DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) is part of the Tipalti Services Agreement or other underlying services agreement between Tipalti’s customer (“Customer”) and Tipalti (as defined under the Tipalti Services Agreement ) or its Affiliates (the “Agreement”). Tipalti and its Affiliates are hereinafter referred to as “Service Provider”. By agreeing to the underlying Agreement into which this DPA is incorporated, Customer acknowledges that it has read and understood and agrees to comply with this DPA, and is entering into a binding legal agreement with Tipalti to reflect the parties’ agreement with regard to the Processing of Personal Data subject to Data Protections Laws (as such terms are defined below). Both parties shall be referred to as the “Parties” and each, a “Party”.
Service Provider provides the services set forth in the Agreement (collectively, the “Services”) for Customer; and
In the course of providing the Services pursuant to the Agreement, Service Provider may process Personal Data (as defined below) on behalf of the Customer, in the capacity of a Processor (defined below). The Parties wish to set forth the arrangements concerning the processing of Personal Data within the context of the Services, each acting reasonably and in good faith.
The parties hereby agree as follows:
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including, but not limited to, the EU General Data Protection (“GDPR”), the UK GDPR and Data Protection Act (2018) and the California Consumer Privacy Act of 2018 and California Privacy Rights Act (“California Privacy Laws”), when effective, and each as may be amended from time to time.
“EEA” means the Member States of the European Union, as well as Iceland, Liechtenstein, and Norway.
“EEA Restricted Transfer” means a transfer (or onward transfer) to a non-Adequate Country of Personal Data originating in the EEA that is subject to the GDPR, where any required adequacy means can be met by entering into the EEA Standard Contractual Clauses.
“EEA Standard Contractual Clauses” means the standard contractual clauses annexed to the Commission Implementing Decision (EU) (2021/914) of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as entered into by the parties under this DPA.
“Personal Data” means any information relating to an identified or identifiable natural person, and as defined in the applicable Data Protection Laws.
“Process(ing)” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Sub-processor” means any Processor engaged directly by the Processor to Process Personal Data on behalf of the Controller.
“Switzerland Restricted Transfer” means a transfer (or onward transfer) to a non-Adequate Country of Personal Data originating in Switzerland that is subject to the Swiss Federal Data Protection Act, where any required adequacy means can be met by entering into the EEA Standard Contractual Clauses in localised form.
“Swiss Standard Contractual Clauses” means the applicable standard data protection clauses issued, approved or recognised by the Swiss Federal Data Protection and Information Commissioner.
“UK Addendum” means the UK Addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner in force 21 March 2022 under S119A(1) Data Protection Act 2018 for UK Restricted Transfers, as entered into by the parties under this DPA.
“UK Restricted Transfer” means a transfer (or onward transfer) to a Non-Adequate Country of Personal Data originating in the United Kingdom that is subject to GDPR where any required adequacy means can be met by entering into the UK Addendum.
“UK Standard Contractual Clauses” means the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR.
The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processor” and “Supervisory Authority” have the meaning set forth in the GDPR.
Any capitalized terms not otherwise defined herein have the meaning given to them in the respective Agreement.
2. Processing Of Personal Data
2.1. Roles of the Parties. The Parties acknowledge that with regard to the Processing of Personal Data on behalf of Customer to provide the Services, Customer is the Controller, and Service Provider is a Processor. Customer authorizes Service Provider to engage Sub-processors in accordance with the terms of this DPA in provision of the Services.
2.2. Customer’s Processing of Personal Data. Customer shall, in its use of the Services and in providing instructions for Processing, Process Personal Data in accordance with the requirements of Data Protection Laws and always comply with the obligations applicable to data controllers (including, without limitation, Article 24 of the GDPR). Customer shall have sole responsibility for how Customer acquired Personal Data. Without limitation, Customer shall comply all transparency-related obligations including, without limitation, displaying any and all relevant and required privacy notices or policies, and shall obtain and maintain any and all required legal bases in order to collect, Process and transfer the Personal Data to Service Provider and to authorize the Processing of the Personal Data by Service Provider.
2.3. Scope of Processing.
(a) Subject to the Agreement, Service Provider shall Process Personal Data only in accordance with Customer’s documented instructions, and as necessary for the performance of the Services under the Agreement, unless otherwise required by applicable law. For legally required Processing, Service Provider shall inform the Customer of the legal requirement before Processing, unless that law prohibits disclosure of such information on important grounds of public interest. The duration of the Processing, the nature and purposes of the Processing, as well as the types of Personal Data Processed and categories of Data Subjects under this DPA are further specified in Schedule 1 to this DPA.
