Global Data Processing Addendum (US, EU AND UK)

Last Updated: September 20, 2023

This DPA is entered into between Customer and Invoiced, Inc., a Delaware corporation (Invoiced), and is incorporated into and governed by the Terms of Service agreement between the parties.

Definitions

Any capitalized term not defined in this DPA will have the meaning given to it in the Agreement (defined below).

Affiliate means any entity that directly or indirectly controls, is controlled by, or is under common control of a party. “Control” for purposes of this definition means direct or indirect ownership or control of more than 50% of the voting interests of a party.

Agreement means the Terms of Service agreement between Customer and Invoiced for the provision of the Services.

CCPA means the California Consumer Privacy Act, along with its regulations, as amended from time to time.

CPA means Colorado Privacy Act, along with its regulations, as amended from time to time.

CTDPA means Connecticut Data Privacy Act, along with its regulations, as amended from time to time.

Controller means Customer, the entity which determines the purposes and means of the processing of Personal Data.

Customer Data means data, which may include Personal Data (defined below) and the categories of data submitted, stored, sent, or received via the Services by Customer, its Affiliates, or end users.

Data Protection Laws means all laws and regulations applicable to the processing of Personal Data under the Agreement, including, but not limited to, the EU GDPR, the UK GDPR, the UK Data Protection Act 2018, the FDPA, the CCPA, the VCDPA, the CPA, the CTDPA, the UCPA, the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended, and all other applicable data protection and privacy legislation in force from time to time (as may be applicable depending on the location of Customer, data subjects and processing of the relevant Personal Data).

Data Subject means: (i) the identified or identifiable person to whom Personal Data relates; or (ii) a “Consumer” as the term is defined in the applicable Data Protection Laws.

DPA means this data processing addendum and its schedules.

EEA means the Swiss Federal Act on Data Protection of 19 June 1992 (SR 235.1; FDPA) as amended from time to time.

EU GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

FDPA means the Swiss Federal Act on Data Protection of 19 June 1992 (SR 235.1; FDPA) as amended from time to time.

Personal Data means any information relating to: (i) an identified or identifiable natural person and (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws), which is provided as Customer Data.

Processor means Invoiced, the entity which Processes Personal Data on behalf of Controller, including as applicable any “Service Provider” as that term is defined by the CCPA.

Restricted Transfer means: (i) where the EU GDPR applies, a transfer of Personal Data via the Services from the EEA either directly or via onward transfer, to any country or recipient outside of the EEA not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of Personal Data via the Services from the United Kingdom either directly or via onward transfer, to any country or recipient outside of the UK not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and (iii) a transfer of Personal Data via the Services from Switzerland either directly or via onward transfer, to any country or recipient outside of the EEA and/or Switzerland not subject to an adequacy determination by the European Commission.

Standard Contractual Clauses means: (i) where the EU GDPR applies, contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries and published at https://eur-lex.europa.eu/legal-content (EU SCCs); (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR, using the controller to processor template available at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers-after-uk-exit/sccs-after-transition-period/ (UK SCCs); and (iii) where Personal Data is transferred from Switzerland to outside of Switzerland or the EEA, the EU SCCs as amended in accordance with guidance from the Swiss Data Protection Authority (Swiss SCCs).

Sub-processor means any person or entity engaged by Invoiced or an Affiliate to process Personal Data in the provision of the Services to Customer.

Supervisory Authority means a governmental or government-chartered regulatory body having binding legal authority over Customer.

Services means the web subscription services provided by Invoiced to Customer pursuant to the Agreement.

UK GDPR means the EU GDPR as it forms part of the laws of the UK by virtue of section 3 of the European Union (Withdrawal) Act 2018.

UCPA means Utah Consumer Privacy Act, along with its regulations, as amended from time to time.

VCDPA means the Virginia Consumer Data Protection Act, along with its regulations, as amended from time to time.

1. Purpose

a)    Invoiced has agreed to provide the Services to Customer in accordance with the terms of the Agreement. In providing the Services, Invoiced will process Customer Data on behalf of Customer. Customer Data may include Personal Data. Invoiced will process and protect such Personal Data in accordance with the terms of this DPA and the Data Protection Laws.

b)    With respect to Customer Data under this DPA, the parties agree that Customer is the ‘data controller’ and Invoiced is the ‘data processor’. Customer will comply with its obligations as a data controller and Invoiced will comply with its obligations as a data processor under this DPA.

c)    Where a Customer Affiliate or a Customer client is the Controller with respect to certain Customer Data, Customer represents and warrants to Invoiced that it is authorized to instruct Invoiced and otherwise act on behalf of such Customer Affiliate or Customer client in relation to Customer Data in accordance with the Agreement and this DPA.

