State Data Processing Addendum

Last Updated: March 23, 2023

This agreement is between Invoiced, Inc., a Delaware corporation (Invoiced), and the customer agreeing to these terms (Customer) and is incorporated into and governed by the terms of the Terms of Service Agreement between the parties.

To the extent the California Consumer Privacy Act (CCPA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), and Utah Consumer Privacy Act (UCA) (collectively, State Data Protection Laws) applies to Customer Personal Information:

1. Limitations on Use of Personal Information

a. As Part of Performing Services

Invoiced may receive Personal Information from or on behalf of Customer for the purpose of Invoiced performing automated accounts receivable services on behalf of Customer as described in the Agreement and order (Services).

  • Personal Information means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, or any information that is linked or reasonably linkable to an identifiable natural person or an identified or identifiable individual.

b. General Limits

Invoiced will limit Personal Information collection, use, retention, and disclosure to activities reasonably necessary and proportionate to achieve the Services.

c. Specific Limits

Invoiced will not retain, use, or disclose any Personal Information provided by or on Customer’s behalf or collected by Invoiced on Customer’s behalf for any purpose other than (i) providing the Services as directed by Customer under the terms of the Agreement; (ii) verifying or maintaining the quality of the Services, and improving, upgrading or enhancing the Services; (iii) complying with Invoiced’s legal obligations; or (iv) as allowed by applicable State Data Protection Laws.

d. Non-Compliance Notice

Invoiced will advise Customer if Invoiced determines it can no longer meet its obligations under the applicable State Data Protection Laws.

2. Invoiced Obligations

a. Confidentiality

Invoiced will ensure through a nondisclosure agreement that any persons accessing or processing Personal Information is subject to a duty of confidentiality with respect to the Personal Information.

b. Subprocessors

Customer authorizes Invoiced to disclose or transfer Personal Information to or allow access to Customer’s Personal Information by Subprocessors (i.e., subcontractors) solely for purposes of providing the Services under the Agreement.

  • Subprocessor means any third party (including Invoiced’s Affiliates) engaged by Invoiced to process Personal Information under the Agreement.
  • Affiliate means any company controlled by or under common control with Customer, directly or indirectly, with an ownership interest of at least 50%.
  • Flow downPrior to any disclosure, Invoiced will impose on the Subprocessor, in writing, obligations concerning Personal Information substantially like those in this Agreement and consistent with Invoiced’s privacy obligations.
  • New Subprocessors and ObjectionsUpon request, Invoiced will give Customer a list of each Subprocessor used. Customer may object to Invoiced’s use of a new Subprocessor by notifying Invoiced in writing within 30 days after receipt of a notice from Invoiced regarding any new Subprocessor. If Customer objects to a new Subprocessor as permitted in the preceding sentence, Invoiced will use commercially reasonable efforts to make available to Customer a change in Services or recommend a change to Customer’s configuration or use of Services, to avoid processing of Personal Information by the objected-to new Subprocessor without unreasonably burdening Customer. If Invoiced is unable to make available such change in Services, or to recommend such a change to Customer’s configuration or use of Services that is reasonably satisfactory to Customer, within a reasonable period of time (which shall in no event exceed 30 days), Customer may terminate the applicable orders by providing written notice to Invoiced. In such event, Invoiced will refund to Customer any prepaid fees covering the remainder of the term of such orders following the effective date of termination.

c. Assistance

To the extent Customer, in its use of the Services, does not have the ability to address a consumer’s request from within the Service, Invoiced must, upon Customer’s request, and to the extent possible, provide commercially reasonable efforts to assist Customer in responding to such consumer request, to the extent Invoiced is legally permitted to do so and the response to such consumer request is required under State Data Protection Laws.

3. Customer Obligations

a. Compliance

Customer represents and warrants, in its use of the Services, that it will comply with applicable State Data Protection Laws, including any applicable requirements to provide notice to or obtain consent from consumers for processing by Invoiced. All Affiliates of Customer who use the Services will comply with the obligations of Customer set out in this addendum.

b. Quality, Legality, and Accuracy of Personal Information

Customer represents and warrants that, as having sole responsibility for the quality, legality, and accuracy of Personal Information, has obtained all necessary permissions and authorizations necessary to permit Invoiced, its Affiliates, and Subprocessors, to execute their rights or perform their obligations under this addendum.

