Data Processing Agreement (DPA) – SalaryX, Inc.
This Data Processing Agreement (“Agreement” or “DPA”) is entered into between SalaryX, Inc., a Delaware corporation with its principal place of business at 128 Arch Street, Boston, MA 02110 (“Controller”), and its vendors, subcontractors, and service providers (“Processor”), including but not limited to Simplici, in connection with the provision of services under which Processor may process Personal Data on behalf of Controller.
1. Definitions
For purposes of this Agreement:
- “Controller” means SalaryX, Inc., which determines the purposes and means of the processing of Personal Data.
- “Processor” means any third party engaged by Controller to process Personal Data on its behalf.
- “Personal Data” means any information relating to an identified or identifiable natural person.
- “Processing” means any operation or set of operations performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- “Sub-processor” means any third party engaged by Processor to process Personal Data on behalf of Controller.
2. Purpose and Scope
Processor shall process Personal Data solely for the purpose of providing services to Controller as described in the underlying service agreements and only in accordance with the documented instructions of Controller. Processor shall not process Personal Data for any other purpose without the prior written consent of Controller.
3. Categories of Data and Data Subjects
The categories of Personal Data processed may include, but are not limited to:
- Identity information (name, address, date of birth, contact details)
- Employment-related data (work history, certifications, eligibility)
- Biometric identifiers (where applicable and with consent)
- Government-issued identifiers (e.g., SSN, driver’s license, passport)
- Background check and verification data
The categories of data subjects include employees, contractors, job applicants, and other individuals whose data is processed by Controller.
4. Obligations of Processor
Processor agrees to:
- Process Personal Data only on documented instructions from Controller.
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organizational security measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
- Assist Controller in fulfilling its obligations to respond to requests by data subjects under applicable laws.
- Notify Controller without undue delay after becoming aware of a Personal Data breach.
- Make available all information necessary to demonstrate compliance with this Agreement and applicable law.
5. Use of Sub-Processors
Processor may engage sub-processors to perform specific processing activities on behalf of Controller, provided that:
- Processor enters into a written agreement with each sub-processor imposing data protection obligations equivalent to those set out in this Agreement.
- Processor remains fully liable to Controller for the performance of the sub-processor’s obligations.
- Processor informs Controller of any intended changes concerning the addition or replacement of sub-processors.
6. Security and Compliance
Processor shall implement and maintain industry-standard technical and organizational security measures appropriate to the risk of processing. These measures shall include, but are not limited to:
- Encryption of Personal Data at rest and in transit
- Access control and authentication mechanisms
- Regular security assessments and vulnerability testing
- Logging and monitoring of processing activities
- Secure data deletion and disposal processes
7. Data Breach Notification
Processor shall notify Controller without undue delay and in no event later than 72 hours after becoming aware of a Personal Data breach. The notification shall include, at a minimum:
- A description of the nature of the breach
- Categories and approximate number of data subjects affected
- Categories and approximate number of Personal Data records affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate its possible adverse effects
8. Data Retention and Deletion
Processor shall retain Personal Data only for as long as necessary to fulfill the purpose of processing and in accordance with Controller’s documented instructions. Upon termination or expiration of the services, Processor shall, at Controller’s choice, return or securely delete all Personal Data, unless retention is required by applicable law.
9. Audit and Compliance
Controller or its appointed auditor may, on reasonable notice and during regular business hours, audit Processor’s compliance with this Agreement. Processor agrees to cooperate fully and provide necessary documentation and access to demonstrate compliance.
10. Liability
Each party shall be liable for damages arising from breaches of this Agreement to the extent such breaches are attributable to that party. Processor shall indemnify Controller against any claims, damages, or fines resulting from its failure to comply with its obligations under this Agreement.
11. Governing Law and Jurisdiction
This Agreement shall be governed by and construed in accordance with the laws of the State of Delaware, United States. Any disputes arising out of or relating to this Agreement shall be subject to the exclusive jurisdiction of the state and federal courts located in Delaware.
12. Contact Information
If you have any questions or concerns regarding this Agreement or the processing of Personal Data, please contact:
Privacy Office
SalaryX, Inc.
128 Arch Street, Boston, MA 02110
Email: Privacy@salaryx.co

