Data Processing Addendum

Exhibit A

This Exhibit A sets forth additional responsibilities and obligations of ConnexPay, LLC (“Processor”) in connection with its provision of the Payment Services (as defined in the Agreement) to Company under this Agreement, pursuant to which Processor may have access to, process or otherwise use Protected Information (as defined below) for the Purpose (as defined below), or to the extent Processor otherwise has access to Protected Information. Processor and Company are sometimes referred to, collectively, as the “Parties” and each, individually, as a “Party.”

1. Definitions.

“Affiliate” means, with respect to any specified Person, any other Person that directly, or indirectly through one or more intermediaries, Controls, is Controlled by or is under common Control with, such specified Person.

“Applicable Privacy and Data Security Laws” means all privacy, security, data protection and communications laws, rules and regulations of any applicable jurisdiction that apply to a Party's performance of its obligations under this Exhibit, in each case together with any transposing, implementing, amending or supplemental legislation.

“CCPA” means the California Consumer Privacy Act of 2018.

“Control” (including the terms “Controlling,” “Controlled by” and “under common Control with”) with respect to the relationship between or among two or more Persons, means the possession, directly or indirectly, of the power to direct or cause the direction of the management and/or policies of a Person, whether through the ownership of voting securities, by contract, or otherwise, and, without limiting the foregoing, any Person that (i) directly or indirectly has the right to vote twenty-five percent (25%) or more of the voting securities of a second Person or (ii) has the power to sell or direct the sale of twenty-five percent (25%) or more of the voting securities of a second Person, shall be deemed to Control that second Person.

“Controller” means (i) “controller” as defined under the Regulation; (ii) “business” as defined under the California Consumer Privacy Act of 2018; and (iii) any other person, company, or body that determines the purpose and means of Processing Personal Data.

“Customer” means a third party from whom Company accepts payments and/or on behalf of whom Company makes payments using the Payment Services.

“End-users” means individuals whose Personal Data is Processed by Processor through the provision to, or use by, the Company of the Payment Services, including Company's Customers and other data subjects (e.g., employees).

“EU SCCs” means Module 2 (Transfer controller to processor) of the standard contractual clauses set out in the European Commission Implementing Decision of 4 June 2021 (2021/914/EU), as updated or replaced by the European Commission from time to time.

“Person” means an individual natural person, a partnership, a corporation, a limited liability company, an association, a joint stock company, a trust, a joint venture, an unincorporated organization, a governmental entity or any other entity.

“Personal Data” means information that can be used to identify, locate, or contact an individual, alone or when combined with other personal or identifying information, that is protected under Applicable Privacy and Data Security Laws and processed in connection with the Payment Services. This includes equivalent concepts as defined by Applicable Privacy and Data Security Laws (for example, “personal” as defined under the Regulation, or “personal information” as defined under the CCPA).

“Process” or “Processing” means “process” as defined under the Applicable Privacy and Data Security Law.

“Processor” means (i) “processor” as defined under the Regulation; (ii) “service provider” as defined under the CCPA; and (iii) any other person (other than an employee of the Controller), company, or other body that Processes Personal Data as instructed by a Controller.

“Protected Information” means Personal Data.

“Purpose” means providing Company with Payment Services and providing access to, servicing, and supporting Company's use of the Payment Services.

“Regulation” means the EU General Data Protection Regulation (EU) 2016/679.

“Sub-processor” means any entity engaged by a Processor that agrees to receive from the Processor Personal Data exclusively intended for the Processing activities to be carried out as part of the Payment Services.

“Transfer Protections” means, in relation to a transfer of Personal Data from the exporting country, measures to enable the transfer to be made in compliance with Applicable Privacy and Data Security Law, including without limitation where the recipient of such data: (i) receives such data in a country that the European Commission has decided provides adequate protection for Personal Data, (ii) has achieved binding corporate rules authorization in accordance with the Regulation, (iii) has executed standard contractual clauses adopted or approved by the European Commission or UK ICO (as applicable), (iv) has in place the UK IDTA or any successor transfer mechanism approved by the UK ICO, or (v) has in place an alternative mechanism that complies with Applicable Privacy and Data Security Law for the transfer of Personal Data from the exporting country.

“UK IDTA” means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it may be revised from time to time by the UK Information Commissioner's Office.

