IMPORTANT NOTICE: THIS AGREEMENT CONTAINS A BINDING ARBITRATION PROVISION AND CLASS ACTION WAIVER. IT AFFECTS YOUR LEGAL RIGHTS UNLESS YOU OPT OUT, AS DETAILED IN THE ARBITRATION AND CLASS ACTION WAIVER SECTION BELOW. PLEASE READ CAREFULLY.
This Terms of Service Agreement (this “Agreement”) is made and entered into by and between you, as a User (as defined below), and Checkr, Inc., the Delaware corporation that operates the Corridor service (“Corridor”). This Agreement contains the terms and conditions that govern the use of Corridor’s platform (the “Platform”). Corridor, through its website (http://withcorridor.com) and associated domains (collectively, the “Platform”), offers its customers (“Customer”) the products and services available therein (as such products and services may be updated, modified, or otherwise changed from time to time, collectively, the “Services”).
This Agreement is applicable to all persons who use or access the Platform and/or the Services, in their company’s capacity or in an individual capacity, including authorized users representing the company, its employees, or other persons using or accessing the Services (collectively, “Users” and each, a “User”). If User is agreeing to this Agreement on behalf of a business or an individual other than User, User represents and warrants that User has authority to bind that business or other individual to this Agreement, and User’s agreement to this Agreement will be treated as the agreement of such business or individual. In that event, “User” also refers to that business or individual. By clicking the applicable button to indicate User’s acceptance of this Agreement, or by accessing or using the Platform, User agrees, effective as of the date of such action, to be bound by the Agreement.
1. Terms for Services
Corridor’s provision of any Service is subject to the terms of this Agreement and any supplemental terms referenced herein or which Corridor may present User with for review and acceptance at the time User subscribes to such Service (each, “Service Terms”), and any Service Terms shall be incorporated into and form a part of this Agreement. If the terms hereof conflict with any Service Terms, the Service Terms will govern with respect to the matters contemplated thereby.
2. Fees and Charges
User agrees to pay the fees for the Services in accordance with the pricing schedule agreed upon by User and Corridor in writing, and User authorizes Corridor to debit User’s designated bank account, as specified by User through the Platform, monthly in arrears. All fees are non-refundable. User agrees to reimburse Corridor for any sales, use, and similar taxes arising from the provision of the Services that any federal, state, or local governments may impose. Corridor reserves the right to change the fees for its Services from time to time. User will be notified of any change to existing fees at least thirty (30) days before the fee change goes into effect. If a fee increase or change to this Agreement is not acceptable to User, User may cancel the Services as provided herein prior to the time when such fee increase or change to this Agreement takes effect. User’s continued use of the Services beyond the cancellation window constitutes User’s agreement to those changes. If Corridor is unable to collect fees due because of insufficient funds in User’s Bank Account or for any other reason, User must pay the amount due immediately upon demand, plus any applicable exceptions processing fees, bank fees, or charges for return items, plus interest of up to the maximum rate permitted by law, plus attorneys’ fees and other costs of collection as permitted by law.
3. User Accounts
To use the Platform, User must have an account with Corridor (an “Account”). User hereby authorizes Corridor to obtain and store User’s Account information as necessary to make the Platform available to User. User gives Corridor permission to obtain, verify, and record information that identifies the individual who creates an Account, is the intended user of an Account, or accesses the Services.
4. Document Storage and User Content
Certain Users may upload User videos, documents, and other materials (“User Content”) to be stored on the Platform (the “User Storage Area”) and post User Content to specific user accounts (the “Employee Pages”). User hereby grants Corridor a perpetual, worldwide, irrevocable, unrestricted, non-exclusive, royalty-free license to use, copy, license, sublicense, display, adapt, distribute, publicly perform, reproduce, transmit, modify, edit and otherwise exploit such User Content throughout the world to provide the Services. User acknowledges and agrees that User is solely responsible for all User Content that User submits through the Services.
User represents and warrants that it is either the sole and exclusive owner of all User Content that User submits or User controls all rights, licenses, consents and releases that are necessary to grant to Corridor the rights in such User Content, as contemplated under this Agreement. User agrees not to engage in or assist or encourage others to engage in transmitting, uploading, posting, publicizing, submitting, e-mailing, sharing, distributing, reproducing, or otherwise making available User Content (or any portion thereof) that (a) is unlawful, harmful, threatening, abusive, harassing, tortious, defamatory, vulgar, obscene, pornographic, libelous, invasive of another’s privacy, hateful, or racially, ethnically, or otherwise objectionable; (b) User does not have a right to make available under any law or under contractual or fiduciary relationships; (c) is known by User to be false, fraudulent, inaccurate or misleading; or (d) will infringe, misappropriate or violate a third party’s patent, copyright, trademark, trade secret, moral rights or other proprietary or intellectual property rights, or rights of publicity or privacy, or result in the violation of any applicable law or regulation.
Corridor is in no way responsible for reviewing User Content, nor does Corridor assume any responsibility or liability for the User Content. Corridor does not endorse or control the User Content transmitted or posted on the Platform or through the Services, and therefore, Corridor does not guarantee the accuracy, integrity or quality of User Content. User acknowledges that Corridor has the right (but not the obligation) to remove, or refuse to post, any User Content, and Corridor reserves the right to change, condense, or delete any User Content. The Platform’s performance of actions initiated by User may irrevocably modify and/or delete User Content. USER ACKNOWLEDGES AND AGREES THAT CORRIDOR IS NOT RESPONSIBLE FOR THE LOSS OR MODIFICATION OF ANY USER CONTENT AND THAT USER’S USE OF THE PLATFORM IS AT USER’S OWN RISK.
5. Privacy Policy and Data Protection Addendum
Please refer to Corridor’s Privacy Policy located at http://withcorridor.com/privacy for information on how Corridor collects, uses, and discloses information from Users. User acknowledges and understands that Corridor may collect, use, and disclose User’s information pursuant to Corridor’s Privacy Policy, as it may be updated from time to time. Additionally, by clicking the applicable button to indicate Customer’s acceptance of this Agreement, or by accessing or using the Platform, Customer agrees, effective as of the date of such action, to be bound by all applicable obligations set forth in the Data Protection Addendum attached hereto as Attachment 1.
