Kizuna Data Processing Addendum

Last Updated: December 11, 2025

This Data Processing Addendum (“DPA”) forms part of the Kizuna Platform Terms of Use or other written agreement between Kizuna Solutions Inc. (“Kizuna”) and the customer identified in that agreement (“Customer”) (together, the “Agreement”).

If there is any conflict between this DPA and the Agreement with respect to the Processing of Personal Data, this DPA will control to the extent of the conflict.

1. Scope and Relationship to the Agreement

1.1 Purpose. This DPA governs Kizuna’s Processing of Personal Data on behalf of Customer when Kizuna acts as a Processor or Service Provider in providing the Services under the Agreement.


1.2 Incorporation. This DPA is incorporated into and forms part of the Agreement. Capitalized terms used but not defined in this DPA have the meanings given in the Agreement or, where applicable, under Data Protection Laws.


1.3 Roles.
(a) For Personal Data that Customer or its providers submit to or route through the Platform (including Candidate Data and Report Artifacts), Customer is the Controller (or “Business” under applicable U.S. state privacy laws) and Kizuna is the Processor (or “Service Provider”).
(b) If Customer is itself a processor with respect to certain Personal Data, Customer represents that its relevant controller has authorized Customer to appoint Kizuna as a subprocessor and that the terms of this DPA are sufficient to flow down the controller’s requirements.


1.4 Independent Controller Activities. This DPA applies only to Processing where Kizuna acts as Processor/Service Provider. Where Kizuna independently determines purposes and means of Processing (for example, for Site analytics, account administration, security logging, or compliance with law), Kizuna acts as an independent controller as described in the Privacy Policy, and this DPA does not apply to those activities.

2. Definitions

For purposes of this DPA:


2.1 “Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including (as applicable) the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the UK GDPR and UK Data Protection Act 2018, the Swiss Federal Act on Data Protection, and any similar national or state privacy laws (such as the California Consumer Privacy Act as amended by the CPRA), in each case as amended or replaced from time to time.

2.2 “Personal Data” means any information relating to an identified or identifiable natural person that is Processed by Kizuna on behalf of Customer under the Agreement and is protected under Data Protection Laws.

2.3 “Processing,” “Controller,” “Processor,” “Data Subject,” “Personal Data Breach,” and “Supervisory Authority” have the meanings given to them in the GDPR.

2.4 “Customer Data” has the meaning given in the Agreement and includes the Personal Data that Kizuna Processes on behalf of Customer.

2.5 “Candidate” means an individual whose background-related records are processed in the Platform at Customer’s direction (for example, a job applicant, employee, contractor, or volunteer).

2.6 “Candidate Data” means Personal Data relating to Candidates that Customer or its providers submit to or route through the Platform, including Report Artifacts and Candidate Context submissions.

2.7 “Report Artifacts” means background-check files and related records that Customer or its providers make available to the Platform, such as PDFs, XML/JSON payloads, adjudication codes, offense descriptions, and court-record text. Report Artifacts are not created or furnished by Kizuna.

2.8 “Services” means the Platform and any related services provided by Kizuna under the Agreement.

2.9 “Subprocessor” means a third party engaged by Kizuna to Process Personal Data on Kizuna’s behalf in connection with the Services.

2.10 “Security Incident” means any confirmed unauthorized access to, or acquisition, disclosure, or loss of Customer Data processed by Kizuna in connection with the Agreement, and, for European Data, includes any “personal data breach” as defined in European Data Protection Laws.

2.11 “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for international transfers of personal data adopted by the European Commission in Decision (EU) 2021/914 (as amended, replaced, or superseded from time to time).

2.12 “UK Addendum / IDTA” means, as applicable, the UK International Data Transfer Addendum to the EU SCCs or the UK International Data Transfer Agreement (IDTA), as issued and updated by the UK Information Commissioner’s Office.

2.13 “Aggregated and De-identified Data” means data that has been derived from Customer Data and that has been aggregated and/or de-identified such that it cannot reasonably be used to identify any individual or Customer and is no longer Personal Data under Data Protection Laws.

