데이터 보호 부록

Customer and G-P are Parties to a Master Agreement or into an agreement with similar nature and purpose (hereinafter “Master Agreement”). This DPA supplements the terms and conditions in the Master Agreement and is incorporated therein. In the event of a conflict between this DPA, and any other agreement between the Parties on the issues set forth herein, this DPA shall prevail. If Customer already has an executed data protection addendum in effect with G-P, then that agreement shall prevail over this DPA, and this DPA shall have no force or effect, unless otherwise agreed in writing by Customer and G-P.

1. DEFINITIONS

여기에 정의되지 않은 용어는 기본 계약에 명시된 의미를 갖습니다. 이 DPA의 다음 단어에는 다음과 같은 의미가 있습니다:

1.1 “ Authorized User ” means an individual permitted by Customer who may include either or a Customer’s employee and/or contractor, to access and use the GPP on behalf of the Customer, pursuant the execution of the Master Agreement.

1.2 “ Customer Data ” means any Personal Data related to any Authorized User or identifiable natural person that is transferred, processed, or stored by G-P on behalf of Customer in connection with the Services for the use of the GPP by the Customer.

1.3 “ Data Protection Laws ” means any data protection and privacy laws to which a party to this Agreement is subject and which are applicable to the Services provided, including where applicable, but not limited to, GDPR, UK GDPR, Swiss Data Protection Laws, US Privacy Laws (including state and federal laws), and Brazil LGPD.

1.4 “ 기록상 고용주(EOR) ” means Employer of Record.

1.5 “ 일반데이터보호규정(GDPR) ” means the General Data Protection Regulation (EU) 2016/679.

1.6 “ GPP ” means G-P’s proprietary software , including without limitation, the software, the mobile version, any software contained therein, and any data made available through the use of either G-P’s proprietary software or the third party services, including their updates, upgrades, platform as a service and, documentation.

1.7 “ EEA ” means the European Economic Area.

1.8 “ LGPD "는 개정, 대체 또는 대체될 수 있는 브라질 법률 번호 13709, 개인 데이터 보호에 관한 일반 법률을 의미합니다.

1.9 “ 개인정보 보호정책 ” means G-P´s privacy policy, as updated from time to time, available at https://www.globalization-partners.com/privacy-policy/

1.10 “ Professionals´ Data ” means Professionals´ Personal Data processed by G-P in the course of the provision of EOR services to Customer.

1.11 " Restricted Transfer" means any transfer of Personal Data to a country outside the EEA, the United Kingdom, Switzerland or Brazil that is not subject to an adequacy decision under the applicable Data protection Laws, and therefore requires appropriate safeguards under applicable data protection laws.

1.12 “ Services” mean the services to be provided by G-P to the Customer under the Master Agreement which may include the provision of EOR services and the access and use of GPP.

1.13 " Standard Contractual Clauses" 또는 "SCCs" mean (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission's Implementing Decision (EU) 2021/914 of 4 June 2021 standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN ("EU SCCs"); (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c), or (d) where the UK GDPR means the International Data Transfer Addendum (“UK Addendum”) to the EU Standard Contractual Clauses issued by the Information Commissioner's Office under s.119A(1) of the Data Protection Act 2018, as such UK Addendum may be revised under Section 18 therein ("UK SCCs"); (iii) where the Swiss Data Protection Laws apply, the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection Authority and Information Commissioner´s Office (the "Swiss SCCs); where the Brazilian LGPD applies, the applicable sstandard contractual clauses, attached to Resolution CD/ANPD No. 19/2024 promulgated by the Brazilian National Data Protection Authority (“ANPD”), as they may be amended from time to time (“Brazil SCCs”).

1.14 “ Swiss Data Protection Laws ” or “FADP” means (i) Swiss Federal Data Protection Act (“ FDPA ”); (ii) The Ordinance on the Federal Act on Data Protection (“ FODP “); and (iii) any national data protection laws made under, pursuant to, replacing or succeeding and any legislation replacing or updating any of the foregoing.

1.15 “ UK Addendum ” means the United Kingdom international data transfer addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner.

1.16 “ UK Data Protection Laws” mean the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2019 ("UK GDPR") and the Data Protection Act 2018 (together, "UK Data Protection Laws").

1.17 “ US Privacy Laws ” means applicable United States (US) state laws, orders, regulations and regulatory guidance relating to the Processing of Personal Data including without limitation: (a) the CCPA; (b) Virginia’s Consumer Data Protection Act; (c) the Colorado Privacy Act; (d) Connecticut’s Act Concerning Data Privacy and Online Monitoring; (e) the Utah Consumer Privacy Act; and (f) all similar state laws.

1.18 " Controller" "Data Subject", "Personal Data", “Personal Information” “Data Breach”, "Processor", "Process/Processing", “Restricted Transfer”, “Service Provider” 및/또는 기타 유사한 용어 및 개념은 데이터 보호법에 정의된 의미를 갖습니다.