6. Use Restrictions
Use of the Platform and the Services are each conditioned upon User’s full compliance with this Agreement and all applicable laws, rules, and regulations. User represents and warrants that it will not do or attempt to do, or cause any third party to do or attempt to do, any of the following in connection with its use of the Platform or Services:
- access the Platform or Services for improper, illegal, or unauthorized purposes, including, but not limited to, in violation of the Fair Credit Reporting Act, Civil Rights Act, or Equal Employment Opportunity Act;
- use the Platform or Services for the benefit of any third party without Corridor’s prior written permission;
- (i) copy, distribute, rent, lease, lend, sublicense or transfer the Services, or make the Services available to any third party, including User’s affiliates, parents or subsidiaries, without Corridor’s express prior written consent; (ii) modify, decompile, reverse engineer, or disassemble the Platform or Services or otherwise attempt to discover any underlying source code, ideas, algorithms, file formats or programming interfaces; (iii) create derivative works based on the Services; (iv) modify, remove, or obscure any copyright, trademark, patent or other notices or legends that appear on the Services; or (v) use the Services to develop a competitive product offering;
- use any meta tags, “hidden text,” agents, robots, scripts, spiders, crawlers or other tools or means, whether manual or automated, to collect, scrape, index, mine, republish, redistribute, transmit, sell, license, download, access or manage the Services, Platform (except caching or as necessary to view the Platform), or the personal information of others without Corridor’s prior written permission or authorization;
- take any action that (i) may unreasonably encumber the Services’ infrastructure; (ii) bypasses measures that are used to prevent or restrict access to the Services; (iii) circumvents, disables, or otherwise interferes with security features of the Services; (iv) distributes, transmits, uploads, posts, e-mails, shares, reproduces, or otherwise makes available any software viruses, malware, program, code, file, or other technology or material intended to interrupt, disrupt, alter, destroy, or limit any part of the Platform or Services, or that may harm Customers or Users; or (v) uses the Platform or Services in a way that violates any of Corridor’s intellectual property rights, or other rights of any third party, including privacy or publicity rights, or would jeopardize or impair Corridor’s rights as owner of the Intellectual Property Rights or the legality and/or enforceability of the Intellectual Property Rights, including challenging or opposing Corridor’s ownership in the Intellectual Property Rights;
- use the Platform or Services for any reason not explicitly authorized by this Agreement;
- frame or utilize framing techniques to enclose the Platform or any portion thereof;
- intentionally violate any applicable local, state, national, or international law; and/or
- attempt to indirectly undertake any of the foregoing.
7. Proprietary Rights
“Corridor Content” means text, graphics, images, music, software, audio, video, works of authorship of any kind, and documents, information, or other materials that are posted, generated, provided, or otherwise made available through the Services by Corridor, other than User Content. User Content and Corridor Content shall be collectively referred to herein as “Content.” Corridor and its licensors exclusively own all worldwide right, title, and interest in and to the Corridor Content, and also in and to the Platform and the Services, including in each case all associated intellectual property rights (“Corridor IP”). User acknowledges that the Platform, Services, and Corridor Content are protected by copyright, trademark, and other laws of the United States and foreign countries. User agrees not to remove, alter, or obscure any copyright, trademark, service mark, or other proprietary rights notices incorporated in or accompanying the Platform, Services, or Corridor Content. This Agreement does not convey any proprietary interest in or to any Corridor IP or rights of entitlement to the use thereof except as expressly set forth herein. Subject to User’s compliance with this Agreement, Corridor grants User a limited, non-exclusive, non-transferable, non-sublicensable license to access, view, and download Corridor Content solely in connection with User’s permitted use of the Platform for User’s own behalf.
8. Feedback
By sending us any feedback, comments, questions, or suggestions concerning Corridor or our Services (collectively, “Feedback”), User represents and warrants (a) that User has the right to disclose the Feedback, (b) that the Feedback does not violate the rights of any other person or entity, and (c) that User’s Feedback does not contain the confidential or proprietary information of any third party or parties. By sending Corridor any Feedback, User further (i) agrees that Corridor is under no obligation of confidentiality, express or implied, with respect to the Feedback, (ii) acknowledges that Corridor may have something similar to the Feedback already under consideration or in development, (iii) grants us an irrevocable, non-exclusive, royalty-free, perpetual, worldwide license to use, modify, prepare derivative works, publish, distribute and sublicense the Feedback, and (iv) irrevocably waives, and causes to be waived, against Corridor and its users any claims and assertions of any moral rights contained in such Feedback. This Feedback section shall survive any termination of the Services.
9. SMS Messages
Corridor will send SMS messages to end users who have opted in to receive messages about activity in User’s Account and service updates. If User would like to opt out of receiving SMS messages, User should reply HELP for help or STOP to cancel.
10. Support
User may request Platform support during Corridor’s normal business hours via email sent to support@withcorridor.com. While Corridor makes commercially reasonable efforts to ensure continuous availability of the Platform, Corridor makes no representation, warranty or guarantee regarding the continuous availability or performance of the Platform.
11. Warranty Disclaimers
User’s use of the Platform, Services, and Content is entirely at User’s own risk. Corridor is not in the business of providing legal, regulatory, tax, financial, accounting, employment, or other professional services or advice. Any information provided by Corridor via the Platform or otherwise is meant for informational purposes only and should not be interpreted as professional advice. User should consult a professional that is trained or licensed in the relevant area if User needs such assistance.
USER ACKNOWLEDGES THAT, TO THE FULLEST EXTENT PERMITTED UNDER APPLICABLE LAW, THE PLATFORM AND SERVICES ARE PROVIDED “AS IS,” WITHOUT WARRANTY OF ANY KIND MADE BY CORRIDOR. WITHOUT LIMITING THE FOREGOING, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, CORRIDOR DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING ANY WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, DATA LOSS, AND NON-INFRINGEMENT. FURTHERMORE, CORRIDOR MAKES NO WARRANTIES REGARDING THE ACCURACY, RELIABILITY, TIMELINESS, TRUTHFULNESS, COMPLETENESS, OR QUALITY OF ANY INFORMATION OR CORRIDOR CONTENT IN OR LINKED TO THE SERVICES. CORRIDOR CANNOT GUARANTEE THE ACCURACY OR COMPLETENESS OF USER CONTENT AND MAKES NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO USER CONTENT. CORRIDOR DOES NOT WARRANT THAT THE PLATFORM, SERVICES, OR CORRIDOR CONTENT WILL (I) MEET USER’S EXPECTATIONS OR REQUIREMENTS; (II) BE COMPLETELY SECURE OR FREE FROM ERRORS, BUGS, VIRUSES, OR OTHER HARMFUL COMPONENTS; OR (III) BE FREE FROM INTERRUPTION, THEFT, OR DESTRUCTION. IN ADDITION, CORRIDOR EXPRESSLY DISCLAIMS ANY RESPONSIBILITY FOR MAKING SURE THAT DOCUMENTS WHICH ARE ELECTRONICALLY SIGNED VIA THE E-SIGN SERVICE ARE VALID AND ENFORCEABLE UNDER ANY APPLICABLE U.S. LOCAL, STATE, OR FEDERAL LAWS, OR THE LAWS OF ANY OTHER JURISDICTION.
