The Sourcer Terms of Service is comprised of the following agreements:

• Terms of Use
• Privacy Policy
• Global Data Processing Agreement
• Cookie Policy

This document explains the rules that keep our marketplace running.

We call these rules our Terms of Use. They apply to sourcer.com and all the websites and apps we own or run. (And by we, we mean Sourcer and our affiliates, which we may also refer to as us.)

These terms explain how we expect you to behave when you’re using Sourcer – whether you’re a registered user or unregistered site visitor on our site.

Please read these rules carefully: by using our site, you’re agreeing to follow them.

1. About licenses and third party content

Here we’ve included the conditions for using our site, which we do our best to keep running smoothly (1.1). That means we have the right to stop people from using our site and services if needed (1.2).

You can’t use our intellectual property (1.3), but you can post your own content to Sourcer. You’re responsible for this content (1.4), and equally, we’re not responsible for content you come across from other users (1.5). If you think someone is using something you’ve copyrighted, just let us know (1.6).

1.1 We let you use our site and services

Technically, we’re giving you a ‘limited license’ to the site. Here’s what that means.

We’re happy for you to access our website and services (known as the services). You’re free to have this access (or limited license) as long as you follow these terms of use and all of our other Terms of Service as they apply to you.

We’ll do our best to make sure our services are safe and working as they should, but we can’t guarantee you’ll have access continuously. In fact, we might even stop providing certain features or the services completely, and don’t have to give notice if we do.

1.2 We can stop letting you use our services

We can take away your right to use our services at any time.

If you violate our Terms of Use or other parts of our Terms of Service, we can take away your access to Sourcer. Officially, this is called terminating your license, and if it happens, we’ll tell you and you must stop using our services immediately.

1.3 We keep the rights to our intellectual property

Using our services doesn’t mean you can use any of our trademarks or other intellectual property, like copyrights and patents. We keep all of our rights to our intellectual property, even though we let you use our services.

Our logos and names are our trademarks and registered in certain jurisdictions. Any other product or company names, logos or similar marks and symbols you see on Sourcer may be trademarked by our partners or other users like you.

1.4 You can use Sourcer to share your content with the world

1.4.1 You’re responsible for what you post

You’re responsible for how you use our site and anything you post on it. If someone makes a claim against us because of anything you put on the site, you agree to compensate us for our legal fees and expenses (the lawyers call this, ‘indemnification’).

When you post content on (or through) our site or give us content for posting, you agree that you’re completely responsible for that content and we’re not. You also agree to only post or give us content that:

• you have the right to post
• is legal
• doesn’t violate anyone’s rights, including intellectual property rights.

You acknowledge and agree that whoever posts content is responsible for any harm caused to anyone by that content – not Sourcer – and that you’ll compensate and defend us, our partners, employees and representatives against any costs or legal or government action we have because of your content.

1.4.2 Other people have some rights to what you post

By posting content on the site, you give other people some rights to that content.

Whenever you post content on our site, you give us and our affiliates a permanent right (called an ‘irrevocable and non-exclusive worldwide license’) to use, edit and share that content – across the world and without paying royalties. If your name, voice and image appear in content you post, we also might use those on the site or in our day-to-day business. For example, if you’re a supplier, we might share your profile with clients we think could be a good match.

You also give each user and site visitor the right to access and use your content through the site. They also have the right to use, copy and share your content – as long as they do it through the site, and follow both our Terms of Service and the law.

We might show ads near your content and information, without compensating you. Depending on choices you make in your profile, we might also include your name or photo when promoting one of our features.

1.4.3 We’re open to your ideas

We’d love to hear your thoughts on improving Sourcer. Here’s what happens when you share them.

You can send us comments and suggestions about our services and ways to improve them. If you do, you’re agreeing your ideas are free and unsolicited, and you don’t expect or ask anything in return, unless we’ve specifically asked you for your ideas and offered something in return (we like to keep our word).

You agree we’re free to use, change and share the idea as we like, without being obligated to to give you anything for it. And if you do send us an idea, you also agree that this doesn’t affect our right to use similar or related ideas – including those we already have or get from others.

1.5 Third parties post on Sourcer, too

Anyone else who uses our site is responsible for what they post or link on Sourcer.

We’re not responsible for the accuracy or reliability of any content shared by other people on our site, unless they’re officially working for us when they share or post the content. Any content represents the views of the person sharing it, not Sourcer.

Our site might also contain links or other access to third-party websites and applications. These sites and applications are owned and run by other parties, not Sourcer. If we use a link or application that goes to a third-party website, it doesn’t mean that we endorse it and you agree that you use it without our endorsement.

1.6 You can make a copyright complaint

If you think content on our site infringes your rights, you can ask to have it removed.

We’re committed to following U.S. copyright and related laws and need site visitors and users to follow them as well. That means you can’t use our site to store or share anything that infringes anyone’s intellectual property rights, including their rights under U.S. copyright law.

If you own copyrighted work and think your rights under U.S. copyright law have been infringed by anything on our site, the Digital Millennium Copyright Act means you can ask us to take it down. To start the process, please contact us at: legalnotices@sourcer.com.

2. What you’re allowed to do on Sourcer

You can only use our services for work and to learn from the information we share.

Our site and services were made to be used for business, not for personal or consumer use. We run our marketplace to help companies find each other, build working relationships, and make and receive payments for that work.

You can also use some of our services to get information we think might be interesting and useful for our site visitors and users – like our Sourcer blog. While we do our best to make sure that this information is timely and accurate, there might sometimes be mistakes. We don’t make any guarantees about information posted on our site, so never use it as tax or legal advice. And you should always double-check the information for yourself.

3. What you’re not allowed to do on Sourcer

Certain uses of the site are not allowed. Here we go into much more depth about those things, including:

• posting unacceptable content (3.1)
• acting in a misleading or fraudulent way (3.2)
• treating others unfairly (3.3)
• abusing our feedback system (3.4)
• other uses that aren’t allowed (3.5)

In short, you’re not allowed to use our services to do (or encourage others to do) anything that is illegal, fraudulent or harmful. If you don’t see something on one of the lists below, you shouldn’t assume it’s allowed. When in doubt, contact us to check.

3.1 Posting unacceptable content

You can’t offer, share, support or try to find anything that:

• is illegal or defamatory
• is violent, discriminatory or harassing, either generally or towards a specific person or group (or encourages others to be), including anyone who is part of a legally protected group
• is sexually explicit or related to sex work or escort services
• is in any way related to child exploitation
• would infringe on any intellectual property rights, including copyrights
• would violate our Terms of Service, another website’s terms of service, or any similar contract
• would go against professional or academic standards or policies – including improperly submitting someone else’s work as your own, or by ghost-writing essays, tests, or certifications
• involves purchasing or requesting a fake review or is connected in any way to making or sharing misleading content which is intended to deceive others.

3.2 Acting in a misleading or fraudulent way

On Sourcer, you can’t do anything that’s dishonest or meant to fool others.

You can’t misrepresent your company, your resources’ experience, skills or professional qualifications, or that of others. This includes:

• lying about your resources’ experience, skills or professional qualifications
• using generative AI or other tools to substantially bolster inquiries from clients or work product if such use is restricted by your client or violates any third-party’s rights
• passing off any part of another company’s profile or identity as your own
• impersonating or falsely attributing statements to any person or entity, including a Sourcer representative
• falsely claiming or implying you’re connected to a person or organization (including Sourcer) – for example, you can’t say you work with a particular company when you don’t, and suppliers can’t use a resource’s profile if they’ve stopped working together.

Similarly, you must always be honest about who’s doing the work. That means you can’t:

• allow someone else to use your account, which misleads other users or
• falsely claim one resource will do a job when another will actually do it – including submitting a profile of the resource who can’t or won’t do the work.

We’re particularly invested in avoiding fraud and misrepresentations when it comes to payments. This means:

Suppliers can’t fraudulently charge a client in any way, including by:

• reporting or billing time the engaged resource haven’t actually worked
• reporting time worked by someone else and claiming the engaged resource did the work
• demanding payments without the intention of or without actually providing services in exchange for the payment.

Clients can’t engage in fraud related to payments, including by:

• posting requisitions with payment terms that are objectively unreasonable or disproportionate to the scope of services requested
• demanding services without the intention of or without actually providing payment in exchange for the services.

3.3 Treating others unfairly

Everyone should be treated fairly and legally on Sourcer.

You can’t use Sourcer to:

• express an unlawful preference in a requisition, inquiry or submission
• unlawfully discriminate against someone
• incite or encourage violence
• post personal identifying information or other sensitive, private data about another person
• spam other companies with inquiries or submissions. This includes posting the same requisition several times at once and contacting people you connected with on Sourcer outside of Sourcer without their permission
• make or demand bribes or payments for anything other than the work
• ask for or demand free work – you can’t ask suppliers to submit work for little or no payment as part of a proposal bid or competition
• request a fee in order to submit an inquiry or submission.