(b) To the extent that Service Provider cannot comply with a request (including, without limitation, any instruction, direction, code of conduct, certification, or change of any kind) from Customer and/or its authorized users relating to Processing of Personal Data or where Service Provider considers such a request to be unlawful, then (1) Service Provider shall inform Customer, providing relevant details of the problem, (2) Service Provider may, without any kind of liability towards Customer, temporarily cease all Processing of the affected Personal Data (other than securely storing the data), and (3) if the Parties do not agree on a resolution to the issue in question and the costs thereof, each Party may, as its sole remedy, terminate the Agreement and this DPA with respect to the affected Processing, and Customer shall pay to Service Provider all the amounts owed to Service Provider as of the date of termination. Customer will have no further claims against Service Provider (including, without limitation, requesting refunds for Services) due to the termination of the Agreement and/or the DPA arising from this section (excluding the obligations relating to the termination of this DPA set forth below).
(c) Service Provider is not liable for any claim brought by a third party, including, without limitation, a Data Subject, arising from any act or omission of Service Provider to the extent resulting from Customer’s instructions.
2.4. Service Provider Personnel. Service Provider shall grant access to the Personal Data to persons under its authority (including, without limitation, its personnel) only on a need-to-know basis and ensure that such persons engaged in the Processing of Personal Data have committed themselves to confidentiality. Service Provider may also disclose and Process the Personal Data (1) to the extent required by a court of competent jurisdiction or other Supervisory Authority and/or otherwise as required by applicable laws or applicable Data Protection Laws, and (2) on a need-to-know basis under an obligation of confidentiality to its legal counsels, data protection advisors, and accountants.
2.5. Data Processor Obligations. Service Provider will take all measures required pursuant to Articles 30 of the GDPR (including but not limited to security of Processing) necessary for the provision of the Service. Upon Customer’s request, Service Provider will provide Customer with reasonable cooperation and assistance as needed to fulfill Customer’s obligation to carry out a data protection impact assessment, or to otherwise meet its obligations under Article 28 of the GDPR related to the Customer’s use of the Service. Service Provider shall provide reasonable assistance to Customer in response to any request made by a supervisory authority under the GDPR.
2.6. California Privacy Laws Obligations. The parties acknowledge and agree that Tipalti is a Service Provider for the purposes of the California Privacy Laws. Tipalti certifies that it understands the rules, restrictions, requirements and definitions of the California Privacy Laws. Tipalti (a) acknowledges and confirms that it does not receive any Personal Information from Company as consideration for any services or other items provided to Company and (b) agrees to refrain from taking any action that would cause any transfers of Personal Information from Tipalti to a third party to qualify as a Sale or unauthorized Sharing of Personal Information under the California Privacy Laws. The terms “Service Provider”, “Sale”, and “Sharing” are as defined in the California Privacy Laws.
3. Rights Of Data Subjects
3.1. Customer is and shall be solely responsible for compliance with any statutory obligations concerning requests to exercise Data Subject rights under Data Protection Laws (e.g., for access, rectification, deletion of Customer Personal Data, etc.)
3.2. If Service Provider receives a request from a Data Subject to exercise its rights under Data Protection Laws (“Data Subject Request”), Service Provider shall, to the extent legally permitted, promptly notify and forward the Data Subject Request to Customer. Taking into account the nature of the Processing, Service Provider shall reasonably assist Customer to the extent feasible in responding to requests to exercise Data Subject rights under the Data Protection Laws. Service Provider will not respond to a Data Subject Request except on the documented instructions of Customer or as required by applicable law, except to confirm that such request relates to Customer.
4.1. Authorization. Service Provider may continue to use those Sub-processors it has already engaged as of the date of this DPA. Service Provider shall use only Sub-processors who maintain at least the same level of security measures and adequate safeguards as required under this DPA and who have entered into a written agreement with Service Provider containing such safeguards. Upon Customer’s request, Service Provider will provide Customer with a list of Sub-processors. Service Provider shall provide notification of any new Sub-processor(s) before authorizing such new Sub-processor(s) to Process Personal Data in connection with the provision of the Services.