12. Indemnity
User agrees to defend, indemnify and hold Corridor, and its subsidiaries, affiliates, partners, licensors, directors, officers, employees, and agents (the “Indemnified Parties”) harmless for any damages, losses, judgments, costs, or expenses, including reasonable attorneys’ fees, arising from any third party claim, action, or demand (collectively “Claims”) arising out of or relating to: (a) User’s use of the Platform, Services or User Content in violation of any law, rule, regulation, or User’s breach of any covenants, representations or warranties of this Agreement; (b) any part of the User Content; or (c) User’s willful or malicious conduct relating to any violation described in this section. User also agrees to indemnify the Indemnified Parties for any loss, damages, or costs, including reasonable attorneys’ fees, resulting from User’s use of software robots, spiders, crawlers, or similar data gathering and extraction tools, or any other action User takes that imposes an unreasonable burden or load on Corridor’s infrastructure.
13. Limitation of Liability
TO THE MAXIMUM EXTENT PERMITTED BY LAW, CORRIDOR AND ITS SUBSIDIARIES, AFFILIATES, PARTNERS, LICENSORS, DIRECTORS, OFFICERS, EMPLOYEES AND AGENTS WILL NOT BE RESPONSIBLE OR LIABLE IN CONTRACT, WARRANTY OR IN TORT (INCLUDING NEGLIGENCE) FOR ANY (a) INTERRUPTION OF SERVICES; (b) ACCESS DELAYS OR ACCESS INTERRUPTIONS TO THE PLATFORM; (c) DATA NON-DELIVERY, MISDELIVERY, CORRUPTION, DESTRUCTION, OR OTHER MODIFICATION; (d) LOSS OR DAMAGES OF ANY SORT INCURRED AS A RESULT OF DEALINGS WITH OR THE PRESENCE OF OFF-WEBSITE LINKS ON THE PLATFORM; (e) COMPUTER VIRUSES, SYSTEM FAILURES, OR MALFUNCTIONS WHICH MAY OCCUR IN CONNECTION WITH YOUR USE OF THE PLATFORM OR SERVICES; (f) ANY INACCURACIES, ERRORS OR OMISSIONS IN CONTENT OR (g) EVENTS BEYOND OUR REASONABLE CONTROL.
FURTHER, CORRIDOR WILL NOT BE LIABLE IN CONTRACT, WARRANTY, OR IN TORT (INCLUDING NEGLIGENCE) OR ANY OTHER LEGAL THEORY FOR ANY INDIRECT, PUNITIVE, SPECIAL, RELIANCE, INCIDENTAL, CONSEQUENTIAL OR SIMILAR DAMAGES OF ANY KIND (INCLUDING LOSS OF REVENUE OR PROFITS) ARISING OUT OF OR RELATING TO THIS AGREEMENT, THE PLATFORM OR YOUR USE THEREOF, INCLUDING THE USE OR INABILITY TO USE THE SERVICES, OR FOR ANY INFORMATION OBTAINED FROM OR THROUGH THE SERVICES, EVEN IF CHECKR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT WILL CORRIDOR’S LIABILITY EXCEED THE AMOUNT PAID TO CORRIDOR UNDER THIS AGREEMENT DURING THE TWELVE MONTH PERIOD IMMEDIATELY PRECEDING THE INITIATION OF ANY CLAIM FOR DAMAGES.
THE LIMITATION OF LIABILITY DESCRIBED ABOVE SHALL APPLY FULLY TO RESIDENTS OF NEW JERSEY. IF ANY PORTION OF THIS SECTION IS HELD TO BE INVALID UNDER THE LAWS OF THE STATE OF NEW JERSEY, THE INVALIDITY OF SUCH PORTION SHALL NOT AFFECT THE VALIDITY OF THE REMAINING PORTIONS OF THE APPLICABLE SECTIONS.
Some jurisdictions do not allow the exclusion of certain warranties or the exclusion or limitation of liability for consequential or incidental damages, so the limitations above may not apply.
14. Term; Termination; Suspension
The Services and this Agreement will continue until they are terminated by either party. User may terminate the Services and this Agreement through User’s Account. Corridor may terminate the Services and this Agreement by giving User at least thirty (30) days’ prior written notice. In addition to Corridor’s foregoing termination right, Corridor may immediately suspend or restrict User’s Account; suspend or restrict User’s access to the Platform or any Services; block User’s ability to use any particular feature of a Service; or immediately terminate the Services and this Agreement, in each case with or without notice to User, in the event that: (i) Corridor has any reason to suspect or believe that User may be in violation of this Agreement; (ii) Corridor determines that User’s actions are likely to cause legal liability for or material negative impact to Corridor; (iii) Corridor believes that User has misrepresented any data or information or that User has engaged in fraudulent or deceptive practices or illegal activities; (iv) Corridor has determined that User is behind in payment of fees for the Services and User has not cured such non-payment within five (5) days of Corridor providing User with notice of the non-payment; or (v) User files a petition under the U.S. Bankruptcy Code or a similar state or federal law, or a petition under the U.S. Bankruptcy Code or a similar state or federal law is filed against User. Furthermore, while Corridor strives to support a multitude of business and organization types, in certain unique situations, if Corridor cannot support the payroll-related filings for User’s business or organization type, Corridor may immediately terminate the Services and this Agreement upon written notice to User.
The termination of any of the Services or this Agreement will not affect User’s or Corridor’s rights with respect to transactions which occurred before termination. Corridor will have no liability for any costs, losses, damages, penalties, fines, expenses, or liabilities arising out of or related to Corridor’s termination of this Agreement. The following sections of this Agreement shall survive termination: 2, 11-13, 18, and any other sections that are intended, by their nature, to survive termination.
15. Changes to this Agreement, Platform, or Service
Corridor may modify this Agreement at any time, in Corridor’s sole discretion. If Corridor does so, Corridor shall let User know either by posting the modified Agreement on the Platform or through other communications. It is important that User reviews the Agreement whenever Corridor modifies it because if User continues to use the Platform or Services after Corridor has notified User of the modification and the modified Agreement has been posted on the Platform, User is indicating to Corridor that User agrees to be bound by the modified Agreement. If User does not agree to be bound by the modified Agreement, then User may not continue to use the Platform or Services. Because the Platform and Services are evolving over time, Corridor may change or discontinue all or any part of the Platform, Services, or Corridor Content at any time and without notice, at Corridor’s sole discretion.
16. Notices
Written notices to Corridor may be sent via first-class mail to CORRIDOR LEGAL DEPARTMENT, 1 MONTGOMERY STREET, SUITE 2000, SAN FRANCISCO, CA 94104 or via e-mail to legal@checkr.com. User agrees that Corridor may send notices regarding User’s use of the Platform by means of electronic mail, a general notice posted on the Platform, or by written communication delivered either by overnight courier or U.S. mail to User’s email or mailing address as appearing in Corridor’s records from time to time.
