Data Processing Agreement

Learn more about Crystal's data processing agreement below.

(A) Crystal Project and the Customer entered into the Services Agreement (defined below) whereby Crystal Project agrees to provide certain Subscription Service which may require Crystal Project to process Customer Personal Data as a processor on behalf of the Customer. 

(B)  This Data Processing Agreement (“DPA”) sets out the terms, requirements, and conditions on which Crystal Project will process Customer Personal Data when providing its Subscription Service (as defined below).

IT IS HEREBY AGREED AS FOLLOWS:

1. DEFINITIONS AND INTERPRETATION

The following definitions and rules of interpretation apply in this DPA unless otherwise expressly specified.

1.1 Definitions:

  • Business Purposes: the purpose specifically identified in ANNEX A to this DPA.
  • Consent, controller, processor, data subject, personal data, supervisory authority, processing and appropriate technical and organisational measures: have the meanings given to them in the applicable Data Protection Legislation.
  • Crystal Project: Crystal Project, Inc. incorporated in Oregon, United States of America and having its principal place of business at 9450 SW Gemini Dr PMB 72836, Beaverton 97008, Oregon and any entity which directly or indirectly controls, is controlled by, or is under common control with Crystal Project, Inc.
  • Customer: means the person or entity using the Subscription Service and identified in the applicable statement or order form as the Crystal Project customer.
  • Customer Personal Data: (a) any personal data provided by the Customer to Crystal Project to allow Crystal Project or its sub-processors to provide the Subscription Service to the Customer or (b) any personal data accessed by or processed by Crystal Project or its sub-processors to provide the Subscription Service to the Customer.
  • Data Protection Legislation: all data protection and privacy legislation in force from time to time applicable to the respective party in its role in the processing of Customer Personal Data under the Services Agreement, including, where applicable, EU & UK Data Protection Legislation; and all other legislation and regulatory requirements in force from time to time which apply (including, without limitation, the privacy of electronic communications); and the guidance and codes of practice issued by the relevant regulatory authority and which are applicable to a party to this DPA.
  • EU & UK Data Protection Legislation: means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) ("GDPR") and (ii) the United Kingdom’s Data Protection Act 2018 and the GDPR as it forms part of the law of the United Kingdom (“UK GDPR”), including by virtue of Section 3 of the European Union (Withdrawal) Act 2018, as any of the foregoing may be amended from time to time.
  • Services Agreement: means the contract between Crystal Project and the Customer for the supply of the Subscription Service.
  • Subscription Service: means the services detailed in the Services Agreement.
  • Standard Clauses: means the EU SCCs and/or the UK IDTA, as well as any other contract-based mechanism for transfer of Personal Data permitted under EU & UK Data Protection Legislation.
  • EU SCCs: means the standard contractual clauses for the transfer of personal data to third countries approved pursuant to Commission Decision from time to time.
  • UK IDTA: means the international data transfer agreement issued by the UK Information Commissioner from time to time.
  • Users: Customer's employees, representatives, consultants, contractors or agents who are authorized to use the Subscription Service for the benefit of Customer and who have been supplied user identifications and passwords by Customer (or by Crystal Project at Customer’s request).

1.2    This DPA is subject to the terms of the Services Agreement and is incorporated into the Services Agreement. Interpretations and defined terms set forth in the Services Agreement apply to the interpretation of this DPA.

1.3    The Annexes form part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Annexes.

1.4    A reference to writing or written includes email but excludes fax.

1.5    In the case of conflict or ambiguity between:

a. any provision contained in the body of this DPA and any provision contained in the Annexes, the provision in the body of this DPA will prevail;

b. any of the provisions of this DPA and the provisions of the Services Agreement, the provisions of this DPA will prevail; and

c. any of the provisions of the Standard Clauses and this DPA, the Standard Clauses shall prevail.

2. ROLE OF THE PARTIES

2.1     The parties agree and acknowledge that for the purpose of the Data Protection Legislation:

a. the Customer is the controller of the Customer Personal Data;

b. Crystal Project is a processor of the Customer Personal Data when it processes the Customer Personal Data on behalf of the Customer for the Business Purposes; and

c. the Customer remains responsible for its compliance obligations under the Data Protection Legislation, including but not limited to, providing any required notices and obtaining any required consents, and for the written processing instructions it gives to Crystal Project.