3.4 Abusing our feedback system

You must use our feedback system honestly and fairly.

That means you can’t:

• withhold payment or work until you’ve been given positive feedback
• swap payment (or anything of value) for feedback, including with third parties
• coerce another company by threatening negative feedback
• use the system to share unrelated views (like about politics or religion)
• offer or accept fake services to improve your feedback or rating score, which is called feedback building

3.5 Other uses that aren’t allowed

Sourcer relies on technology and trust – here’s how we maintain those things.

• You can’t copy, share or give away your account. You can’t have multiple accounts and you can’t sell, trade or give your account to anyone else without our permission.
• You can’t promote other organizations – including advertising any other websites, products or services. You also can’t use our site to recruit suppliers or clients to join another agency, website or company, unless you pay us a fee to do so.
• You can’t interfere with our technology or tamper with our site or services. That means you can’t:
  • bypass any security features we’ve put in place to restrict how you use the site – you’re not allowed to try and get around restrictions on copying content
  • interfere with or compromise our systems, server security, or transmissions
  • use a robot, spider, scraper, or similar mechanisms on our site without written permission
  • copy, distribute, or otherwise use any information you found on Sourcer, if whether directly or through third parties (like search engines), without our consent (no scraping allowed)
  • collect or use identifiable information, including account names
  • overwhelm the site with an unreasonable or large amount of information
  • introduce any malware or any other code or viruses that could harm us, our customers, or our services
  • access our services through any technology other than our interface
  • frame or link to the services without our written permission
  • use our services to build a similar service, identify or poach our users or publish any performance or benchmark analysis relating to the site
  • reverse engineer, decipher, modify, or take source code from our site that is not open source without our written permission.

4. Enforcing our terms of use

If you break any of these rules, we can suspend your account and stop you from using Sourcer (4.1). If you see someone else breaking these rules, please let us know (4.2).

4.1 We enforce these rules

We have the right to look into any potential violations of these terms of use, and might decide to pause, change or take away any content on our site when we do.

We can’t guarantee that we’ll take action against every potential violation, but just because we don’t take action against one breach doesn’t waive our right to take action against any future breaches, whether they’re related to the first breach or not.

If we do suspect rule-breaking, we can stop you using our site at any time. If we disable or close your account, you won’t be able to use any of our services, but these things will stay in place:

• our rights to use and share your feedback
• our users’ and visitors’ rights to share your content (1.4.2)
• your agreement to all the rules laid out in section 3 on this page.

4.2 Tell us if you see someone breaking these rules

What to do if you become aware of a violation of our Terms of Use.

If you believe anyone is breaking any of our terms of use, please let our customer service team know.

If we follow up on the breach, you agree to help with our investigation and take reasonable steps to help us fix the problem.

5. Definitions

Here, we explain some of the terms we’ve used in our Terms of Use. Any other terms in italics should be defined when they’re mentioned, throughout the Terms of Service.

An affiliate is anyone or anything that in any way manages, is managed by, or shares management with us.

A customer is a company using our site to source talent services from a supplier.

A supplier is a company using our site to offer their services to customers.

Supplier services refer to the work supplier’s resources offer to their customers.

A means of direct contact is information that would let someone get in touch with you directly (or find the information to do that) so you can bypass our site. For example, phone numbers, email and physical addresses, social media accounts, and personal websites with contact information are means of direct contact.

Site services are all services, applications and products – apart from supplier services – that people can access through Sourcer.

Content is what users post to Sourcer themselves, like comments, profiles, feedback, images, or other information. It includes anything posted by you even if elements of the content were originally generated by generative AI or other tools, or in response to questions posed to you by Sourcer or other users or Sourcer.

This Privacy Policy explains how and why Sourcer collects, uses, and shares personal information when you interact with or use our Site or Service. It also includes any information Sourcer collects offline in connection with the Service, which we may combine with information from the Site and Service. By reading this Privacy Policy, you will understand your privacy rights and choices.

When we say “Sourcer”, we mean Sourcer, Inc., and any of its affiliates. When we say “Site”, we mean sourcer.com, and when we say “Service”, we mean the Site plus any websites, features, applications, widgets, or online services owned or controlled by Sourcer and that post a link to this Privacy Policy.

As part of the Service, Sourcer provides a marketplace which results in platform information pertaining to different parties to an interaction. Users of the Service may be Customers, Suppliers, or Site Visitors (as each is defined in the Terms of Use). This Privacy Policy applies to Sourcer’s processing of personal information of Users where Sourcer determines the purposes and means of processing. It does not apply to processing of information by Users themselves, who may be controllers of the personal information they access through the Service. For information about how Users process your personal information, please contact them directly.

Accessibility: This Privacy Policy uses industry-standard technologies and was developed in connection with the World Wide Web Consortium’s Web Content Accessibility Guidelines, version 2.1. If you wish to print this policy, please do so from your web browser or by saving the page as a PDF.

1. Information Collection

a. Information You Provide to Us

When you use the Service, you may provide us with information about you. This may include your name and contact information, financial information to make or receive payment for services obtained through the Sourcer platform, or information to help us calculate sales taxes. When you use the Service, we may also collect information related to your use of the Service and aggregate this with information about other users. This helps us improve our Services for you. Suppliers may also provide us with information about resources associated with the Supplier.

Depending upon our relationship with you, we may collect the following categories and types of personal information from and about you:

b. Non-Identifying Information and De-Identified Information

• Non-Identifying Information/Usernames: We also may collect other information that does not identify you directly, such as zip codes, demographic data, information about your use of the Service, and general project-related data (“Non-Identifying Information”). We may combine information collected from Sourcer users, whether they are registered or not (“Sourcer Users”). In some cases, we may render Personal Information (generally, email address) into a form of Non-Identifying Information referred to in this Privacy Policy as “Hashed Information.” This is typically accomplished using a mathematical process (commonly known as a hash function) to convert information into a code. While the code does not identify you directly, it may be used by Sourcer’s partners to connect your activity and interests.
• Combination of Personal and Non-Identifying Information: We may combine your Personal Information with Non-Identifying Information, but Sourcer will treat the combined information as Personal Information.
• De-Identified Information: We may also de-identify or aggregate information and convert it into non-personal information so that it can no longer reasonably be used to identify you (“De-Identified Information”). We may use De-Identified Information for any of the purposes described in the “We Use Information We Collect” section below. We will maintain and use De-Identified Information in de-identified form and will not attempt to reidentify the information, except to confirm our de-identification processes or unless required by law.

c. Information Collected Automatically

Like other online companies, we receive technical information when you use our Services. We use these technologies to analyze how people use the Service, to improve how our Site functions, to save your log-in information for future sessions, and to serve you with advertisements that may interest you.

Sourcer and its partners use cookies or similar technologies to analyze trends, administer the website, track users’ movement around the website, the desktop app, and the mobile app, and to gather demographic information about our user base as a whole. The technology used to collect information automatically from Sourcer Users may include cookies, web beacons, and embedded scripts. In addition, we and our marketing partners, affiliates, analytics, and service providers may use a variety of other technologies (such as tags) that collect similar information for security and fraud detection purposes and we may use third parties to perform these services on our behalf.

For further information on cookies and how they are used for the Service, please visit our Cookie Policy at sourcer.com/legal/cookie-policy.

d. Analytics Providers, Ad Servers and Similar Third Parties

We may work with advertising agencies and vendors who use technology to help us understand how people use our Site. These vendors may use technologies to serve you advertisements that may interest you. You can choose to opt out of receiving certain interest-based advertising.

Sourcer works with (or may in the future work with) ad networks, ad agencies, analytics service providers and other vendors to provide us with information regarding traffic on the Service, including pages viewed and the actions taken when visiting the Service; to serve our advertisements on other websites, within mobile apps and elsewhere online; and to provide us with information regarding the use of the Service and the effectiveness of our advertisements. Our service providers may collect certain information about your visits to and activity on the Service as well as other websites or services, they may set and access their own tracking technologies on your device (including cookies and web beacons), and may use that information to show you targeted advertisements. Some of these parties may collect Personal Information when you visit the Service or other online websites and services. We may also share certain Non-Identifying Information with these parties, including Hashed Information, in connection with the services they provide to us. If you wish to opt out of interest-based advertising from participating companies, click here (or if located in the European Union, click here). You must opt out on each device and each browser where you want your choice to apply. If you choose to opt out, please note you will continue to receive advertisements, but they may be less relevant to you.