17. Third-Party Links and Services
Through the Platform, User may elect to access links to sites controlled by, or receive services from, partners of Corridor (each such service, a “Third-Party Service,” and each such partner, a “Partner”). User is solely responsible for, and assumes all risk arising from, User’s election to receive and User’s receipt of any Third-Party Service. Corridor is not responsible for Third-Party Services or any material, information, or results made available through Third-Party Services. The applicable Partners may require User to agree to terms and conditions or agreements with respect to their provision of the Third-Party Services to User. If User elects to receive a Third-Party Service, User authorizes Corridor to submit to the applicable Partner any and all documents and information about User, User’s business and User’s business’ employees that are necessary for such Partner to provide the Third-Party Service to User. User expressly relieves Corridor from any and all liability arising from User’s use of any third-party website, service, or content.
18. Arbitration and Class Action Waiver
PLEASE READ THIS SECTION CAREFULLY — IT AFFECTS USER’S LEGAL RIGHTS AND GOVERNS HOW USER AND CORRIDOR CAN BRING CLAIMS AGAINST EACH OTHER. THIS SECTION WILL, WITH LIMITED EXCEPTION, REQUIRE USER AND CORRIDOR TO SUBMIT CLAIMS AGAINST EACH OTHER TO BINDING AND FINAL ARBITRATION ON AN INDIVIDUAL BASIS, NOT AS A PLAINTIFF OR CLASS MEMBER IN ANY CLASS, GROUP OR REPRESENTATIVE ACTION IN COURT.
Agreement to Arbitrate
In exchange for the benefits of the speedy, economical, and impartial dispute resolution procedure of arbitration, User and Corridor mutually agree to give up their right to resolve disagreements in a court of law by a judge or jury, and, as described below, agree to binding and final arbitration pursuant to the Federal Arbitration Act, 9 U.S.C. § 1, et seq.
User and Corridor agree that this arbitration agreement is governed by the Federal Arbitration Act, and shall survive even after this Agreement or any Services terminate.
Claims Covered by Arbitration
User and Corridor agree that any Claim arising out of or relating in any way to this Agreement (including its enforcement, breach, performance, interpretation, validity, or termination), or User’s access to and/or use of the Services, shall be resolved by final and binding arbitration to the fullest extent allowed by law.
Delegation to Arbitrator
If there is a disagreement about the arbitrability of any Claim (including questions about the scope, applicability, interpretation, validity, and enforceability of this arbitration agreement), User and Corridor agree that this threshold disagreement shall be delegated to the arbitrator (not a court) and that the arbitrator shall have initial authority to resolve such threshold disagreements.
Claims Not Covered by Arbitration
This arbitration agreement shall not require arbitration of the following types of claims: (1) small claims actions demanding $10,000 or less brought on an individual basis and within a small claims court’s jurisdiction; and (2) applications for provisional remedies, preliminary injunctions, and temporary restraining orders, including those relating to actual or threatened infringement, misappropriation, or violation of a party’s copyrights, trademarks, trade secrets, patents, or other intellectual property rights.
Class Action Waiver
Except as otherwise required under applicable law, User and Corridor agree to bring and resolve any Claims only on an individual basis, and not as a named-plaintiff or class member in any class or representative proceeding. User and Corridor acknowledge and agree that we are each waiving the right to participate as a plaintiff or class member in any purported class action lawsuit, class-wide arbitration, or any other representative proceeding as to all Claims (hereinafter, “Class Action Waiver”). Further, the arbitrator may not consolidate more than one party’s claims and may not preside over any class, consolidated, or representative proceeding, unless User and Corridor agree otherwise in writing.
Notwithstanding any other provision of this arbitration agreement or the AAA Rules, specific disagreements about the scope, applicability, enforceability, revocability or validity of this Class Action Waiver may be resolved only by a civil court of competent jurisdiction and not by an arbitrator. If there is a final determination that the Class Action Waiver is unenforceable as to certain claims brought on a class or representative basis, then those claims shall be severed from any remaining claims and may proceed in court, but the Class Action Waiver shall be enforced in arbitration on an individual basis as to any remaining claims to the fullest extent possible.
Arbitration Rules, Procedures, and Costs
User and Corridor agree that the arbitration shall be administered by the American Arbitration Association (“AAA”) before a single arbitrator mutually agreed upon by the parties, and if the parties cannot agree within thirty (30) days after names of potential arbitrators have been proposed, then by a single arbitrator who is chosen by the AAA. The arbitrator will apply the terms of this arbitration agreement and the applicable AAA rules, which are available at www.adr.org or by calling 1–800–778–7879. If User is an individual person, the arbitrator shall apply the AAA Consumer Arbitration Rules. If User is not an individual person, but is an entity or company, the arbitrator shall apply the AAA Commercial Arbitration Rules.
If User is an individual person and brings a claim solely for monetary relief of $10,000 or less: Corridor will agree to pay for any filing, administrative, or hearing fees charged by the AAA. If the arbitrator finds that the substance of User’s claim or the relief sought is frivolous or brought for an improper purpose, however, then the allocation of fees will be governed by the AAA Consumer Arbitration Rules.
If User is an individual person and brings a claim for monetary relief exceeding $10,000: The AAA Consumer Arbitration Rules will govern payment of administrative or hearing fees charged by the AAA, including limiting User’s filing fee to $200. In addition, fee waivers or other forms of cost relief at the arbitrator’s discretion may be available. If the arbitrator finds that the substance of User’s claim or the relief sought is frivolous or brought for an improper purpose, however, then the allocation of fees will be governed by the AAA Consumer Arbitration Rules.
If User is not an individual person: The AAA Commercial Arbitration Rules will govern payment of administrative or hearing fees charged by the AAA.
The arbitrator shall have the power to decide any motions, including dispositive or summary judgment motions, brought by any party to the arbitration. The arbitrator may grant any remedy, relief, or outcome that the parties could have received in court to resolve the party’s individual claim, including awards of attorney’s fees and costs, in accordance with the law or laws that apply to the Claim. The arbitrator shall provide in writing to the parties the basis for any award or decision. Judgment upon any award rendered in such arbitration will be binding and may be entered in any court with proper jurisdiction.
Severability
If any clause within this arbitration agreement is found to be illegal or unenforceable, that specific clause will be severed from this arbitration agreement, and the remainder of the arbitration agreement will be given full force and effect.
Opt-out
If User is an individual person, User has the right to opt-out and not be bound by this arbitration agreement by sending written notice to Corridor—clearly indicating User’s intent to opt out of this arbitration agreement and including the name, phone number, and email address associated with User’s account—via email (arbitration@checkr.com) or U.S. Mail (Checkr, Inc., Legal Department, 1 Montgomery Street, Suite 2000, San Francisco, CA 94104). Your opt-out notice must be sent within 30 days of User’s acceptance of this Agreement.
If User does not opt-out of this arbitration agreement within the 30-day period, User and Corridor shall be bound by the terms of this arbitration agreement in full. If User opts-out of this arbitration agreement within the 30-day period, it will not affect any other, previous, or future arbitration agreements that User may have with Corridor.