2. INDEPENDENT CONTROLLER - CONTROLLER RELATIONSHIP

2.1 당사자의 역할. When G-P provides the Customer with EOR services, G-P assumes the role of the legal employer for any individuals selected by the Customer (“Professional(s)”) to be hired. With regard to such Professionals‘ Personal Data, G-P is an independent Controller during the course of the employment relationship. Regarding Professional´s Personal Data collected and used by the Customer for its own purposes, Customer is also an independent Controller with independent privacy obligations. When delivering the EOR services, the exchange of Professionals’ Personal Data between G-P and the Customer is under an independent Controller-to-Controller relationship and the provisions of this section 2 (“Independent Controller-Controller Relationship”), shall apply. In no event will the Parties Process Personal Data under this DPA as joint Controllers.

2.2 책임 및 인정 . The Parties in their capacity as Controllers shall:

2.2.1 Comply with the applicable Data Protection Laws in relation to the Processing of Professionals´ Personal Data.

2.2.2 Process and share the Professionals´ Personal Data fairly and lawfully for the purpose of (as the case may be) performing or receiving the EOR Services for its own legitimate interests.

2.2.3 Ensure a lawful Processing ground applies to any sharing of Professional´s Personal Data between the Parties.

2.2.4 Assist each other in complying with their respective obligations under Data Protection Laws, including, but not limited to, assisting each other if a Data Breach occurs, responding to Data Subjects and/or regulators’ requests.

3. CONTROLLER – PROCESSOR RELATIONSHIP

3.1 Roles of the Parties . G-P also offers various software as a service products via GPPthrough which G-P enables Customer to manage the relationship with those Professionals. When G-P provides Customer with access to GPP, G-P is the Processor for the account related Personal Data uploaded to the GPP by the Customer´s appointed Authorized Users of GPP and the Customer is the Controller of such data and, the provisions of this section 3 (“Controller-Processor Relationship”), shall apply.

3.2 Instructions. G-P will process Customer Data in accordance with Customer’s documented instructions. Customer agrees that this DPA, the Master Agreement, and Annex I attached hereunder, comprise Customer’s complete instructions to G-P regarding the Processing of Customer Data. Any additional or alternate instructions must be agreed between the Parties in writing, including the costs (if any) associated with complying with such instructions. Customer will ensure that its instructions comply with applicable Data Protection Laws. Customer acknowledges that G-P is not responsible for determining which laws are applicable to Customer’s business. Customer will ensure that G-P’s Processing of Customer Data, when done in accordance with Customer’s instructions, will not cause G-P to violate any applicable law, including applicable Data Protection Laws. However, if G-P is of the opinion that a Customer instruction infringes applicable Data Protection Laws, G-P shall notify Customer as soon as reasonably practicable and shall not be required to comply with such infringing instruction.

3.3 처리 세부 정보 . 처리의 주제, 기간, 성격 및 목적, 고객 데이터 및 데이터 주체의 유형에 대한 자세한 내용은 여기에 첨부된 부록 I에 명시된 바와 같습니다.

3.4 규정 준수. Customer and G-P agree to comply with their respective obligations under Data Protection Laws applicable to the Customer Data that is Processed as specified in Annex I. Customer has sole responsibility for complying with Data Protection Laws regarding the lawfulness of the Processing of Customer Data prior to disclosing, transferring, or otherwise making available, any Customer Data to G-P. For the avoidance of doubt, in all cases, Customer shall obtain, where required, any consents from the Data Subjects for G-P to Process Customer Data as directed by Customer.

3.5 하위 프로세서 . Customer authorizes G-P to appoint and use Processors (“Subprocessors”) to Process the Customer Data in connection with the Services. Subprocessors may include third parties or any member of the G-P group of companies. G-P may continue to use those Subprocessors already engaged by G-P as of the date of this DPA, and a list of such Subprocessors is available in Annex III attached hereunder. Where a Subprocessor fails to fulfil its data protection obligations as specified above, G-P shall be liable to the Customer for the performance of the Subprocessor’s obligations. G-P shall notify Customer of any changes to its list of Subprocessors through GPP. If, within 10 (ten) days of the receipt of that notice, Customer legitimately objects to the addition or removal of a Subprocessor on data protection grounds and G-P cannot reasonably accommodate Customer’s objection, the Parties will discuss Customer’s concerns in good faith with a view to resolving the matter.

3.6 기술적 및 조직적 보안 조치 . Taking into account industry standards, the costs of implementation, the nature, scope, context and purposes of the Processing, and any other relevant circumstances relating to the Processing of the Customer Data, G-P shall implement appropriate technical and organizational security measures to ensure security, confidentiality, integrity, availability and resilience of processing systems and services involved in the Processing of the Customer Data are commensurate with the risk in respect of such Customer Data, as detailed in Annex II attached hereto. G-P will periodically (i) test and monitor the effectiveness of its safeguards, controls, systems and procedures and (ii) identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of the Customer Data, and ensure these risks are addressed.

3.7 기밀 유지 . G-P는 고객 데이터에 액세스할 수 있는 권한을 부여받은 사람이 (i) 기밀을 유지하기로 약속했거나 적절한 법적 기밀 유지 의무를 준수하고 (ii) 관련 법률에서 요구하지 않는 한 G-P의 문서화된 지시에 의해서만 고객 데이터에 액세스하도록 보장합니다.