2. Confidentiality.  As between Company and Processor, all Protected Information shall be deemed Company's confidential information and treated in accordance with the confidentiality provisions of the Agreement.  Additionally, any account passwords issued to Processor or its agents for purposes of accessing Company’s or its Affiliate’s systems shall be protected as if they were Protected Information for all purposes.

3. Limited Use and Disclosure; Compliance.  

(a) Processor agrees that at all times during the term of the Agreement and thereafter, (i) it will comply with all Applicable Privacy and Data Security Laws applicable to Processor in its capacity as a Processor in relation to Protected Information, (ii) it will reasonably cooperate with Company with respect to Company’s obligations under Applicable Privacy and Data Security Laws, including without limitation by (1) reasonably assisting Company in ensuring compliance with its obligations under Applicable Privacy and Data Security Laws, taking into account the nature of the processing and information available to Processor, (2) facilitating the exercise of any data subject’s right to access, correct, complete, receive copies of, or erase Personal Data of such data subject, or to opt out of direct marketing, profiling, automated decision making, or other processing, in each case taking into account the nature of the processing and within reasonable timeframes, (iii) Protected Information will not be utilized, stored, processed or transmitted by Processor or its subcontractors and agents for any purpose other than for the Purpose, and only in accordance with the documented instructions of Company, and (iv) it will promptly notify Company in writing if it determines that it is unable to satisfy any of its obligations under this Exhibit, including if, in Processor's opinion, an instruction from Company infringes Applicable Privacy and Data Security Laws. Neither Processor nor its subcontractors and agents shall, or shall attempt to, re-identify Protected Information that has been provided to Processor or its subcontractors and agents in a de-identified form, except for the sole purpose of determining whether the de-identification processes are compliant with Applicable Privacy and Data Security Laws. 
Without limiting the foregoing, Processor shall not disclose (and not allow any of its personnel, contractors or permitted agents or representatives to disclose) in any manner whatsoever any Protected Information to any third party without the prior written consent of Company, except as set out herein, as required by applicable law, or as necessary to provide the Payment Services.

(b) Processor will not transfer Personal Data out of the jurisdictions in which it was collected except pursuant to written instructions from Company or as necessary to provide the Payment Services. Without limiting the foregoing, Processor will transfer Personal Data to a “third country” as defined under the Regulation or an international organization only on documented written instructions from Company or as necessary to provide the Payment Services, unless required to do so by Applicable Privacy and Data Security Law to which Processor is subject; in such case, the Processor shall provide written notice to Company of such legal requirement before transferring Personal Data, unless prohibited by applicable law from providing such notice.

4. Security Measures.

(a) Without limiting Processor’s other obligations under this Exhibit, Processor shall implement and maintain appropriate technical and organizational measures designed to safeguard Protected Information against unauthorized or unlawful processing, access, copying, modification, storage, reproduction, display, or distribution, and against accidental loss, destruction, unavailability, or damage, taking into account the state of the art, costs of implementation, the nature, scope, context and purposes of processing, and the risks involved. Such measures shall: (i) comply with Applicable Privacy and Data Security Laws applicable to Processor; (ii) include appropriate administrative, technical, organizational and physical safeguards; and (iii) ensure that persons authorized to process Protected Information are subject to a duty of confidentiality.  Processor shall periodically review and, where appropriate, update such measures.

5. Notification of Data Incident and Incident Response.  

(a) If Processor experiences a confirmed Data Incident, Processor shall notify Company as required by Applicable Privacy and Data Laws. Processor shall provide Company with all reasonably available information about the Data Incident as required by Applicable Privacy and Data Security Laws, including the nature of the Protected Information affected and the number and identity of data subjects affected, to the extent available, as such information becomes available, without undue further delay.

(b) Promptly upon learning of an actual Data Incident, Processor shall take reasonable steps to stop any ongoing unauthorized access to such Protected Information, preserve relevant records and information related to such activities, and investigate the nature and scope of the incident.  Processor shall promptly take all commercially reasonable steps to contain and remediate the incident.

(c) In the event that applicable law requires that any data subjects or other affected persons be notified of a Data Incident, the Parties shall cooperate in good faith to determine the appropriate notification process, subject to applicable law. Processor shall not be required to make any notification to data subjects or third parties without Company's prior written authorization, except as required by applicable law. Each Party shall bear its own costs in connection with any Data Incident.