Pre-Arbitration Notification and Negotiation Process
Prior to initiating an arbitration, You and Corridor each agree to first attempt to negotiate an informal resolution of any Claims. This pre-arbitration negotiation shall be initiated by providing written notice to the other party—including a brief written statement describing the name, address, and contact information of the notifying party, the facts giving rise to the Claim, and the relief requested. You must send such written notice to Corridor via email (legal@checkr.com) or U.S. Mail (Checkr, Inc., Legal Department, 1 Montgomery Street, Suite 2000, San Francisco, CA 94104); Checkr will send such written notice to the email address You have provided to Corridor.
During this pre-arbitration negotiation, all offers, promises, conduct and statements, whether oral or written, made in the course of the negotiation by any of the parties, their agents, employees, and attorneys are confidential, privileged and inadmissible for any purpose, including as evidence of liability, in arbitration or other proceeding involving the parties.
After a good faith effort to negotiate, if You or Corridor believe a Claim cannot be resolved informally, the party intending to pursue arbitration agrees to notify the other party via email prior to initiating the arbitration. In order to initiate arbitration, a claim must be filed with the AAA and the written Demand for Arbitration (available at www.adr.org) must be provided to the other party, as specified in the AAA Rules.
18. General
Governing Law
Except for Section 17, which is governed by the Federal Arbitration Act, this Agreement is governed by the laws of the State of California without regard to choice of law rules or principles. The choice of law provision is only intended to specify the use of California law to interpret this Agreement and is not intended to create any substantive right for non-Californians to assert claims under California law, whether by statute, common law, or otherwise.
Assignment
User may not assign any of its rights or obligations under this Agreement without the prior written consent of Corridor. Subject to the foregoing, this Agreement inures to the benefit of and is binding on the parties’ permitted assignees, transferees and successors. Any attempted assignment in violation of this clause is void.
Integration
User acknowledges and agrees that this Agreement constitutes the parties’ complete and exclusive agreement concerning the use of the Platform and Services, and supersedes and governs any and all prior or contemporaneous proposals, agreements, or other communications relating to the Platform and Services.
Miscellaneous
The parties are independent contractors. Nothing contained in this Agreement shall be construed as creating any employment, agency, partnership, franchise, joint venture, or other form of joint enterprise or authority to bind the other party. There are no third-party beneficiaries to this Agreement. If any provision is found unenforceable, it and any related provisions will be interpreted to best accomplish the unenforceable provision’s essential purpose. Any waiver of a provision of this Agreement will only be valid if provided in writing and applies only to the specific occurrence so waived. Failure to enforce any provision will not constitute a waiver. Nothing in this Agreement will limit a party’s ability to seek equitable relief. Section headings are not to be used in the interpretation hereof.
ATTACHMENT 1
DATA PROTECTION ADDENDUM
This Data Protection Addendum (“DPA”) supplements the Agreement by and between You and any of Your Approved Affiliates (collectively, “Customer”) and Checkr, Inc., the Delaware corporation that operates the Corridor service (“Corridor”). In the event of any conflict between the Agreement and the terms of this DPA, this DPA shall govern.
1. Definitions. For purposes of this DPA:
a. “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. and any applicable regulations.
b. “Customer Data” means Personal Data provided by or collected on behalf of Customer for purposes of obtaining Services under the Agreement.
c. “Data Controller” means the entity that determines the purposes and means of the Processing of Personal Data, including as applicable any “business” as that term is defined by the CCPA.
d. “Data Privacy Laws” means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, communications secrecy, breach notification, or the Processing of Personal Data, including without limitation, to the extent applicable, the CCPA, GDPR, the UK GDPR, and the Swiss Federal Act on Data Protection 2020. For the avoidance of doubt, if the parties’ processing activities involving Personal Data are not within the scope of a given Data Privacy Law, such law is not applicable for purposes of this DPA.
e. “Data Subject” means an identified or identifiable natural person to whom Personal Data relates. Specifically, this refers to Consumers about whom Checkr has been engaged by Customer to compile Reports.
f. “EU Personal Data” means Personal Data the sharing of which pursuant to this Agreement is regulated by the General Data Protection Regulation or the Swiss Federal Act on Data Protection 2020.
g. “GDPR” means the General Data Protection Regulation, Regulation (EU) 2016/679 of the European Parliament and of the Council together with any subordinate legislation or regulation implementing the General Data Protection Regulation.
h. “Personal Data” includes “personal data” as defined by the GDPR, “personal information” as defined by the CCPA, and “personally identifiable information” as defined by other applicable Data Privacy Laws. Personal Data does not include publicly available information excluded from the definition of “Personal Data” under applicable Data Privacy Laws. Further, Personal Data does not include data exempted under applicable Data Privacy Laws, including but not limited to CCPA §§1798.145(d)-(f).
i. “Process”, “Processed” and/or “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
j. “Processor” means the entity which Processes Personal Data on behalf of the Controller, including as applicable any “service provider” as that term is defined by the CCPA.
k. “Security Breach” means any accidental or unlawful acquisition, destruction, loss, alteration, disclosure of, or access to, Customer Data.
l. “Sell,” “Sale,” “Share,” or “Sharing” shall have the meaning set forth in the CCPA.
m. “Services” means the services provided by Checkr to Customer, as provided in the Agreement.
n. “Standard Contractual Clauses” means the annex found in EU Commission Decision of 4 June 2021 on standard contractual clauses for the transfer of personal data to processors established in third countries under Regulation (EU) 2016/679 of the European Parliament and of the Council, incorporated herein by reference, completed as described in the “Data Transfers” section below.
o. “Subprocessor” means any Checkr affiliate or subcontractor engaged by Checkr for the Processing of Customer Data.
p. “UK Addendum” means the UK Addendum to the EU Standard Contractual Clauses.
q. “UK GDPR” means the UK General Data Protection Regulation, amended by the Data Protection Act 2018.
r. “UK Personal Data” means Personal Data the sharing of which pursuant to this Agreement is regulated by the UK GDPR.
2. Scope and Purposes of Processing. Customer agrees to determine the purposes and general means of Checkr’s Processing of Customer Data in accordance with the Agreement. Checkr will Process Customer Data, including Personal Data contained therein, solely for the purposes set forth in the Agreement, including for the purpose of generating a consumer report as defined by 15 U.S.C. 1681a(d), and in compliance with applicable law. Customer will not instruct Checkr to Process Customer Data in violation of applicable law. Checkr will inform Customer if Checkr discovers that, in its opinion, an instruction from Customer infringes applicable law.