While we may use a variety of service providers to perform advertising services, some of these companies are members of the Network Advertising Initiative (“NAI”) or the Digital Advertising Alliance (“DAA”) Self-Regulatory Program for Online Behavioral Advertising. You may want to visit http://www.networkadvertising.org/managing/opt_out.asp, which provides information regarding targeted advertising and the “opt-out” procedures of NAI members. You may also want to visit http://www.aboutads.info/choices/, which provides information regarding targeted advertising and offers an “opt-out” by participating companies in the DAA Self-Regulatory Program.

e. Do Not Track Signals and GPC

Please note that your browser setting may allow you to automatically transmit a “Do Not Track” signal to websites and online services you visit. Sourcer does not generally alter its practices when it receives a “Do Not Track” signal from a visitor’s browser. To find out more about “Do Not Track,” please visit http://www.allaboutdnt.com.

Global Privacy Control (GPC) is a technical specification that you can use to inform websites of your privacy preferences regarding ad trackers. If you do choose to set up GPC, it may impact the functionality of the Site, but we honor the GPC signal on a per-browser basis automatically in your cookie preferences.

f. Children

The Service is general audience and intended for users 18 and older. We do not knowingly collect Personal Information from anyone younger than age 18. If we become aware that a child younger than 18 has provided us with Personal Information, we will use commercially reasonable efforts to delete such information from our files. If you are the parent or legal guardian of a child younger than age 18 and believe that Sourcer has collected Personal Information from your child, please contact us at: legalnotices@sourcer.com.

2. Use of Information

We use information collected through the Service to provide and improve the Service, develop new Services and products, process your requests, prevent fraud, provide you with information and advertising that may interest you, comply with the law, and as otherwise permitted with your consent.

a. We Use Information We Collect:

• To provide and improve the Service, complete your transactions, address your inquiries, process your registration, verify the information you provide is valid, and for compliance and internal business purposes.
• To contact you with administrative communications and Sourcer newsletters, marketing or promotional materials (on behalf of Sourcer or third parties) and other information that may be of interest to you. If you decide at any time that you no longer wish to receive such communications from us, please follow the instructions in the Your Choices and Rights section, below.
• To tailor content we display to you and offers we may present to you, both on the Service and elsewhere online.
• To administer and develop our business relationship with you and, if applicable, the corporation or other legal entity you represent.
• To enforce and comply with the law, including to conduct an investigation, to protect the property and rights of Sourcer or a third party, to protect the safety of the public or any person, or to prevent or stop activity we may consider to be, or to pose a risk of being, illegal, fraudulent, unethical or legally actionable activity. We may also use Device Identifiers to identify Sourcer Users.
• For the purposes disclosed at the time you provide your information, with your consent, and as further described in this Privacy Policy.
• To Honor Our Contractual Commitments to You. Much of our processing of Personal Information is to meet our contractual obligations to our investors, or to take steps at Users’ request in anticipation of entering into a contract with them.
• For Our Legitimate Interests. In many cases, we handle Personal Information on the grounds that it furthers our legitimate interests in commercial activities, such as the following, in ways that are not overridden by the interests or fundamental rights and freedoms of the affected individuals:
  • Providing our Site and Service.
  • Detecting security incidents, protecting against malicious, deceptive, fraudulent or illegal activity, and prosecuting those responsible for that activity.
  • Measuring interest and engagement in our Services.
  • Short-term, transient use, such as contextual customization of ads.
  • Improving, upgrading or enhancing our Services.
  • Developing new products and services.
  • Ensuring internal quality control and safety.
  • Authenticating and verifying individual identities.
  • Debugging to identify and repair errors with our Services.
  • Auditing relating to interactions, transactions and other compliance activities.
  • Enforcing our agreements and policies.
  • Analyzing and improving our business.
  • Communications, including marketing and responding to your inquiries about our services.
  • Addressing information security needs and protecting our Users, Sourcer, and others.
  • Managing legal issues.
• To Comply with Legal Obligations. We need to use and disclose Personal Information in certain ways to comply with our legal obligations.

3. Data Retention

Unless you request that we delete certain information, we will only retain your personal information for as long as is necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, regulatory, accounting, or reporting requirements, as well as ongoing fraud prevention, backup, and business continuity purposes.

4. Information Sharing and Disclosure

We do not sell your Personal Information for monetary consideration, and we do not share your Personal Information with third parties for those third parties’ marketing purposes unless we first provide you with the opportunity to opt-in to or opt-out of such sharing. However, we may use technologies on our Site for the purposes of advertising or marketing to you and understanding how you interact with our ads. This may be considered a “sale” or “sharing” of personal information for targeted advertising under applicable data protection laws. We may also share information we have collected about you, including Personal Information, as disclosed at the time you provide your information, with your consent, as otherwise described in this Privacy Policy, or for the following business or commercial purposes:

5. Your Choices and Rights

You may have certain choices and rights associated with your personal information, including opting out of targeted advertising or other disclosures to third parties. Residents of certain locations may have the right to have an authorized agent submit requests on your behalf. You or your authorized agent may request that Sourcer honor these rights by contacting us as outlined in the “Contact Us” section below.

Non-Discrimination: You will not receive any discriminatory treatment by us for the exercise of your privacy rights.

Verifying Your Request: Only you, or a person that you authorize to act on your behalf, may make a request related to your personal information. In the case of access and deletion, your request must be verifiable before we can fulfill such request. Verifying your request will require you to provide sufficient information for us to reasonably verify that you are the person about whom we collected personal information or a person authorized to act on your behalf. We will only use the personal information that you have provided in a verifiable request in order to verify your request. We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority. Please note that we may charge a reasonable fee or refuse to act on a request if such request is excessive, repetitive or manifestly unfounded.

For Individuals Located in the European Economic Area (EEA), United Kingdom (UK) or Switzerland:

You have a number of rights under applicable data protection laws in relation to your personal information. Under certain circumstances, you have the right to:

• Have access to your personal information by submitting a request to us;
• Have your personal information deleted;
• Have your personal information corrected if it is wrong;
• Have the processing of your personal information restricted;
• Object to further processing of your personal information, including to object to marketing from us;
• Make a data portability request;
• Withdraw any consent you have provided to us;
• Restrict any automatic processing of your personal information; and
• Complain to the appropriate Supervisory Authority.

To exercise any of these rights, please contact us as outlined in the “Contact Us” section below.

Notice for California Residents

“Shine the Light” and “Eraser” Laws: Residents of the State of California may request a list of all third parties to which we have disclosed certain information during the preceding year for those third parties’ direct marketing purposes.

California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA): The CCPA, as amended by the CPRA, provides California residents and/or their authorized agents with specific rights regarding the collection and processing of their personal information.

Your Right to Know: California residents have the right to request that we disclose the following information to you about our collection and use of your personal information over the past twelve (12) months. We may ask you to provide certain information to identify yourself so that we may compare it with our records in order to verify your request. Upon verification, we will disclose to you:

1. The categories of personal information we have collected about you.
2. The categories of sources for the personal information we have collected about you.
3. The specific pieces of personal information we have collected about you.
4. Our business or commercial purpose for collecting or “selling” your personal information as defined by the CCPA.
5. The categories of third parties to whom we have sold or shared your personal information, if any, and the categories of personal information that we have shared with each third-party recipient.

Your Right to Opt-Out of “Sale” or “Sharing” of Personal Information: California residents have the right to opt-out of the “sale” or “sharing” of their personal information as defined by the CCPA by contacting us using the information in the “Contact Us” section below.

Please note that we do not knowingly “sell” the personal information of any individuals under the age of 18.

Where we are “sharing” your personal information with third parties for the purposes of cross-context behavioral advertising or profiling, you may opt-out of such sharing at any time by submitting a request as directed on the homepage of our website or by contacting us using the information in the “Contact Us” section below.

Your Right to Limit Use of Sensitive Personal Information: California residents may have the right to request that businesses limit the use of any sensitive personal information to those uses which are necessary to perform the Services or for other specifically-enumerated business purposes under the CCPA, as amended by the CPRA. Please note that we do not use sensitive personal information other than as necessary to perform the Services or as specifically permitted under the CCPA.

Your Right to Delete: California residents have the right to request that we delete any of the personal information collected from you and retained by us, subject to certain exceptions. We may ask you to provide certain information to identify yourself so that we may compare it with our records in order to verify your request. Once your request is verified and we have determined that we are required to delete the requested personal information in accordance with the CCPA, we will delete, and direct our service providers to delete your personal information from their records. Your request to delete personal information that we have collected may be denied if we conclude it is necessary for us to retain such personal information under one or more of the exceptions listed in the CCPA.

Your Right to Correct: Under the CCPA, as amended by the CPRA, California residents have the right to request that we correct any inaccurate personal information we maintain about you, taking into account the nature of the personal information and the purposes for which we are processing such personal information. We will use commercially reasonable efforts to correct such inaccurate personal information about you.

Non-Discrimination: You will not receive any discriminatory treatment by us for the exercise of your privacy rights conferred by the CCPA.

Notice for Nevada Residents

Under Nevada law, certain Nevada residents may opt out of the sale of “personally identifiable information” for monetary consideration to a person for that person to license or sell such information to additional persons. “Personally identifiable information” includes first and last name, address, email address, phone number, Social Security Number, or an identifier that allows a specific person to be contacted either physically or online.