3. Details of Processing and Instructions

3.1 Subject Matter. Kizuna Processes Personal Data only to provide the Services, including background-check workflow tools, risk and desistance scoring, policy execution, and related analytics and administrative functionality, as described in the Agreement and in Annex 1.

3.2 Duration. Processing lasts for the duration of the Subscription Term and any additional period during which Kizuna retains Personal Data in accordance with the Agreement, this DPA, and applicable law.

3.3 Nature and Purpose. Processing includes operations such as receiving, hosting, structuring, classifying, analyzing, scoring, aggregating, and displaying Personal Data in order to provide decision-support tools, workflows, and audit capabilities to Customer, as further described in Annex 1.

3.4 Categories of Data Subjects and Data. Categories of Data Subjects and Personal Data are described in Annex 1 (for example: Candidates, Customer personnel, and limited contact/usage information for Authorized Users).

3.5 Customer Instructions. Kizuna will Process Personal Data only on documented instructions from Customer, including:
(a) the Agreement and this DPA;
(b) Customer’s configuration and use of the Platform; and
(c) any other written instructions provided by Customer and accepted by Kizuna.

If Kizuna believes an instruction violates Data Protection Laws, it will inform Customer without undue delay and may decline to follow that instruction.

3.6 Aggregated and De-identified Data (Instruction). Kizuna may create and use Aggregated and/or De-identified Data derived from Customer Data for analytics, security, research, model evaluation, and product improvement, as described in the Agreement and Privacy Policy. Aggregated and De-identified Data will not be used to identify any individual or Customer, and, to the extent it no longer constitutes “personal data” or “personal information” under applicable Data Protection Laws, it falls outside the scope of this DPA. Customer expressly instructs and authorizes Kizuna to create and use such Aggregated and De-identified Data, including after termination of the Subscription Term.


4. Kizuna’s Obligations as Processor

4.1 Compliance with Laws. Kizuna will Process Personal Data in compliance with Data Protection Laws applicable to Kizuna’s role as Processor.

4.2 Confidentiality. Kizuna will ensure that persons authorized to Process Personal Data are bound by a duty of confidentiality (contractual or statutory) and receive appropriate training on data protection and security.

4.3 Security Measures. Taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of Processing, as well as the risks to Data Subjects, Kizuna will implement and maintain appropriate technical and organizational measures to protect Personal Data as described in Annex 2 and as required by Article 32 GDPR.


4.4 Security Incidents.
(a) Kizuna will notify Customer without undue delay after becoming aware of a Security Incident involving Personal Data.
(b) Such notice will include information reasonably available to Kizuna at the time to assist Customer in meeting any reporting obligations under Data Protection Laws.
(c) Kizuna will take reasonable steps to contain, investigate, and remediate any confirmed Security Incident and will reasonably cooperate with Customer in connection with any legally required notifications.

4.5 Assistance with Data Subject Rights. Taking into account the nature of the Processing, Kizuna will provide reasonable assistance, at Customer’s request, to enable Customer to respond to Data Subject requests to exercise rights under Data Protection Laws (for example, access, deletion, restriction, portability), to the extent such requests relate to Personal Data Processed by Kizuna.

4.6 Assistance with Impact Assessments. Kizuna will provide reasonable cooperation and assistance, at Customer’s request, with data protection impact assessments, privacy or algorithmic impact assessments, and prior consultations with Supervisory Authorities to the extent required by Data Protection Laws and only insofar as they relate to Kizuna’s Processing of Personal Data and the information available to Kizuna.

4.7 Records and Documentation. Kizuna will maintain records of its Processing activities as required by Article 30 GDPR, to the extent applicable to Kizuna, and will make such records available to Supervisory Authorities upon request.

4.8 No Sale or Cross-Context Advertising. In its capacity as Processor/Service Provider, Kizuna will not sell Personal Data or share it for cross-context behavioral advertising, as those terms are defined under applicable U.S. state privacy laws.


5. Customer’s Obligations

5.1 Lawful Instructions. Customer will ensure that its instructions to Kizuna regarding Personal Data are lawful and that the Processing contemplated by the Agreement and this DPA has a valid legal basis and complies with Data Protection Laws.