3.8 개인 데이터 유출. G-P will notify the Customer without undue delay after becoming aware of a Data Breach in relation to the Processing of Customer Data and will use reasonable efforts to assist the Customer in mitigating, where possible, the adverse effects of any Data Breach .

3.9 개인 데이터 삭제. 서비스 해지 시(어떤 이유로든) G-P 는 관련 법률에서 고객 데이터를 장기간 보관하도록 요구하지 않는 한 합리적으로 실행 가능한 즉시 GPP에 저장된 고객 데이터를 반환하거나 삭제합니다. 그러한 보유에 대해서는 본 DPA의 조항이 해당 고객 데이터에 계속 적용됩니다.

3.10 데이터 주체 요청 . G-P shall promptly inform Customer of any Data Subjects’ requests regarding Customer Data. Customer is responsible for responding to such requests. G-P will reasonably assist Customer to respond to such Data Subject requests to the extent that Customer is unable to access the relevant Customer Data in its use of the GPP.

3.11 타사 요청 . G-P 이 계약에 따른 고객 데이터 처리와 관련하여 제3자로부터 요청을 받거나 G-P 이 관할권을 갖는 법원, 재판소, 규제기관 또는 정부 기관의 명령을 받는 경우 G-P 은 즉시 해당 요청을 고객에게 전달합니다. G-P는 법적으로 강제되지 않는 한 고객의 사전 승인 없이 이러한 요청에 응답하지 않습니다. G-P는 법적으로 금지되지 않는 한, 고객 데이터를 공개하기 전에 고객에게 미리 알리고 그러한 공개 범위를 법적으로 요구되는 범위로 제한하기 위해 고객과 합리적으로 협력할 것입니다.

3.12 데이터 보호 영향 평가 및 사전 협의 . 데이터 보호법이 요구하는 범위 내에서 G-P 은 G-P 이 수행하는 고객 데이터 처리 및 감독 당국과 필요한 사전 협의와 관련하여 고객이 데이터 보호 영향 평가를 수행할 수 있도록 합리적인 지원을 제공합니다. G-P는 이러한 지원 제공에 대해 고객에게 합리적인 수수료를 부과할 권리를 보유합니다.

3.13 감사. Customer may audit G-P compliance with this DPA and Data Protection Laws by requesting a certificate issued for security verification reflecting the outcome of an audit conducted by a third party auditor (e.g., ISO27001 certification, SOC2 certificate), within twelve (12) months as of the date of Customer’s request. Alternatively, in the event the documentation provided subject to this Section 3.13 is not sufficient for the purpose of demonstrating compliance, the Customer may conduct its own audit in addition to the provided third party certifications or reports, provided that such audit shall be conducted: i) no more than once per each 12 (twelve) months period; ii) during normal business hours and without disrupting G-P’s day-to-day business; iii) with thirty (30) days prior written notice; iv) at the Customer’s sole expense; v) based upon mutually agreed parameters and scope, limited to the specific scope of services, systems in use and/or Processing activities contemplated hereunder; vi) based upon mutually agreed in advance date, subject to reasonable postponement by Customer upon G-P’s reasonable request; and vii) in accordance with all confidentiality obligations and restrictions. Notwithstanding the forgoing, no audit right is granted after termination of the Master Agreement, except for legal obligations that will have to be demonstrated by the Customer. Any third-party representative selected to perform an audit on behalf of Customer must not have an ownership interest in or affiliation with an EOR services company, agency, a related organization or consultant. Nothing in this DPA will require G-P to either disclose to Customer or its third-party auditor, or to allow Customer or its third-party auditor to access: (i) any data of any other G-P’s customer; (ii) G-P’ internal accounting or financial information; (iii) any trade secret of G-P or its affiliates; (iv) any information that, in G-P’ reasonable opinion, could compromise the security of any G-P’s systems or cause any breach of its obligations under applicable law or its security or privacy obligations to any third party; or (v) any information that Customer or its third-party auditor seeks to access for any reason other than the good faith fulfillment of Customer’s obligations under the Data Protection Laws.

3.14 미국 개인정보 보호법. Under this section 3, the Parties agree that G-P is a “Service Provider” or “Processor” as such terms are defined under applicable US Privacy Laws. Accordingly, to the extent US Privacy Laws apply to the Processing of Customer Data by G-P, G-P shall not (a) retain, use, or disclose any Customer Data outside the direct business relationship between G-P and Customer, or for any purpose other than for the purpose set out in Annex I attached hereto, and G-P shall only Process Customer Data only as long as it provides services to the Customer; (b) sell any Customer Data; (c) share any Customer Data; or (d) combine the Customer Data that G-P receives from, or on behalf of, Customer with “personal data” (as such term or equivalent is defined under applicable Data Protection Laws) that it receives from, or on behalf of, another person, or collects from its own interaction with a consumer, provided that G-P may combine Customer Data if it is within the scope of providing the services to Customer. Where applicable, each Party shall notify the other party if it makes a determination that it can no longer meet its obligations under US Privacy Laws.

4. INTERNATIONAL DATA TRANSFERS

4.1 적절한 보호 . G-P is authorized, in the normal course of business, to make worldwide transfers of Customer Data to its affiliates and/or Subprocessors. When making such transfers to a territory that has not been recognized by the relevant data protection authorities as providing an adequate level of protection for Personal Data according to Data Protection Laws, G-P shall ensure appropriate protection is in place to safeguard the Customer Data transferred under or in connection with the Master Agreement.