We do not engage in such activity; however, if you are a Nevada resident who has purchased or leased goods or services from us, you may submit a request to opt out of any potential future sales under Nevada law by emailing privacyrequests@sourcer.com. Please note we will take reasonable steps to verify your identity and the authenticity of the request. Once verified, we will maintain your request in the event our practices change.

Notice for Residents of Certain Other States

The laws of your state of residence (“Applicable State Law”) may provide you with certain rights, including the following:

Your Right to Confirm and Access: You have the right to confirm whether we are processing personal information about you and access the personal information we process about you.

Your Right to Portability: You have the right to obtain a copy of the personal information we maintain and process about you in a portable and, to the extent technically feasible, readily-usable format.

Your Right to Delete: You have the right to request that we delete the personal information we maintain or process about you.

Your Right to Correct: You have the right to request that we correct inaccuracies in the personal information we maintain or process about you, taking into consideration the nature and purpose of such processing.

Your Rights to Opt-Out: You have the right to opt-out of certain types of processing of personal information, including:

• Opt-Out of the “sale” of personal information as defined by Applicable State Law;
• Opt-Out of targeted advertising by us;
• Opt-Out of automated profiling for the purposes of making decisions that produce legal or similarly significant effects.

Please note, as explained above, we do not “sell” personal information as that word is traditionally defined. However, we do share personal information with third parties to provide you with personalized advertising from us and to better understand how you interact with our Services. Through the use of cookies, we may also make available certain personal information to third parties for targeted advertising.

Appeals Process and Other Concerns

Certain information may be exempt from the rights described above under applicable law. If we deny your request in whole or in part, you may have the right to appeal the decision. In such circumstances, we will provide you with information regarding the appeals process. Depending on your location, you may also email legalnotices@sourcer.com with the subject “Data Privacy Request Appeal” to provide us with details about why you are appealing the decision.

If you have an unresolved privacy or data use concern that we have not addressed to your satisfaction, please contact our U.S.-based third-party dispute resolution provider free at https://feedback-form.truste.com/watchdog/request.

6. Security

We take a number of steps to protect your data, but no security is guaranteed.

Sourcer takes reasonable steps to help protect and secure the information it collects and stores about Sourcer Users. We maintain reasonable administrative, technical, and physical safeguards designed to protect personal information that we receive against accidental, unlawful, or unauthorized destruction, loss, alteration, access, disclosure or use.

7. Cross-Border Data Transfers

Because we are a U.S. company, we process and store your information in the United States and our service providers may process and store it elsewhere.

Sourcer may transfer your personal information to a third party that is located in a jurisdiction other than the one from which we collected your personal information, including to countries that have not been deemed to have an adequate level of protection for the rights and freedoms of data subjects. If we do transfer your personal information to another jurisdiction, we will do so following due diligence and provided that the data recipient is subject to contractual agreements imposing obligations on it to ensure appropriate technical and organizational are implemented and maintained at all times to prevent the unauthorized and unlawful processing of personal information, and the accidental loss or destruction of, or damage to, personal information, consistent with our obligations under applicable data protection laws.

We will use appropriate legal transfer mechanisms, including Standard Contractual Clauses, where required by law.In addition, Sourcer is self-certified under the EU-U.S. and Swiss-U.S. Data Privacy Framework, as described below. Personal information from EU and Swiss residents will be treated in accordance with the Data Privacy Framework Principles. To exercise any legal right to see copies of the data transfer mechanism documents that Sourcer uses to transfer data to third parties, please contact us.

Data Privacy Framework Notice

Sourcer, Inc. has certified that its U.S. operations adhere to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (“Privacy Shield”) with respect to the personal Information that they receive in reliance on the Privacy Shield. In July 2023, all members of the Privacy Shield, including Sourcer, automatically became members of the Data Privacy Framework (“DPF”). Our DPF certification is available at https://www.dataprivacyframework.gov/s/participant-search. To learn more about the DPF program, please visit https://www.dataprivacyframework.gov/s/.

When Sourcer or one of its affiliates receives Personal Information under the DPF and then transfers it to a third party service provider acting as an agent on their behalf, Sourcer or its affiliate may have certain responsibility under the DPF if both (i) the agent processes the information in a manner inconsistent with the DPF and (ii) Sourcer or its affiliate is responsible for the event giving rise to the damage.

Covered European residents should contact Sourcer at the contact information below regarding Sourcer’s or its affiliates’ compliance with the DPF. Sourcer will attempt to answer your questions and satisfy your concerns in a timely and complete manner as soon as possible. If, after discussing the matter with Sourcer, your issue or complaint is not resolved, Sourcer and the above-named affiliates have agreed to participate in the DPF independent dispute resolution mechanisms listed below, free of charge to you. PLEASE CONTACT SOURCER FIRST.

For other Personal Information Sourcer or its affiliates receive under the DPF, Sourcer and its affiliates have committed to refer unresolved privacy complaints under the EU-U.S. and Swiss-U.S. Data Privacy Framework Principles to an independent dispute resolution mechanism, JAMS Data Privacy Framework Dispute Resolution, operated by JAMS. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://www.jamsadr.com/dpf-dispute-resolution for more information and to file a complaint.

If your complaint still is not resolved through these channels, under limited circumstances, an additional binding arbitration option may be available before a DPF panel, as described at https://www.dataprivacyframework.gov/s/. Every individual also has a right to lodge a complaint with the relevant supervisory authority.

8. Links to Other Sites

Our Service contains links to other websites. If you choose to click on a third-party link, you will be directed to that third party’s website. The fact that we link to a website is not an endorsement, authorization or representation of our affiliation with that third party, nor is it an endorsement of their privacy or information security policies or practices. We do not exercise control over third party websites. These other websites may place their own cookies or other files on your computer, collect data or solicit Personal Information from you. We encourage you to read the privacy policies or statements of the other websites you visit.

9. Changes to This Policy

We may change this Privacy Policy. If we make substantial changes, we will provide notice.

This Privacy Policy is effective as of the date stated at the top of this page. Sourcer may update this Privacy Policy at any time and any changes will be effective upon posting. By accessing or using the Service after we notify you of such changes to this Privacy Policy, you are deemed to have accepted such changes. Please refer back to this Privacy Policy on a regular basis.

10. Contact Us

To request that Sourcer honor any of the rights described in this Policy contact us as outlined below.

If you have any questions about this Privacy Policy, please contact us at legalnotices@sourcer.com, or by mail addressed to Sourcer, Attn: Legal, 1111B S Governors Ave, Ste 20165, Dover, DE 19904, USA. You may also contact us by phone at 415-574-0205.

The Client agreeing to these terms (“Customer”), and Sourcer, Inc. or any other entity that directly or indirectly controls, is controlled by, or is under common control with Sourcer, Inc. (as applicable, “Sourcer”) (each, a “party” and collectively, the “parties”), have entered into an agreement under which Sourcer has agreed to provide a marketplace where Clients and Suppliers can identify each other and advertise, buy, and sell Supplier Services online, with such other services, if any, described in the agreement (the “Service”) to Customer (as amended from time to time, the “Agreement”). Unless otherwise agreed to in writing by you and Sourcer, to the extent Sourcer processes any EU personal data for you as a controller (as defined by the General Data Protection Regulation (EU) 2016/679) in your role as a Customer as defined in this Global Data Processing Agreement (the “DPA”), this DPA applies. This DPA, including its appendices, supplements the Agreement. To the extent of any conflict or inconsistency between this DPA and the remaining terms of the Agreement, this DPA will govern.

1. Introduction

This DPA reflects the parties’ agreement with respect to the processing and security of Customer Data under the Agreement.

2. Definitions

2.1 The terms “personal data”, “data subject”, “processing”, “controller”, “processor” and “supervisory authority” have the meanings given in the GDPR, and the terms “data importer” and “data exporter” have the meanings given in the Standard Contractual Clauses, in each case irrespective of whether the European Data Protection Legislation or Non-European Data Protection Legislation applies.