4.2. Objection Right for New Sub-processors. Service Provider shall give Customer at least 7 days’ notice of any addition or replacement of a Sub Processor through the Tipalti website, or Customer may sign-up to receive an email with such information by emailing firstname.lastname@example.org. The Customer may, within 7 business days after the receipt of the notice, raise objections to such change through an email to email@example.com. If such objections are not resolved within further 14 days, Service Provider, through written notice to Customer, may terminate the TSA to the extent that it relates to the Services which require the use of the proposed Sub Processor with immediate effect. Customer may continue using Services that are not related to the use of the proposed Sub Processor. Upon termination, Customer shall pay all amounts due under the Agreement before the termination date to Service Provider. Until a decision is made regarding the new Sub-processor, Service Provider may temporarily suspend the Processing of the affected Personal Data. Customer will have no further claims against Service Provider due to (1) the temporary suspension of the Processing and/or (2) the termination of the Agreement (including, without limitation, requesting refunds) and/or the DPA in the situation described in this paragraph.
5.1. Controls for the Protection of Personal Data. Taking into account the state of the art, Service Provider shall maintain appropriate technical and organizational measures required pursuant to the Data Protection Laws for ensuring the security, confidentiality, and integrity of Customer’s Personal Data, as set out in Schedule 2. Service Provider will reasonably cooperate with Customer to provide the information necessary for Customer to assess the security of the Services for Customer’s compliance with Data Protection Laws.
5.2. Third-Party Certifications and Audits. Upon Customer’s written request but no more than once annually, Service Provider shall make available to Customer (or Customer’s independent, third-party auditor) a copy of Service Provider’s then-most-recent third-party audits or equivalent certifications, as applicable. Customer shall only use such audits, certifications and the results therefrom, including the documents reflecting the outcome of the audit and/or the certifications, to assess compliance with this DPA, and not for any other purpose. Customer shall not disclose such information to any third party without Service Provider’s prior written approval. At Customer’s cost and expense, Service Provider shall allow for and contribute to audits conducted by the Customer or another auditor mandated by the Customer, provided that the parties agree in advance on the scope, methodology, timing and conditions of such audits and inspections. Service Provider may object to the selection of the auditor if it reasonably believes that an auditor does not guarantee confidentiality, security, or otherwise puts the Service Provider’s business at risk. These audits and inspections are limited to once a year, during ordinary business hours. Customer will not have access to any third-party confidential information and Customer shall not harm, and shall minimize disruption to, Service Provider’s premises and personnel.
6. Personal Data Breach Procedures
6.1. Service Provider shall notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data Processed by Service Provider or its Sub-processors.
6.2. Service Provider shall make reasonable efforts to identify the cause of such Personal Data Breach and take those steps as Service Provider deems necessary and reasonable to remediate the Personal Data Breach, and as required by applicable law. The obligations herein do not apply to incidents that are caused by Customer or Customer’s users. Service Provider shall provide Customer with sufficient information about the Personal Data Breach, including a brief description of the incident, the nature of the breach, the date it occurred and if known, the type of data involved. Customer shall not issue any public statements unless Service Provider has first agreed in writing to the issuance of the public statement. Customer shall notify Service Provider in advance of any written statements it makes to regulators or law enforcement regarding Service Provider, unless otherwise prohibited by law.
7. Return And Deletion of Personal Data
7.1. Subject to the Agreement, Service Provider shall, at the request of Customer, delete or return the Personal Data to Customer after termination of the provision of the Services, and shall delete existing copies, except as authorized or required to be retained in accordance with applicable law. If the Customer requests the Personal Data to be returned, the Personal Data will be returned in the format and method generally available for Service Provider’s customers.
8. Transfers Of Data
8.1. Customer acknowledges and accepts that the provision of the Services under the Agreement may require the processing of Personal Data by sub-processors in countries outside the EEA, Switzerland or the United Kingdom (“UK”). To the extent such processing of Personal Data by Service Provider requires Service Provider to act as a data exporter in connection with a transfer of Personal Data to such sub-processors outside the EEA, Switzerland or the UK, then Service Provider will comply with the requirements of Data Protection Laws to effectuate such transfer.
8.2. Transfers to countries that offer adequate level of data protection. Personal Data may be transferred from the EEA, Switzerland and the UK to countries that offer adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA (including the Commission), Switzerland, or the UK (“Adequacy Decisions”), without any further safeguards being necessary.
8.3. EEA Restricted Transfers. If the Processing of Personal Data includes transfers from the EEA to countries outside the EEA that do not offer adequate level of data protection or that have not been subject to an Adequacy Decision (“Other Countries”), the Parties shall comply with Chapter V of the GDPR, including, if necessary, executing the EEA Standard Contractual Clauses, which are incorporated herein by reference and will apply to any transfers not covered by other legal mechanisms for the transfer of Personal Data, and completing a Transfer Impact Assessment with Customer. Service Provider will comply with the appropriate legal mechanisms provided for in the GDPR when transferring Personal Data to such Other Countries. The EEA Standard Contractual Clauses will not apply to Personal Data that is not transferred, either directly or via onward transfer, outside the EEA. For the purpose of any such transfers form the EEA to countries outside the EEA, the EEA Standard Contractual Clauses will be completed as follows:
(a) Customer will be considered the “Data Exporter” and “Controller”, and Service Provider will be considered the “Data Importer” and “Processor”.
