DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) is an addendum to the Tipalti Services Agreement (“Agreement” or “TSA”) entered into by and between Company (hereinafter referred to as “Controller”) and Tipalti (as defined under the Agreement), on behalf of itself and its Affiliates (hereinafter referred to as “Processor”). Controller and Processor shall be referred to jointly as the “Parties” and individually as a “Party”.
In addition to capitalized terms defined elsewhere in this DPA, the following terms shall have the meanings set forth opposite each one of them:
1.1. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control” for purposes of this definition means direct or indirect ownership or control of 100%.
1.2. “Controller Personal Data” means any Personal Data processed by Processor on behalf of Controller pursuant to or in connection with the TSA;
1.3. “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or supplemented, including its replacement by GDPR;
1.4. “GDPR” means EU General Data Protection Regulation 2016/679 and any subsequent amendments, replacements or supplements;
1.5. “Sub Processor” means any third party engaged directly by the Processor to process any Controller Personal Data on behalf of Controller pursuant to or in connection with the TSA. The term shall not include employees or contractors of Processor;
1.6. “Tipalti” means Tipalti Solutions, Ltd., Tipalti Payments, Inc., Tipalti, Inc. and any other Tipalti Affiliates;
1.7. “Tipalti Services” means any services provided by Tipalti to Controller pursuant to a written agreement.
1.8. The terms “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processor”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR.
1.9. Any capitalized terms not otherwise defined herein shall have the meaning given to them in the TSA.
2. SCOPE OF PROCESSING
2.1. Processor shall process Controller Personal Data as described in Annex 1 (Details of Processing of Controller Personal Data) attached hereto. Processor shall process Controller Personal Data as data processor acting on behalf of the Controller.
2.2. Controller hereby instructs Processor to (i) process Controller Personal Data for the purposes of providing Services under the TSA; and (ii) transfer Controller Personal Data to any country or territory, all as necessary for the provision of the Services. Controller authorizes Processor to instruct each Sub Processor within the scope of the above or any other future instruction from Controller.
2.3. Processor shall not process Controller Personal Data other than on the Controller’s documented instructions unless otherwise required by applicable laws. An instruction, approval, request or similar, given via the Payer platform is considered a Controller’s data processing instruction, if relevant.
2.4. Furthermore, Controller warrants and represents that it is and will at all relevant times remain duly and effectively authorized to give the instructions on behalf of each relevant Controller Affiliate.
3.0. Controller hereby grants to Processor and each Processor Affiliate a general authorization to engage Sub Processors for the purpose of providing Services.
3.1. Processor (and each Processor Affiliate) may continue to use those Sub Processors already engaged by Processor or any Processor Affiliates as of the date of this DPA. It is acknowledged and agreed that as of the date of this DPA Processor uses Amazon Web Services and Rackspace as Sub Processors for the purpose of cloud hosting services, which are subject to their respective applicable guidelines. Processor shall give Controller notice of any addition or replacement of a Sub Processor through the Tipalti website, or Controller may sign up to receive an email with such information. The Controller may, within 7 business days after the receipt of the notice, raise objections to such change through an email to firstname.lastname@example.org. If such objections are not resolved within a further 14 days, Processor, through written notice to Controller, may terminate the TSA to the extent that it relates to the Services which require the use of the proposed Sub Processor. Such termination shall have immediate effect.
3.2. Processor shall:
3.2.1. carry out adequate due diligence to ensure that a Sub Processor is capable of providing the level of protection for Controller Personal Data required by the EU Data Protection Laws; and
3.2.2. ensure that the arrangement between the Processor and the Sub Processor is governed by a written contract or other legal act including terms which offer a similar level of protection for Controller Personal Data as those set out in this DPA and meet the requirements of EU Data Protection Laws.
4.1. Processor shall ensure that all employees or contractors (“Processor Personnel”) of Processor who may have access to the Controller Personal Data, have such access only as necessary for the purposes of providing the Tipalti Services and complying with applicable laws. Furthermore, all Processor Personnel shall be subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4.2. Processor shall, in relation to the Controller Personal Data, implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, as appropriate, the measures referred to in the GDPR. In assessing the appropriate level of security, Processor shall take into account the risks that are presented by the processing, in particular from a Personal Data Breach.