4.2 Data Privacy Framework. Professionals and Customer Data are stored in GPP which is hosted in U.S. G-P is certified under the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and, as applicable, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF). G-P´s certification can be confirmed publicly on the DPF website https://www.dataprivacyframework.gov/list . The EU-U.S. Data Privacy Framework was considered adequate by the European Commission, being a lawful data transfer mechanism pursuant to Article 45 of the GDPR, the UK GDPR, and the FADP, respectively. If the DPF Framework(s) are invalidated, suspended, or otherwise no longer recognized as providing adequate protection for international data transfers, the Processor agrees to enter into and comply with the SCCs issued or approved by the European Commission, the UK Information Commissioner’s Office (ICO), or the Swiss Federal Data Protection and Information Commissioner (FDPIC), as applicable. The Parties shall cooperate in good faith to implement any supplementary measures required to ensure an essentially equivalent level of protection for the transferred data.

4.3 표준 계약 조항. The Parties agree that when the transfer of personal data from Customer (as "data exporter") to G-P (as "data importer") is a Restricted Transfer and applicable Data Protection Laws require that appropriate safeguards are put in place, such transfer shall be subject to the appropriate Standard Contractual Clauses, which shall be deemed incorporated into and form part of this DPA, as follows:

a. In relation to transfers of Personal Data that is protected by the GDPR, the EU SCCs shall apply, completed as follows:

i. Modules One and Two shall apply;

ii. in Clause 7, the optional docking clause will apply;

iii. in Clause 9 of Module Two, Option 2 will apply, and the time period for prior notice of Sub-processor changes shall be as set out in section 3.5 of this DPA;

iv. in Clause 11, the optional language will not apply;

v. in Clause 12, any claims brought under the EU SCCs shall be subject to the terms and conditions set forth in the Master Agreement;

vi. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;

vii. in Clause 18(b), disputes shall be resolved before the courts of Ireland;

viii. Annex I of the EU SCCs shall be deemed completed with the information set out in Annex 1 to this DPA; and

ix. Annex II of the EU SCCs shall be deemed completed with the information set out in Annex 2 to this DPA;

x. Annex III of Module Two of the EU SCCs shall be deemed completed with the information set out in Annex 3 to this DPA.

b. In relation to transfers of personal data protected by the UK Data protection Laws or the Swiss Data Protection Laws , the EU SCCs as implemented under sub-paragraphs (a) above will apply with the following modifications:

i. references to "Regulation (EU) 2016/679" shall be interpreted as references to UK Data Protection Laws or the Swiss Data Protection Laws (as applicable);

ii. references to specific Articles of "Regulation (EU) 2016/679" shall be replaced with the equivalent article or section of the UK Data Protection Laws or the Swiss Data Protection Laws (as applicable);

iii. references to "EU", "Union", "Member State" and "Member State law" shall be replaced with references to "UK" or "Switzerland", or "UK law" or "Swiss law" (as applicable);

iv. the term "member state" shall not be interpreted in such a way as to exclude data subjects in the UK or Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., the UK or Switzerland);

v. Clause 13(a) and Part C of Annex I are not used and the "competent supervisory authority" is the UK Information Commissioner or Swiss Federal Data Protection Information Commissioner (as applicable);

vi. references to the "competent supervisory authority" and "competent courts" shall be replaced with references to the "Information Commissioner" and the "courts of England and Wales" or the "Swiss Federal Data Protection Information Commissioner" and "applicable courts of Switzerland" (as applicable);

vii. in Clause 17, the Standard Contractual Clauses shall be governed by the laws of England and Wales or Switzerland (as applicable); and

viii. with respect to transfers to which UK Data Protection Laws apply, Clause 18 shall be amended to state "Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may bring legal proceeding against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts", and with respect to transfers to which the Swiss Data Protection Laws apply, Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland.

ix. In relation to data that is protected by the UK GDPR, the EU SCCs will apply as follows: (i) apply as completed in accordance with the paragraphs (i) to (viii) above; and (ii) be deemed amended as specified by Part 2 of the UK Addendum, which shall be deemed incorporated into and form an integral part of this DPA. In addition, tables 1 to 3 in Part 1 of the UK Addendum shall be completed respectively with the information set out in Annex I and Annex II of this DPA and table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting "neither party".

c. In relation to transfers of personal data protected by the Brazil LGPD, either directly or via onward transfer, to a country outside of Brazil that is not subject to an adequacy decision issued by the ANPD, the Brazil SCCs will be deemed entered into, and incorporated into this DPA by this reference, and completed as follows:

i. Clause 2 of the Brazil SCCs is satisfied by the information set forth in Annex I, which describes the data transfer;

ii. In Clause 3 of the Brazil SCCs, Option B shall apply, with onward transfers permitted in accordance with Section 3.5 (“Subprocessors”) of this DPA. The subject matter, nature, and duration of processing are set forth at Annex I of this DPA;

iii. Clause 4 of the Brazil SCCs is satisfied by the information set forth in Annex I of this DPA. Where G-P is a Controller, it will be the “Designated Party”, as defined in the Brazil SCCs, and for the purposes of Clause 14 (Transparency), Clause 15 (Data Subject Rights), and Clause 16 (Incident Reporting) of the Brazil SCCs. Customer remains responsible for compliance with Clause 14 (Transparency), Clause 15 (Data Subject Rights), and Clause 16 Incident Reporting) of the Brazil SCCs for any personal data of which it may otherwise be Controller;

iv. In Clause 9 of the Brazil SCCs, the optional docking clause will not apply; and

v. Section III (Security Measures) of the Brazil SCCs will be deemed completed with the information set forth in Annex II of this DPA.

