
MSA Privacy Language

Last updated: June 26, 2026

Data Protection Addendum

Customer and G-P are Parties to a Master Agreement or to an agreement of similar nature and purpose (hereinafter “Master Agreement”). This DPA supplements the terms and conditions in the Master Agreement and is incorporated therein. In the event of a conflict between this DPA and any other agreement between the Parties on the issues set forth herein, this DPA shall prevail. If Customer already has an executed data protection addendum in effect with G-P, then that agreement shall prevail over this DPA, and this DPA shall have no force or effect, unless otherwise agreed in writing by Customer and G-P.


1. DEFINITIONS

Terms not defined herein have the meaning given to them in the Master Agreement. The following words in this DPA have the following meanings:
1.1 “Authorized User” means an individual permitted by Customer, who may be a Customer’s employee and/or contractor, to access and use the GPP on behalf of the Customer, pursuant to the execution of the Master Agreement.
1.2 “Customer Data” means any Personal Data related to any Authorized User or identifiable natural person that is transferred, processed, or stored by G-P on behalf of Customer in connection with the Services for the use of the GPP by the Customer.
1.3 “Data Protection Laws” means any data protection and privacy laws to which a party to this Agreement is subject and which are applicable to the Services provided, including where applicable, but not limited to, GDPR, UK GDPR, Swiss Data Protection Laws, US Privacy Laws (including state and federal laws), and Brazil LGPD.
1.4 “EOR” means Employer of Record.
1.5 “GDPR” means the General Data Protection Regulation (EU) 2016/679.
1.6 “GPP” means G-P’s proprietary software, including without limitation the software, the mobile version, any software contained therein, and any data made available through the use of either G-P’s proprietary software or the third party services, including their updates, upgrades, platform as a service and documentation.
1.7 “EEA” means the European Economic Area.
1.8 “LGPD” means Brazilian Law No. 13,709, the General Personal Data Protection Law, as it may be amended, superseded or replaced.
1.9 “Privacy Policy” means G-P’s privacy policy, as updated from time to time, available at
1.10 “Professionals’ Data” means Professionals’ Personal Data processed by G-P in the course of the provision of EOR services to Customer.
1.11 “Restricted Transfer” means any transfer of Personal Data to a country outside the EEA, the United Kingdom, Switzerland or Brazil that is not subject to an adequacy decision under the applicable Data Protection Laws, and therefore requires appropriate safeguards under applicable Data Protection Laws.
1.12 “Services” means the services to be provided by G-P to the Customer under the Master Agreement, which may include the provision of EOR services and the access and use of GPP.
1.13 “Standard Contractual Clauses” or “SCCs” mean (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at (“EU SCCs”); (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR, meaning the International Data Transfer Addendum (“UK Addendum”) to the EU Standard Contractual Clauses issued by the Information Commissioner’s Office under s.119A(1) of the Data Protection Act 2018, as such UK Addendum may be revised under Section 18 therein (“UK SCCs”); (iii) where the Swiss Data Protection Laws apply, the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner (the “Swiss SCCs”); and (iv) where the Brazilian LGPD applies, the applicable standard contractual clauses attached to Resolution CD/ANPD No. 19/2024 promulgated by the Brazilian National Data Protection Authority (“ANPD”), as they may be amended from time to time (“Brazil SCCs”).
1.14 “Swiss Data Protection Laws” or “FADP” means (i) the Swiss Federal Data Protection Act (“FDPA”); (ii) the Ordinance on the Federal Act on Data Protection (“FODP”); and (iii) any national data protection laws made under, pursuant to, replacing or succeeding any of the foregoing, and any legislation replacing or updating any of the foregoing.
1.15 “UK Addendum” means the United Kingdom international data transfer addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner.
1.16 “UK Data Protection Laws” mean the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2019 (“UK GDPR”) and the Data Protection Act 2018 (together, “UK Data Protection Laws”).
1.17 “US Privacy Laws” means applicable United States (US) state laws, orders, regulations and regulatory guidance relating to the Processing of Personal Data, including without limitation: (a) the CCPA; (b) Virginia’s Consumer Data Protection Act; (c) the Colorado Privacy Act; (d) Connecticut’s Act Concerning Data Privacy and Online Monitoring; (e) the Utah Consumer Privacy Act; and (f) all similar state laws.
1.18 “Controller”, “Data Subject”, “Personal Data”, “Personal Information”, “Data Breach”, “Processor”, “Process/Processing”, “Restricted Transfer”, “Service Provider” and/or any other similar terms and concepts shall have the meaning defined in the Data Protection Laws.