4. Notification of Security Breach

a. Security Measures

In order to protect Customer’s Personal Information, Invoiced will (i) implement and maintain all reasonable security measures appropriate to the nature of the Personal Information including without limitation, technical, physical, administrative and organizational controls, and will maintain the confidentiality, security and integrity of such Personal Information; (ii) implement and maintain industry standard systems and procedures for detecting, preventing and responding to attacks, intrusions, or other systems failures and regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures; (iii) designate an employee or employees to coordinate implementation and maintenance of its security measures; and (iv) identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of Customer’s Personal Information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks.

b. Notice of Data Breach

If Invoiced knows or has a confirmed suspicion that Customer Personal Information has been accessed, disclosed, or acquired without proper authorization and contrary to the terms of this addendum, Invoiced will alert Customer of any such data breach within 2 business days, and immediately take such actions as may be necessary to preserve forensic evidence and eliminate the cause of the data breach. Invoiced will give highest priority to immediately correcting any data breach and devote such resources as may be required to accomplish that goal. Invoiced will provide Customer with all information necessary to enable Customer to fully understand the nature and scope of the data breach. To the extent that Customer, in its sole reasonable discretion, deems warranted, Customer may provide notice to any or all parties affected by any data breach. In such case, Invoiced will consult with Customer in a timely fashion regarding appropriate steps required to notify third parties. Invoiced will provide Customer with information about what Invoiced has done or plans to do to minimize any harmful effect or the unauthorized use or disclosure of, or access to, Personal Information.

5. Audit

a. Cooperation Regarding Assessments

Invoiced will allow, and cooperate with, reasonable assessments by Customer or Customer’s designated assessor. Alternatively, if required by the applicable State Data Protection Laws, Invoiced may arrange for a qualified and independent assessor to assess Invoiced’s policies and technical and organizational measures in support of Invoiced’s privacy obligations under State Data Protection Laws using an appropriate and accepted control standard or framework and assessment procedure for such assessments.

b. Method

Any audit conducted under this addendum by Customer will consist of examination of the most recent reports, certificates or extracts prepared by an independent auditor. If this is not sufficient in the reasonable opinion of Customer, Customer may conduct a more extensive audit which will be: (i) at Customer’s expense; (ii) limited in scope to matters specific to Customer and agreed in advance; (iii) carried out during Invoiced’s business hours and upon reasonable notice which must be not less than 4 weeks unless an identifiable material issue has arisen; and (iv) conducted in a way which does not interfere with Invoiced’s day-to-day business. Any such audit must be conducted remotely, except Customer or its regulatory agency, or both, may conduct on-site audit at Invoiced’s premises if required by the State Data Protection Laws. In no event will any audit of a Subprocessor, beyond a review of reports, certifications and documentation made available by the Subprocessor, be permitted without the Subprocessor’s consent.

c. Frequency

Customer may not perform an audit more than once in any 12-month period.

6. Deletion and Return of Personal Information

a. Destroy or Return Prior to Termination

At Customer’s request prior to termination or expiration of an order, Invoiced will delete or make available for return all Personal Information to Customer as described in the Agreement, unless retention of the Personal Information is required by a law applicable to Invoiced. Where any Personal Information is retained beyond termination, Personal Information must be treated as confidential and will no longer be actively processed.

7. General

The term of this addendum continues for the duration of the Agreement, and this addendum will automatically terminate upon the termination or expiration of the Agreement.

This addendum is governed by the terms of the Agreement between the parties. All terms not defined in this addendum have the meanings ascribed to such terms in the agreement. If there is a conflict between this addendum and the agreement the addendum governs, except that in all instances the limitation of liability and disclaimer of damages in the agreement applies. This addendum and the agreement constitute the entire agreement between the parties, and supersede all prior or contemporaneous negotiations, agreements and representations, whether oral or written, related to this subject matter. No modification or waiver of any term of this addendum is effective unless both parties sign it.