6. Access and Disposal.

(a) Upon Company's reasonable written request, and subject to applicable law, Processor shall within thirty (30) days provide Company with access to or delivery of the Protected Information, or any portion thereof identified by Company, being stored, processed or transmitted by Processor in connection with the Payment Services, in a structured, commonly used, machine-readable format.  Company shall bear any reasonable costs associated with such access or delivery.

(b) Processor shall retain Protected Information only for as long as necessary to fulfill the Purpose. Within thirty (30) days following the later of: (i) termination or expiration of the Agreement, or (ii) the end of any applicable retention period required by applicable law or as instructed by Company in writing, Processor shall, and shall direct each Sub-processor to, return to Company or delete the Protected Information, unless Processor is required by applicable law to retain Protected Information. Upon disposal under any circumstances, unencrypted Protected Information contained in print or electronic media is required to be securely shredded, destroyed, or modified so that it is unreadable and irretrievable. In the event applicable law does not permit Processor to comply with the delivery or destruction of the Protected Information, Processor shall notify Company in writing of the reason and shall ensure the strict confidentiality of the Protected Information and shall not use, disclose or otherwise process any Protected Information after termination of the Agreement except as required by such applicable law.

(c) If Processor receives a legally binding request from a law enforcement or government authority for disclosure of Protected Information, Processor shall, to the maximum extent permitted by applicable law, notify Company promptly in advance of any disclosure. If Processor is legally prohibited from notifying Company, Processor shall use its best efforts to request a waiver of the prohibition and shall document that request. Processor shall notify Company once the prohibition expires or is lifted. Processor agrees to furnish only that portion of the Protected Information which is legally required to be furnished.

(d) Processor shall promptly notify Company of any enquiry received by Processor from an individual relating to the individual’s rights with respect to Personal Data, and shall reasonably cooperate with Company's instructions with respect to any action taken regarding such enquiry, taking into account the nature of the processing.

7. Data Location.   Protected Information shall not be accessed, transmitted, processed or stored by Processor or its subcontractors or agents in connection with provision of the Payment Services outside of the United States, the European Economic Area, the United Kingdom, Switzerland or Canada, unless otherwise agreed in writing by the Parties or required to comply with Applicable Privacy and Data Security Laws.  Company acknowledges that processing of Protected Information may occur in the United States.

8. Indemnification. Each Party hereby agrees to indemnify, defend and hold harmless the other Party and its employees and agents from and against any and all third-party claims, actions, suits, or proceedings, including any liabilities, obligations, losses, damages, costs, fees, penalties, fines, assessments, settlements, charges or other expenses of any kind (including reasonable attorneys’ fees and legal costs) arising from third-party claims (collectively, “Claims”), where such Claims arise out of the indemnifying Party's material breach of its obligations under this Exhibit or the indemnifying Party's negligence or willful misconduct in connection with the processing of Protected Information. The Indemnifying Party shall have the right to control the defense and/or settlement of any such Claim, provided that the Indemnifying Party shall not settle any Claim that would bind the Indemnified Party to any obligation (other than payment covered by the Indemnifying Party) or require any admission of fault by the Indemnified Party, without the Indemnified Party's prior written consent, such consent not to be unreasonably withheld. The Indemnified Party shall provide the Indemnifying Party with prompt written notice of any Claim and reasonable cooperation in the defense thereof. All indemnification obligations under this Section 8 are subject to the limitation of liability set forth in Section 11.

10. Agents and Subcontractors.

(a) Processor shall maintain an up-to-date list of its subcontractors and agents that have access or exposure to Protected Information ("Subprocessor List"), which shall be made available to Company (e.g., via a URL on Processor's website or upon request). Company consents to Processor's use of its existing Sub-processors and grants Processor a general written authorization to engage Sub-processors to perform all or part of the processing activities required to provide the Payment Services. If Company subscribes to receive notifications of Subprocessor List changes, Processor shall notify Company of any intended changes to the Subprocessor List through the addition or replacement of subcontractors or agents at least thirty (30) days before the change takes effect.