2. INDEPENDENT CONTROLLER - CONTROLLER RELATIONSHIP

2.1 Roles of the Parties. When G-P provides the Customer with EOR services, G-P assumes the role of the legal employer for any individuals selected by the Customer (“Professional(s)”) to be hired. With regard to such Professionals’ Personal Data, G-P is an independent Controller during the course of the employment relationship. Regarding Professionals’ Personal Data collected and used by the Customer for its own purposes, Customer is also an independent Controller with independent privacy obligations. When delivering the EOR services, the exchange of Professionals’ Personal Data between G-P and the Customer is under an independent Controller-to-Controller relationship and the provisions of this section 2 (“Independent Controller-Controller Relationship”) shall apply. In no event will the Parties Process Personal Data under this DPA as joint Controllers.
2.2 Responsibilities and Acknowledgements. The Parties in their capacity as Controllers shall:
2.2.1 Comply with the applicable Data Protection Laws in relation to the Processing of Professionals’ Personal Data.
2.2.2 Process and share the Professionals’ Personal Data fairly and lawfully for the purpose of (as the case may be) performing or receiving the EOR Services for its own legitimate interests.
2.2.3 Ensure a lawful Processing ground applies to any sharing of Professionals’ Personal Data between the Parties.
2.2.4 Assist each other in complying with their respective obligations under Data Protection Laws, including, but not limited to, assisting each other if a Data Breach occurs and responding to Data Subjects’ and/or regulators’ requests.