4.4 Unforeseen Data Transfers . If, in the course of providing the Services, either Party identifies that a transfer of Personal Data occurs or is likely to occur that is not already addressed by the mechanisms set forth in Sections 4.1 through 4.3 of this DPA, the Parties shall promptly notify each other and shall cooperate in good faith to implement, without undue delay, such additional transfer mechanisms or supplementary measures as may be required under applicable Data Protection Laws to ensure the lawfulness of such transfer. Neither Party shall be required to proceed with any such unforeseen transfer until the appropriate mechanism has been agreed and put in place.

부속서 I

데이터 처리 설명

INDEPENDENT CONTROLLER - CONTROLLER RELATIONSHIP DETAILS (This section regards to the details of Personal Data that is being shared between the Parties in their capacities as Controllers)
정당	데이터 내보내기: 기본 계약을 실행하는 고객 법인 Data Importer: Globalization Partners LLC.
당사자 연락처 정보	기본 계약에 명시된 연락처 정보.
전송된 데이터와 관련된 활동	Activities related to the EOR Services.
Roles	Data Exporter: Controller. Data Importer: Controller.
처리 활동	The Personal Data processed / transferred may be subject to the following Processing activities: any operation with regard to Personal Data irrespective of the means applied and procedures, in particular the collecting, organizing, storage, holding, use, retrieval, consultation, archiving, transmission, blocking, erasing, or destruction of data, the operation and maintenance of systems, compliance, legal and audit functions.
처리 기간	The term of the Master Agreement and on a continuous basis.
처리의 성격 및 목적	Customer may transfer Customer Data to G-P, the extent of which is determined and controlled by the Customer in its sole discretion. The Purpose of the Processing is to provide the EOR Services in accordance with the Master Agreement.
Categories of Data Subjects	Professionals.
Types of Personal Data	Contact details (which may include name, address, email address, telephone, fax, emergency contact details, and associated local time zone information). Employment details (which may include education, CV, job title, grade, demographic, location data, nationality and export compliance status, salary, bonus). Data subjects' email content. Details of services provided to or for the benefit of data subjects.
특수 데이터 범주(해당되는 경우)	N/A
직원 유지	개인 데이터는 해당 법률에 규정된 최소 보존 기간 동안, 관련 법령에 부합하고 모범적인 비즈니스 관행에 부합하는 기간 동안 보관됩니다.
관할 감독 기관	The competent supervisory authority shall be determined in accordance with applicable Data Protection Laws and shall include: the Irish Data Protection Commission (for EU GDPR); the Swiss Federal Data Protection and Information Commissioner / FDPIC (for Swiss FADP); the UK Information Commissioner's Office / ICO (for UK GDPR); and the Autoridade Nacional de Proteção de Dados / ANPD (for Brazil LGPD).
하위 프로세서로 전송	처리자로의 전송의 경우 처리의 주제, 성격 및 기간은 위에 정의된 것과 동일합니다.
G-P 개인 정보 보호 연락처 정보	privacy@G-P.com 수신: 글로벌 개인정보 보호 사무소.

CONTROLLER - PROCESSOR RELATIONSHIP DETAILS (This section regards to the details of Personal Data that is being processed by G-P on behalf of the Customer)
정당	데이터 내보내기: 기본 계약을 실행하는 고객 법인 Data Importer: Globalization Partners LLC.
당사자 연락처 정보	기본 계약에 명시된 연락처 정보.
전송된 데이터와 관련된 활동	기록상 고용주(EOR) 서비스 및 고객에게 서비스로 제공되는 GPP 사용과 관련된 활동.
Roles	Data Exporter: Controller Data Importer: Processor
처리 활동	처리/전송되는 개인정보는 적용되는 수단과 절차에 관계없이 개인정보와 관련된 모든 작업, 특히 데이터의 수집, 정리, 저장, 보유, 사용, 검색, 상담, 보관, 전송, 차단, 삭제 또는 파기, 시스템 운영 및 유지 관리, 규정 준수, 법률 및 감사 기능 등 다음과 같은 처리 활동의 대상이 될 수 있습니다.
처리 기간	The term of the Master Agreement and on a continuous basis.
처리의 성격 및 목적	Customer may transfer Customer Data to G-P, the extent of which is determined and controlled by the Customer in its sole discretion. The Purpose of the processing is to provide GPP as a Service to the Customer in accordance with the Master Agreement.
Categories of Data Subjects	Authorized Users of the GPP who may include Customer’s employees and/or contractors.
Types of Personal Data	연락처 세부 정보(예: 전화번호 및 이메일). 직원/계약자 데이터(직책 및 회사명 등). 사용 데이터(예: 인증된 사용자의 디바이스에 대한 데이터 및 해당 디바이스가 GPP와 상호 작용하는 방식). 위치 데이터(예: IP 주소에서 파생된 위치). 콘텐츠 데이터(전문가 및 관련 커뮤니케이션에 관한 고객의 파일 내용 등). 자격증명(비밀번호, 비밀번호 힌트 및 GPP에 대한 인증 및 계정 액세스에 사용되는 유사한 보안 정보 등). Any Personal Data supplied by Authorized Users.
특수 데이터 범주(해당되는 경우)	N/A
직원 유지	개인 데이터는 해당 법률에 규정된 최소 보존 기간 동안, 관련 법령에 부합하고 모범적인 비즈니스 관행에 부합하는 기간 동안 보관됩니다.
관할 감독 기관	The competent supervisory authority shall be determined in accordance with applicable Data Protection Laws and shall include: the Irish Data Protection Commission (for EU GDPR); the Swiss Federal Data Protection and Information Commissioner / FDPIC (for Swiss FADP); the UK Information Commissioner's Office / ICO (for UK GDPR); and the Autoridade Nacional de Proteção de Dados / ANPD (for Brazil LGPD).
하위 프로세서로 전송	처리자로의 전송의 경우 처리의 주제, 성격 및 기간은 위에 정의된 것과 동일합니다.
G-P 개인 정보 보호 연락처 정보	privacy@G-P.com 수신: 글로벌 개인정보 보호 사무소.