(b) Subject to Section 10(a), to the extent that Processor engages any subcontractor or agent to perform services under the Agreement and such subcontractor or agent has access to any Protected Information, Processor shall contractually require each such subcontractor or agent to comply with data protection obligations substantially similar to those set forth in this Exhibit.  Processor shall remain liable for the acts and omissions of its subcontractors and agents to the same extent Processor would be liable if performing such acts or omissions itself, subject to the limitation of liability in Section 11.

11. Limitation of Liability.  TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, NEITHER PARTY SHALL BE LIABLE TO THE OTHER PARTY FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR ANY LOSS OF PROFITS, REVENUE, DATA, OR BUSINESS OPPORTUNITY ARISING OUT OF OR RELATING TO THIS EXHIBIT, REGARDLESS OF THE THEORY OF LIABILITY.  The total aggregate liability of each Party to the other Party under or in connection with this Exhibit shall not exceed the total fees paid or payable by Company to Processor under the Agreement in the twelve (12) months preceding the event giving rise to the claim (the "DPA Liability Cap").  The foregoing limitations shall not apply to (a) liability which, by applicable law, cannot be limited, or (b) either Party's liability to data subjects under Applicable Privacy and Data Security Laws.

12. Cost Allocation. Except as otherwise set forth in this Exhibit, each Party's duties under this Exhibit shall be fulfilled at such Party's own expense. Company shall bear the costs of any audits conducted pursuant to Section 4(c). Where Processor provides assistance to Company in connection with data protection impact assessments, data subject requests, or regulatory inquiries beyond what is required by Applicable Privacy and Data Security Laws, Company shall reimburse Processor for its reasonable costs incurred in providing such assistance.

13. Company Obligations. Company represents, warrants, and covenants that (a) it has and shall maintain throughout the term all necessary rights, consents, and authorizations to provide Protected Information to Processor and to authorize Processor to process Protected Information as contemplated by this Exhibit and the Agreement; (b) Company's instructions to Processor shall at all times comply with Applicable Privacy and Data Security Laws; (c) Company shall reasonably cooperate with Processor to assist Processor in performing any of its obligations under Applicable Privacy and Data Security Laws in relation to Protected Information; (d) Company shall not provide to Processor any Protected Information except through agreed mechanisms and in compliance with the Agreement; (e) Company acknowledges and agrees that Company, rather than Processor, is responsible for certain configurations and design decisions for the Payment Services and that Company is responsible for implementing those configurations and design decisions in a secure manner that complies with Applicable Privacy and Data Security Laws; and (f) Company shall not provide to Processor any personally identifiable genetic, biometric or health data, or payment card industry data (such as credit card numbers), unless specifically agreed in writing by the Parties. Company acknowledges that Processor is under no duty to investigate the completeness, accuracy, or sufficiency of any Company instructions or the Protected Information other than as required under Applicable Privacy and Data Security Laws.

14. Cross-Border Data Transfers. If Company transfers Protected Information to Processor that is subject to Chapter V of the Regulation or other Applicable Privacy and Data Security Laws requiring a data transfer mechanism, and such transfer is not subject to an alternative adequate transfer mechanism or otherwise exempt from cross-border transfer restrictions, then Company (as "data exporter") and Processor (as "data importer") agree that the applicable Standard Contractual Clauses shall apply to and govern such transfer and are hereby incorporated into this Exhibit by reference. The execution of this Exhibit shall constitute execution of the applicable Standard Contractual Clauses as of the effective date of the Agreement. The relevant module selections, clause elections, annex completion, and supplemental provisions set forth in Attachment 1 (Standard Contractual Clauses Selections) to this Exhibit shall apply. The Standard Contractual Clauses shall automatically terminate once the transfer of Protected Information governed thereby becomes lawful under Applicable Privacy and Data Security Laws in the absence of such Standard Contractual Clauses on any other basis. The Parties shall implement additional Transfer Protections as required by Applicable Privacy and Data Security Laws.

Standard Contractual Clauses — Module Selection, Elections, and Annexes

Attachment 1

1. Application of Modules. If Company is acting as a Controller with respect to Protected Information, Module Two (Transfer controller to processor) of the Standard Contractual Clauses shall apply to the relevant transfer. If Company is acting as a Processor to a third-party Controller with respect to Protected Information, Module Three (Transfer processor to processor) of the Standard Contractual Clauses shall apply and Processor shall be treated as a sub-processor for purposes of that Module.

