Last Updated: March 23, 2023
This agreement is between Invoiced, Inc., a Delaware corporation (Invoiced), and the customer agreeing to these terms (Customer) and is incorporated into and governed by the terms of the Terms of Service Agreement between the parties.
To the extent the California Consumer Privacy Act (CCPA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), and Utah Consumer Privacy Act (UCA) (collectively, State Data Protection Laws) apply to Customer Personal Information:
Invoiced may receive Personal Information from or on behalf of Customer for the purpose of Invoiced performing automated accounts receivable services on behalf of Customer as described in the Agreement and order (Services).
Invoiced will limit Personal Information collection, use, retention, and disclosure to activities reasonably necessary and proportionate to achieve the Services.
Invoiced will not retain, use, or disclose any Personal Information provided by or on Customer’s behalf or collected by Invoiced on Customer’s behalf for any purpose other than (i) providing the Services as directed by Customer under the terms of the Agreement; (ii) verifying or maintaining the quality of the Services, and improving, upgrading or enhancing the Services; (iii) complying with Invoiced’s legal obligations; or (iv) as allowed by applicable State Data Protection Laws.
Invoiced will advise Customer if Invoiced determines it can no longer meet its obligations under the applicable State Data Protection Laws.
Invoiced will ensure through a nondisclosure agreement that any persons accessing or processing Personal Information are subject to a duty of confidentiality with respect to the Personal Information.
Customer authorizes Invoiced to disclose or transfer Personal Information to or allow access to Customer’s Personal Information by Subprocessors (i.e., subcontractors) solely for purposes of providing the Services under the Agreement.
To the extent Customer, in its use of the Services, does not have the ability to address a consumer's request from within the Service, Invoiced must, upon Customer’s request, and to the extent possible, provide commercially reasonable efforts to assist Customer in responding to such consumer request, to the extent Invoiced is legally permitted to do so and the response to such consumer request is required under State Data Protection Laws.
Customer represents and warrants, in its use of the Services, that it will comply with applicable State Data Protection Laws, including any applicable requirements to provide notice to or obtain consent from consumers for processing by Invoiced. All Affiliates of Customer who use the Services will comply with the obligations of Customer set out in this addendum.
Customer represents and warrants that, as having sole responsibility for the quality, legality, and accuracy of Personal Information, it has obtained all necessary permissions and authorizations necessary to permit Invoiced, its Affiliates, and Subprocessors, to execute their rights or perform their obligations under this addendum.
In order to protect Customer’s Personal Information, Invoiced will (i) implement and maintain all reasonable security measures appropriate to the nature of the Personal Information including without limitation, technical, physical, administrative and organizational controls, and will maintain the confidentiality, security and integrity of such Personal Information; (ii) implement and maintain industry standard systems and procedures for detecting, preventing and responding to attacks, intrusions, or other systems failures and regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures; (iii) designate an employee or employees to coordinate implementation and maintenance of its security measures; and (iv) identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of Customer’s Personal Information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks.
If Invoiced knows or has a confirmed suspicion that Customer Personal Information has been accessed, disclosed, or acquired without proper authorization and contrary to the terms of this addendum, Invoiced will alert Customer of any such data breach within 2 business days, and immediately take such actions as may be necessary to preserve forensic evidence and eliminate the cause of the data breach. Invoiced will give highest priority to immediately correcting any data breach and devote such resources as may be required to accomplish that goal. Invoiced will provide Customer with all information necessary to enable Customer to fully understand the nature and scope of the data breach. To the extent that Customer, in its sole reasonable discretion, deems warranted, Customer may provide notice to any or all parties affected by any data breach. In such case, Invoiced will consult with Customer in a timely fashion regarding appropriate steps required to notify third parties. Invoiced will provide Customer with information about what Invoiced has done or plans to do to minimize any harmful effect or the unauthorized use or disclosure of, or access to, Personal Information.
Invoiced will allow, and cooperate with, reasonable assessments by Customer or Customer’s designated assessor. Alternatively, if required by the applicable State Data Protection Laws, Invoiced may arrange for a qualified and independent assessor to assess Invoiced’s policies and technical and organizational measures in support of Invoiced’s privacy obligations under State Data Protection Laws using an appropriate and accepted control standard or framework and assessment procedure for such assessments.
Any audit conducted under this addendum by Customer will consist of examination of the most recent reports, certificates or extracts prepared by an independent auditor. If this is not sufficient in the reasonable opinion of Customer, Customer may conduct a more extensive audit which will be: (i) at Customer’s expense; (ii) limited in scope to matters specific to Customer and agreed in advance; (iii) carried out during Invoiced’s business hours and upon reasonable notice which must be not less than 4 weeks unless an identifiable material issue has arisen; and (iv) conducted in a way which does not interfere with Invoiced’s day-to-day business. Any such audit must be conducted remotely, except Customer or its regulatory agency, or both, may conduct an on-site audit at Invoiced’s premises if required by the State Data Protection Laws. In no event will any audit of a Subprocessor, beyond a review of reports, certifications and documentation made available by the Subprocessor, be permitted without the Subprocessor’s consent.
Customer may not perform an audit more than once in any 12-month period.
At Customer’s request prior to termination or expiration of an order, Invoiced will delete or make available for return all Personal Information to Customer as described in the Agreement, unless retention of the Personal Information is required by a law applicable to Invoiced. Where any Personal Information is retained beyond termination, Personal Information must be treated as confidential and will no longer be actively processed.
The term of this addendum continues for the duration of the Agreement, and this addendum will automatically terminate upon the termination or expiration of the Agreement.
This addendum is governed by the terms of the Agreement between the parties. All terms not defined in this addendum have the meanings ascribed to such terms in the agreement. If there is a conflict between this addendum and the agreement, the addendum governs, except that in all instances the limitation of liability and disclaimer of damages in the agreement applies. This addendum and the agreement constitute the entire agreement between the parties, and supersede all prior or contemporaneous negotiations, agreements and representations, whether oral or written, related to this subject matter. No modification or waiver of any term of this addendum is effective unless both parties sign it.