2.2     By entering into the Services Agreement, the Customer agrees to the terms of this DPA.

3. PROCESSING OF CUSTOMER PERSONAL DATA

3.1    ANNEX A describes the subject matter and duration of the processing by Crystal Project, the nature and purpose of the processing by Crystal Project, and the types of personal data and categories of data subjects processed by Crystal Project.

3.2    Crystal Project will only process the Customer Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes (unless Crystal Project is required to process the Customer Personal Data by applicable law, in which case Crystal Project will inform the Customer in writing of that legal requirement before undertaking the processing required by applicable law, unless applicable law prohibits Crystal Project from notifying the Customer). This includes the transfer of Customer Personal Data to any country or territory, subject to adherence to the Standard Contractual Clauses (SCCs) in cases where such transfers are made to countries outside of the EU/EEA and the UK. This DPA sets out the documented instructions from the Customer, and any additional or alternative instructions shall be jointly agreed between the parties in writing. The Customer consents to the transfer of Customer Personal Data to any country or territory, as reasonably necessary for the provision of the Services as detailed in ANNEX A.

Crystal Project shall be responsible for taking the necessary steps, including but not limited to, having appropriate technical and organizational measures in place and entering into necessary agreements in compliance with the applicable Data Protection Legislation in case of such transfers.

3.3    Crystal Project will ensure that persons authorised to process the Customer Personal Data have committed themselves to appropriate obligations of confidentiality or are under an appropriate statutory obligation of confidentiality.

3.4    Crystal Project will assist the Customer, at the Customer’s sole cost and expense, by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the rights of data subjects.

3.5    Where applicable, Crystal Project will assist the Customer, at the Customer’s sole cost and expense, in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the UK GDPR taking into account the nature of processing and the information available to Crystal Project.

3.6 In the event of any transfer of Customer Personal Data from the European Union, the European Economic Area, and/or their member states, Switzerland and the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of Data Protection Legislation of the foregoing territories, such transfers shall be governed by the Standard Contractual Clauses (SCCs), as appropriate, to ensure that the level of data protection afforded to the data subjects is not undermined.

4. SECURITY

4.1    Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Crystal Project will implement the technical and organisational measures detailed at ANNEX B.

4.2    The Customer has assessed the level of security appropriate to the processing by Crystal Project and agrees that the security measures set out in ANNEX B are consistent with such assessment.

4.3    The Customer shall take appropriate technical and organisational measures to protect the security of the Customer Personal Data, including ensuring that Customer Personal Data is securely transferred to Crystal Project.

5. SUB-PROCESSORS

5.1     The Customer acknowledges and agrees that Crystal Project may engage sub-processors in connection with the provision of the Services.

5.2    Crystal Project will ensure that its contract with any sub-processor imposes on the sub-processor obligations that are substantially similar to the obligations to which Crystal Project is subject under this DPA.

5.3     A list of sub-processors, current as of the Effective Date, is detailed at ANNEX A. Crystal Project will notify the Customer prior to granting any sub-processor not detailed in ANNEX A access to the Customer Personal Data (and such notice may be sent by email, or may be made by way of general public notification on our website or through other reasonable public means) (“New Sub-Processor”).

5.4    If the Customer reasonably objects to Crystal Project’s use of a New Sub-Processor on justifiable grounds that this New Sub-Processor will not be able to comply with the terms of this DPA, the Customer shall notify Crystal Project in writing within ten (10) days after receipt of Crystal Project’s notice. Customer’s failure to object in writing within such time period shall constitute approval to use the New Sub-Processor. The Customer acknowledges that the inability to use a particular New Sub-Processor may result in delay in performing the Subscription Service and/or inability to perform the Subscription Service, or may require the fees payable for the Services to be increased, and accordingly the parties hereby agree that Crystal Project may, upon written notice to the Customer, terminate performance of the Subscription Service in whole or in part (and the Services Agreement) or increase the prices for delivery of the Subscription Service.

5.5    Crystal Project will be responsible for the material defaults of its sub-processors in the performance of obligations under this DPA.

6. INFORMATION AND AUDITS

6.1    Crystal Project agrees to:

a. make available to the Customer, at the Customer’s sole cost and expense, all information reasonably necessary to demonstrate compliance with the obligations laid down in this DPA; and

b. allow for and reasonably contribute to audits conducted by the Customer subject to the following requirements:

i. Customer must provide at least sixty (60) days’ written notice to Crystal Project of an intended audit;

ii. Customer may perform such audits once per year unless otherwise agreed between the parties in writing;

iii. Customer may use a third party to perform the audit on its behalf, provided the third party executes a confidentiality agreement acceptable to Crystal Project;

iv. audits must be conducted during regular business hours and must not unreasonably interfere with Crystal Project’s business activities;

v. Crystal Project shall not be required to breach any duties of confidentiality owed to its employees or any third parties; and

vi. the audits shall be conducted at the Customer’s sole cost and expense.