2. Clause Elections. The Parties agree to the following elections within the Standard Contractual Clauses: (a) Clause 9(a): The Parties select Option 2 (General Written Authorisation), and the advance notice period for new sub-processors shall be the notice period set forth in Section 10(a) of this Exhibit; (b) Clause 11(a): The optional language providing for an independent dispute resolution body is omitted; (c) Clause 17: The Parties select Option 2, and the Standard Contractual Clauses shall be governed by the law of the EU Member State in which Company is established, or, if that law does not permit third-party beneficiary rights, by the law of Ireland; and (d) Clause 18(b): Disputes shall be resolved by the courts of the EU Member State whose law governs the Standard Contractual Clauses pursuant to clause (c) above.

3. Completion of Annexes. The Annexes to the Standard Contractual Clauses shall be completed as follows: (a) Annex I.A (List of Parties): The name, address, contact details, and role of Company as data exporter and Processor as data importer shall be as set forth in the Agreement and this Exhibit; (b) Annex I.B (Description of Transfer): The categories of data subjects, categories of personal data, sensitive data, frequency of transfer, nature and purposes of processing, and retention period shall be as described in the Agreement and this Exhibit; (c) Annex I.C (Competent Supervisory Authority): The competent supervisory authority shall be determined in accordance with Clause 13 of the Standard Contractual Clauses; where that determination is not clear, it shall be the supervisory authority of the EU Member State in which Company is established; and (d) Annex II (Technical and Organisational Measures): The technical and organisational measures shall be the security measures described in Section 4 of this Exhibit and the Agreement.

4. Supplemental Business-Related Clauses. In accordance with Clause 2 of the Standard Contractual Clauses, the Parties wish to supplement the Standard Contractual Clauses with the following business-related provisions, which shall not be interpreted or applied in a way that contradicts the Standard Contractual Clauses or prejudices the fundamental rights and freedoms of data subjects: (a) Instructions: The processing instructions described in Clause 8.1 of the Standard Contractual Clauses are set forth in Sections 3 and 7 of this Exhibit and the Agreement; (b) Confidentiality of Annexes: In the event a data subject requests a copy of the Standard Contractual Clauses or this Exhibit under Clause 8.3, Processor may make all redactions reasonably necessary to protect business secrets or other confidential information; (c) Deletion or Return: Deletion or return of Protected Information under the Standard Contractual Clauses shall be governed by Section 6(b) of this Exhibit; (d) Audits: Any information requests or audits provided for in Clause 8.9 of the Standard Contractual Clauses shall be fulfilled in accordance with Section 4(c) of this Exhibit; (e) Liability: The limitation of liability provisions in Section 11 of this Exhibit shall apply to Processor's liability under Clauses 12(a), 12(d), and 12(f) of the Standard Contractual Clauses to the maximum extent permitted by applicable law; and (f) Termination: The termination provisions of the Agreement shall apply to any termination pursuant to Clauses 14(f) or 16 of the Standard Contractual Clauses.

5. Transfers from the United Kingdom. If Company transfers Protected Information to Processor that is subject to UK Data Protection Laws, the Parties acknowledge and agree that: (a) the UK International Data Transfer Addendum issued by the UK Information Commissioner's Office (available at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf), as it may be revised from time to time by the UK Information Commissioner's Office (the "UK IDTA"), is hereby incorporated by reference into this Exhibit; (b) the UK IDTA shall apply to and modify the Standard Contractual Clauses solely to the extent that UK Data Protection Laws apply to Company's processing when making the relevant transfer; (c) the information required to be set forth in Part 1 (Tables) of the UK IDTA shall be completed using the information provided in this Attachment 1; and (d) either Party may terminate the UK IDTA in accordance with Section 19 thereof.

6. Transfers from Switzerland. If Company transfers Protected Information to Processor that is subject to the Swiss Federal Act on Data Protection ("Swiss FADP"), the following modifications shall apply to the Standard Contractual Clauses to the extent that the Swiss FADP governs the relevant transfer: (a) the term "EU Member State" shall not be interpreted so as to exclude data subjects in Switzerland from suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the Standard Contractual Clauses; (b) references to "Regulation (EU) 2016/679" shall be interpreted to also include the Swiss FADP; and (c) the Swiss Federal Data Protection and Information Commissioner ("FDPIC") shall act as the competent supervisory authority for transfers governed by the Swiss FADP.