3. Obligations of the Parties.
a. Compliance with Laws. Each party shall comply with all laws, whether state, federal, local or international, including Data Privacy Laws. Each party shall promptly notify the other party in writing if it is no longer able to meet its obligations under Data Privacy Laws applicable to this DPA.
b. Compliance with Data Controller Obligations. To the extent such party is acting as a Data Controller, each party shall independently fulfill all duties required of Data Controllers under Data Privacy Laws. Checkr is a Data Controller with respect to Personal Data, other than Customer Data, that it Processes in connection with the Services.
c. No joint controllership. Unless otherwise agreed in writing, the parties acknowledge and agree that each is acting independently as a Data Controller with respect to Personal Data and the parties are not joint Controllers as defined in the General Data Protection Regulation and UK GDPR.
d. No CCPA Sale or Sharing. Neither party shall Sell or Share to a third party any Personal Data made available to it by the other party except to the extent such Personal Data or Sale or Sharing thereof is exempted from Data Privacy Laws. The parties agree that for the purposes of the CCPA, Checkr acts as a service provider with regard to the Processing of Customer Data. Customer does not Sell or Share Customer Personal Data to Checkr because Checkr shall only use Customer Personal Data for the purposes specified in the Agreement.
e. Data Subject Requests. For the avoidance of doubt, to the extent the party is a Data Controller, each party shall have an independent obligation to respond to requests received from Data Subjects seeking to exercise their rights under applicable Data Privacy Laws, including, but not limited to, access and deletion requests made pursuant to the Data Privacy Laws. The recipient of the Data Subject request shall be responsible for responding to the Data Subject. If applicable, and to the extent legally permitted, each party shall provide the other party with reasonable cooperation and assistance in relation to the handling of a Data Subject’s request.
f. Disclosures and Consent. Each party shall comply with applicable Laws, including, but not limited to, the FCRA (as applicable) and Data Privacy Laws, to provide legally required notices to Data Subjects regarding the purpose and nature of the Processing of Personal Data in connection with the Services. Customer shall ensure that Data Subjects have provided legally sufficient consent or other appropriate legal basis (including under the GDPR and all other applicable Data Privacy Laws), wherever such consent or other appropriate legal basis is necessary to enable Checkr to perform the Services.
4. Customer Data Processing Requirements. Checkr will:
a. Ensure that the persons it authorizes to Process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
b. Upon written request of Customer, assist Customer in the fulfillment of Customer’s obligations to respond to verifiable requests by Data Subjects (or their representatives) for exercising their rights with respect to Customer Data under Data Privacy Laws.
c. Promptly, and in any event within ten days, notify Customer of any third-party or Data Subject requests or complaints regarding the Processing of Customer Data. Customer agrees to, at Checkr’s request, designate to Checkr a single point of contact responsible for receiving and responding to such requests or complaints.
d. Provide reasonable assistance to and cooperation with Customer for Customer’s performance of a data protection impact assessment of Processing or proposed Processing of Customer Data.
e. Provide reasonable assistance to and cooperation with Customer for Customer’s consultation with regulatory authorities in relation to the Processing or proposed Processing of Customer Data, including complying with any obligation applicable to Checkr under Data Privacy Laws to consult with a regulatory authority in relation to Checkr’s Processing or proposed Processing of Customer Data.
5. Subprocessors.
a. Checkr may subcontract the collection or other Processing of Customer Data in compliance with Data Privacy Law to provide the Services. Checkr will impose contractual obligations on the Subprocessor that are at least the same level of protection as those imposed on Checkr under this DPA and will remain liable for its Subprocessors’ performance to the same extent Checkr is liable for its own performance, consistent with the limitations of liability set forth herein.
b. If GDPR is applicable to the Services, Checkr shall notify Customer of any changes made to Subprocessors at least 10 days prior to any such change by sending an email to the email address designated by Customer to receive notifications. Customer may reasonably object to Checkr’s use of a new Subprocessor by notifying Checkr promptly in writing within ten (10) business days after Checkr’s notice is sent pursuant to this DPA. Customer shall explain its reasonable grounds for objection. In the event Customer objects to a Subprocessor, the parties shall discuss Customer’s concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, Checkr will, at its sole discretion, either (i) not appoint the Subprocessor; or (ii) in the event that Checkr cannot provide the services without such objected-to Subprocessor, permit Customer to terminate the Services. Checkr may replace a Subprocessor if the need for the change is urgent and necessary to provide the Services. In such instance, Checkr shall notify Customer of the replacement as soon as reasonably practicable, and Customer shall retain the right to object to the replacement Subprocessor pursuant to this Section.
6. Security.
a. Taking into account the nature of Processing and the information available to Checkr, Checkr shall implement technical and organizational measures, including the measures set forth in Annex II of the Appendix to this DPA, without prejudice to Checkr’s right to make future replacements or updates to the measures that do not lower the level of protection of Customer Data.
b. Security Breach. Checkr shall notify Customer promptly of any Security Breach of Customer Data and provide related information to Customer as set forth by Data Privacy Laws. Customer shall notify Checkr promptly of any actual or suspected unauthorized access to Customer’s systems or compromise of Customer’s credentials used to access the Services. Taking into account the nature of Processing and the information available to Checkr, the parties shall reasonably work together to address any such compromise, including taking steps to mitigate the effects of the Security Breach or system compromise and reduce the risk to Data Subjects whose Personal Data in the Customer Data was involved. Customer is solely responsible for complying with legal requirements for incident notification applicable to Customer and fulfilling any third-party notification obligations. Nothing shall be construed to require Checkr to violate, or delay compliance with, any legal obligation it may have with respect to a Security Breach or other security incidents generally.
7. Data Transfers.
For transfers of EU Personal Data to Checkr for processing by Checkr in a jurisdiction other than a jurisdiction in the EU, the EEA, or the European Commission-approved countries providing ‘adequate’ data protection, each party agrees it will use Module 2 of the Standard Contractual Clauses for Controller to Processor transfers, which are incorporated herein by reference. The annexes included in the Appendix to this Agreement shall apply as the annexes of the Standard Contractual Clauses.
In case of conflict between the Standard Contractual Clauses and this DPA, the Standard Contractual Clauses will prevail. Notwithstanding the foregoing, where the transfers contemplated under this Section 7 result in transfers of UK Personal Data to Checkr for processing by Checkr in a jurisdiction other than in the UK or UK Information Commissioner’s Office-approved countries providing ‘adequate’ data protection, then (a) the Standard Contractual Clauses used for EU Personal Data shall also apply to transfers of UK Personal Data; (b) the UK Addendum shall be deemed executed between Customer and Checkr; and (c) the SCCs between the parties shall be deemed amended as specified in the UK Addendum in respect of the transfer of such UK Personal Data. The UK Information Commissioner is the exclusive Supervisory Authority for the transfers of UK Personal Data under this Agreement.