3. CONTROLLER – PROCESSOR RELATIONSHIP

3.1 Roles of the Parties. G-P also offers various software as a service products via GPP, through which G-P enables Customer to manage the relationship with those Professionals. When G-P provides Customer with access to GPP, G-P is the Processor for the account-related Personal Data uploaded to the GPP by the Customer’s appointed Authorized Users of GPP, the Customer is the Controller of such data, and the provisions of this section 3 (“Controller-Processor Relationship”) shall apply.
3.2 Instructions. G-P will process Customer Data in accordance with Customer’s documented instructions. Customer agrees that this DPA, the Master Agreement, and Annex I attached hereunder comprise Customer’s complete instructions to G-P regarding the Processing of Customer Data. Any additional or alternate instructions must be agreed between the Parties in writing, including the costs (if any) associated with complying with such instructions. Customer will ensure that its instructions comply with applicable Data Protection Laws. Customer acknowledges that G-P is not responsible for determining which laws are applicable to Customer’s business. Customer will ensure that G-P’s Processing of Customer Data, when done in accordance with Customer’s instructions, will not cause G-P to violate any applicable law, including applicable Data Protection Laws. However, if G-P is of the opinion that a Customer instruction infringes applicable Data Protection Laws, G-P shall notify Customer as soon as reasonably practicable and shall not be required to comply with such infringing instruction.
3.3 Details of Processing. The subject matter, duration, nature and purpose of the Processing, and the types of Customer Data and Data Subjects, are detailed in Annex I.
3.4 Compliance. Customer and G-P agree to comply with their respective obligations under Data Protection Laws applicable to the Customer Data that is Processed as specified in Annex I. Customer has sole responsibility for complying with Data Protection Laws regarding the lawfulness of the Processing of Customer Data prior to disclosing, transferring, or otherwise making available any Customer Data to G-P. For the avoidance of doubt, in all cases, Customer shall obtain, where required, any consents from the Data Subjects for G-P to Process Customer Data as directed by Customer.
3.5 Subprocessors. Customer authorizes G-P to appoint and use Processors (“Subprocessors”) to Process the Customer Data in connection with the Services. Subprocessors may include third parties or any member of the G-P group of companies. G-P may continue to use those Subprocessors already engaged by G-P as of the date of this DPA, and a list of such Subprocessors is available in Annex III attached hereunder. Where a Subprocessor fails to fulfil its data protection obligations as specified above, G-P shall be liable to the Customer for the performance of the Subprocessor’s obligations. G-P shall notify Customer of any changes to its list of Subprocessors through GPP. If, within 10 (ten) days of the receipt of that notice, Customer legitimately objects to the addition or removal of a Subprocessor on data protection grounds and G-P cannot reasonably accommodate Customer’s objection, the Parties will discuss Customer’s concerns in good faith with a view to resolving the matter.
3.6 Technical and Organizational Security Measures. Taking into account industry standards, the costs of implementation, the nature, scope, context and purposes of the Processing, and any other relevant circumstances relating to the Processing of the Customer Data, G-P shall implement appropriate technical and organizational security measures to ensure that the security, confidentiality, integrity, availability and resilience of the processing systems and services involved in the Processing of the Customer Data are commensurate with the risk in respect of such Customer Data, as detailed in Annex II attached hereto. G-P will periodically (i) test and monitor the effectiveness of its safeguards, controls, systems and procedures and (ii) identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of the Customer Data, and ensure these risks are addressed.
3.7 Confidentiality. G-P shall ensure that persons authorized to access Customer Data (i) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and (ii) access Customer Data only on G-P’s written instructions, unless required to do so by applicable law.
3.8 Personal Data Breach. G-P will notify the Customer without undue delay after becoming aware of a Data Breach in relation to the Processing of Customer Data and will use reasonable efforts to assist the Customer in mitigating, where possible, the adverse effects of any Data Breach.
3.9 Deletion of Personal Data. Upon termination of the Services (for whatever reason), G-P shall, as soon as reasonably practicable, return or delete the Customer Data stored in GPP, unless applicable law requires the Customer Data to be stored for a longer period. For such retention, the provisions of this DPA shall continue to apply to such Customer Data.
3.10 Data Subject Requests. G-P shall promptly inform Customer of any Data Subjects’ requests regarding Customer Data. Customer is responsible for responding to such requests. G-P will reasonably assist Customer to respond to such Data Subject requests to the extent that Customer is unable to access the relevant Customer Data in its use of the GPP.
3.11 Third-Party Requests. If G-P receives any request from a third party, or any order from a court of competent jurisdiction, tribunal, regulator or governmental body, with which G-P is required to comply and which relates to the Processing of Customer Data under this Agreement, G-P will promptly forward the request to Customer. Unless compelled by law, G-P will not respond to such a request without Customer’s prior authorization. Unless prohibited by law, G-P will notify Customer before disclosing Customer Data and will reasonably cooperate with Customer to limit the scope of such disclosure to what is required by law.
3.12 Data Protection Impact Assessment and Prior Consultation. To the extent required by Data Protection Laws, G-P shall provide Customer with reasonable assistance in carrying out data protection impact assessments concerning the Processing of Customer Data by G-P and/or any necessary prior consultation with a supervisory authority. G-P reserves the right to charge Customer a reasonable fee for providing such assistance.
3.13 Audit. Customer may audit G-P’s compliance with this DPA and Data Protection Laws by requesting a certificate issued for security verification reflecting the outcome of an audit conducted by a third party auditor (e.g., ISO 27001 certification, SOC 2 certificate), within twelve (12) months as of the date of Customer’s request. Alternatively, in the event the documentation provided subject to this Section 3.13 is not sufficient for the purpose of demonstrating compliance, the Customer may conduct its own audit in addition to the provided third party certifications or reports, provided that such audit shall be conducted: i) no more than once per each 12 (twelve) month period; ii) during normal business hours and without disrupting G-P’s day-to-day business; iii) with thirty (30) days’ prior written notice; iv) at the Customer’s sole expense; v) based upon mutually agreed parameters and scope, limited to the specific scope of services, systems in use and/or Processing activities contemplated hereunder; vi) on a mutually agreed date, subject to reasonable postponement by Customer upon G-P’s reasonable request; and vii) in accordance with all confidentiality obligations and restrictions. Notwithstanding the foregoing, no audit right is granted after termination of the Master Agreement, except for legal obligations that will have to be demonstrated by the Customer. Any third-party representative selected to perform an audit on behalf of Customer must not have an ownership interest in or affiliation with an EOR services company, agency, a related organization or consultant.
Nothing in this DPA will require G-P to either disclose to Customer or its third-party auditor, or to allow Customer or its third-party auditor to access: (i) any data of any other G-P customer; (ii) G-P’s internal accounting or financial information; (iii) any trade secret of G-P or its affiliates; (iv) any information that, in G-P’s reasonable opinion, could compromise the security of any G-P systems or cause any breach of its obligations under applicable law or its security or privacy obligations to any third party; or (v) any information that Customer or its third-party auditor seeks to access for any reason other than the good faith fulfillment of Customer’s obligations under the Data Protection Laws.
3.14 US Privacy Laws. Under this section 3, the Parties agree that G-P is a “Service Provider” or “Processor” as such terms are defined under applicable US Privacy Laws. Accordingly, to the extent US Privacy Laws apply to the Processing of Customer Data by G-P, G-P shall not (a) retain, use, or disclose any Customer Data outside the direct business relationship between G-P and Customer, or for any purpose other than the purpose set out in Annex I attached hereto, and G-P shall Process Customer Data only as long as it provides services to the Customer; (b) sell any Customer Data; (c) share any Customer Data; or (d) combine the Customer Data that G-P receives from, or on behalf of, Customer with “personal data” (as such term or equivalent is defined under applicable Data Protection Laws) that it receives from, or on behalf of, another person, or collects from its own interaction with a consumer, provided that G-P may combine Customer Data if it is within the scope of providing the services to Customer. Where applicable, each Party shall notify the other party if it makes a determination that it can no longer meet its obligations under US Privacy Laws.