5.2 Notices and Consents. Customer is solely responsible for:
(a) providing all required notices to Data Subjects;
(b) obtaining any necessary consents, authorizations, or certifications; and
(c) ensuring it is entitled to transfer the Personal Data to Kizuna for Processing under the Agreement, including any obligations under employment, fair-chance, or sector-specific laws.


5.3 Accuracy and Lawfulness. Customer is responsible for the quality, accuracy, and lawfulness of Personal Data and for how it acquires Personal Data (including data from CRAs or other third-party providers).


5.4 Configuration and Deployment. Customer is solely responsible for its use of the Services, including:
(a) configurations, workflows, and decision logic;
(b) the weight or role of any risk/desistance outputs; and
(c) compliance with any laws governing automated decision tools or AI in hiring or employment in Customer’s deployment of the Services.


6. Subprocessors

6.1 Authorization. Customer provides Kizuna a general written authorization to engage Subprocessors to Process Personal Data in connection with the Services, subject to this Section 6 and Data Protection Laws.

6.2 Subprocessor List and Updates.
(a) Kizuna maintains a list of current Subprocessors on its public Subprocessors page (as referenced in the Privacy Policy and Platform Terms).
(b) Kizuna will update that page to reflect any intended addition or replacement of a Subprocessor and, where required by contract, will provide advance notice (for example, via email subscription or in-product notice) before Personal Data is Processed by the new Subprocessor.

6.3 Customer Objection. If Customer has a reasonable, documented basis to object to a new Subprocessor relating to data protection, Customer must notify Kizuna within the objection period stated on the Subprocessors page (or, if not stated, within thirty (30) days of notice). The parties will work in good faith to address the objection, for example by adjusting configuration or using a different Subprocessor. If the parties cannot reach a resolution, Customer may suspend or terminate the affected Services, as its sole remedy, subject to any applicable notice and refund provisions in the Agreement.

6.4 Flow-Down Obligations. Kizuna will impose written data protection terms on Subprocessors that are no less protective of Personal Data than this DPA, as required by Article 28(4) GDPR. Kizuna remains responsible for Subprocessors’ performance of their obligations to the same extent Kizuna would be responsible if performing the services directly.


7. International Data Transfers

7.1 General. Customer acknowledges that Kizuna is headquartered in the United States and that Personal Data may be Processed in the United States and other jurisdictions where Kizuna or its Subprocessors have operations, subject to appropriate safeguards under Data Protection Laws.

7.2 Transfers from the EEA/Switzerland.
(a) To the extent Kizuna Processes Personal Data subject to GDPR or the Swiss FADP in a country that does not provide an adequate level of protection (as determined by the European Commission or relevant authority), the parties agree that the Standard Contractual Clauses (Module 2: controller-to-processor) form part of this DPA by reference, with Customer as “data exporter” and Kizuna as “data importer”.
(b) Where Kizuna engages Subprocessors in such third countries, the relevant SCC module (typically Module 3: processor-to-processor) will apply between Kizuna and those Subprocessors, or equivalent protections will be put in place.
(c) The parties incorporate by reference the SCCs as published and updated by the European Commission; the annexes are deemed completed with the information in Annex 1 and Annex 2 of this DPA. If there is any direct conflict between the SCCs and this DPA, the SCCs will prevail for the relevant cross-border transfer.


7.3 Transfers from the United Kingdom. For Personal Data subject to UK GDPR that is transferred out of the UK to a country without adequacy, the parties agree that either:
(a) the UK Addendum to the EU SCCs; or
(b) the IDTA,

as issued and updated by the UK Information Commissioner’s Office, will apply (as selected by Kizuna acting reasonably) and is incorporated by reference into this DPA, with the tables/completion based on the information in Annex 1 and Annex 2.

7.4 Other Mechanisms. Nothing in this DPA prevents the parties from relying on additional or alternative transfer mechanisms recognized under Data Protection Laws (for example, adequacy decisions or certification schemes) where applicable.


