as personal data Customer requests of a Candidate in connection with an assessment).
|3. Sensitive Data.||HackerRank does not intentionally, and the parties do not anticipate that HackerRank will, collect or process any “special categories of personal data” or “sensitive personal information” (as each is defined by applicable Data Protection Laws) in connection with the use or provision of the Services.|
|4. Nature of Processing||HackerRank will process personal data in connection with the provision of HackerRank Services as set forth in the Agreement.|
|5. Frequency and Duration of Processing||Personal data is processed on a continuous basis until the data is deleted or returned to Customer in accordance with the Agreement.|
DETAILS OF STANDARD CONTRACTUAL CLAUSES
1. Module 2 (Controller to Processor). For transfers of personal data where the SCCs apply, the SCCs will be deemed entered into (and incorporated into this DPA by this reference) and completed as follows:
- The “data exporter” is Customer; and
The “data importer” is HackerRank
- Module Two (Controller to Processor) of the SCCs will apply as set forth throughout the SCCs where Customer is a controller of personal data and HackerRank is the processor of personal data.
2. Specific Clauses. The following clauses of the SCCs will apply as set forth below:
- In Clause 7 of the SCCs, the Docking Clause will apply.
- In Clause 9 of the SCCs, Option 2 (general written authorization) will apply and the time period for prior notice of Sub-processor changes will be as set forth in Section 8.2 (Sub-processor Changes) of this DPA.
- In Clause 11 of the SCCs, the optional language will not apply.
- In Clause 17 of the SCCs, the SCCs will be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they will be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The parties agree that this will be the law of Ireland.
- In Clause 18(b) of SCCs, the parties agree that the courts of the EU Member State for resolution of disputes arising from the SCCs will be the courts of Ireland.
3. Appendix to SCCs. The Annexes to this DPA set forth information that populates the corresponding Annex to the SCCs.
A. LIST OF THE PARTIES:
Data Exporter: Customer
(i) Contact Information: The email address(es) designated by Customer as the administrator of Customer’s account within the Services.
(ii) Signature and Date: By entering into the Agreement, as of the Effective Date of the Agreement, Data Exporter is deemed to have signed the SCCs incorporated herein, including their Annexes.
(iii) Role: As set forth in Section 2 (Roles of the Parties) of this DPA.
Data Importer: Interviewstreet, Inc. d/b/a HackerRank
(i) Contact Information: HackerRank at email@example.com
(ii) Signature and Date: By entering into the Agreement, as of the Effective Date of the Agreement, Data Importer is deemed to have signed the SCCs incorporated herein, including their Annexes.
(iii) Role: As set forth in Section 2 (Roles of the Parties) of this DPA.
B. DESCRIPTION OF TRANSFER
The transfer of personal data is as described in Schedule 1 of this DPA.
C. SUPERVISORY AUTHORITY
(i) As applicable to the SCCs, the supervisory authority will be: (A) if Customer is established in an EU Member State, the supervisory authority responsible for ensuring Customer's compliance with the GDPR; or (B) if Customer is not established in an EU Member State but is within the extra-territorial scope of the GDPR, then (1) if Customer has appointed a representative, the supervisory authority of the EU Member State in which Customer's representative is established, or (2) if Customer has not appointed a representative, the supervisory authority of the EU Member State in which the data subjects are predominantly located.
(ii) With respect to personal data that is subject to the UK GDPR or Swiss DPA, the competent supervisory authority will be the UK Information Commissioner or the Swiss Federal Data Protection and Information Commissioner (as applicable).
ANNEX II: TECHNICAL AND ORGANIZATIONAL MEASURES
The technical and organizational measures are as described in the DPA.
ANNEX III: LIST OF SUB-PROCESSORS
The controller has authorized the use of the following sub-processors: As authorized by the DPA.
UK ADDENDUM PROVISIONS
Where HackerRank’s processing of personal data is subject to Data Protection Laws of the United Kingdom (including the UK GDPR and Data Protection Act of 2018), the SCC terms above in this Schedule will apply, as supplemented or modified by the UK Addendum, as follows:
Part 1 (Tables)
- Table 1: Parties. In Table 1 of the UK Addendum:
The party details are as set forth in the foregoing Annex I to the SCCs.
- Table 2: Selected SCCs, Modules, and Selected Clauses. In Table 2 of the UK Addendum:
The version of the Approved EU SCCs (as defined by the UK Addendum) which this UK Addendum is appended to, detailed below, including the Appendix Information: The SCCs made part of the agreement between the parties hereto.
- Table 3: Appendix Information. In Table 3 of the UK Addendum:
(i) The list of parties is set forth in the foregoing Annex I to the SCCs;
(ii) The description of the transfer is set forth in the foregoing Annex I to the SCCs;
(iii) The technical and organizational measures are set forth in the foregoing Annex II of the SCCs; and
(iv) The list of sub-processors is set forth in the foregoing Annex III to the SCCs.
- Table 4: Ending this Addendum when the Approved Addendum Changes. In Table 4 of the UK Addendum:
The option “neither party” will be deemed selected.
Part 2 (Mandatory Clauses)
The SCCs are deemed amended as set forth in Part 2 of the UK Addendum.