4. INTERNATIONAL DATA TRANSFERS

4.1 Appropriate Safeguards. G-P is authorized, in the normal course of business, to make worldwide transfers of Customer Data to its affiliates and/or Subprocessors. When making such transfers to a territory that has not been recognized by the relevant data protection authorities as providing an adequate level of protection for Personal Data according to Data Protection Laws, G-P shall ensure appropriate protection is in place to safeguard the Customer Data transferred under or in connection with the Master Agreement.
4.2 Data Privacy Framework. Professionals’ Data and Customer Data are stored in GPP, which is hosted in the U.S. G-P is certified under the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and, as applicable, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF). G-P’s certification can be confirmed publicly on the DPF website. The EU-U.S. Data Privacy Framework was considered adequate by the European Commission, being a lawful data transfer mechanism pursuant to Article 45 of the GDPR, the UK GDPR, and the FADP, respectively. If the DPF Framework(s) are invalidated, suspended, or otherwise no longer recognized as providing adequate protection for international data transfers, the Processor agrees to enter into and comply with the SCCs issued or approved by the European Commission, the UK Information Commissioner’s Office (ICO), or the Swiss Federal Data Protection and Information Commissioner (FDPIC), as applicable. The Parties shall cooperate in good faith to implement any supplementary measures required to ensure an essentially equivalent level of protection for the transferred data.
4.3 Standard Contractual Clauses. The Parties agree that when the transfer of personal data from Customer (as “data exporter”) to G-P (as “data importer”) is a Restricted Transfer and applicable Data Protection Laws require that appropriate safeguards are put in place, such transfer shall be subject to the appropriate Standard Contractual Clauses, which shall be deemed incorporated into and form part of this DPA, as follows:
a. In relation to transfers of Personal Data that is protected by the GDPR, the EU SCCs shall apply, completed as follows:
i. Modules One and Two shall apply;
ii. in Clause 7, the optional docking clause will apply;
iii. in Clause 9 of Module Two, Option 2 will apply, and the time period for prior notice of Sub-processor changes shall be as set out in section 3.5 of this DPA;
iv. in Clause 11, the optional language will not apply;
v. in Clause 12, any claims brought under the EU SCCs shall be subject to the terms and conditions set forth in the Master Agreement;
vi. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
vii. in Clause 18(b), disputes shall be resolved before the courts of Ireland;
viii. Annex I of the EU SCCs shall be deemed completed with the information set out in Annex 1 to this DPA;
ix. Annex II of the EU SCCs shall be deemed completed with the information set out in Annex 2 to this DPA; and
x. Annex III of Module Two of the EU SCCs shall be deemed completed with the information set out in Annex 3 to this DPA.
b. In relation to transfers of personal data protected by the UK Data Protection Laws or the Swiss Data Protection Laws, the EU SCCs as implemented under sub-paragraph (a) above will apply with the following modifications:
i. references to “Regulation (EU) 2016/679” shall be interpreted as references to UK Data Protection Laws or the Swiss Data Protection Laws (as applicable);
ii. references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the UK Data Protection Laws or the Swiss Data Protection Laws (as applicable);
iii. references to “EU”, “Union”, “Member State” and “Member State law” shall be replaced with references to “UK” or “Switzerland”, or “UK law” or “Swiss law” (as applicable);
iv. the term “member state” shall not be interpreted in such a way as to exclude data subjects in the UK or Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., the UK or Switzerland);
v. Clause 13(a) and Part C of Annex I are not used and the “competent supervisory authority” is the UK Information Commissioner or the Swiss Federal Data Protection and Information Commissioner (as applicable);
vi. references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Information Commissioner” and the “courts of England and Wales” or the “Swiss Federal Data Protection and Information Commissioner” and “applicable courts of Switzerland” (as applicable);
vii. in Clause 17, the Standard Contractual Clauses shall be governed by the laws of England and Wales or Switzerland (as applicable);
viii. with respect to transfers to which UK Data Protection Laws apply, Clause 18 shall be amended to state “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts”, and with respect to transfers to which the Swiss Data Protection Laws apply, Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland; and
ix. in relation to data that is protected by the UK GDPR, the EU SCCs will apply as follows: (i) apply as completed in accordance with paragraphs (i) to (viii) above; and (ii) be deemed amended as specified by Part 2 of the UK Addendum, which shall be deemed incorporated into and form an integral part of this DPA. In addition, tables 1 to 3 in Part 1 of the UK Addendum shall be completed respectively with the information set out in Annex I and Annex II of this DPA, and table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting “neither party”.
c. In relation to transfers of personal data protected by the Brazil LGPD, either directly or via onward transfer, to a country outside of Brazil that is not subject to an adequacy decision issued by the ANPD, the Brazil SCCs will be deemed entered into, and incorporated into this DPA by this reference, and completed as follows:
i. Clause 2 of the Brazil SCCs is satisfied by the information set forth in Annex I, which describes the data transfer;
ii. in Clause 3 of the Brazil SCCs, Option B shall apply, with onward transfers permitted in accordance with Section 3.5 (“Subprocessors”) of this DPA. The subject matter, nature, and duration of processing are set forth in Annex I of this DPA;
iii. Clause 4 of the Brazil SCCs is satisfied by the information set forth in Annex I of this DPA. Where G-P is a Controller, it will be the “Designated Party”, as defined in the Brazil SCCs, for the purposes of Clause 14 (Transparency), Clause 15 (Data Subject Rights), and Clause 16 (Incident Reporting) of the Brazil SCCs. Customer remains responsible for compliance with Clause 14 (Transparency), Clause 15 (Data Subject Rights), and Clause 16 (Incident Reporting) of the Brazil SCCs for any personal data of which it may otherwise be Controller;
iv. in Clause 9 of the Brazil SCCs, the optional docking clause will not apply; and
v. Section III (Security Measures) of the Brazil SCCs will be deemed completed with the information set forth in Annex II of this DPA.
4.4 Unforeseen Data Transfers. If, in the course of providing the Services, either Party identifies that a transfer of Personal Data occurs or is likely to occur that is not already addressed by the mechanisms set forth in Sections 4.1 through 4.3 of this DPA, the Parties shall promptly notify each other and shall cooperate in good faith to implement, without undue delay, such additional transfer mechanisms or supplementary measures as may be required under applicable Data Protection Laws to ensure the lawfulness of such transfer. Neither Party shall be required to proceed with any such unforeseen transfer until the appropriate mechanism has been agreed and put in place.