(b) Module 2 of the EEA Standard Contractual Clauses shall apply.
(c) in Clause 7, the optional docking clause will apply;
(d) in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes shall be as set out in clause 4.2 of this DPA;
(e) in Clause 11, the optional language will not apply;
(f) in Clause 17, Option 1 will apply, and the EEA Standard Contractual Clauses will be governed by the law of the Netherlands;
(g) in Clause 18(b), disputes shall be resolved before the courts of the Netherlands, unless otherwise agreed between the Parties;
(h) Annex I of the EEA Standard Contractual Clauses shall be deemed completed with the information set out in Schedule 1 to this DPA, as applicable; and
8.4. Subject to clause 5 of this DPA, Annex II of the EEA Standard Contractual Clauses shall be deemed completed with the information set out in Schedule 2 to this DPA. UK Restricted Transfers. If and to the extent Service Provider’s performance of the Services involve a UK Restricted Transfer, the terms of this Section 8.4 will apply with respect to such UK Restricted Transfer(s). Where Service Provider is located in Other Countries and acts as the data importer with respect to a UK Restricted Transfer, the EEA Standard Contractual Clauses will apply as amended by the UK Addendum and Part 1 of the UK Addendum shall be populated as set out below:
(a) Table 1. The “start date” will be the date this DPA enters into force. The “Parties” are Customer as exporter and the Service Provider as importer.
(b) Table 2. The “Transfer Details” are set out in the Agreement between the Parties.
(c) Table 3. The “Appendix Information” is as set out in Schedule 1 and Schedule 2 of this DPA.
(d) Table 4. The exporter may end the UK Addendum in accordance with its Section 29. Unless the EEA Standard Contractual Clauses, implemented as described above, cannot be used to lawfully transfer such Personal Data in compliance with the UK GDPR in which case the UK Standard Contractual Clauses shall instead be incorporated by reference and form an integral part of this DPA and shall apply to such transfers. Where this is the case, the relevant Annexes or Appendices of the UK Standard Contractual Clauses shall be populated using the information contained in Schedule 1 and 2 of this DPA (as applicable).
8.5. Switzerland Restricted Transfers. If and to the extent Service Provider’s performance of the Services involve a Switzerland Restricted Transfer, the terms of this Section 8.5 will apply with respect to such Switzerland Restricted Transfer(s). Where Service Provider is located in Other Countries and acts as the data importer with respect to a Switzerland Restricted Transfer the EEA Standard Contractual Clauses will apply in accordance with clause 8.3 above, with the following modifications:
(a) any references in the EEA Standard Contractual Clauses to “Directive 95/46/EC” or “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss Federal Data Protection Act;
(b) references to “EU”, “Union”, “Member State” and “Member State law” shall be interpreted as references to Switzerland and Swiss law, as the case may be; and
(c) references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the Swiss Federal Data Protection and Information Commissioner and competent courts in Switzerland, unless the EEA Standard Contractual Clauses, implemented as described above, cannot be used to lawfully transfer such Personal Data in compliance with the Swiss Federal Data Protection Act in which case the Swiss Standard Contractual Clauses shall instead be incorporated by reference and form an integral part of this DPA and shall apply to such transfers. Where this is the case, the relevant Annexes or Appendices of the Swiss Standard Contractual Clauses shall be populated using the information contained in Schedule 1 and 2 to this DPA (as applicable).
9.1. This DPA automatically terminates upon the termination or expiration of the Agreement under which the Services are provided. Sections 2.2, 2.3(c), and 10 survive the termination or expiration of this DPA for any reason. This DPA cannot, in principle, be terminated separately from the Agreement, except where the Processing ends before the termination of the Agreement, in which case, this DPA will automatically terminate.
10.2. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA will remain valid and in force. The invalid or unenforceable provision will either be (1) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (2) construed in a manner as if the invalid or unenforceable part had never been contained therein.
11.1 This DPA may be amended at any time by a written instrument duly executed or signed by each of the Parties. Notwithstanding the foregoing, Service Provider reserves the right to amend the terms of the Agreement, at its sole discretion, where such amendment is required by applicable law, as determined by Service Provider.
