CPRA Data Processing Addendum

CPRA Data Processing Addendum

This CPRA Data Processing Addendum (“CDPA”) replaces the CCPA Data Processing Addendum, amends the terms
and forms part of the Lever Terms of Service or other agreement governing your use of the applicable Lever cloud
product(s) (“Services”) (collectively, the “Agreement”) by and between you (the “Customer”) and Lever, Inc. (“Lever”). This
CDPA shall apply to “Personal Information” of a “Consumer” as those terms are defined under the California Privacy
Rights Act of 2020 (“CPRA”) (referred to hereafter as “Customer Data”), that Lever processes in the course of providing
Customer the Services under the Agreement.

This CDPA shall be effective the later of: (a) the date Lever receives a complete and executed CDPA from the Customer
indicated in the signature block below in accordance with the instructions under Sections 1 and 2 (the “Effective Date”) or
(b) January 1, 2023.

Lever understands the terms in this CDPA and agrees to comply with them. In the event of any conflict between the Order
Form, the CDPA and/or the Agreement, the following order of precedence shall apply (in descending order): (1) the CDPA
(if applicable), (2) the Agreement, and (3) the Order Form. There will be no force or effect to any different terms of any
related purchase order or similar form even if signed by the parties after the date hereof.

1 Instructions.
This CDPA has been pre-signed on behalf of Lever. To enter into this CDPA, Customer must:
1.1 Be a customer of the Services;
1.2 Complete the signature block below by signing and providing all items identified; and
1.3 Submit the completed and signed CDPA to Lever as instructed (either to privacy@employinc.com or to your
assigned Customer Success Manager).

2 Effectiveness
2.1 This CDPA will only be effective (as of the Effective Date) if executed and submitted to Lever accurately and in full
accordance with Section 1 above and this section. If you make any deletions or other revisions to this CDPA, it
will be null and void.
2.2 Customer signatory represents to Lever that he or she has the legal authority to bind the Customer and is lawfully
able to enter into contracts (e.g., is not a minor).
2.3 This CDPA will terminate automatically upon termination of the Agreement or as earlier terminated pursuant to the
terms of this CDPA.

3 Data Processing
3.1 Customer’s Role. The Customer is a for profit entity that determines the purpose and means of processing
Customer Data. Customer will provide Customer Data to Lever solely for the purpose of Lever performing the
Services.
3.2 Lever’s Role. Lever shall provide the Services and process any Customer Data in accordance with the
Agreement. Lever may not retain, use, or disclose Customer Data for any other purpose other than for providing
the Services and in performance of the Agreement.
3.3 Data Processing, Transfers and Sales. Lever will process Customer Data only as necessary to perform the
Services, and will not, under any circumstances, collect, use, retain, access, share, transfer, or otherwise process
Customer Data for any purpose not related to providing such Services. Lever will refrain from taking any action
that would cause any transfers of Customer Data to or from Lever to qualify as “selling personal information” as
that term is defined under the CCPA.
3.4 Sub-Service Providers. Notwithstanding the restrictions in Section 3.3, Customer agrees that Lever may engage
other Service Providers (as defined under the CCPA), to assist in providing the Services to Customer (“Sub-
Service Providers”). A list of Lever’s Sub-Service Providers can be found at www.lever.co/subprocessors.
3.5 Security. Lever will use commercially reasonable security procedures that are reasonably designed to maintain an
industry-standard level of security, prevent unauthorized access to and/or disclosure of Customer Data. An outline
of Lever’s minimum security standards can be found at https://www.lever.co/security-exhibit/.
3.6 Retention. Lever will retain Customer Data only for as long as the Customer deems it necessary for the permitted
purpose, or as required by applicable laws. At the termination of this CDPA, or upon Customer’s written request,
Lever will either destroy or return Customer Data to the Customer, unless legal obligations require storage of the
Customer Data.
3.7 Consumer Rights Requests. Lever provides Customer with tools to enable Customer to respond to a Consumer
Rights’ requests to exercise their rights under the Data Protection Laws. See https://help.lever.co/hc/en-
us/articles/360003802252-How-can-I-collect-respond-to-data-requests-in-Lever-. To the extent Customer is
unable to respond to Data Subject’s request using these tools, Lever will provide reasonable assistance to the
Customer in responding to the request.
3.8 Assistance with Consumers’ Rights Requests. If Lever, directly or indirectly, receives a request submitted by a
Consumer to exercise a right it has under the CCPA in relation to that Consumer’s Customer Data, it will provide
a copy of the request to the Customer. The Customer will be responsible for handling and communicating with
Consumers in relation to such requests.

4 Assessments & Third-Party Certifications
4.1 Impact Assessment Assistance. Taking into account the nature of the Processing and the information available,
Lever will provide assistance to Customer in complying with its obligations under Applicable Law (inclusive)
(which address obligations with regard to security, breach notifications, data risk assessments, and prior
consultation). Upon request, Lever will provide Customer a list of processing operations.
4.2 Certification/SOC Report. In addition to the information contained in this CDPA, upon Customer’s request, and
subject to the confidentiality obligations set forth in the Agreement place, Lever will make available the following
documents and information regarding the System and Organization Controls (SOC) 2 Report (or the reports or
other documentation describing the controls implemented by Lever that replace or are substantially equivalent to
the SOC 2), so that Customer can reasonably verify Lever’s compliance with its obligations under this CDPA.

5 Enforceability
5.1 Enforceability of the CDPA. Any provision of this CDPA that is prohibited or unenforceable shall be ineffective to
the extent of such prohibition or unenforceability without invaliding the remaining provisions hereof. The parties
will attempt to agree upon a valid and enforceable provision that is a reasonable substitute and shall then
incorporate such substitute provision into this CDPA.

6 Liability
6.1 To the extent permitted by applicable laws, liability arising from claims under this CDPA will be subject to the
terms of the Agreement.

7 Signatures
Facsimile or scanned signatures and signed facsimile or scanned copies of this CDPA shall legally bind the
parties to the same extent as originals. This DPA is executed, accepted and agreed by the authorized
representative party from Lever and Customer side as of the Effective Date per below:

Lever, Inc. (“Lever”)Customer: __________________
Signature: _________________________Signature: _________________________
Name: ____________________________Name: ____________________________
Title: _____________________________Title: _____________________________
Date: _____________________________Date: _____________________________
Email: _____________________________Email: _____________________________