ANNEX I

DESCRIPTION OF THE DATA PROCESSING
INDEPENDENT CONTROLLER - CONTROLLER RELATIONSHIP DETAILS
(This section regards the details of Personal Data that is being shared between the Parties in their capacities as Controllers)
Parties
Data Exporter: the Customer entity executing the Master Agreement
Data Importer: Globalization Partners LLC.
Contact details of the Parties
Contact details as set out in the Master Agreement.
Activities relevant to the data transferred
Activities related to the EOR Services.
Roles
Data Exporter: Controller.
Data Importer: Controller.
Processing activities
The Personal Data processed / transferred may be subject to the following Processing activities: any operation with regard to Personal Data irrespective of the means applied and procedures, in particular the collecting, organizing, storage, holding, use, retrieval, consultation, archiving, transmission, blocking, erasing, or destruction of data, the operation and maintenance of systems, and compliance, legal and audit functions.
Duration of Processing
The term of the Master Agreement and on a continuous basis.
Nature and purpose of the Processing
Customer may transfer Customer Data to G-P, the extent of which is determined and controlled by the Customer in its sole discretion. The purpose of the Processing is to provide the EOR Services in accordance with the Master Agreement.
Categories of Data Subjects
Professionals.
Types of Personal Data
Contact details (which may include name, address, email address, telephone, fax, emergency contact details, and associated local time zone information).
Employment details (which may include education, CV, job title, grade, demographic, location data, nationality and export compliance status, salary, bonus).
Data subjects’ email content.
Details of services provided to or for the benefit of data subjects.
Special categories of data (if applicable)
Not applicable
Retention
Personal Data will be retained for at least the minimum retention period required by any applicable law, and in accordance with applicable statutes of limitation and good business practice.
Competent supervisory authority
The competent supervisory authority shall be determined in accordance with applicable Data Protection Laws and shall include: the Irish Data Protection Commission (for EU GDPR); the Swiss Federal Data Protection and Information Commissioner / FDPIC (for Swiss FADP); the UK Information Commissioner’s Office / ICO (for UK GDPR); and the Autoridade Nacional de Proteção de Dados / ANPD (for Brazil LGPD).
Transfers to Subprocessors
For transfers to Subprocessors, the subject matter, nature and duration of the Processing are as defined above.
G-P privacy contact

Attn: Global Privacy Office.