8. Audits.
a. Reasonable Audits. If GDPR is applicable to the Services, Checkr shall allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer subject to the following conditions: so long as the Agreement remains in effect and at Customer’s sole expense, Customer may request that Checkr provide it with documentation, data, and records (“Records”) no more than once annually relating to Checkr’s compliance with this DPA with respect to Customer Data (an “Audit”). To the extent Customer uses a third-party representative to conduct the Audit, Customer shall ensure that such third-party representative is bound by obligations of confidentiality no less protective than those contained in this Agreement. Customer shall provide Checkr with fourteen (14) days prior written notice of its intention to conduct an Audit. Customer shall conduct its Audit in a manner that will result in minimal disruption to Checkr’s business operations and shall not be entitled to receive data or information of other clients of Checkr or any other confidential information of Checkr that is not directly relevant for the authorized purposes of the Audit. If any material non-compliance is identified by an Audit, Checkr shall take prompt action to correct such non-compliance. Any information that Customer receives under this Section is Confidential Information of Checkr.
b. Limitations. For the avoidance of doubt, this provision does not grant Customer any right to conduct an on-site audit of Checkr’s premises. Customer shall reimburse Checkr for any time expended for an Audit at Checkr’s then-current reasonable rates, which shall be made available to Customer upon request. Nothing herein will require Checkr to disclose or make available: (a) any data of any other customer of Checkr; (b) access to systems; (c) Checkr’s internal accounting or financial information; (d) any trade secret of Checkr; (e) any information or access that, in Checkr’s reasonable opinion, could (i) compromise the security of Checkr systems or premises; or (ii) cause Checkr to breach its obligations under applicable law or applicable contracts; or (f) any information sought for any reason other than the good faith fulfilment of Customer’s obligations under Applicable Law to audit compliance under this DPA.
9. Return or Destruction. Upon termination of the Services or on reasonable written request from Customer’s authorized representative, Checkr shall, at the choice of Customer, return or delete such Customer Data in accordance with its requirements under applicable Data Privacy Law, unless applicable law prevents Checkr from returning or deleting all or part of the Customer Data. In such case, Checkr agrees to preserve the confidentiality of the Customer Data retained by it and to Process such Customer Data only in order to comply with applicable law. Notwithstanding the foregoing, this provision will not require Checkr to delete Customer Data from archival and back-up files except as provided by Checkr’s internal data deletion practices or as required by applicable law. For avoidance of doubt, Checkr may continue to Process Customer Data that has been anonymized or aggregated in a manner that does not identify individuals.
10. Miscellaneous. Nothing in this DPA shall confer any benefits or rights on any person or entity other than the parties to this DPA. The provisions of this DPA shall survive the termination or expiration of the Agreement as long as either party continues to Process Personal Data in connection with the Agreement.
APPENDIX
ANNEX I: LIST OF PARTIES
Data exporter(s):
Name: Customer
Address: As specified in the Agreement.
Contact person’s name, position, and contact details: As specified in the Agreement.
Activities relevant to the data transferred under these Clauses: The data importer provides the Services to the data exporter in accordance with the Agreement.
Signature and accession date: As specified in the Agreement.
Role: Controller.
Data importer(s):
Name: Checkr, Inc.
Address: 1 Montgomery Street, Suite 2400, San Francisco, CA 94104
Contact person’s name, position, and contact details: Graham Ravdin, DPO, DPO@Checkr.com
Activities relevant to the data transferred under these Clauses: The data importer provides the Services to the data exporter in accordance with the Agreement.
Signature and accession date: As specified in the Agreement.
Role: Processor.
ANNEX II: DESCRIPTION OF THE PROCESSING
Categories of data subjects whose personal data is transferred
Data subjects include the individuals about whom data is provided by the data exporter for the purposes of obtaining the Services. These individuals may include, without limitation, individuals who are subject to background checks.
Categories of personal data transferred
Customer Data, including data relating to individuals about whom data is provided by the data exporter for the purposes of obtaining the Services. This data may include, for example:
- Personal details, including information that identifies the data subject and their personal characteristics, such as name, address, contact details, and date of birth.
- Personal details issued as an identifier by a public authority, including passport details, national insurance numbers, identity card numbers, and driving license details.
- Employment details, including information relating to the employment of the data subject, such as employment and career history.
- Education and training details, including information which relates to the education and any professional training of the data subject.
- Background information, including information relating to criminal activity or sanctions.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures
None, based on GDPR Article 9’s definition of “sensitive categories of data.”
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis)
Customer Data may be transferred on a continuous basis until it is deleted in accordance with the terms of the Agreement.
Nature of the processing
The data importer will process Customer Data to provide, secure and monitor the Services in accordance with the Agreement, as well as comply with applicable law.
Purpose(s) of the data transfer and further processing
The data importer will transfer Customer Data to provide, secure and monitor the Services in accordance with the Agreement, as well as comply with applicable law.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
For the duration of the Agreement until deletion in accordance with the provisions of the Agreement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
As above.
Competent Supervisory Authority
The supervisory authority of the member state in which the data subjects whose personal data is transferred in order to provide the Services are located shall act as the competent supervisory authority.
ANNEX III: TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Data importer will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Customer Data, as described below in Checkr’s Security Whitepaper.
OVERVIEW
Checkr was built with an emphasis on security, compliance and privacy. We work behind the scenes to protect your data with a secure, distributed infrastructure with multiple layers of protection. Administrators are empowered with control and visibility features to help effectively manage the security of your information. This paper will explain the ways Checkr creates a platform for offering its SaaS products, covering topics like information security, physical security and operational security. The policies, procedures and technologies described in this paper are detailed as of the time of authorship. Some of the specifics may change over time as we regularly innovate with new features and products.
We’re committed to being transparent about our security practices and helping you understand our approach.
SECURITY PROGRAM
Checkr has established an ISMS (Information Security Management System) based on the ISO 27001:2013 Information Security Standard because it is one of the most recognized frameworks worldwide. Checkr’s ISMS covers the following security categories: Governance, Risk Management, Information Security Policies, HR Security, Asset Management, Access Control, Cryptography, Physical and Environmental Security, Operations Security, Network Security, Product Security, Third-Party Security, Incident Response, Business Continuity/Disaster Recovery, Continuous Monitoring, Vulnerability Management and Compliance.
GOVERNANCE
Checkr’s ISMS (information security management system) follows a top-down approach and is driven by our ISMS Steering Committee, composed of cross-functional department heads. The executive team meets at least bi-annually to discuss the current posture of the program, including the scope, vision, information security policy, risks, internal and external audit non-conformities, corrective actions, etc. Tasks are delegated to information owners and custodians to maintain and continually improve the ISMS.
PEOPLE SECURITY
People are every company’s greatest asset and biggest weakness. The people creating Checkr products are important, and therefore processes have been implemented to ensure we are hiring the right people. Prior to employment, all Checkr employees must go through a background screen that consists of an SSN trace, Sex Offender Search, Global Watchlist Search, National and Federal Criminal Search, Federal Civil Search, County Criminal Searches, Employment Verification and Education Verification. Once cleared, employees are required to sign and acknowledge company terms and conditions, non-disclosure agreements, policies and procedures.
