Last Updated: 8 July 2026
This Data Processing Agreement (“DPA”) is entered into by and between:
This DPA is entered into in connection with the Ethos Terms of Use, the Expert Terms and Conditions and/or the master services agreement or other customer agreement (as applicable) between User and Ethos, which govern User’s use of the platform made available by Ethos (the “Agreement”) but only to the extent such Agreement relates to Processing of Personal Data for which Ethos acts as Processor or service provider/contractor on behalf of User.
This DPA sets forth the terms under which the Processor will process personal data on behalf of the Data Controller, ensuring compliance with:
The Processor will process Personal Data exclusively:
Ethos and User are together the “Parties”, and each a “Party”. This DPA applies only to the extent Ethos Processes Personal Data as a Processor or service provider/contractor on behalf of a User that determines the purposes and means of such Processing. For clarity, this DPA does not apply to Ethos’s Processing of Personal Data for which Ethos acts as a controller or business, including Personal Data collected from or about Experts in connection with account creation, profile management, payments and payout administration, platform operation, matching, screening, ranking, AI Tools, marketing, support, security, analytics, service improvement, or other purposes described in the Ethos Privacy Policy. To the extent the Expert Terms and Conditions refer to this DPA, that reference applies only to Personal Data, if any, that Ethos Processes on behalf of a User as Processor, and does not limit Ethos’s rights or obligations as a controller or business under the Ethos Privacy Policy. The Parties agree to comply with this DPA with respect to the Processing of Personal Data by Ethos as Processor on behalf of User.
“Adequate Country” means:
“Authorised Persons” means Ethos employees, contractors, agents, auditors, and other personnel acting under Ethos’s authority who have a need-to-know or otherwise require access to Personal Data to enable Ethos to perform its obligations under the Agreement and this DPA.
“Data Protection Laws” means the European Union General Data Protection Regulation (EU) 2016/679 (“EU GDPR”); the UK General Data Protection Regulation and the UK Data Protection Act 2018 (together, the “UK GDPR”); the Swiss Federal Act on Data Protection (“Swiss FADP”); the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (collectively, the “CCPA/CPRA”); and the other data protection laws and regulations of the European Union, the European Economic Area and their member states, the United Kingdom, Switzerland, and the United States, in each case as applicable to the Processing of Personal Data under this DPA.
“Data Subject Request” means a request made by a Data Subject, consumer, or other individual conferred rights under Data Protection Laws.
“Personal Data” means any personal data or personal information, as defined by Data Protection Laws, that Ethos processes on behalf of User in connection with the Agreement.
“Platform” has the same meaning as in the Agreement.
“Regulatory Authority” means any local, state, national, or multinational agency, department, official, parliament, public or statutory person, government or professional body, regulatory authority or supervisory authority, or board or other body responsible for administering Data Protection Laws.
“Security Incident” means any data breach as defined by applicable Data Protection Laws, or any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data on systems managed or otherwise controlled by the Processor or its Sub-processors.
“User” (also referred to in this DPA as the “Data Controller”) means the legal entity or other person that determines the purposes and means of Processing Personal Data for which Ethos acts as Processor or service provider/contractor under this DPA. References in this DPA to ‘User’ and ‘Data Controller’ mean the same entity or person in that capacity.
“Business Purpose”, “Controller”, “Processor”, “Processing”, “Data Subject”, “Sensitive Data”, and “Sub-processor” if appearing in this DPA shall have the same meaning as in the Data Protection Laws.
Nothing in this DPA shall be construed to require Ethos to comply with the CCPA/CPRA beyond its obligations as a service provider or contractor as defined under the CCPA/CPRA.
Data Subjects:
Individuals whose Personal Data is uploaded to, or generated through, the Platform by or on behalf of User, which may include: User’s personnel and contractors; User’s end-users, customers, prospects, and other contacts; Experts (as defined in the Ethos Expert Terms and Conditions); and other Data Subjects identified in the Agreement or in User’s instructions.
Subject Matter of Processing:
Provision of the Platform and related services described in the Agreement, including identification, evaluation, screening, ranking, matching, and selection of Experts for Projects (where applicable to User’s use case).