2.2 Unless stated otherwise:

• “Affiliate” means any entity that controls or is under common control with a specified entity.
• “Agreed Liability Cap” means the maximum monetary or payment-based amount at which a party’s liability is capped under the Agreement.
• “Confidential Information” means any information or materials (regardless of form or manner of disclosure) that are disclosed by or on behalf of one party to the other party that (i) are marked or communicated as being confidential at or within a reasonable time following such disclosure; or (ii) should be reasonably known to be confidential due to their nature or the circumstances of their disclosure. The term “Confidential Information” does not include any information or materials that: (a) are or become generally known or available to the public through no breach of this Agreement or other wrongful act or omission by the receiving party; (b) were already known by the receiving party without any restriction; (c) are acquired by the receiving party without restriction from a third party who has the right to make such disclosure; or (d) are independently developed by or on behalf of the receiving party without reference to any Confidential Information.
• “Customer Account Data” means personal data that relates to Customer’s relationship with Sourcer, including the names and/or contact information of individuals authorized by Customer to access Customer’s Sourcer account and billing information of individuals that Customer has associated with its Sourcer account.
• “Customer Personal Data” means the personal data contained within the Customer Data.
• “Customer Data” means the data entered into the Service by or on behalf of any End User, but excludes Customer Account Data.
• “End User” means an authorized user of the Service under Customer’s account.
• “Data Incident” means a breach of Sourcer’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data on systems managed by or otherwise controlled by Sourcer. “Data Incidents” will not include unsuccessful attempts or activities that do not compromise the security of Customer Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
• “EEA” means the European Economic Area, Switzerland, and/or the United Kingdom.
• “European Data Protection Legislation” means, as applicable: (a) the GDPR and its respective national implementing legislations; and/or (b) the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”).
• “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
• “EU SCCs” means the EU Standard Contractual Clauses approved by the European Commission in decision 2021/914 located at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
• “Non-European Data Protection Legislation” means, as applicable, the data protection or privacy laws, regulations, and other legal requirements other than the European Data Protection Legislation.
• “Notification Email Address” means the contact email address that you provided to Sourcer for the purpose of receiving notices from Sourcer.
• “Security Measures” has the meaning given in Section 7.1.1 (Sourcer’s Security Measures).
• “Subprocessors” means third parties authorized under this DPA to have logical access to and process Customer Data in order to provide parts of the Service. For clarity, freelancers that clients engage via Sourcer are not Subprocessors under this DPA.
• “Term” means the period from the DPA’s effective date until the end of Sourcer’s provision of the Service, including, if applicable, any period during which provision of the Service may be suspended and any post- termination period during which Sourcer may continue providing the Service for transitional purposes.
• “United Kingdom International Data Transfer Agreement or Addendum” (“UK IDTA”) means either, as applicable, (a) the International Data Transfer Agreement when used under the UK GDPR, or (b) the International Data Transfer Addendum to the EU SCCs issued by the Commissioner under s119A(1) of the Data Protection Act 2018, version A1.0, in force from March 21, 2022.

3. Duration of this DPA

This DPA will remain in effect until, and automatically expire upon, deletion of all Customer Data by Sourcer as described in this DPA.

4. Data Protection Legislation

4.1 Application of European Legislation. The parties acknowledge that the European Data Protection Legislation will apply to the processing of Customer Personal Data to the extent provided under the European Data Protection Legislation.

4.2 Application of Non-European Legislation. The parties acknowledge that Non-European Data Protection Legislation may also apply to the processing of Customer Personal Data.

5. Processing of Data

5.1 Roles and Regulatory Compliance; Authorization.

5.1.1 Processor and Controller Responsibilities. If the European Data Protection Legislation applies to the processing of Customer Personal Data, the parties acknowledge and agree that:

• 5.1.1.1 Customer is a controller (or processor, as applicable), of the Customer Personal Data under European Data Protection Legislation;
• 5.1.1.2 Sourcer is a processor (or subprocessor, as applicable) of the Customer Personal Data under the European Data Protection Legislation; and
• 5.1.1.3 each party will comply with the obligations applicable to it under the European Data Protection Legislation with respect to the processing of that Customer Personal Data.

5.1.2 Responsibilities under Non-European Legislation. If Non-European Data Protection Legislation applies to either party’s processing of Customer Personal Data, the parties acknowledge and agree that the relevant party will comply with any obligations applicable to it under that legislation with respect to the processing of that Customer Personal Data.

5.1.3 Authorization by Third Party Controller. If Customer is a processor, Customer warrants to Sourcer that Customer’s instructions (defined below) and actions with respect to that Customer Personal Data, including its appointment of Sourcer as another processor, have been authorized by the relevant controller to the extent required by applicable law.

5.2 Scope of Processing.

5.2.1 The subject matter and details of the processing are described in Appendix 1.

5.2.2 Customer’s Instructions. By entering into this DPA, Customer instructs Sourcer to process Customer Personal Data only in accordance with applicable law: (a) to provide the Service; (b) as further specified through Customer’s use of the Service; (c) as documented in the Agreement, including this DPA; and (d) as further documented in any other written instructions given by Customer and acknowledged by Sourcer as constituting instructions for purposes of this DPA (each and collectively, “Customer’s Instructions”) and only for the foregoing purposes and not for the benefit of any other third party. Sourcer may condition the acknowledgement described in (d) on the payment of additional fees or the acceptance of additional terms.

5.2.3 Sourcer’s Compliance with Instructions. With respect to Customer Personal Data subject to European Data Protection Legislation, Sourcer will comply with the instructions described in Section 5.2.2 (Customer’s Instructions) (including with regard to data transfers) unless EU or EU Member State law to which Sourcer is subject requires other processing of Customer Personal Data by Sourcer, in which case Sourcer will inform Customer (unless that law prohibits Sourcer from doing so on important grounds of public interest) via the Notification Email Address.

6. Data Deletion

6.1 Deletion by Customer. Sourcer will enable Customer to delete Customer Data during the Term in a manner consistent with the functionality of the Service. If Customer uses the Service to delete any Customer Data during the Term and that Customer Data cannot be recovered by Customer, this use will constitute an instruction to Sourcer to delete the relevant Customer Data from Sourcer’s systems in accordance with applicable law. Sourcer will comply with this instruction as soon as reasonably practicable, unless applicable law requires storage. Nothing herein requires Sourcer to delete Customer Data from files created for security, backup, and business continuity purposes sooner than required by Sourcer’s existing data retention processes.

6.2 Deletion on Termination. On expiry of the Term, Customer instructs Sourcer to delete all Customer Data (including existing copies) from Sourcer’s systems in accordance with applicable law. Sourcer will comply with this instruction as soon as reasonably practicable, unless applicable law requires storage. Without prejudice to Section 9.1 (Access; Rectification; Restricted Processing; Portability), Customer acknowledges and agrees that Customer will be responsible for exporting, before the Term expires, any Customer Data it wishes to retain afterwards. If the EU or the UK SCCs are applicable to Sourcer’s processing of Customer Personal Data, the parties agree that the certification of deletion referenced in Clauses 8.5 and 16(d) of the EU and the UK SCCs shall be provided only upon Customer’s written request. Nothing herein requires Sourcer to delete Customer Data from files created for security, backup, and business continuity purposes sooner than required by Sourcer’s existing data retention processes.

7. Data Security

7.1 Sourcer’s Security Measures, Controls and Assistance.

7.1.1 Sourcer’s Security Measures. Sourcer will implement and maintain technical and organizational measures designed to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in Appendix 2 (the “Security Measures”). As described in Appendix 2, the Security Measures include measures to encrypt personal data; to help ensure ongoing confidentiality, integrity, availability and resilience of Sourcer’s systems and services; to help restore timely access to personal data following an incident; and for regular testing of effectiveness. Sourcer may update or modify the Security Measures from time to time provided that such updates and modifications do not degrade the overall security of the Service.

7.1.2 Security Compliance by Sourcer Staff. Sourcer will take appropriate steps to ensure compliance with the Security Measures by its staff to the extent applicable to their scope of performance, including ensuring that all such persons it authorizes to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

7.1.3 Sourcer’s Security Assistance. Customer agrees that Sourcer will (taking into account the nature of the processing of Customer Personal Data and the information available to Sourcer) assist Customer in ensuring compliance with any of Customer’s obligations in respect of security of personal data and personal data breaches, including if applicable Customer’s obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR, by:

• 7.1.3.1 implementing and maintaining the Security Measures in accordance with Section 7.1.1 (Sourcer’s Security Measures);
• 7.1.3.2 complying with the terms of Section 7.2 (Data Incidents); and
• 7.1.3.2 providing Customer with the information contained in the Agreement including this DPA.

7.2 Data Incidents.

7.2.1 Incident Notification. If Sourcer becomes aware of a Data Incident, Sourcer will: (a) notify Customer of the Data Incident promptly and without undue delay after becoming aware of the Data Incident; and (b) promptly take reasonable steps to minimize harm and secure Customer Data.

7.2.2 Details of Data Incident. Notifications made pursuant to this section will describe, to the extent practicable, details of the Data Incident, including steps taken to mitigate the potential risks and any steps Sourcer recommends Customer take to address the Data Incident.

7.2.3 Delivery of Notification. Notification(s) of any Data Incident(s) will be delivered to the Notification Email Address or, at Sourcer’s discretion, by direct communication (for example, by phone call or an in-person meeting). Customer is solely responsible for ensuring that the Notification Email Address is current and valid.

7.2.4 No Assessment of Customer Data by Sourcer. Sourcer will not assess the contents of Customer Data in order to identify information subject to any specific legal requirements. Customer is solely responsible for complying with legal requirements for incident notification applicable to Customer and fulfilling any third party notification obligations related to any Data Incident(s).