8. Data Subject Requests and Government Requests

8.1 Requests from Data Subjects. If Kizuna receives a request directly from a Data Subject relating to Personal Data that Kizuna Processes on behalf of Customer, Kizuna will (where reasonably identifiable as Customer-related data) promptly notify Customer and, unless legally prohibited, direct the Data Subject to submit the request to Customer. Kizuna will not respond to such requests except on Customer’s documented instructions or where required by law.

Where a Data Subject Request relates to the accuracy or completeness of background-check content contained in a consumer report or similar source file, Kizuna will, where reasonably possible, direct the requester to Customer or the originating Consumer Reporting Agency, and Customer will be responsible for responding in accordance with the FCRA, DPPA, GLBA, and any applicable exemptions under state privacy laws. Kizuna is not responsible for correcting source data supplied by third-party providers.


8.2 Requests from Authorities. If a public authority (including law enforcement) demands access to Personal Data Processed on behalf of Customer, Kizuna will, unless prohibited by law, notify Customer promptly and will challenge unlawful or overbroad demands where reasonable under the circumstances. Kizuna will limit any disclosure to the minimum amount necessary to comply with applicable law.


9. Deletion or Return of Personal Data

9.1 End of Services. Within a reasonable period after termination or expiration of the Services (or earlier upon Customer’s written request), Kizuna will, at Customer’s choice and to the extent technically feasible:
(a) return Personal Data to Customer; or
(b) delete Personal Data,

in each case except where Kizuna is required by law to retain Personal Data.

9.2 Backups and Logs. For disaster recovery and security purposes, some Personal Data may remain in backups or logs for a limited retention period consistent with Kizuna’s internal retention schedules. During that period, Kizuna will continue to protect such data in accordance with this DPA and will not actively Process it except as necessary for security, compliance, or restoration from backup.

9.3 Aggregated/De-identified Data. Kizuna may retain and use Aggregated and De-identified Data derived from Customer Data after termination, provided that such data no longer identifies Customer or any Data Subject.


10. Audit and Information Rights

10.1 Documentation and Reports. Upon Customer’s reasonable request, Kizuna will make available information necessary to demonstrate compliance with this DPA, which may include:
(a) responses to reasonable security and privacy questionnaires;
(b) summaries of relevant policies; and
(c) third-party audit reports or certifications (for example, SOC 2, ISO 27001), where available.

10.2 Audits. To the extent required by Data Protection Laws, Customer (or an independent third-party auditor mandated by Customer) may conduct an audit, including inspection, of Kizuna’s relevant facilities, systems, and documentation that Process Personal Data, subject to the following conditions:
(a) audits occur no more than once in any twelve (12) month period, unless required by a Supervisory Authority or following a Security Incident;
(b) Customer provides at least thirty (30) days’ prior written notice with an audit plan;
(c) audits are conducted during normal business hours and in a manner that does not unreasonably interfere with Kizuna’s operations;
(d) auditors are bound by confidentiality obligations acceptable to Kizuna; and
(e) Customer bears all audit costs (unless the audit reveals a material breach by Kizuna).

Kizuna may satisfy audit obligations by providing current third-party audit reports and certifications where those provide substantially similar information.


11. U.S. State Privacy / Service Provider Terms

11.1 Service Provider / Processor Status. With respect to Personal Data subject to U.S. state consumer privacy laws (for example, CCPA/CPRA), Kizuna acts as a service provider or processor (as applicable) and will:
(a) Process such Personal Data solely for the business purposes described in the Agreement and this DPA;
(b) not sell or share such Personal Data;
(c) not retain, use, or disclose such Personal Data for any purpose other than performing the Services or as otherwise permitted by law; and
(d) not combine such Personal Data with Personal Data it receives from other sources except as permitted by those laws (for example, to detect security incidents or improve the Services).

Customer’s disclosure of Personal Data to Kizuna under the Agreement and this DPA is not a “sale” or “sharing” of Personal Data as those terms are defined under the CCPA/CPRA, because Kizuna acts solely as a service provider/processor and is contractually prohibited from using Personal Data for any purpose outside the direct business relationship with Customer.

11.2 Certifications. Kizuna certifies that it understands and will comply with the restrictions in Section 11.1 for Personal Data subject to such laws.