Duration of Processing: Duration of the Agreement.
Nature and Purpose of Processing:
Ethos will Process Personal Data for the purposes of providing services to User in accordance with the Agreement and this DPA, including hosting, storage, transmission, retrieval, structuring, analysis, and presentation of Personal Data, and the operation of AI Tools (as described in the Ethos Privacy Policy) on Personal Data to perform the matching, ranking, screening, and selection functions of the Platform.
Type of Data:
Categories may include, depending on User’s use of the Platform: identifiers (name, email, phone, user ID, IP address); professional/employment information (job title, employer, work history, areas of expertise, billing rate, availability); content submitted to the Platform (messages, files, audio/video); usage and log data; account and authentication data; and outputs generated by AI Tools (e.g., match scores, screening evaluations, ranking signals). Further specifics shall be as agreed in the Agreement.
Sensitive Data:
User may not give Ethos any sensitive or other similar Personal Data without written approval from Ethos. Where such approval is given, the Parties shall agree the additional safeguards required under Article 9 of the UK GDPR and the EU GDPR (and applicable U.S. state law equivalents) in advance of any such Processing.
Frequency of Transfer:
Continuous, for the duration of the Agreement.
Retention Period:
As set forth in §10 of this DPA and the Agreement; aggregated and de-identified data may be retained indefinitely as described in the Ethos Privacy Policy.
Sub-processors:
As listed at https://agent.askethos.com/ethos-subprocessors and updated from time to time in accordance with §7 of this DPA. The transfers, processing operations, and durations performed by each Sub-processor correspond to the support, hosting, analytics, payment, and integration services described on the Sub-processor Site.
This Attachment B describes the technical and organisational measures implemented by Ethos (the “Processor”) to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR and applicable Data Protection Laws. The Processor may update these measures from time to time, provided that such updates do not materially diminish the overall level of security described herein.
The Processor maintains documented information security policies and procedures governing the protection of Personal Data. These are reviewed and updated as needed to reflect material changes to the Processor’s operations, systems, or applicable Data Protection Laws, and responsibility for information security is assigned to designated personnel within the Processor.
The Processor restricts access to Personal Data to authorised personnel who require such access to perform their job functions, applying the principles of least privilege and need-to-know. Access rights are uniquely assigned, reviewed periodically, and revoked promptly upon role change or termination of employment. Access to systems requires individual user credentials, and the use of shared accounts is avoided. Multi-factor authentication is required for remote access and for access to systems processing Personal Data.
The Processor enforces password policies that include minimum complexity, length, and rotation requirements, and stores authentication credentials using salted cryptographic hashing. Default vendor credentials are changed prior to deployment.
The Processor encrypts Personal Data in transit over public networks using current industry-standard protocols (e.g., TLS 1.2 or higher) and encrypts Personal Data at rest using industry-standard algorithms (e.g., AES-256). Encryption keys are managed securely and access to keys is restricted.
Where appropriate and technically feasible, the Processor applies pseudonymisation and data minimisation techniques to reduce the risk to data subjects.
The Processor maintains network security controls including firewalls, network segmentation, intrusion detection or prevention systems, and regular vulnerability scanning. Systems are hardened in accordance with industry standards, and security patches are applied in a timely manner based on risk.
Personal Data is hosted in facilities (including those operated by approved sub-processors) that maintain physical access controls such as secured entry, surveillance, visitor management, and environmental safeguards. Access to data centers is restricted to authorised personnel.
The Processor logs access to and activity within systems processing Personal Data, protects logs against tampering and unauthorised access, and monitors systems for anomalous or unauthorised activity. Logs are retained for a defined period consistent with operational and legal requirements.
The Processor requires personnel devices used to access Personal Data to use standard operating-system security features, including full-disk encryption, automatic security updates, and built-in malware protection.
The Processor maintains backup and disaster-recovery arrangements designed to support the availability and timely restoration of Personal Data following a physical or technical incident. Backups are protected by access controls and encryption, and backup-restore procedures are validated as part of routine engineering operations.