7.2.5 No Acknowledgement of Fault by Sourcer. Sourcer’s notification of or response to a Data Incident under this Section 7.2 (Data Incidents) is not an acknowledgement by Sourcer of any fault or liability with respect to the Data Incident.

7.3 Customer’s Security Responsibilities and Assessment.

7.3.1 Customer’s Security Responsibilities. Customer agrees that, without prejudice to Sourcer’s obligations under Section 7.1 (Sourcer’s Security Measures, Controls and Assistance) and Section 7.2 (Data Incidents):

• 7.3.1.1 Customer is solely responsible for its use of the Service, including:
  • 7.3.1.1.1 making appropriate use of the Service to ensure a level of security appropriate to the risk in respect of the Customer Data;
  • 7.3.1.1.2 securing the account authentication credentials, systems and devices Customer uses to access the Service;
  • 7.3.1.1.3 backing up its Customer Data; and
• 7.3.1.2 Sourcer has no obligation to protect Customer Data that Customer elects to store or transfer outside of the Service.

7.3.2 Customer’s Security Assessment.

7.3.2.1 Customer is solely responsible for reviewing Sourcer’s security processes and evaluating for itself whether the Service, the Security Measures, and Sourcer’s commitments under this Section 7 (Data Security) will meet Customer’s needs, including with respect to any security obligations of Customer under the European Data Protection Legislation or Non-European Data Protection Legislation, as applicable.

7.3.2.2 Customer acknowledges and agrees that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Customer Personal Data as well as the risks to individuals) the Security Measures implemented and maintained by Sourcer as set out in Section 7.1.1 (Sourcer’s Security Measures) provide a level of security appropriate to the risk in respect of the Customer Data.

7.4 Reviews and Audits of Compliance.

7.4.1 Customer’s Audit Rights.

• 7.4.1.1 If the European Data Protection Legislation applies to the processing of Customer Personal Data, Sourcer will allow Customer or an independent auditor appointed by Customer to conduct audits (including inspections) to verify Sourcer’s compliance with its obligations under this DPA in accordance with Section 7.4.2 (Additional Business Terms for Reviews and Audits). Sourcer will contribute to such audits as described in this Section 7.4 (Reviews and Audits of Compliance).
• 7.4.1.2 If the Standard Contractual Clauses as described in Section 10 (International Data Transfers) are applicable to Sourcer’s processing of Customer Personal Data, without prejudice to any audit rights of a supervisory authority under such Standard Contract Clauses, the parties agree that Customer or an independent auditor appointed by Customer may conduct audits as described in Clauses 8.9(c) and (d) of the EU and the UK SCCs in accordance with Section 7.4.2 (Additional Business Terms for Reviews and Audits).

7.4.2 Additional Business Terms for Reviews and Audits.

• 7.4.2.1 If the European Data Protection Legislation applies to the processing of Customer Personal Data, Customer may exercise its right to audit Sourcer under Sections 7.4.1(a) or 7.4.1(b): (1) where there has been a Data Incident within the previous six (6) months or there is reasonable suspicion of a Data Incident within the previous six (6) months or (2) where Customer will pay all reasonable costs and expenses incurred by Sourcer in making itself available for an audit. Any third party who will be involved with or have access to the audit information must be mutually agreed to by Customer and Sourcer and must execute a written confidentiality agreement acceptable to Sourcer before conducting the audit.
• 7.4.2.2 To request an audit under Section 7.4.1(a) or 7.4.1(b), Customer must submit a detailed audit plan to Sourcer’s Privacy Contact as described in Section 12 (Privacy Contact; Processing Records) at least thirty (30) days in advance of the proposed audit date, describing the proposed scope, duration, and start time of the audit. The scope may not exceed a review of Sourcer’s compliance with the Standard Contractual Clauses or its compliance with the European Data Protection Legislation, in each case with respect to the Customer Data. The audit must be conducted during regular business hours at the applicable facility, subject to Sourcer policies, and may not interfere with Sourcer business activities.
• 7.4.2.3 Following receipt by Sourcer of a request for an audit under Section 7.4.1(a) or 7.4.1(b), Sourcer and Customer will discuss and agree in advance on: (i) the reasonable date(s) of and security and confidentiality controls applicable to any review of documentation; and (ii) the reasonable start date, scope and duration of and security and confidentiality controls applicable to any audit under Section 7.4.1(a) or 7.4.1(b).
• 7.4.2.4 Customer will be responsible for any fees it incurs, including any fees charged by any auditor appointed by Customer to execute any such audit.
• 7.4.2.5 Customer will provide Sourcer any audit reports generated in connection with any audit under this section, unless prohibited by law. Customer may use the audit reports only to meet its regulatory audit requirements and to confirm compliance with the requirements of the Standard Contractual Clauses or European Data Protection Legislation. The audit reports, and all information and records observed or otherwise collected in the course of the audit, are Confidential Information of Sourcer under the terms of the Agreement.
• 7.4.2.6 Sourcer may object in writing to an auditor appointed by Customer if the auditor is, in Sourcer’s reasonable opinion, not suitably qualified or independent, a competitor of Sourcer, or otherwise unsuitable. Any such objection by Sourcer will require Customer to appoint another auditor or conduct the audit itself.
• 7.4.2.7 Nothing in this DPA will require Sourcer either to disclose to Customer or its auditor, or to allow Customer or its auditor to access:
  • 7.4.2.7.1 any data of any other customer of Sourcer;
  • 7.4.2.7.2 Sourcer’s internal accounting or financial information;
  • 7.4.2.7.3 any trade secret of Sourcer;
  • 7.4.2.7.4 any information that, in Sourcer’s reasonable opinion, could: (A) compromise the security of Sourcer systems or premises; or (B) cause Sourcer to breach its obligations under applicable law or its security and/or privacy obligations to Customer or any third party; or
  • 7.4.2.7.5 any information that Customer or its third party auditor seeks to access for any reason other than the good faith fulfillment of Customer’s obligations under the Standard Contractual Clauses or European Data Protection Legislation.

7.4.3 No Modification of Standard Contractual Clauses. Nothing in this Section 7.4 (Reviews and Audits of Compliance) varies or modifies any rights or obligations of Customer or Sourcer under any Standard Contractual Clauses entered into as described in Section 10 (International Data Transfers).

8. Impact Assessments and Consultations

Customer agrees that Sourcer will (taking into account the nature of the processing and the information available to Sourcer) assist Customer in ensuring compliance with any obligations of Customer in respect of data protection impact assessments and prior consultation, including if applicable Customer’s obligations pursuant to Articles 35 and 36 of the GDPR, by providing the information contained in the Agreement including this DPA.

9. Data Subject Rights; Data Export

9.1 Access; Rectification; Restricted Processing; Portability. During the Term, Sourcer will, in a manner consistent with the functionality of the Service, enable Customer to access, rectify and restrict processing of Customer Data, including via the deletion functionality provided by Sourcer as described in Section 6.1 (Deletion by Customer), and to export Customer Data.

9.2 Data Subject Requests.

9.2.1 Customer’s Responsibility for Requests. During the Term, if Sourcer receives any request from a data subject under European Data Protection Legislation in relation to Customer Personal Data, Sourcer will advise the data subject to submit their request to Customer, and Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Service.

9.2.2 Sourcer’s Data Subject Request Assistance. Customer agrees that Sourcer will (taking into account the nature of the processing of Customer Personal Data) reasonably assist Customer in fulfilling an obligation to respond to requests by data subjects described in Section 9.2.1 (Customer’s Responsibility for Requests), including, if applicable, Customer’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR, by complying with the commitments set out in Section 9.1 (Access; Rectification; Restricted Processing; Portability) and Section 9.2.1 (Customer’s Responsibility for Requests).

10. International Data Transfers

10.1 Data Storage and Processing Facilities. Sourcer may, subject to this Section 10 (International Data Transfers), store and process the relevant Customer Data anywhere Sourcer or its Subprocessors maintain facilities.

10.2 Data Transfers under the EU SCCs. The EU SCCs are incorporated into this DPA and apply where the application of the EU SCCs, as between the parties, is required under applicable European Data Protection Legislation for the transfer of personal data. The EU SCCs shall be deemed completed as follows:

• 10.2.1 Where Customer acts as a controller and Sourcer acts as Customer’s processor with respect to Customer Personal Data subject to the EU SCCs, Module 2 applies.
• 10.2.2. Where Customer acts as a processor and Sourcer acts as Customer’s Subprocessor with respect to Customer Personal Data subject to the EU SCCs, Module 3 applies.
• 10.2.3 Clause 7 (the optional docking clause) is not included.
• 10.2.4 Under Clause 9 (Use of sub-processors), the parties select Option 2 (General written authorization).
• 10.2.5 Under Clause 11 (Redress), the optional language will not apply.
• 10.2.6 Under Clause 17 (Governing law), the parties choose Option 1 and select the law of Ireland.
• 10.2.7 Under Clause 18 (Choice of forum and jurisdiction), the parties select the courts of Ireland.
• 10.2.8 Annexes I, II, and III of the EU SCCs are set forth in Appendix 1 below.