CONTROLLER - PROCESSOR RELATIONSHIP DETAILS
(This section regards the details of Personal Data that is being processed by G-P on behalf of the Customer)
Parties
Data Exporter: the Customer entity executing the Master Agreement
Data Importer: Globalization Partners LLC.
Contact details of the Parties
Contact details as set out in the Master Agreement.
Activities relevant to the data transferred
Activities related to the EOR services and to the use of GPP provided to the Customer as a Service.
Roles
Data Exporter: Controller
Data Importer: Processor
Processing activities
The Personal Data processed / transferred may be subject to the following Processing activities: any operation with regard to Personal Data irrespective of the means applied and procedures, in particular the collecting, organizing, storage, holding, use, retrieval, consultation, archiving, transmission, blocking, erasing, or destruction of data, the operation and maintenance of systems, and compliance, legal and audit functions.
Duration of Processing
The term of the Master Agreement and on a continuous basis.
Nature and purpose of the Processing
Customer may transfer Customer Data to G-P, the extent of which is determined and controlled by the Customer in its sole discretion. The purpose of the Processing is to provide GPP as a Service to the Customer in accordance with the Master Agreement.
Categories of Data Subjects
Authorized Users of the GPP, who may include Customer’s employees and/or contractors.
Types of Personal Data
Contact details (such as telephone number and email).
Employee/contractor data (such as job title and company name).
Usage data (such as data about Authorized Users’ devices and how such devices interact with GPP).
Location data (such as location derived from IP address).
Content data (such as the content of Customer’s documents regarding Professionals and related communications).
Credentials (such as passwords, password hints and similar security information used for authentication and access to GPP accounts).
Any Personal Data supplied by Authorized Users.
Special categories of data (if applicable)
Not applicable
Retention
Personal Data will be retained for at least the minimum retention period required by any applicable law, and in accordance with applicable statutes of limitation and good business practice.
Competent supervisory authority
The competent supervisory authority shall be determined in accordance with applicable Data Protection Laws and shall include: the Irish Data Protection Commission (for EU GDPR); the Swiss Federal Data Protection and Information Commissioner / FDPIC (for Swiss FADP); the UK Information Commissioner’s Office / ICO (for UK GDPR); and the Autoridade Nacional de Proteção de Dados / ANPD (for Brazil LGPD).
Transfers to Subprocessors
For transfers to Subprocessors, the subject matter, nature and duration of the Processing are as defined above.
G-P privacy contact

Attn: Global Privacy Office.


附件 II​​ 

技术和组织措施​​ 

G-P has been certified and attested to confirm compliance with SOC 2 and ISO 27001 standards, by independent auditors. Such certifications demonstrate our commitment to securing Customer Data. G-P’s security program is designed to:​​ 

Protect the confidentiality, integrity, and availability of Customer Data in G-P’s possession or to which G-P has access;​​ 

防止客户数据的保密性、完整性和可用性受到任何预期的威胁或危害;​​ 

防止未经授权或非法访问、使用、披露、更改或销毁客户数据;​​ 

防止客户数据意外丢失、损毁或损坏;以及​​ 

按照G-P可能受监管的任何法规规定,保护信息安全。​​ 

以下描述了G-P为确保客户数据处理安全而采取的功能、流程、控制措施、系统、程序和措施:​​ 

1) TECHNICAL MEASURES TO ENSURE DATA PRIVACY AND PROTECTION​​ 

Privacy by Design and Default:​​ 

G-P takes the requirements of Article 25 GDPR into account in the conception and development phase of product development. Processes and functionalities are set up in such a way that the data protection principles such as legality, transparency, purpose limitation, data minimization, etc. as well as the security of processing are considered at an early stage.​​ 

b) Encryption of Personal Data:​​ 

Ensuring that personal data are only stored in the system in a way that does not allow third parties to identify the data subject.​​ 

Database and storage encryption:​​ 

On all databases used by G-P an encryption "at rest" according to the state of the art is used so that the data from the database can only be read after proper authentication on the respective database system.​​ 

Encryption of mobile data media:​​ 

The use of mobile data carriers for storing customer data is not permitted.​​ 

Encryption of data carriers on laptops:​​ 

Appropriate state-of-the-art hard disk encryption is installed on all employees' laptops.​​ 

Encrypted exchange of information and files:​​ 

In principle, the exchange of information and files is directly encrypted via a special application. If personal data or confidential information must be transferred to servers which cannot be sent via TLS-encrypted HTTPS uploads, these will be transferred using Secure File Transfer Protocol (SFTP), encrypted envelope service or another encrypted mechanism according to the state of the Art.​​ 

E-Mail Encryption:​​ 

In principle, all e-mails sent by employees of G-P are encrypted with TLS. Exceptions may be if the receiving mail server does not support TLS. The Customer shall ensure that the corresponding mail servers used within the scope of the order support TLS encryption​​ 

c) Admission Control

Admission controls are put in place to prevent unauthorized persons from using or processing data that is protected by data protection laws.