12. Legal Effect
12.1. This DPA only becomes legally binding between Customer and Service Provider after it, or the Agreement into which it is incorporated, has been executed by both parties’ authorized signatories or representatives. Any Service Provider obligation hereunder may be performed (in whole or in part), and any Service Provider right (including invoice and payment rights) or remedy may be exercised (in whole or in part), by an Affiliate of Service Provider.
12.2. This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws, the EEA Standard Contractual Clauses, or the UK IDTA, as applicable.
SCHEDULE 1 – DETAILS OF THE PROCESSING
Service Provider will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further instructed by Customer in its use of the Services.
Nature and Purpose of Processing
1. Providing the Services to Customer, including conducting accounts payable operations, invoice management, including processing and approvals.
2. Performing the Agreement, this DPA and/or other contracts executed by the Parties.
Duration of Processing
Subject to this DPA and the underlying Agreement, Service Provider will Process Personal Data for the duration of the Agreement, and in accordance with applicable laws and relevant data retention periods.
Frequency of the transfer
The Personal Data will be transferred on a continuous basis.
Type of Personal Data
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
- Customer’s name, address, phone number, email address, bank details, department role and grade, URL/website, to the extent that such information contains Personal Data
- Payment information realized via Service Provider’s Services, to the extent that such information contains Personal Data, such as
- Any other information received from Customer to the extent that such information contains Personal Data of Customer or its users.
The Customer and the Data Subjects shall provide the Personal Data to Service Provider by supplying the Personal Data to Service Provider’s Service(s) and/or personnel.
In some limited circumstances Personal Data may also come from other sources, for example, in the case of anti-money laundering research, fraud detection or as required by applicable law.
Categories of Data Subjects
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
- Customer’s users authorized by Customer to use the Services and natural person or entitles to whom Customer sends payments
- Employees, agents, advisors, freelancers of Customer (who are natural persons)
- Prospects, customers, business partners, and vendors of Customer (who are natural persons)
- Employees or contact persons of Customer’s prospects, customers, business partners and vendors
SCHEDULE 2 – TECHNICAL AND ORGANIZATIONAL MEASURES
Tipalti will maintain administrative, technical and organizational security measures to safeguard the security, confidentiality and integrity of Personal Data. The specific measures that Tipalti implements are detailed as follows.
Customer Data is encrypted in transit and encrypted at rest (and remains encrypted at rest). The connection to the Services is encrypted with AES-256 encryption and supports TLS 1.2 and above. Logins and sensitive data transfer are performed over encrypted protocols such as TLS. All servers in Tipalti’s environment protected by an active anti-malware software where supported, a network anti-malware component and intrusion detection system.
Tipalti maintains an information security program, which includes: (a) having a security risk program; (b) conducting periodic risk assessments of all systems and networks that process Customer Data on at least an annual basis; (c) monitoring for security incidents and maintaining a tiered remediation plan to ensure timely fixes to any discovered vulnerabilities; (d) a written information security policy and incident response plan that explicitly addresses and provides guidance to its personnel in furtherance of the security, confidentiality, integrity, and availability of Customer Data; (e) penetration testing performed by a qualified third party on an annual basis; and (f) having resources responsible for information security efforts.
Tipalti takes daily snapshots of its databases and securely copies them to a separate data center for restoration purposes in the event of a regional AWS failure. Backups are encrypted and have the same protection in place as production.
On an annual basis, Tipalti performs on its own and engages third-parties to perform a variety of testing to protect against unauthorized access to Customer Data and to assess the security, reliability, and integrity of the Services. To the extent Tipalti determines, in its sole discretion, that any remediation is required based on the results of such testing, it will perform such remediation within a reasonable period of time taking into account the nature and severity of the identified issue. As of the Effective Date, Tipalti undergoes a SOC 2 Type II audit on an annual basis with respect to the suitability of its controls. Tipalti makes our SOC 2 Report available to all Customers upon request.
Access Management and Control
Access to manage Tipalti’s AWS environment requires multi-factor authentication, access to the Service is logged, and access to Customer Data is restricted to a limited set of approved Tipalti employees. Employees are trained on documented information security and privacy procedures. Every Tipalti employee signs a data access policy that binds them to the terms of Tipalti’s data confidentiality policies and access to Tipalti systems is promptly revoked upon termination of employment.
Tipalti uses Amazon Web Services (AWS) to provide management and hosting of production servers and databases in the United States. AWS employs a robust physical security program with multiple certifications, including SSAE 16 and ISO 27001 certification.
Data Minimization and Retention
Tipalti only collects information that is necessary in order to provide the Services outlined in our Terms of Service. Our employees are directed to access only the minimum amount of information necessary to perform the task at hand.