5. DATA SUBJECT RIGHTS
5.1. Controller is and shall be solely responsible for compliance with any statutory obligations concerning requests to exercise Data Subject rights under EU Data Protection Laws (e.g., for access, rectification, deletion of Controller Personal Data, etc.). Processor shall reasonably assist Controller to the extent feasible in responding to requests to exercise Data Subject rights under the EU Data Protection Laws.
5.2. Processor shall:
5.2.1. promptly notify Controller if it receives a request from a Data Subject under EU Data Protection Laws in respect of Controller Personal Data; and
5.2.2. ensure that it does not respond to that request except on the documented instructions of Controller or as required by applicable laws to which the Processor is subject.
6. PERSONAL DATA BREACH
6.1. Processor shall notify Controller without undue delay upon Processor becoming aware of a Personal Data Breach affecting Controller Personal Data. Processor shall provide Controller with sufficient information to the extent in the possession of Processor to allow Controller to meet any obligations to report or inform Data Subjects or Data Protection authorities of the Personal Data Breach under the EU Data Protection Laws. Controller shall not issue any public statements regarding Processor unless Processor has first agreed in writing to the issuance of the public statement. Controller shall notify Processor in advance of any written statements it makes to regulators or law enforcement regarding Tipalti, unless otherwise prohibited by law.
6.2. Processor shall cooperate with Controller and take such commercially reasonable steps as are directed by Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach, at Controller’s sole expense.
6.3. Notwithstanding the above, Processor may take any steps to remediate or respond to a Personal Data Breach, as required by applicable law, including providing notifications to the Data Subjects and/or relevant authorities.
7. DELETION OR RETURN OF CONTROLLER PERSONAL DATA
7.1. Upon termination of the provision of Services, Processor shall promptly delete or return all copies of Controller Personal Data, except as authorized or required to be retained in accordance with applicable law.
7.2. Upon Controller’s prior written request, Processor shall provide written certification to Controller that it has fully complied with this section.
8. PROVISION OF INFORMATION
8.1. Processor shall provide reasonable assistance to Controller with any data protection impact assessments, prior consultations with Supervisory Authorities or other competent data privacy authorities, which Controller reasonably considers to be required under EU Data Protection Laws. The scope of such assistance shall be limited to the processing of the Controller Personal Data by the Processor. The Controller shall bear any of Processor’s costs associated with providing assistance under this provision.
8.2. As part of the Tipalti Services, Controller may download Controller Personal Data through the Tipalti Services (“Data Portability Right”). This Data Portability Right shall be provided as part of the service at no additional charge to the Controller.
9. AUDIT RIGHTS
9.1. Processor shall make available to Controller, upon prior written request, all information necessary to reasonably demonstrate compliance with this DPA. Processor may provide industry-standard third-party audit certifications to demonstrate compliance.
9.2. Processor shall allow for and contribute to audits, including inspections, by a reputable auditor mandated by the Controller. The scope, duration and methods of such audit will be determined by both parties in good faith. In any event, a third-party auditor shall be subject to confidentiality obligations. Processor may object to the selection of the auditor if it reasonably believes that an auditor does not guarantee confidentiality, security or otherwise puts at risk the Processor’s business.
9.3. Provision of information and audits are at Controller’s sole expense.
10.1. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall either be (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
11. DPA EXECUTION
11.1. Automatic Execution Option. This DPA amends and forms part of your Tipalti Services Agreement. This DPA has been electronically pre-executed by Tipalti and shall become effective as of May 25, 2018.
11.2. Physical Execution Option. In the event that Company prefers to physically execute this DPA, Company should print it out, sign it, and send it to email@example.com. Physical execution is not required.
Annex 1: Details of Processing of Controller Personal Data
This Annex 1 includes certain details of the processing of Controller Personal Data.
Subject matter: processing of the Controller owned Personal Data for the purposes of providing Tipalti Services.
Duration of the processing: so long as Tipalti Services are provided, including through Tipalti’s retention period.
The nature and purpose of the processing: providing software and payment services.
Types of personal data processed: contact information, payment method, payment data, tax information, identification, and any other information received from Payor or its Payees.
Categories of data subjects: natural persons and entities to whom Controller sends payments.