2. Scope

a)    In providing the Services to Customer pursuant to the Agreement, Invoiced will treat Personal Data as confidential and only process Personal Data on behalf of Customer, only to the extent reasonably necessary and proportionate to provide the Services (accounts receivable and accounts payable automation and payment services), and in accordance with Customer’s instructions as documented in the Agreement and this DPA.

b)    Invoiced and Customer must take steps to ensure that any natural person acting under the authority of Customer or Invoiced who has access to Personal Data does not process it except on the instructions from Customer as specified in the Agreement, unless required to do so by Data Protection Laws.

3. Invoiced Obligations

a)    Invoiced may collect, process, or use Personal Data only in accordance with the scope of the Agreement, this DPA, and Customer’s instructions. This DPA is Customer’s complete and final documented instruction to Invoiced in relation to Personal Data. Additional instructions outside the scope of this DPA (if any) require a prior written agreement between Invoiced and Customer, including the agreement on any additional fees payable by Customer to Invoiced for carrying out such instructions.

b)    Invoiced will ensure that all employees, agents, officers, and contractors involved in the handling of Personal Data:

(i) are aware of the confidential nature of the Personal Data and are contractually bound to keep the Personal Data confidential;

(ii) have received appropriate training on their responsibilities as a data processor; and

(iii) are bound by terms materially no less restrictive than the terms of this DPA.

c)    Invoiced must maintain appropriate managerial, operational, and technical safeguards designed to preserve the integrity and security of Customer Data while in its possession and control hereunder, taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

d)    Invoiced must maintain appropriate measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

(i) the pseudonymization and encryption of Personal Data;

(ii) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;

(iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;

(iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. In assessing the appropriate level of security, Invoiced considers the risks that are presented by processing, from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed, as further set forth in Schedule 2.

e)     Customer agrees that while providing the Services to Customer, it may be necessary for Invoiced to access the Personal Data to respond to any technical problems, Customer queries, security monitoring, and to ensure the proper working of the Services. All such access by Invoiced will be limited to those purposes and performed by authorized personnel.

f)      Invoiced will not retain, use, or disclose any Personal Data provided by or on Customer’s behalf or collected by Invoiced on Customer’s behalf for any purpose other than (i) providing the Services as directed by Customer under the terms of the Agreement; (ii) complying with Invoiced’s legal obligations; or (iii) as allowed by applicable State Data Protection Laws.

g)    Invoiced must promptly inform Customer if, in Invoiced’s opinion, any of the instructions regarding the processing of Personal Data provided by Customer breach Data Protection Laws.

h)    Invoiced will reasonably assist Customer in meeting its obligation to carry out Data Protection Impact Assessments (DPIA), considering the nature of processing and the information available to Invoiced.

i)      Customer and Invoiced and, where applicable, their representatives, will cooperate, upon request, with a Supervisory Authority in the performance of their respective obligations under this DPA and Data Protection Laws.

j)      Invoiced will notify Customer promptly of any request or complaint regarding the processing of Personal Data, which adversely impacts Customer, unless such notification is not permitted under applicable law or relevant court order.

k)     Invoiced may not:

(i) Retain, use, or disclose any Personal Data provided by or on Customer’s behalf or collected by Company on Customer’s behalf for any purpose other than

(1) providing the Services as directed by Customer under the terms of the Agreement;

(2) verifying or maintaining the quality of the Services, and improving, upgrading, or enhancing the Services;

(3) complying with Company’s legal obligations; or

(4) as allowed by applicable Data Protection Laws,

(ii) Sell or share Personal Data, and

(iii) Combine Personal Data with any Personal Data it receives from another entity or collects on its own.

l)      Invoiced will advise Customer if Invoiced determines it can no longer meet its obligations under the applicable Data Protection Laws.

m)   Invoiced will ensure through a nondisclosure agreement that any persons accessing or processing Personal Data are subject to a duty of confidentiality with respect to the Personal Data.