부록 II

기술적 및 조직적 조치

G-P has been certified and attested to confirm compliance with SOC 2 and ISO 27001 standards, by independent auditors. Such certifications demonstrate our commitment to securing Customer Data. G-P’s security program is designed to:

Protect the confidentiality, integrity, and availability of Customer Data in G-P’s possession or to which G-P has access;

고객 데이터의 기밀성, 무결성 및 가용성에 대한 예상되는 위협이나 위험으로부터 보호합니다;

고객 데이터에 대한 무단 또는 불법적인 액세스, 사용, 공개, 변경 또는 파기로부터 보호합니다;

고객 데이터의 우발적 손실 또는 파기 또는 손상으로부터 보호.

G-P가 규제될 수 있는 모든 규정에 명시된 대로 정보를 보호합니다.

다음은 G-P가 고객 데이터 처리의 보안을 보장하기 위해 취한 기능, 프로세스, 통제, 시스템, 절차 및 조치에 대해 설명합니다:

1) TECHNICAL MEASURES TO ENSURE DATA PRIVACY AND PROTECTION

Privacy by Design and Default:

G-P takes the requirements of Article 25 GDPR into account in the conception and development phase of product development. Processes and functionalities are set up in such a way that the data protection principles such as legality, transparency, purpose limitation, data minimization, etc. as well as the security of processing are considered at an early stage.

b) Encryption of Personal Data:

Ensuring that personal data are only stored in the system in a way that does not allow third parties to identify the data subject.

Database and storage encryption:

On all databases used by G-P an encryption "at rest" according to the state of the art is used so that the data from the database can only be read after proper authentication on the respective database system.

Encryption of mobile data media:

The use of mobile data carriers for storing customer data is not permitted.

Encryption of data carriers on laptops:

Appropriate state-of-the-art hard disk encryption is installed on all employees' laptops.

Encrypted exchange of information and files:

In principle, the exchange of information and files is directly encrypted via a special application. If personal data or confidential information must be transferred to servers which cannot be sent via TLS-encrypted HTTPS uploads, these will be transferred using Secure File Transfer Protocol (SFTP), encrypted envelope service or another encrypted mechanism according to the state of the Art.

E-Mail Encryption:

In principle, all e-mails sent by employees of G-P are encrypted with TLS. Exceptions may be if the receiving mail server does not support TLS. The Customer shall ensure that the corresponding mail servers used within the scope of the order support TLS encryption

c) Admission Control

Admission controls are intended and put in place in order to prevent the use and processing of data which is protected by data protection laws by unauthorized persons.

Use of authentication methods

Access to personal data is always via encrypted protocols: SSH, SSL/ TLS, HTTPS or comparable protocols. Authentication procedure for IT system: Multifactor authentication log-in to IT system.

Automatic blocking in case of inactivity

Laptops used by G-P employees locked with password or PIN protection when not in use by the user. In addition, an automatic screen lock with password protection is set up after 15 minutes of inactivity.

Use of anti-virus software

Laptops used by G-P employees are equipped with state-of-the-art anti-virus software that is kept up to date on all operational or business IT systems. As a matter of principle, no computers may be operated without resident virus protection unless other equivalent state-of-the-art security measures have been taken or there is no risk. Default security settings must not be deactivated or circumvented.

"Clean Desk Policy"

Employees of G-P are instructed not print out or locally store personal data of data subjects, not to leave work materials in a location where they may be viewed by third parties, and to store all work materials properly. Documents which G-P is required by law to hold in hard copy are stored in locked cabinets.

d) Access Controls Within the Platform

Access controls ensure that persons authorized to use a processing system have access only to the personal data covered by their access authorization.

역할 및 권한

Roles and Authorization Platform – Customer Access Customer users can view and edit customer account information.