6.2     Crystal Project will inform the Customer if, in its opinion, an instruction from the Customer infringes Data Protection Legislation and this may prevent or hinder Crystal Project’s ability to comply with this Section 6.

7. TERM AND TERMINATION

7.1    This DPA shall have legal effect from the date on which the Services Agreement has become legally effective (“Effective Date”).

7.2     Subject to Sections 7.3 and 7.4, this DPA shall remain in full force and effect until:

a. the Services Agreement expires or is terminated; or

b. Crystal Project ceases to provide the Subscription Service; or

c. Crystal Project issues written notice of termination (the “Term”).

7.3    Without affecting any other right or remedy available to it, either party may terminate this DPA with immediate effect by giving written notice to the other party if the other party commits a material breach of any term of this DPA and (if such breach is remediable) fails to remedy that breach within a period of fourteen (14) days after being notified in writing to do so.

7.4     If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its obligations, the parties may agree to suspend the processing of the Customer Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Customer Personal Data processing into compliance with the Data Protection Legislation within one (1) month, either party may terminate this DPA and the Services Agreement on not less than thirty (30) working days’ written notice to the other party.

7.5     If applicable, the parties agree that this DPA supersedes, replaces and terminates any previous data processing agreement entered into between the parties with effect from the Effective Date.

8. DATA RETURN AND DESTRUCTION

8.1    At any point throughout the Term, individual Users can permanently delete their account and all Customer Personal Data stored on the account, via their account settings.

8.2    Upon cessation of the Subscription Service, the Customer may request deletion of User accounts and Customer Personal Data stored on such accounts.

8.3     Where applicable law, regulation or government requirements prevents Crystal Project from returning or destroying all or part of a User account or Customer Personal Data, Crystal Project shall not be required to do so.

9. CONTROLLER RESPONSIBILITIES

9.1    The Customer warrants, represents, acknowledges and agrees that:

a. the Customer shall comply with all applicable requirements of the Data Protection Legislation;

b. Crystal Project's expected use of the Customer Personal Data for the Business Purposes and as specifically instructed by the Customer shall at all times comply with the Data Protection Legislation;

c. the Customer shall have sole responsibility for the Customer Personal Data shared with Crystal Project, including but not limited to, its accuracy, reliability, availability and ongoing security;

d. the transfer and sharing of the Customer Personal Data with/to Crystal Project is lawful and the Customer has a legal basis under the Data Protection Legislation for the transfer and sharing of the Customer Personal Data with Crystal Project, including, but not limited to, collecting and maintaining valid consents where relevant;

e. it shall promptly notify Crystal Project of any action Crystal Project must take to assist it with ensuring compliance with its obligations under Data Protection Legislation, including with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; and

f. the Customer Personal Data is necessary, adequate, relevant, accurate and up-to-date and it will notify Crystal Project promptly of any changes to the Customer Personal Data.

9.2     This Section 9 is in addition to, and does not relieve, remove or replace, the Customer of its obligations and liabilities under the Data Protection Legislation.

9.3    The Customer shall indemnify and hereby does indemnify Crystal Project against all costs, claims, damages or expenses incurred by Crystal Project or for which Crystal Project may become liable due to any failure by the Customer to fulfill its obligations under this DPA and/or the Data Protection Legislation. Notwithstanding the foregoing, the total liability of the Customer under this Section 9.3 shall be limited to the amount equivalent to the fees paid by the Customer to Crystal Project under the Services Agreement in the twelve (12) months preceding the claim. Any limitation of liability set forth in the Services Agreement will not apply to this Section 9.3, except for the aforementioned cap on liability as stated in this Section.

9.4    Crystal Project’s total liability to the Customer shall not exceed the total value of the fees paid for the Subscription Service in the twelve (12) month period immediately preceding the date of any incident resulting in a claim. Crystal Project shall not be liable to the Customer for any indirect or consequential damage or loss suffered by the Customer that arises under or in connection with this DPA. Nothing in this DPA shall operate to exclude or limit either party’s liability for any liability which cannot be excluded or limited under applicable law.

10. GENERAL

10.1     No variation of this DPA shall be effective unless it is in writing and signed by Crystal Project or its authorized representatives.