4. Customer Obligations

a)    Customer represents and warrants, in its use of the Services, that:

(i) it will comply with the terms of the Agreement, this DPA, and the Data Protection Laws, including any applicable requirements to provide notice to and/or obtain consent from Data Subjects for Processing by Invoiced; and

(ii) it will ensure that its use of the Services will not violate the rights of any Data Subjects. All Affiliates of Customer who use the Services will comply with the obligations of Customer set out in this DPA.

b)    Customer represents and warrants that, as the party with sole responsibility for Customer Data quality, legality, and accuracy, it has obtained any and all permissions and authorizations necessary to permit Invoiced, its Affiliates, and Sub-processors to exercise their rights or perform their obligations under this DPA.

c)     Customer represents and warrants that:

(i) its instructions comply with Data Protection Laws; and

(ii) some instructions from Customer, including assisting with audits, inspections, or DPIAs by Invoiced, beyond the reasonable assistance Invoiced generally provides to its customers during an audit, inspection, or DPIA, may result in additional fees. Invoiced will notify Customer in advance of its fees for providing such assistance.

d)    Customer must inform Invoiced of any notice, inquiry (including any notice, investigation, complaint, or request) relating to Invoiced’s processing of Personal Data and provide Invoiced with a copy thereof within 48 hours of receipt. Notices should be sent to: support@invoiced.com

5. Notification of Security Breach

a)    Invoiced will notify Customer without undue delay after becoming aware of (and in any event within 72 hours of discovering) any actual accidental or unlawful destruction, loss, alteration, or unauthorized disclosure or access to Customer’s Personal Data (Personal Data Breach).

b)    Invoiced will take all commercially reasonable measures to secure the Personal Data, to eliminate the Personal Data Breach, and to assist Customer in meeting Customer’s obligations under applicable law. In the event of a Personal Data Breach, Invoiced’s System Administration Team and Security Team will perform a risk-based assessment of the situation and develop appropriate strategies in accordance with Invoiced incident response procedures, which include contacting Customer’s primary (technical or business) point of contact or Security Operation Center (SOC) to brief them on the situation and provide resolution status updates.

6. Audit

a)    Invoiced will make available to Customer all information reasonably necessary to demonstrate compliance with its processing obligations and allow for and contribute to audits and inspections. Invoiced will allow, and cooperate with, reasonable assessments by Customer or Customer’s designated assessor. Alternatively, if required by the applicable Data Protection Laws, Invoiced may arrange for a qualified and independent assessor to assess Invoiced’s policies and technical and organizational measures in support of Invoiced’s privacy obligations under Data Protection Laws, using an appropriate and accepted control standard or framework and assessment procedure for such assessments.

b)    Any audit conducted under this DPA will consist of examination of the most recent reports, certificates, and/or extracts prepared by an independent auditor bound by confidentiality provisions similar to those set out in the Agreement. In the event that provision of the same is not deemed sufficient in the reasonable opinion of Customer, Customer may conduct a more extensive audit which will be:

(i) at Customer’s expense;

(ii) limited in scope to matters specific to Customer and agreed in advance;

(iii) carried out during Invoiced’s business hours and upon reasonable notice which must be not less than 4 weeks unless an identifiable material issue has arisen; and

(iv) conducted in a way which does not interfere with Invoiced’s day-to-day business. Any such audit must be conducted remotely, except that Customer and/or its Supervisory Authority may conduct an on-site audit at Invoiced’s premises if so required by the Data Protection Laws. In no event will any audit of a Sub-processor, beyond a review of reports, certifications and documentation made available by the Sub-processor, be permitted without the Sub-processor’s consent. This section does not modify or limit the rights of audit of Customer; instead it is intended to clarify the procedures in respect of any audit undertaken pursuant thereto.

c)    Customer may not perform an audit more than once in any 12-month period.

7. Data Subjects

a)    Invoiced must, to the extent legally permitted, promptly notify Customer if Invoiced receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of processing, erasure, data portability, or objection to the processing (Data Subject Request).

b)    Considering the nature of the processing and the information available to Invoiced, Invoiced must assist Customer by having in place appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to a Data Subject Request under the Data Protection Laws.

c)     To the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Invoiced must upon Customer’s request, and to the extent possible, provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Invoiced is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws. To the extent legally permitted, Customer must be responsible for any costs arising from Invoiced’s provision of such assistance.