12. Miscellaneous

12.1 Order of Precedence. In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA prevails solely with respect to the Processing of Personal Data. In the event of a conflict between this DPA and the SCCs or UK Addendum/IDTA for a given cross-border transfer, the SCCs or UK Addendum/IDTA will control.

12.2 Amendments. Kizuna may update this DPA from time to time to reflect changes in Data Protection Laws or new transfer mechanisms. If an update materially diminishes Customer’s protections under this DPA, Kizuna will provide prior notice and, where required by law, obtain Customer’s consent or provide a right to object.

12.3 Survival. Kizuna’s obligations under this DPA will survive termination of the Agreement for so long as Kizuna Processes Personal Data on behalf of Customer.


Annex 1 – Details of Processing


  1. Data Exporter (Customer)

  • Identity: Customer (as defined in the Agreement).

  • Address: As specified in the applicable Order or Agreement.

  • Role: Controller (or Processor acting on behalf of a Controller).

  2. Data Importer (Kizuna)

  • Identity: Kizuna Solutions Inc.

  • Address: As set out on kizuna.solutions or in the Agreement.

  • Role: Processor / Service Provider.

  3. Subject Matter and Purpose of Processing

Kizuna Processes Personal Data solely as necessary to:

  • Provide decision-support software that helps Customers display, organize, and review background-check data and related Candidate context they already lawfully possess;

  • Execute Customer-configured adjudication policies, workflows, and documentation requirements (including individualized assessment notes and audit trails);

  • Generate and present derived insights or categorizations (for example, flags, groupings, or risk/desistance indicators) to support human review and consistent application of Customer policies;

  • Operate, secure, and troubleshoot the Platform (including logging, monitoring, and abuse/fraud prevention); and

  • Produce Aggregated and De-identified Data for analytics, model validation, security, and research, as described in the Agreement and Privacy Policy.

Kizuna does not independently collect public-record or credit data about Candidates and does not compile or furnish consumer reports; all background-check content is supplied by Customer or its third-party providers (such as CRAs).


  4. Duration of Processing


  • Processing occurs for the duration of the Subscription Term under the Agreement; and

  • For any additional retention period during which Kizuna stores Personal Data in accordance with the Agreement, this DPA, and applicable law (for example, limited backup/log retention and legally required record-keeping).

  5. Categories of Data Subjects

Depending on Customer’s use of the Services, Personal Data may relate to:


  • Candidates – individuals whose background-related records and context are processed in the Platform at Customer’s direction (e.g., job applicants, employees, contractors, volunteers).

  • Customer personnel / Authorized Users – Customer’s employees or contractors who administer or use the Platform (including admins, HR/staffing users, and integration/technical users).

  • Partner personnel – where a Reseller, CRA, or ATS/HRIS partner uses the Platform to support its own customers under a Partner or Reseller agreement.

  6. Categories of Personal Data

The exact data elements depend on Customer configuration and integrations, but typically include the following:


6.1 Candidate Data (Report Artifacts & Context)

  • Identifiers & contact data:

    • Name and aliases

    • Contact details (email, phone)

    • Customer-assigned candidate IDs and internal reference numbers

    • Limited identifiers in Report Artifacts (for example, partial dates of birth or government identifiers) where included in CRA reports and not redacted by Customer/CRA

  • Background-check content (Report Artifacts):

    • Criminal-history and court-record text, offense descriptions, and case-level metadata

    • Adjudication codes and result fields provided by the CRA or Customer

    • Verification results for employment, education, and other screening components where present in CRA-provided reports

    • PDF or structured report payloads (for example, JSON/XML) that Customer or its CRA partners upload or authorize Kizuna to fetch via integration

  • Candidate context & submissions:

    • Information Candidates voluntarily provide through Kizuna-hosted forms or portals at Customer’s request (for example, rehabilitation evidence, explanation of circumstances, or other contextual information about records)

  • Employer annotations & decision records:

    • Internal tags, notes, status labels, flags, and decision outcomes recorded by Customer

    • Policy IDs, workflow step metadata, timestamps, and user IDs associated with the review, documentation, and audit trail

  • Derived insights & inferences:

    • System-generated categorizations or signals based on Customer Data (for example, groupings of records, indicators related to potential risk/desistance, or cohort comparisons)

    • Aggregated and de-identified metrics about how Customer policies and workflows are configured and applied (used for analytics, model validation, and fairness research as described in the Agreement and Privacy Policy).