10.2    This DPA will be governed by and construed in accordance with the governing law and jurisdiction provisions within the Services Agreement; provided, however, that to the extent of a conflict between the foregoing and the Standard Clauses, the Standard Clauses shall control with respect to matters that are covered by those Standard Clauses.

Annex A - Processing details and instructions from Customer

Subject matter of processing: Until the Customer deletes all User accounts and/or requests that Crystal Project completes such deletion.

Duration of processing: Until the Customer deletes all User accounts and/or requests that Crystal Project completes such deletion.

Purpose(s) of processing: To allow Crystal Project to provide the Subscription Service to and on behalf of the Customer, including without limitation, to enable the Customer and the Users to use the Crystal SaaS platform, which provides on-demand personality profiles, insights, and coaching for Customers and Users. Crystal personality profiles are created in two ways: (a) personality types are assessed using traditional personality questionnaires (i.e. DISC, Strengths, Myers-Briggs, Enneagram); and (b) personality types are predicted using machine-learning-enabled analysis of text samples (e.g. a person’s writing style), job experience, and other publicly available data.

Nature of processing: All processing required to provide the Subscription Service, including in particular: (a) analysis of text samples, based on writing style and content within the samples, and related personal data, using natural language processing technology; (b) the collection and analysis of publicly available Back End Data (defined below) when requested by the Customer; (c) analysis of assessment responses using predictive statistical models; (d) hosting of User accounts and personality profiles stored in such User accounts via our hosting provider (described below); (e) creation and deletion of User accounts and personality profiles stored in such User accounts.

Type of personal data: All types of Customer Personal Data required to provide the Subscription Service, including: names; contact information; job title/role; employers; bios; text samples which are publicly available or provided by the Customer; LinkedIn URL (if relevant); email address (if relevant); responses to assessments.

The predictions mainly use and analyse personal data that is of a corporate, business or professional nature (e.g. the types of information available on a LinkedIn profile) rather than personal data that is of a sensitive nature or related to the respondent’s private life outside of their profession.

The assessments mainly pose questions to respondents in the form of high-level and general statements, and therefore the questions asked are not specific to the individual’s private life and are not intrusive. Additionally, the respondent’s answer to each statement is given by selecting from a multiple-choice list of answers (a sliding scale between ‘strongly agree’ and ‘strongly disagree’) without any additional information being captured.

There is the option for our Customers to use additional Back End Data when conducting predictions. This Back End Data is derived from publicly available sources as collected by sub-processors, and the personal data categories which make up such Back End Data are: job, company, work history, industries, interests, skills, experience.

Categories of data subject: Respondents to assessments, respondents to predictions, Users.

The Crystal platform allows Users to run assessments with email invitations and unique links. When a person completes the assessment, they are considered an assessment respondent.

The Crystal platform provides functionality for Users to generate predictions for individuals based on text analysis. When a person is subject to a prediction, they are considered a prediction respondent.

Approved Sub-Processors

Name, role and location of each sub-processor:

  • People Data Labs: aggregates and returns publicly available data via API (https://docs.peopledatalabs.com/docs/data-sources). Supplier is based in the US.
  • Coresignal: aggregates and returns publicly available data via API (https://coresignal.com/data-transparency/). Supplier is based in the US.
  • Amazon Web Services: hosting provider. Data centers based in the US.

Approved International Transfers

Customer instructs Crystal Project (and authorises Crystal Project to instruct each sub-processor) to transfer Customer Personal Data to any country or territory, as reasonably necessary for the provision of the Services (including outwith the UK or EEA). Without limitation to the generality of the foregoing sentence, the Customer instructs Crystal Project to transfer the Customer Personal Data to those sub-processors listed in this ANNEX A.

If any personal data transfer between the Customer and Crystal Project requires execution of Standard Clauses in order to comply with the EU & UK Data Protection Legislation, the parties will complete all relevant details in and execute appropriate Standard Clauses which shall form part of this DPA.

Annex B – Approved Security Measures

  1. Crystal Project personnel have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  2. Crystal Project personnel receive regular and appropriate training on data protection matters;
  3. Crystal Project maintains written internal policies on data protection and security matters, including: access control, data management, information security roles and responsibilities, operations security;
  4. Crystal Project uses anti-malware protections, firewalls and anti-virus protections;
  5. Crystal Project uses separation of development, staging and production environments;
  6. Crystal Project uses back-ups;
  7. Crystal Project uses penetration testing.