8. Sub-Processors

a)    Customer agrees that: (i) Affiliates of Invoiced may be used as Sub-processors; and (ii) Invoiced and its Affiliates respectively may engage Sub-processors in connection with the provision of the Services. The current list of Sub-processors is on Schedule 3. Customer authorizes Invoiced to use the Sub-processors set out in Schedule 3.

b)    Prior to any disclosure, Invoiced will impose on the Sub-processors, in writing, obligations concerning Personal Data as required by the Data Protection Laws.

c)     During the term of this DPA, Invoiced will provide Customer with 30 days prior notification, via email, of any changes to the list of Sub-processors before authorizing any new or replacement Sub-processors to process Personal Data in connection with the provision of the Services.

d)    Customer may object to the use of a new or replacement Sub-processor by notifying Invoiced promptly in writing within 30 days after receipt of Invoiced’s notice. If Customer objects to a new or replacement Sub-processor, and that objection is reasonable, Customer may terminate the Agreement or applicable order with respect to those Services which cannot be provided by Invoiced without the use of the new or replacement Sub-processor. Invoiced will refund Customer any prepaid and unused fees covering the remainder of the term of the applicable order following the effective date of termination with respect to such terminated Services.

e)     All Sub-processors who process Personal Data must comply with the applicable obligations of Invoiced set out in this DPA. Invoiced must prior to the relevant Sub-processor carrying out any processing activities in respect of the Personal Data: (i) appoint each Sub-processor under a written contract containing materially the same obligations to those of Invoiced in this DPA enforceable by Invoiced; and (ii) ensure each such Sub-processor complies with all such obligations.

f)      Customer agrees that Invoiced and its Sub-processors may make Restricted Transfers of Personal Data for the purposes of providing the Services to Customer in accordance with the Agreement to countries outside the EEA, UK, or Switzerland. Invoiced confirms that such Sub-processors (i) are located in a third country or territory recognized by the EU Commission or a Supervisory Authority, as applicable, to have an adequate level of protection; or (ii) have entered into the applicable Standard Contractual Clauses with Invoiced; or (iii) have other legally recognized appropriate safeguards in place.

9. Restricted Transfers

a)    The parties agree that, when the transfer of Personal Data from Customer to Invoiced or from Invoiced to a Sub-processor is a Restricted Transfer, it will be subject to the applicable Standard Contractual Clauses.

b)    The parties agree that the EU SCCs apply to Restricted Transfers from the EEA. The EU SCCs are deemed entered into (and incorporated into this DPA by reference) and completed as follows:

(i) Module Two (Controller to Processor) applies where Customer is a Controller of Customer Data and Invoiced is processing Customer Data;

(ii) Module Three (Processor to Processor) applies where Invoiced is a Processor of Customer Data and Invoiced uses a Sub-processor to process Customer Data;

(iii) Module Four (Processor to Controller) does not apply;

(iv) in Clause 7 of the EU SCCs, the optional docking clause will not apply;

(v) in Clause 9 of the EU SCCs, Option 2 applies, and the time period for notice of Sub-processors must be as set out in Section 8(c) of this DPA;

(vi) in Clause 11 of the EU SCCs, the optional language does not apply;

(vii) in Clause 17 of the EU SCCs, Option 1 applies, the EU SCCs are governed by Irish law, and the Swiss SCCs are governed by Swiss law;

(viii) in Clause 18(b) of the EU SCCs, disputes must be resolved by: the courts of Ireland for the EU SCCs, and the courts of Switzerland for the Swiss SCCs;

(ix) Annex I of the EU SCCs is deemed completed with the information set out in Schedule 1 of this DPA; and

(x) Annex II of the EU SCCs is deemed completed with the information set out in Schedule 2 of this DPA.

c)    The parties agree that the EU SCCs, as amended in Section 9(b) above, shall be adjusted as set out below where the FDPA applies to any Restricted Transfer:

(i) The Swiss Federal Data Protection and Information Commissioner (FDPIC) shall be the sole Supervisory Authority for Restricted Transfers exclusively subject to the FDPA;

(ii) Restricted Transfers subject to both the FDPA and the EU GDPR, shall be dealt with by the EU Supervisory Authority named in Schedule 1 of this DPA;

(iii) The term ‘member state’ must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs;