Roles and Authorization Platform – Professional Access Professional users can view and edit their own professional information.

Professionals can also gain Customer access role upon requirement + approval

Roles and Authorization Platform – Internal Access

Internal access users have varied roles. They have varied access to create, view, edit, and approve the following:

고객 정보

청구 정보

파트너 정보

전문 인력 기록 정보

관리자 시스템에 대한 액세스 권한은 일반적으로 고객 지원 및 제품 개발 분야의 숙련된 직원으로 제한됩니다.

e) Firewall as a Service

G-P uses use an external firewall as a service that allows it to grant or block access to websites to make sure systems can’t access malicious content and to restrict access to inappropriate content.

f) Record of Log-In to the Platform

G-P maintains a record of all login activity.

g) Separability

Ensuring that personal data collected for different purposes can be processed separately and are separated from other data and systems in such a way that unplanned use of these data for other purposes is excluded.

Separation of development, test and operating environments

Data from the operating environment may only be transferred to test or development environments if it has been made completely anonymous before transfer. The transfer of the anonymized data must be encrypted or via a trustworthy network.

Software to be transferred to the operating environment must first be tested in an identical test environment ("staging"). Programs for error analysis or the creation/compilation of software may only be used in the operating environment if this cannot be avoided. This is especially the case if error situations depend on data that would be falsified due to the requirements for anonymization when transferring to test environments.

Separation in networks

G-P separates its networks according to tasks. The following networks are used permanently: operating environment ("Production"), test environment ("Staging", “Sandbox”), development environment (“Dev”) office IT staff. In addition to these networks, further separate networks are created as required, e.g., for restore tests and penetration tests. Depending on the technical possibilities, the networks are separated either physically or by means of virtual networks.

h) Availability control

G-P takes the following steps to ensure that personal data is protected against accidental destruction or loss.

Data protection procedures/ backups

To ensure adequate availability G-P implements daily snapshots of its database with replication to a different region. Measures are also taken to ensure employees with job-based need to review data are granted access only to replica datasets.

생산적인 데이터 및 백업의 서버 인프라와 관련된 지리적 이중화

IT incident management ("Incident Response Management")

There is a concept and documented procedures for handling incidents and safety- relevant events. This includes the planning and preparation of the response to incidents, procedures for monitoring, detecting and analyzing security- relevant events and the definition of corresponding responsibilities and reporting channels in the event of a violation of the protection of personal data within the framework of the legal requirements.

2) ORGANIZATIONAL MEASURES TO ENSURE DATA PRIVACY AND PROTECTION

G-P는 데이터 개인정보 보호 및 보호 요건을 충족하는 방식으로 조직을 운영하기 위해 다음과 같은 조직적 조치를 취하고 있습니다.

a) Organizational Instructions

G-P has developed and is developing a data governance program including policies, procedures, and guidelines for employees to follow. Documentation includes how to identify and manage data privacy issues, best practices for ensuring privacy compliance, and policies for addressing privacy incidents.

b) Commitment to confidentiality and data protection

G-P has developed and is developing a data governance program including policies, procedures, and guidelines for employees to follow. All employees and contractors are bound in writing to confidentiality and data protection as well as other relevant laws. All employees receive privacy & security training. Internal audits on data protection and information security are conducted regularly. Audits are carried out on the basis of common test criteria/schemes. The employees and contractors of G-P are instructed to process personal data for lawful reasons only, pursuant to applicable contracts with the customer and professional, with due consideration to any express consent given or withheld by the data subject, and in keeping with any lawful duty of the organization.

c) Data protection training

All employees receive privacy & security training which remains available for review at any time in G-P training platform.

d) Physical Access Controls

G-P has the following physical controls in place to deny unauthorized persons access to IT systems equipment used for processing.

Electronic door protection

The entrance doors to the premises of G-P offices are always locked and electronically secured. The doors are opened via a personal electronic transponder.

Controlled distribution of keys

A central, documented allocation of keys to the employees of G-P takes place. These electronic transponders/keys could be deactivated centrally by each office manager or the People Resources department.

Supervision and accompaniment of external persons

External service providers and other third parties may only be granted access to the premises via prior authorization or when accompanied by an employee of G-P. G-P applies its written Visitor’s Policy when visitors are invited to the premises.

Securing of premises with increased need for protection

Premises or cabinets with increased protection requirements, such as legal offices and certain Operations locations, are equipped with locking cabinets and drawers. Cabinets and drawers where legal documents, contracts, and confidential documentation are held are to be locked at all times except when they are in use.

Closed doors and windows

Employees are organizationally instructed to keep windows and doors closed or locked outside office hours.

e) Recoverability

G-P ensures that systems in use can be restored in the event of physical or technical failure.

Regular tests of the data recovery ("Restore-Tests")

Regular full restore tests are carried out to ensure recoverability in the event of an emergency/disaster.

Emergency plan ("Disaster Recovery Concept")

There is a concept for the treatment of emergencies/disasters and a corresponding emergency plan. G-P ensures the recovery of all systems on the basis of the data backups / backups, usually within 48 hours.