Use of authentication methods

Access to personal data is always via encrypted protocols: SSH, SSL/TLS, HTTPS or comparable protocols. Authentication procedure for IT systems: multi-factor authentication at log-in.

Automatic blocking in case of inactivity

Laptops used by G-P employees are locked with password or PIN protection when not in use by the user. In addition, an automatic screen lock with password protection is set up after 15 minutes of inactivity.

Use of anti-virus software

Laptops used by G-P employees are equipped with state-of-the-art anti-virus software that is kept up to date on all operational or business IT systems. As a matter of principle, no computers may be operated without resident virus protection unless other equivalent state-of-the-art security measures have been taken or there is no risk. Default security settings must not be deactivated or circumvented.

"Clean Desk Policy"

Employees of G-P are instructed not to print out or locally store personal data of data subjects, not to leave work materials in a location where they may be viewed by third parties, and to store all work materials properly. Documents which G-P is required by law to hold in hard copy are stored in locked cabinets.

d) Access Controls Within the Platform

Access controls ensure that persons authorized to use a processing system have access only to the personal data covered by their access authorization.

Roles and authorization

Roles and Authorization Platform – Customer Access

Customer users can view and edit customer account information.

Roles and Authorization Platform – Professional Access

Professional users can view and edit their own professional information.

Professionals can also be granted the Customer access role upon request and approval.

Roles and Authorization Platform – Internal Access

Internal access users have varied roles. They have varied access to create, view, edit, and approve the following:

Customer information

Billing information

Partner information

Professional profile information

As a rule, only trained employees in the customer support and product development areas have access to the administration system.

e) Firewall as a Service

G-P uses an external firewall as a service that allows it to grant or block access to websites, to make sure systems cannot access malicious content and to restrict access to inappropriate content.

f) Record of Log-In to the Platform

G-P maintains a record of all login activity.

g) Separability

Separability ensures that personal data collected for different purposes can be processed separately and is kept separate from other data and systems in such a way that unplanned use of this data for other purposes is excluded.

Separation of development, test and operating environments

Data from the operating environment may only be transferred to test or development environments if it has been fully anonymized before transfer. The transfer of the anonymized data must be encrypted or take place via a trustworthy network.

Software to be transferred to the operating environment must first be tested in an identical test environment ("staging"). Programs for error analysis or the creation/compilation of software may only be used in the operating environment if this cannot be avoided. This is especially the case if error situations depend on data that would be distorted by the anonymization required when transferring to test environments.

Separation in networks

G-P separates its networks according to tasks. The following networks are used permanently: operating environment ("Production"), test environment ("Staging", "Sandbox"), development environment ("Dev") and office IT for staff. In addition to these networks, further separate networks are created as required, e.g., for restore tests and penetration tests. Depending on the technical possibilities, the networks are separated either physically or by means of virtual networks.

h) Availability control

G-P takes the following steps to ensure that personal data is protected against accidental destruction or loss.

Data protection procedures/backups

To ensure adequate availability, G-P takes daily snapshots of its database and replicates them to a different region. Measures are also taken to ensure that employees with a job-based need to review data are granted access only to replica datasets.

Geographic redundancy of the production data and backup server infrastructure

IT incident management ("Incident Response Management")

There is a concept and documented procedures for handling incidents and security-relevant events. This includes the planning and preparation of the response to incidents, procedures for monitoring, detecting and analyzing security-relevant events, and the definition of corresponding responsibilities and reporting channels in the event of a violation of the protection of personal data within the framework of the legal requirements.

2) ORGANIZATIONAL MEASURES TO ENSURE DATA PRIVACY AND PROTECTION

G-P has implemented the following organizational measures to ensure that the organization operates in a manner that complies with data privacy and protection requirements.

a) Organizational Instructions

G-P has developed and is developing a data governance program including policies, procedures, and guidelines for employees to follow. Documentation includes how to identify and manage data privacy issues, best practices for ensuring privacy compliance, and policies for addressing privacy incidents.

b) Commitment to confidentiality and data protection

G-P has developed and is developing a data governance program including policies, procedures, and guidelines for employees to follow. All employees and contractors are bound in writing to confidentiality and data protection as well as other relevant laws. All employees receive privacy & security training. Internal audits on data protection and information security are conducted regularly. Audits are carried out on the basis of common test criteria/schemes. The employees and contractors of G-P are instructed to process personal data for lawful reasons only, pursuant to applicable contracts with the customer and professional, with due consideration to any express consent given or withheld by the data subject, and in keeping with any lawful duty of the organization.

c) Data protection training

All employees receive privacy & security training, which remains available for review at any time on G-P's training platform.

d) Physical Access Controls

G-P has the following physical controls in place to deny unauthorized persons access to the IT systems and equipment used for processing.