(iv) Where Restricted Transfers are exclusively subject to the FDPA, all references to the GDPR in the EU SCCs are to be understood to be references to the FDPA;

(v) Where Restricted Transfers are subject to both the FDPA and the EU GDPR, all references to the GDPR in the EU SCCs are to be understood to be references to the FDPA insofar as the Restricted Transfers are subject to the FDPA;

(vi) The Swiss SCCs also protect the Personal Data of legal entities until the entry into force of the revised FDPA.

d)    The parties agree that the UK SCCs apply to Restricted Transfers from the UK and the UK SCCs are deemed entered into (and incorporated into this DPA by reference), completed as follows:

e)    Appendix 1 of the UK SCCs is deemed completed with the information set out in Schedule 1 of this DPA; and

f)    Appendix 2 of the UK SCCs is deemed completed with the information set out in Schedule 2 of this DPA.

g)    If any provision of this DPA contradicts any Standard Contractual Clauses, the provisions of the applicable Standard Contractual Clauses prevail over this DPA.

10. Liability

a)    The parties agree that Invoiced will be liable for any breaches of this DPA caused by the acts and omissions of its Sub-processors to the same extent Invoiced would be liable if performing the services of each Sub-processor directly under the terms of this DPA.

b)    The parties agree that Customer will be liable for any breaches of this DPA caused by the acts and omissions of its Affiliates and users as if Customer had committed such acts and omissions itself.

c)     The limitations of liability in the Agreement apply to all claims related to or arising under this DPA.

11. Term and Termination

a)    Invoiced will only process Personal Data for the term of this DPA. This DPA will automatically terminate upon the termination of the Agreement.

12. Deletion and Return of Data

a)    Invoiced will, upon written request and at the choice of Customer either:

(i) make the Services available to Customer for the return of Personal Data to Customer at the expiration of the order within the time periods set out in the termination section of the Agreement; or

(ii) securely delete all Personal Data. Invoiced will in any event securely delete all Personal Data after such time period unless applicable law with respect to Invoiced prevents destruction of the Personal Data; and upon request provide a certification of deletion of Personal Data.

b)    Where any Customer Data is retained for such reasons, Customer Data must be treated as Confidential Information and will no longer be actively processed.

c)    Where any Personal Data is retained for such reasons, the Personal Data must be treated as Confidential Information and will no longer be actively processed.

13. General 

a)    This DPA sets out the entire understanding of the parties, and supersedes all prior and contemporaneous agreements and understandings, with regards to the subject matter. No modification or waiver of any term in this DPA is effective unless both parties sign it.

b)    Should a provision of this DPA be invalid or become invalid, the legal effect of the other provisions will be unaffected. A valid provision which comes closest to what the parties intended commercially is deemed to have been agreed upon and will replace the invalid provision. The same will apply to any omissions.

c)    To the extent of any conflict or inconsistency between the terms of this DPA, the Standard Contractual Clauses, and the Agreement, the following order of precedence applies: the applicable Standard Contractual Clauses, followed by the Agreement, and then this DPA, provided that, in all instances, the disclaimer of damages and limitation of liability in the Agreement applies. Subject to the amendments in this DPA, the Agreement remains in full force and effect.

d)    Customer may send any questions or concerns regarding this DPA to: support@invoiced.com.

SCHEDULE 1

List of parties, description of processing and transfer of personal data, competent supervisory authority

MODULE TWO: CONTROLLER TO PROCESSOR

A. LIST OF PARTIES

The Controller: Customer

Address:

As set out for Customer in the Agreement.

Contact person’s name, position, and contact details:

As provided by Customer in its account and used for notification and invoicing purposes.

Activities relevant to the data transferred under the SCCs:

Use of the Services.

Signature and date:

By entering into the Agreement, the Controller is deemed to have signed the SCCs incorporated into this DPA, including their Annexes.

Role:

Data Exporter.

Name of representative (if applicable):

Osano International Compliance Services Limited
ATTN: BICN
25/28 North Wall Quay
Dublin 1, D01 H104
IRELAND


The Processor: Invoiced

Address:

21750 Hardy Oak Blvd
Ste 104 PMB 71106
San Antonio, TX 78258
United States

Contact person’s name, position, and contact details:

Parag Patel
COO
parag@invoiced.com

Activities relevant to the data transferred under the SCCs:

The provision of cloud computing solutions to the Controller under which the Processor processes Personal Data upon the instructions of the Controller in accordance with the terms of the Agreement.