10.3 Data Transfers under the IDTA. When used as an addendum to the EU SCCs and the UK IDTA is otherwise required under applicable European Data Protection Law for the transfer of Customer Personal Data, the UK IDTA addendum shall incorporate the selections above and be deemed further completed as follows:

• 10.3.1 Table 1: the parties’ details shall be the parties and their affiliates to the extent any of them is involved in such transfer, including those set forth in Appendix 1, and the Key Contact shall be the contacts set forth in Appendix 1.
• 10.3.2 Table 2: The referenced Approved EU SCCs shall be the EU SCCs incorporated into this DPA.
• 10.3.3 Table 3: Annex 1A, 1B, and II shall be set forth in Appendix 1.
• 10.3.4 Table 4: Either party may end the EU SCCs as set out in Section 19 of the EU SCCs.

10.4 Data Transfers from Switzerland. Where the EU SCCs are required under Swiss data protection law applicable to the transfer of Customer Personal Data, the following additional provisions will apply:

• 10.4.1 References to the GDPR in the EU SCCs are to be understood as references to the Swiss Federal Act on Data Protection (“FADP”) insofar as the data transfers are subject exclusively to the FADP and not to the GDPR.
• 10.4.2 The term “member state” in the EU SCCs shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs.
• 10.4.3 References to personal data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope.
• 10.4.4 Under Annex I(C) of the EU SCCs: where the transfer is subject exclusively to the FADP and not the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner, and where the transfer is subject to both the FADP and the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by the FADP, and the supervisory authority is as set forth in the EU SCCs insofar as the transfer is governed by the GDPR.

11. Subprocessors

11.1 Consent to Subprocessor Engagement. Customer specifically authorizes the engagement of Sourcer’s Affiliates as Subprocessors. In addition, Customer generally authorizes the engagement of any other third parties as Subprocessors (“Third Party Subprocessors”). If the Standard Contractual Clauses as described in Section 10 (International Data Transfers) are applicable to Sourcer’s processing of Customer Personal Data, the above authorizations will constitute Customer’s prior written consent to the subcontracting by Sourcer of the processing of Customer Personal Data if such consent is required under the Standard Contractual Clauses.

11.2 Information about Subprocessors.

11.2.1 Information about Subprocessors is available upon request by emailing privacyrequests@sourcer.com (as may be updated by Sourcer from time to time in accordance with this DPA). Subprocessor information will be provided only upon request and is the Confidential Information of Sourcer under this Agreement and must be treated with the level of confidentiality afforded to Confidential Information hereunder.

11.3 Requirements for Subprocessor Engagement. When engaging any Subprocessor, Sourcer will:

a. ensure via a written contract that:

• i. subcontracted to it, and does so in accordance with the Agreement (including this DPA) and any Standard Contractual Clauses entered into or Alternative Transfer Solution adopted by Sourcer as described in Section 10 (International Data Transfers); and
• ii. if the GDPR applies to the processing of Customer Personal Data, the data protection obligations set out in Article 28(3) of the GDPR, as described in this DPA, are imposed on the Subprocessor; and

b. remain liable for all obligations subcontracted to, and all related acts and omissions of, the Subprocessor.

11.4 Opportunity to Object to Subprocessor Changes.

11.4.1 Sourcer may add or remove Subprocessors from time to time. Sourcer will inform Customer of new Subprocessors via a subscription mechanism described in the list of Subprocessors as described above. If Customer objects to a change, it will provide Sourcer with notice of its objection to gdpr-dsar@sourcer.com including reasonable detail supporting Customer’s concerns within sixty days of receiving notice of a change from Sourcer or, if Customer has not subscribed to receive such notice, within sixty days of Sourcer publishing the change. Sourcer will then use commercially reasonable efforts to review and respond to Customer’s objection within thirty days of receipt of Customer’s objection. If Sourcer does not respond to a Customer objection as described above, or cannot reasonably accommodate Customer’s objection, Customer may terminate the Agreement by providing written notice to Sourcer. This termination right is Customer’s sole and exclusive remedy if Customer objects to any new Subprocessor.

12. Privacy Contact; Processing Records

12.1 Sourcer’s Privacy Contact. Privacy inquiries related to this DPA can be submitted to privacyrequests@sourcer.com (and/or via such other means as Sourcer may provide from time to time).

12.2 Sourcer’s Processing Records. Customer acknowledges that Sourcer is required under the GDPR to: (a) collect and maintain records of certain information, including the name and contact details of each processor and/or controller on behalf of which Sourcer is acting and, where applicable, of such processor’s or controller’s local representative and data protection officer; and (b) make such information available to the supervisory authorities. Accordingly, if the GDPR applies to the processing of Customer Personal Data, Customer will, where requested, provide such information to Sourcer via the Service or other means provided by Sourcer, and will use the Service or such other means to ensure that all information provided is kept accurate and up-to-date.

13. Liability

13.1 Liability Cap. For clarity, the total combined liability of either party and its Affiliates towards the other party and its Affiliates under or in connection with the Agreement (such as under the DPA or the Standard Contractual Clauses) will be limited to the Agreed Liability Cap for the relevant party, subject to Section 13.2 (Liability Cap Exclusions).

13.2 Liability Cap Exclusions. Nothing in Section 13.1 (Liability Cap) will affect the remaining terms of the Agreement relating to liability (including any specific exclusions from any limitation of liability).

14. Miscellaneous

Notwithstanding anything to the contrary in the Agreement, where Sourcer, Inc. is not a party to the Agreement, Sourcer, Inc. will be a third-party beneficiary of Section 7.4 (Reviews and Audits of Compliance), Section 11.1 (Consent to Subprocessor Engagement) and Section 13 (Liability) of this DPA.

Appendix 1:
Subject Matter and Details of the Data Processing

Subject Matter

Sourcer’s provision of the Service to Customer.

Duration of the Processing

The Term plus the period from the expiry of the Term until deletion of all Customer Data by Sourcer in accordance with the DPA.

Nature and Purpose of the Processing

Sourcer will process Customer Personal Data for the purposes of providing the Service to Customer in accordance with the DPA.

Categories of Data

Data relating to End Users or other individuals provided to Sourcer via the Service, by (or at the direction of) Customer or by End Users. The open nature of the Service does not impose a technical restriction on the categories of data Customer may provide. The personal data transferred may include: name, username, password, email address, telephone and fax number, title and other business information, general information about interest in and use of Sourcer services; and demographic information.

Data Subjects

Data subjects include End Users and the individuals about whom data is provided to Sourcer via the Service by (or at the direction of) Customer or by End Users.

Appendix 2:
Security Measures

Sourcer will implement and maintain the Security Measures set out in this Appendix 2. Sourcer may update or modify such Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Service. Sourcer will:

• Conduct information security risk assessments at least annually and whenever there is a material change in the organization’s business or technology practices that may impact the privacy, confidentiality, security, integrity or availability of Customer Personal Data.
• Regularly and periodically train personnel who have access to Customer Personal Data or relevant Sourcer Systems.
• Maintain secure user authentication protocols, secure access control methods, and firewall protection for Sourcer Systems that Process Customer Personal Data.
• Maintain policies and procedures to detect, monitor, document and respond to actual or reasonably suspected Information Security Incidents.
• Implement and maintain tools that detect, prevent, remove and remedy malicious code designed to perform an unauthorized function on or permit unauthorized access to Sourcer Systems.
• Implement and maintain up-to-date firewalls.
• Implement and use cryptographic modules to protect Customer Personal Data in transit and, when commercially reasonable, at rest.
• Maintain reasonable restrictions on physical access to Customer Personal Data and relevant Sourcer Systems.

Appendix 3:
Annex I of the EU SCCs

A. LIST OF PARTIES

Data exporter(s):

Name: Customer

Activities relevant to the data transferred under these Clauses: Obtaining the Services from Data Importer

Role (controller/processor): Controller or Processor, as applicable

Data importer(s):

Name: Sourcer, Inc.

Address: 1111B S Governors Ave, Ste 20165, Dover, DE 19904 USA

Contact person’s name, position and contact details: Privacy Counsel, legalnotices@sourcer.com

Activities relevant to the data transferred under these Clauses: Providing the Services to Data Exporter.

Role (controller/processor): Processor

В. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Data subjects include End Users and the individuals about whom data is provided to Sourcer via the Service by (or at the direction of) Customer or by End Users.

Categories of personal data transferred

Data relating to End Users or other individuals provided to Sourcer via the Service, by (or at the direction of) Customer or by End Users. The open nature of the Service does not impose a technical restriction on the categories of data Customer may provide. The personal data transferred may include: name, username, password, email address, telephone and fax number, title and other business information, general information about interest in and use of Sourcer services; and demographic information.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

None anticipated.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuously, for the length of the Agreement between the parties.