6.2 Authorized User / B2B Data

  • Account & identity data:

    • Name, business email, company, role/title, and account identifiers

  • Configuration content:

    • Adjudication rules, risk/scoring parameters, decision matrices, workflow templates, and communications scripts created or configured within the Platform

  • Integration credentials & technical data:

    • API keys, webhook tokens, OAuth tokens, and related configuration metadata for third-party integrations (for example, ATS/HRIS, CRA, SSO/IdP), as provided by Customer

  • Usage, diagnostics & security logs:

    • Log and event data about how Authorized Users and integrations interact with the Platform (for example, request metadata, page views, IP addresses, timestamps, feature activation, and error diagnostics), used for security, capacity planning, and product improvement.

6.3 Special Categories & Sensitive Personal Information

  • Kizuna does not require special categories of data (for example, health, union membership) for its own purposes and does not intentionally collect such data from Site or B2B users. These may appear only incidentally within CRA-generated Report Artifacts or Candidate Context submissions where Customer or its CRA has chosen to include them.

  • Sensitive identifiers (such as government ID numbers or partial dates of birth) may appear within Report Artifacts, primarily to support Customer’s background-check workflows. Kizuna practices data minimization and avoids storing full SSNs in logs, diagnostics, or AI prompts wherever feasible.

  • Account login credentials (usernames, hashed passwords, SSO/IdP identifiers, and related authentication tokens) for Platform and portal access are also considered sensitive and are used only for authentication, security, and access logging.

Customer is responsible for ensuring a lawful basis for any special categories or sensitive data it includes in Customer Data and for limiting such data to what is necessary for its use case.


  7. Frequency and Duration of Processing

  • Frequency: Continuous (as Customer and Authorized Users submit data, call APIs, or use the Platform).

  • Retention: For each category of Personal Data, Kizuna retains the data only for as long as reasonably necessary to provide the Services, comply with Customer’s documented retention instructions, and meet legal and audit obligations, consistent with the retention descriptions in Kizuna’s Privacy Policy and applicable Agreements.


Annex 2 – Technical and Organisational Security Measures


Kizuna maintains a written information security program with safeguards appropriate to the risk, which currently include:

  1. Access Control and Authentication

    • Role-based access control (RBAC) and least-privilege access to production systems.

    • Strong authentication for privileged access (for example, SSO and multi-factor authentication).

  2. Encryption

    • Encryption of Personal Data in transit over public networks (for example, TLS 1.2+).

    • Encryption of Personal Data at rest using industry-standard algorithms (for example, AES-256 or equivalent).

  3. Network and System Security

    • Use of reputable cloud infrastructure providers with robust physical and environmental security.

    • Network segmentation, firewalls, and security groups to restrict access.

    • Vulnerability management program, including regular patching and security assessments.

  4. Logging and Monitoring

    • Centralized logging of key system events and access to Customer Data.

    • Monitoring and alerting for suspicious activity or potential Security Incidents.

  5. Data Minimization and Segregation

    • Design choices that limit inclusion of full SSNs, full dates of birth, or full report PDFs in diagnostic logs and AI prompts to what is necessary for the requested operation.

    • Logical segregation of Customer environments within multi-tenant infrastructure.


  6. Business Continuity and Disaster Recovery

    • Regular backups of critical systems and data.

    • Disaster recovery procedures designed to restore service within reasonable timeframes following major incidents.

  7. Personnel and Training

    • Background checks on employees where legally permitted and appropriate for their role.

    • Ongoing security and privacy awareness training.

  8. Vendor and Subprocessor Management

    • Security and privacy due diligence for Subprocessors.

    • Contractual obligations requiring appropriate security safeguards and incident notification.

Kizuna may update these measures from time to time, provided that such updates do not materially reduce the overall level of protection for Personal Data.