Signature and date:

By entering into the Agreement, the Processor is deemed to have signed the SCCs, incorporated into this DPA, including their Annexes.

Role:

Data Importer

Name of representative (if applicable):

Osano International Compliance Services Limited
ATTN: BICN
25/28 North Wall Quay
Dublin 1, D01 H104
IRELAND

B. DESCRIPTION OF PROCESSING AND TRANSFERS

Categories of data subjects:

Customers and Vendors of the Controller.

Categories of Personal Data:

The Controller may submit personal data to the Services, the extent of which is determined and controlled by the Controller. The personal data includes but is not limited to:

  • Contact Information, such as name, email address, mailing address, or phone number;
  • Billing Information, such as credit card number and billing address;
  • Unique Identifiers, such as username, account number or password;
  • Geolocation based on IP address.

Sensitive Data:

No sensitive data will be processed or transferred, and sensitive data may not be included in the content of, or attachments to, emails.

The frequency of the processing and transfer (e.g., whether the data is transferred on a one-off or continuous basis):

Continuous basis for the duration of the Agreement.

Nature of the processing:

Processing operations include but are not limited to: invoice management and payment processing.

Purpose(s) of the data transfer and further processing:

Personal Data is transferred to sub-contractors who need to process some of the Personal Data in order to provide their services to the Processor as part of the Services provided by the Processor to the Controller.

The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:

Unless agreed otherwise in writing, for the duration of the Agreement, subject to Section 11 of this DPA.

For transfers to (Sub-) processors, also specify subject matter, nature, and duration of the processing:

The Sub-processor list in Schedule 3 of this DPA sets out the Personal Data processed by each Sub-processor and the services provided by each Sub-processor.

C. COMPETENT SUPERVISORY AUTHORITY 

Identify the competent supervisory authority/ies (e.g., in accordance with Clause 13 of the SCCs):

Where the EU GDPR applies, the Irish Data Protection Authority – The Data Protection Commission (DPC).

Where the UK GDPR applies, the UK Information Commissioner’s Office (ICO).

Where the FDPA applies, the Swiss Federal Data Protection and Information Commissioner (FDPIC).


MODULE THREE: PROCESSOR TO PROCESSOR

A.    LIST OF PARTIES

The Data Exporter: Invoiced

The Data Importers: Sub-processors named in the Sub-processor list which contains the name, address, contact details and activities relevant to the data transferred to each Data Importer.

B.    DESCRIPTION OF PROCESSING AND TRANSFERS

The Sub-processor list includes the information about the processing and transfers of the Personal Data, for each Data Importer:

  • categories of data subject;
  • categories of Personal Data;
  • the nature of the processing; and
  • the purposes of the processing.

Personal Data is processed by each Sub-processor:

  • on a continuous basis;
  • to the extent necessary to provide the Services in accordance with the Agreement and the Data Exporter’s instructions; and
  • for the duration of the Agreement and subject to Section 11 of this DPA.

C.    COMPETENT SUPERVISORY AUTHORITY

The competent Supervisory Authority is:

  • Where the EU GDPR applies, the Irish Data Protection Authority – The Data Protection Commission (DPC);
  • Where the UK GDPR applies, the UK Information Commissioner’s Office (ICO); and
  • Where the FDPA applies, the Swiss Federal Data Protection and Information Commissioner (FDPIC).

Schedule 2

Technical and Organizational Security Measures

(Including Technical and Organizational Measures to Help Ensure the Security of Data)

Below is a description of the technical and organisational measures implemented by the Processor as a Data Importer (including any relevant certifications) to ensure an appropriate level of security, considering the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Full details of the Processor’s technical and organisational security measures used to protect Personal Data are available at

Where applicable, this Schedule 2 will serve as Annex II to the SCCs.

Measure

Description

Measures of pseudonymisation and encryption of Personal Data

The Controller’s archived data is encrypted at rest using 256-bit AES encryption, and data in transit is protected by Transport Layer Security (“TLS”).

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

Access to the data necessary for the performance of a particular task is ensured within the systems and applications by a corresponding role and authorisation concept. In accordance with the “least privilege” and “need-to-know” principles, each role has only those rights which are necessary for the fulfilment of the task to be performed by the individual person.