All personnel with access to Personal Data are subject to written confidentiality obligations. The Processor provides data-protection and security guidance to such personnel and undertakes background checks where appropriate and permitted by applicable law.
The Processor follows secure software development practices, including code review, separation of development, testing, and production environments, and testing of changes prior to deployment.
The Processor imposes data-protection and security obligations on its sub-processors that are no less protective than those set out in this Attachment, and assesses the security practices of sub-processors prior to engagement.
The Processor maintains an incident response plan that provides for the detection, investigation, containment, and remediation of security incidents, and for notification to the Controller without undue delay upon becoming aware of a Personal Data Breach, in accordance with the DPA.
Upon termination or expiry of the services, the Processor will, at the Controller’s choice, delete or return Personal Data and delete existing copies, except to the extent retention is required by applicable law, in accordance with the DPA.
The Processor periodically tests, assesses, and evaluates the effectiveness of these technical and organisational measures, and where applicable maintains independent certifications or audit reports (e.g., SOC 2, ISO/IEC 27001) that may be made available to the Controller in accordance with the audit provisions of the DPA.
In such event, the Parties shall rely on the following transfer mechanisms (as applicable):
(a) EU GDPR transfers. For transfers from User to Ethos that are subject to the EU GDPR and require appropriate safeguards under Chapter V of the EU GDPR, the EU Standard Contractual Clauses set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021, Module Two (controller-to-processor), are incorporated by reference and deemed completed with the information set out in Attachment A. For onward transfers from Ethos to Sub-processors, including affiliated Sub-processors, Ethos shall ensure that the relevant onward transfer is subject to an appropriate transfer mechanism as described in Section 11.3.
(b) UK GDPR transfers. For transfers from User to Ethos that are subject to the UK GDPR and require appropriate safeguards under Chapter V of the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the Information Commissioner’s Office under section 119A(1) of the Data Protection Act 2018 is incorporated by reference and deemed completed with the information set out in Attachment A. For onward transfers from Ethos to Sub-processors, including affiliated Sub-processors, Ethos shall ensure that the relevant onward transfer is subject to an appropriate transfer mechanism as described in Section 11.3.
(c) Swiss FADP transfers. For transfers subject to the Swiss Federal Act on Data Protection (FADP), the EU Standard Contractual Clauses referenced in (a) above apply as amended in accordance with the guidance of the Swiss Federal Data Protection and Information Commissioner (FDPIC), including that references to the EU GDPR are understood as references to the FADP, references to EU member state law are understood as references to Swiss law, the competent supervisory authority is the FDPIC, and data subjects in Switzerland may enforce their rights in Switzerland.
(d) Completion of the Clauses. The Clauses referenced above are completed as follows: (i) the optional docking clause in Clause 7 applies; (ii) for purposes of Clause 9, Option 2, general written authorisation applies, and the time period for prior notice of Sub-processor changes is as set out in Section 7 of this DPA; (iii) for purposes of Clause 11, the optional independent dispute resolution body language does not apply; (iv) for purposes of Clause 17, Option 1 applies and the EU SCCs are governed by the laws of Ireland; (v) for purposes of Clause 18(b), the courts of Ireland are the competent courts; (vi) for purposes of Clause 13 and Annex I.C, the competent supervisory authority is the Irish Data Protection Commission for EU GDPR transfers, the Information Commissioner’s Office for UK GDPR transfers under the UK Addendum, and the FDPIC for Swiss FADP transfers; (vii) Annex I.A is completed with the party details set out in this DPA and the Agreement, with User as data exporter and Controller and Ethos as data importer and Processor; (viii) Annex I.B is completed with the description of transfer set out in Attachment A; (ix) Annex II is completed with the technical and organisational measures set out in Attachment B; (x) Annex III is completed by reference to the Sub-processor Site, as updated in accordance with Section 7; and (xi) for the UK Addendum, the information required by Tables 1 to 3 is completed with the information set out in this DPA, Attachment A, Attachment B, and the Sub-processor Site, and Table 4 specifies that neither Party may end the UK Addendum under Section 19 except as permitted by the UK Addendum.