Review and evaluation measures

Presentation of the procedures for regular review, assessment and evaluation of the effectiveness of the technical and organizational measures.

f) Privacy Team

The organization has a Global Data Privacy Office tasked with planning, implementing, evaluating and adapt measures in the field of data protection.

g) Risk Management

There is a process for analyzing, evaluating, and allocating risks and for deriving measures on the basis of these risks.

3) INDEPENDENT REVIEW OF INFORMATION SECURITY

Performance of audits

Internal audits on data protection and information security are conducted regularly. Audits are carried out on the basis of common test criteria/schemes.

b) Review of compliance with security policies and standards

Compliance with the applicable security guidelines, standards and other security requirements for the processing of personal data is checked regularly. Where possible, these checks are carried out on a random and unexpected basis.

c) Verification of compliance with technical specifications

Regular automated and manual vulnerability scans are performed by the IT department or other qualified personnel to verify the security of the applications and infrastructure, as well as the regular development of the product. Detailed penetration tests are carried out by an external service provider to specifically examine the applications and infrastructure for vulnerabilities.

d) Processing on instruction

The employees of G-P are instructed to process personal data for lawful reasons only, pursuant to applicable contracts with the customer and professional, with due consideration to any express consent given or withheld by the data subject, and in keeping with any lawful duty of the organization.

e) Careful supplier selection

G-P adheres to its Supplier Prequalification Process when selecting vendors and suppliers who may encounter protected data. This process includes feedback from the Finance and Legal/Privacy Departments and incorporates risk assessment, security prequalification and documentation certification steps. Suppliers who will process protected data will be required to demonstrate their adherence to applicable data privacy laws, including Article 28 GDPR for covered data

부록 III

하위 프로세서 목록

하위 프로세서	위치 및 연락처 정보	처리 설명
아쿠마티카	3933 Lake Washington Blvd NE #350, 커클랜드, 워싱턴 98033, 미국	금융 서비스
Amazon Web 서비스	P.O. Box 81226 시애틀, 워싱턴주 98108-1226, 미국	호스팅 - 클라우드 서비스 제공업체
Microsoft	Microsoft Corporation 원 마이크로소프트 방식 레드먼드, 워싱턴 98052 미국 전화: (+1) 425-882-8080.	커뮤니케이션(이메일) 및 서비스 관리를 위한 비즈니스 프로세스 지원
Atlassian	350 부시 스트리트 플로어 13 샌프란시스코, 캘리포니아 94104, 미국 +1 415 701 1110	서비스 관리를 위한 비즈니스 프로세스 지원
DocuSign	DocuSign International (EMEA) Ltd, 주의: 개인정보 보호팀, 5 하노버 키, 1층, 더블린 2, 아일랜드 공화국	문서 관리
Salesforce.com	세일즈포스 타워, 415 미션 스트리트, 3rd 층, 샌프란시스코, 캘리포니아 94105, 미국 1-800-387-3285	고객 관계 관리(CRM)를 위한 비즈니스 프로세스 지원
Zendesk	989 마켓 스트리트 샌프란시스코, 캘리포니아 94103, 미국 zendesk.com 888-670-4887	고객 지원 헬프데스크 문의
지금 서비스	2225 Lawson Lane Santa Clara, CA , 95054 미국	Business Process Support for IT service and operations management, the employee and customer experiences through ( automated cloud-based workflow)
데이터브릭	160 Spear Street, 15th Floor San Francisco, CA 94105 1-866-330-0121 미국	클라우드 데이터 웨어하우스 인프라.
데이터독	620 8^th Ave 45 ^th Floor 뉴욕, 뉴욕 10018 미국	서비스 모니터링 및 디버깅 도구
Wise	애비뉴 루이스 54, 룸 에스52, 1050 브뤼셀 벨기에	온라인 결제 처리기
Google	1600 앰피시어터 Pkwy, 마운틴뷰, 캘리포니아 94043	커뮤니케이션(이메일) 및 내부 문서 저장을 위한 비즈니스 프로세스 지원

MSA 개인정보 보호 언어​​

데이터 보호 부록​​

1. DEFINITIONS​​

2. INDEPENDENT CONTROLLER - CONTROLLER RELATIONSHIP​​

3. CONTROLLER – PROCESSOR RELATIONSHIP​​

4. INTERNATIONAL DATA TRANSFERS​​

부속서 I​​

부록 II​​

1) TECHNICAL MEASURES TO ENSURE DATA PRIVACY AND PROTECTION​​

b) Encryption of Personal Data:​​

c) Admission Control​​

d) Access Controls Within the Platform​​

e) Firewall as a Service​​

f) Record of Log-In to the Platform​​

g) Separability​​

h) Availability control​​

2) ORGANIZATIONAL MEASURES TO ENSURE DATA PRIVACY AND PROTECTION​​

a) Organizational Instructions​​

b) Commitment to confidentiality and data protection​​

c) Data protection training​​

d) Physical Access Controls​​

e) Recoverability​​

f) Privacy Team​​

g) Risk Management​​

3) INDEPENDENT REVIEW OF INFORMATION SECURITY​​

b) Review of compliance with security policies and standards​​

c) Verification of compliance with technical specifications​​

d) Processing on instruction​​

e) Careful supplier selection​​

부록 III​​

MSA 개인정보 보호 언어