Nature of the processing

Sourcer will process Customer Personal Data to provide the Service to Customer in accordance with the DPA.

Purpose(s) of the data transfer and further processing

Sourcer will process Customer Personal Data for the purposes of providing the Service to Customer in accordance with the DPA.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

The Term plus the period from the expiry of the Term until deletion of all Customer Data by Sourcer in accordance with the DPA.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Sourcer’s subprocessors will process personal data to assist Sourcer in providing the Services pursuant to the Agreement, for as long as needed for Sourcer to provide the Services.

C. COMPETENT SUPERVISORY AUTHORITY

The Irish Data Protection Commission.

Annex II of the EU SCCs
TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

See Appendix 2 to the DPA.

Privacy At Sourcer

Sourcer understands the importance of data privacy and takes the responsibility of handling and securing personal data seriously. We focus on incorporating data protection principles throughout our platform, program, and services that provide effective data privacy measures for Sourcer, its workforce, partners, and users.

Sourcer’s Privacy and Information Security teams have carefully analyzed applicable privacy laws and regulations and undertaken the necessary steps for our compliance with their requirements. We provide detailed information about the personal data we collect and how we use it in our agreements, in our help articles, and in our Privacy Policy.

Depending on where you are located, you may have certain rights with respect to your personal data, which you can learn about below. Regardless of where you call home, you may close your account or request the deletion of all personal information we have about you at any time.

Learn more about how Sourcer is complying with GDPR and the CCPA in our Privacy Policy.

Europe

The General Data Protection Regulation (GDPR) is a data privacy law that gives residents of the European Union (“EU”) more clarity and control over how their personal data is used. Personal data is anything that can directly or indirectly identify a person, such as a photo, name, bank details, medical information, computer IP address, and so on.

Under the GDPR, companies are required to be transparent about what types of personal data they collect and how they use it, be responsible for secure data processing practices, and provide notification to customers or data subjects when breaches occur.

The United Kingdom General Data Protection Regulation (UK GDPR) is a UK law that is largely based on the GDPR, but went into effect in 2021 as a result of the UK’s withdrawal from the EU. In conjunction with the Data Protection Act 2018, it sets out the key principles, rights and obligations for most processing of personal data in the UK.

The Digital Services Act (DSA) is a European law that aims to ensure a safe and accountable online environment that went into effect November 16, 2022. For the purposes of the DSA, Sourcer has 528 average monthly users in the EU as of January 31, 2024.

Transfer of Data

With respect to transfers that involve personal data that is within the scope of European data protection laws, Sourcer relies on standard contractual clauses as a transfer mechanism to reflect relevant compliance requirements.

We have posted a Data Processing Agreement (“DPA”), governing the relationship between the Customer (as defined in the DPA) and Sourcer with respect to personal data. Unless otherwise agreed to in writing by you and Sourcer, the DPA applies to the extent Sourcer processes any personal data for you as a controller in your role as a Customer.

United States

The data protection landscape in the U.S. is a patchwork of regulations, state laws, and other requirements that are currently in flux. Sourcer’s Legal team performs ongoing monitoring and analysis to determine their application to the personal data we handle and conform to their requirements.

“Sharing” and “Selling” Personal Information

Certain state laws provide rights for individuals to prevent the “sharing” and “sale” of their personal information. Sourcer does not sell your personal information as the term is commonly understood. But we do allow some advertising vendors to use your personal information for internet-based marketing that may be considered “selling” or “sharing” under those definitions. The only means by which Sourcer may “sell” or “share” your personal information is with our third-party marketing partners.

If you are located in a state that provides this right, you may opt out of the “sale” and “sharing” of your personal information by emailing us at privacyrequests@sourcer.com. This opt-out is specific to the browser on the device, so you will need to opt out again if you: 1) later clear your cookies, or 2) visit this site from a different browser or device.

Sensitive Personal Information

State laws have different definitions for personal information that is inherently more sensitive or would pose a greater risk of harm to the individual if mishandled. Sourcer identifies and appropriately handles the data classified as “sensitive personal information” or other elevated classification.

Some state laws allow individuals to limit the use of their sensitive personal information to purposes necessary to perform the services. Sourcer imposes this limitation upon itself inherently, and only uses the limited sensitive personal information it collects to provide, maintain, improve, and secure our services.

How Do I Submit a Data Request?

Depending on where you are located, you may have certain rights with regard to your personal data. These rights may be limited, for example, if fulfilling a request would reveal personal data about another person, or if you ask us to delete data which we are required by law to keep or have compelling legitimate interests in keeping (such as fraud prevention purposes or record retention requirements under applicable laws). In addition, we typically will not remove data you posted publicly or shared with others through or on the Service, as neither you nor Sourcer can delete all copies of data that have been previously shared with others.

If you would like to request to close your account in our system, you can do so through our platform. In addition, you can access, correct, or delete your personal data by making updates to that data through your account. You can also submit a request to us regarding your personal data by emailing privacyrequests@sourcer.com. Please note that if your data is deleted, then your account may become deactivated. If your account is deactivated or you ask to close your account, you will no longer be able to use the platform.

Additional Resources

Sourcer Privacy Policy

Sourcer Cookie Policy

This policy describes how Sourcer uses cookies and other related technologies (collectively referred to as “cookies”) when you interact with us on https://sourcer.com (the “Site”) as set forth in the Sourcer Privacy Policy.

By visiting or using the Site, you agree that we can use the cookies described in this Cookie Policy. You can stop or update your cookie preferences by changing the settings in your browser (more information on how to do this is provided below) or adjusting the settings at the bottom of the homepage labeled “Cookie Settings”. We may modify this Agreement without notifying you, so please check back often for updates.

What Are Cookies?

Cookies are text files, containing small amounts of information, which are downloaded to your browsing device (such as a computer or smartphone) when you visit a website. Cookies can be recognized by the website that downloaded them, or by other websites that use the same cookies. First-party cookies are cookies that belong to Sourcer, or are placed on your device by Sourcer. Third-party cookies are cookies that another party places on your browsing device through our Site.

What Are Cookies Used For?

Cookies do lots of different jobs, like helping us understand how the Site is being used, letting you navigate between pages efficiently, remembering your preferences, and generally improving your browsing experience. Cookies can also help ensure marketing you see online is more relevant to you and your interests.

What Type of Cookies Does Sourcer Use?

To provide you with the best browsing experience, Sourcer uses the following types of cookies: Strictly Necessary, Performance, Functional, and Targeting Cookies. You can find out more about each cookie category in the sections below.

Strictly Necessary Cookies

These cookies are essential, as they enable you to move around the Site and use its features, such as accessing secure areas. Without these cookies, some services you have asked for such as payment submission can’t be provided. These cookies cannot be switched off in our systems, because they are necessary for Site functionality. While you can set your browser to block or alert you about these cookies, some or all parts of the Site may not function.

Performance Cookies

These cookies collect information about how you use the Site, for example which pages you go to most often and if you get error messages from certain pages. These cookies gather only aggregated or anonymous information that does not identify you.

Functionality Cookies

These cookies allow the Site to remember choices you make (such as your username or the region you’re in). For instance, the Site uses functional cookies to remember your language preference. These cookies can also be used to remember changes you’ve made to text size, font and other parts of pages that you can customize. They may also be used to provide services you’ve asked for such as watching a video or commenting on a blog. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.

Targeting Cookies

These cookies are used to deliver advertisements that are more relevant to you and your interests. They are also used to limit the number of times you see an advertisement as well as help measure the effectiveness of an advertising campaign. They remember that you have visited a website and this information may be shared with other organizations such as advertisers. This means after you have been to the Site you may see some advertisements about our services elsewhere on the Internet.

How Long Will Cookies Stay on My Browsing Device?

The length of time a cookie will stay on your browsing device depends on whether it is a “persistent” or “session” cookie. Session cookies will only stay on your device until you stop browsing. Persistent cookies stay on your browsing device until they expire or are deleted.

How To Control And Delete Cookies Through Your Browser?

The browser you are using to view the Site can enable, disable or delete cookies. To do this, follow the instructions provided by your browser (usually located within the “Help,” “Tools” or “Edit” functions). Please note that if you set your browser to disable cookies, you may not be able to access certain parts of the Site ( e.g. to apply for a job or post a job. Other parts of the Site may also not work properly. You can find out more information about how to change your browser cookie settings at www.allaboutcookies.org.

Also, you may update your cookie preferences by clicking the “Cookie Settings” button at the bottom of the Site’s homepage.

Contacting Us

If you have any questions about this Cookie Policy, please contact us at https://sourcer.com/contact or by mail addressed to Attn: Legal, 1111B S Governors Ave, Ste 20165, Dover, DE 19904, USA.