Electronic door protection

The entrance doors to the premises of G-P offices are always locked and electronically secured. The doors are opened via a personal electronic transponder.

Controlled distribution of keys

A central, documented allocation of keys to the employees of G-P takes place. These electronic transponders/keys can be deactivated centrally by each office manager or the People Resources department.

Supervision and accompaniment of external persons

External service providers and other third parties may only be granted access to the premises via prior authorization or when accompanied by an employee of G-P. G-P applies its written Visitor's Policy when visitors are invited to the premises.

Securing of premises with increased need for protection

Premises or cabinets with increased protection requirements, such as legal offices and certain Operations locations, are equipped with locking cabinets and drawers. Cabinets and drawers where legal documents, contracts, and confidential documentation are held are to be locked at all times except when they are in use.

Closed doors and windows

Employees are organizationally instructed to keep windows and doors closed or locked outside office hours.

e) Recoverability

G-P ensures that systems in use can be restored in the event of physical or technical failure.

Regular tests of the data recovery ("Restore-Tests")

Regular full restore tests are carried out to ensure recoverability in the event of an emergency/disaster.

Emergency plan ("Disaster Recovery Concept")

There is a concept for the treatment of emergencies/disasters and a corresponding emergency plan. G-P ensures the recovery of all systems on the basis of the data backups, usually within 48 hours.

Review and evaluation measures

Procedures are in place for the regular review, assessment and evaluation of the effectiveness of the technical and organizational measures.

f) Privacy Team

The organization has a Global Data Privacy Office tasked with planning, implementing, evaluating and adapting measures in the field of data protection.

g) Risk Management

There is a process for analyzing, evaluating, and allocating risks and for deriving measures on the basis of these risks.

3) INDEPENDENT REVIEW OF INFORMATION SECURITY

a) Performance of audits

Internal audits on data protection and information security are conducted regularly. Audits are carried out on the basis of common test criteria/schemes.

b) Review of compliance with security policies and standards

Compliance with the applicable security guidelines, standards and other security requirements for the processing of personal data is checked regularly. Where possible, these checks are carried out on a random and unannounced basis.

c) Verification of compliance with technical specifications

Regular automated and manual vulnerability scans are performed by the IT department or other qualified personnel to verify the security of the applications and infrastructure, as well as the ongoing development of the product. Detailed penetration tests are carried out by an external service provider to specifically examine the applications and infrastructure for vulnerabilities.

d) Processing on instruction

The employees of G-P are instructed to process personal data for lawful reasons only, pursuant to applicable contracts with the customer and professional, with due consideration to any express consent given or withheld by the data subject, and in keeping with any lawful duty of the organization.

e) Careful supplier selection

G-P adheres to its Supplier Prequalification Process when selecting vendors and suppliers who may encounter protected data. This process includes feedback from the Finance and Legal/Privacy Departments and incorporates risk assessment, security prequalification and documentation certification steps. Suppliers who will process protected data will be required to demonstrate their adherence to applicable data privacy laws, including Article 28 GDPR for covered data.

Annex III

List of Sub-processors

Processor | Location and contact information | Processing description
--- | --- | ---
 | 3933 Lake Washington Blvd NE #350, Kirkland, WA 98033, USA | Financial services
 | P.O. Box 81226, Seattle, WA 98108-1226, USA | Hosting - cloud service provider
Microsoft Corporation | One Microsoft Way, Redmond, Washington 98052, USA; Phone: (+1) 425-882-8080 | Business process support for communications (e-mail) and service management
 | 350 Bush Street, Floor 13, San Francisco, CA 94104, USA; +1 415 701 1110 | Business process support for service management
DocuSign International (EMEA) Ltd | Attention: Privacy Team, 5 Hanover Quay, Ground Floor, Dublin 2, Republic of Ireland | Document management
 | Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, USA; 1-800-387-3285 | Business process support for customer relationship management (CRM)
 | 989 Market Street, San Francisco, CA 94103, USA; 888-670-4887 | Customer support help desk inquiries
 | 2225 Lawson Lane, Santa Clara, CA 95054, USA | Business process support for IT service and operations management, and for the employee and customer experience, through an automated cloud-based workflow
 | 160 Spear Street, 15th Floor, San Francisco, CA 94105, USA; 1-866-330-0121 | Cloud data warehouse infrastructure
 | 620 8th Ave, 45th Floor, New York, NY 10018, USA | Service monitoring and debugging tools
 | Avenue Louise 54, Room s52, 1050 Brussels, Belgium | Online payment processor
 | 1600 Amphitheatre Parkway, Mountain View, CA 94043 | Business process support, including communications (e-mail) and internal document storage