To maintain data access control, state-of-the-art encryption technology is applied to the Personal Data itself where deemed appropriate to protect sensitive data based on risk.

Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident

The Processor shall maintain a multi-layered approach to achieve continued system availability and allow for continued use of the application by end-users without noticeable impact.

Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

The Processor performs periodic internal web application vulnerability assessments to ensure security controls are properly applied and operating effectively as designed. On at least an annual basis, the Processor performs external vulnerability assessments using third-party web application and pen-testing assessors. These external assessments cover the Open Web Application Security Project (OWASP) Top 10 web vulnerabilities. Vulnerability assessment results are incorporated into the Invoiced Software Development Lifecycle (SDLC) to remediate vulnerabilities and are tracked internally through to resolution.

Measures for user identification and authorisation

Access to system components and sensitive information shall be restricted to only those individuals whose job requires such access. Access rights for privileged user IDs shall be restricted to the least privileges necessary to perform job responsibilities.

All passwords used by Processor personnel shall meet minimum requirements, including length and strength, in order to minimize the risk of unauthorized access.

Authorized employees must use individual accounts and multi-factor authentication to gain access to customer information. Authorization is done on a ‘least privilege’ model.

Measures for the protection of data during transmission

Data in transit is protected by Transport Layer Security (“TLS”).

Measures for the protection of data during storage

Personal Data is only retained internally and on third-party data centre servers, which are covered by AWS certifications.

The Controller’s archived data is encrypted at rest using 256-bit AES encryption.

Measures for ensuring physical security of locations at which Personal Data are processed

Due to their respective security requirements, business premises and facilities are subdivided into different security zones with different access authorisations. Third-party data centres are monitored by security personnel.

Physical access to facilities shall be secured with badge readers, security cameras, and visitor logging.

Measures for ensuring event logging

Logging and audit trails are enabled.

Measures for ensuring system configuration, including default configuration

Systems are hardened, with unnecessary functions removed.

Measures for internal IT and IT security governance and management

Employees are instructed to collect, process and use Personal Data only within the framework and for the purposes of their duties (e.g., service provision). At a technical level, multi-client capability includes separation of functions as well as appropriate separation of testing and production systems.

The Controller’s Personal Data is stored in a way that logically separates it from other customer data.

The Processor employs role-based access controls on servers containing customer information, consistent with job duties and contractual requirements. Access to customer information is limited to authorized company employees having a ‘need to know’. Authorized employees must use individual accounts and multi-factor authentication to gain access to customer information. Authorization is done on a ‘least privilege’ model.

Measures for certification/assurance of processes and products

The Processor utilises third-party data centres that maintain current ISO 27001 certifications and/or SSAE 16 SOC 1 Type II or SOC 2 Attestation Reports. The Processor will not utilise third-party data centres that do not maintain the aforementioned certifications and/or attestations, or other substantially similar or equivalent certifications and/or attestations.

Measures for ensuring data minimisation

The Processor shall only store data for as long as is necessary to provide the Services and shall securely erase data when it is no longer needed.

Measures for ensuring data quality

All the data that the Processor possesses is provided by the Controller. The Processor does not assess the quality of the data provided by the Controller. The Processor provides reporting tools within its product to help the Controller understand and validate the data that is stored.

Measures for ensuring limited data retention

The Processor shall only store data for as long as is necessary to provide services and shall securely erase data when it is no longer needed.

Measures for ensuring accountability

The Processor internally reviews its information security policies annually to ensure they are still relevant and are being followed. All employees that handle sensitive data must acknowledge the information security policies. These employees are re-trained on information security policies once per year. A disciplinary policy is in place for employees that do not adhere to information security policies.

Measures for allowing data portability and ensuring erasure

The Services include built-in tools that allow the Controller to export and permanently erase data.

Measures to be taken by the Sub-processor to be able to assist the Controller (and, for transfers from a Processor to a Sub-processor, the Data Exporter)

The transfer of Personal Data to a third party (e.g., customers, sub-contractors, service providers) is only made if a corresponding contract exists, and only for the specified purposes. If Personal Data is transferred outside the EEA, the Processor ensures that an adequate level of data protection exists at the target location or organisation in accordance with the European Union’s data protection requirements, e.g., by employing contracts based on the EU SCCs.


Schedule 3

Sub-Processors