CHECKR SECURITY WHITEPAPER
Checkr has implemented a security awareness program which requires all Checkr employees to attend a security training during onboarding week and to pass a test afterwards. Checkr regularly provides continuous education campaigns through various communication channels.
RISK MANAGEMENT
Checkr has established a risk management program to demonstrate our commitment to information security. We leverage the ISO 27005 Risk Management framework to prioritize identified risks. Checkr identifies all critical tangible and intangible assets to our business and assesses the assets against potential threats and vulnerabilities. We incorporate a business impact analysis (BIA) for all assets. Assets within and outside of Checkr’s risk appetite are mitigated and managed so we can protect privacy and the Confidentiality, Integrity and Availability (CIA) of the asset. Risk assessments are conducted at least annually and/or when major changes occur to the scope of the business.
ACCESS CONTROL
The concept of access control touches all three of the fundamental components of information security: Confidentiality, Integrity, Availability. It is a key component in preserving Confidentiality and Integrity by limiting access to Checkr’s information. Checkr ensures that access is granted only to those personnel with a valid business reason and justification. Availability ties to access control by restricting access to those personnel with a “need to know” and limiting user privileges. For ease of understanding, Checkr follows a Role Based Access Control (RBAC) model for user access provisioning / de-provisioning. Checkr leverages a world class identity management and multi-factor authentication solution for employees to access information systems. User and privileged user access is reviewed on a continual basis. Prior to a Checkr employee separating from the organization, all access is revoked.
PRODUCT SECURITY
The mission of Checkr’s product security is to enable the product teams to build solutions that are best in class when it comes to security. Checkr teams must perform security checks to ensure we create secure products at each stage of development: requirements, design, implementation and deployment. Checkr engineers continuously perform security checks such as regular penetration tests by independent third parties, internal security reviews, internal and external security audits and regularly conducted threat models. All patching and deployments into production must proceed in accordance with our formal Change Management process. Checkr works with a world class bug bounty firm that helps Checkr triage and recreate all vulnerabilities found. Our bug bounty program provides an incentive for ethical hackers to responsibly disclose software bugs. This outside evaluation provides Checkr an independent viewpoint on our applications to help keep users safe.
INCIDENT RESPONSE
Checkr is dedicated to monitoring and responding to security incidents (physical, cyber, etc.) in a timely manner. Checkr has developed an incident response policy to help prepare our dedicated IRT (incident response team). On at least an annual basis, Checkr works with an independent cybersecurity firm to recreate real life scenarios and test the effectiveness of our program. Checkr models our incident response lifecycle on the NIST 800-61 Computer Security Incident Handling Guide, which divides the process into four phases: Preparation, Detection & Analysis, Containment, Eradication & Recovery, and Post-Incident Activity.
CRYPTOGRAPHY
Data in transit
All inbound HTTPS traffic goes through a cloud-based security platform that provides multiple layers of DDoS protection. All inbound connections use TLS 1.2 and are encrypted and authenticated using AES-256 encryption. All of our database servers require SSL encrypted connections.
Data at rest
Our database instances, backups and read replicas are encrypted at rest using the industry standard AES-256 algorithm. This provides an additional layer of data protection by securing our data from unauthorized access to the underlying storage. For file storage, we use Amazon S3 buckets, which allows us to encrypt files with server-side encryption.
CLOUD & NETWORK INFRASTRUCTURE SECURITY
Direct access to infrastructure, networks and data is minimized to the greatest extent possible. Where possible, control planes are used to manage services running in production, to reduce direct access to host infrastructure, networks and data. Direct access to production resources is restricted to employees requiring access and requires approval, strong multifactor authentication and access via a bastion host.
Checkr’s production environment, where all customer data and customer-facing applications sit, is a logically isolated Virtual Private Cloud (VPC). Production and non-production networks are segregated. All network access between production hosts is restricted using firewalls to only allow authorized services to interact in the production network.
VULNERABILITY MANAGEMENT
Checkr has created a vulnerability management program to identify, respond and triage vulnerabilities against the Checkr platform. Checkr approaches continuous monitoring through the development of proactive and detective capabilities. Through the ongoing awareness of vulnerabilities, incidents and threats, Checkr is poised to respond and mitigate accordingly.
PHYSICAL SECURITY
Datacenter Security
Checkr leverages AWS data centers for all production systems and customer data. AWS follows industry best practices and complies with an array of compliance standards. Refer to AWS SOC reports here: https://aws.amazon.com/compliance/soc-faqs/
Office Security
Checkr is located at 1 Montgomery St. Suite 2000, San Francisco, CA 94104. The building in which Checkr’s suite is located is staffed by security personnel 24×7, 365 days a year. All Checkr entry points are locked and secured at all times and require electronic key card access to enter. Visitors are required to check in with the building receptionist before being allowed elevator access to Checkr’s suite, where they are then greeted by our receptionist. CCTV, fire detection systems and other safeguards are in place to maintain a restricted and secure environment.
BUSINESS CONTINUITY PLAN / DISASTER RECOVERY PLAN
Recovery Planning
Checkr maintains a formal BCP/DRP that is regularly reviewed and updated by executive management at least annually.
Plan testing/exercising
Checkr tests elements of its BCP/DRP at least annually. Post-mortems are documented and reviewed with management to address issues and strengthen weak areas.
Review and approval of the BCP/DRP
As part of our ISMS program, the BCP/DRP is reviewed at least annually by management.
Redundancy
Checkr performs regular backups of Checkr account information, call records, call recordings and other critical data using the Amazon S3 cloud storage service. All backups are encrypted in transit and at rest using industry-standard encryption. AWS (Amazon Web Services) spans multiple geographic regions and availability zones. Checkr backup files are stored redundantly across multiple availability zones to create a fully backed-up and restorable environment.
THIRD-PARTY SECURITY
All third parties used by Checkr are assessed thoroughly through a vendor risk assessment analyzed by our security team. Once a third party is validated and meets Checkr’s security requirements, Checkr periodically reviews its security controls and SLA agreements. Checkr ensures that data is returned and/or deleted at the end of a vendor relationship.
COMPLIANCE
Checkr complies with applicable legal, industry and regulatory requirements as well as industry best practices.
ISO 27001 (Information Security)
Checkr is ISO/IEC 27001:2013 certified.
NAPBS (National Association of Professional Background Screeners)
Checkr is NAPBS accredited.
SOC 2 type II
Checkr is SOC 2 compliant (Security, Availability, Confidentiality).
ANNEX IV: LIST OF SUB-PROCESSORS
The data importer has the data exporter’s general authorisation for the engagement of sub-processors, which are included on the following list: https://checkr.com/sub-processor-list.