1.1. In this Addendum, unless the context otherwise requires:
“Data Protection Laws” means all applicable European Union and UK laws and regulations governing the use or processing of personal data, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and any national laws implementing or supplementing or superseding the foregoing; “binding corporate rules”, “controller”, “data subject”, “personal data”, “personal data breach”, “processing”, “processor”, “pseudonymisation” and “supervisory authority” have the meanings given to them in Data Protection Laws and the term “supervisory authority” shall be deemed to include the UK Information Commissioner;
“European Law” means European Union law, member state law and/or the law in any part of the UK;
“International Transfer” means a transfer of Relevant Data from the European Union or the UK to a third country or international organisation;
“Relevant Data” means all Customer Data: (i) which relate to a data subject; and (ii) in respect of which you (the Customer) are the controller; and (iii) which will be processed by us on your behalf in connection with the Agreement, as more particularly described in Schedule 1 (Specification of processing);
“Security Incident” means a personal data breach in respect of the Relevant Data;
“Sub-processor” means another processor engaged by us; and
“Your Data Responsibilities” means your protection responsibilities under or in connection with the Agreement, including:
and otherwise complying with your controller obligations under applicable Data Protection Laws.
1.2. In this Addendum, references to “Services” include as applicable any “Apps”, “Cloud Solution Services”, “Module”, “Product”, “Program”, “Service”, “Software”, “Solution” or “Support” as defined in the Agreement and references to our “website” include as applicable any “Website” defined in the Agreement.
1.3. Where there is any inconsistency between the terms of this Addendum and any other term of the Agreement, the terms of this Addendum shall take precedence.
2.1. The parties acknowledge that, for the purposes of the Agreement, you are the controller and we are the processor of the Relevant Data. Details of the processing of Relevant Data we shall carry out for you are set out in Schedule 1 (Specification of processing), which you agree that you have checked and confirmed as correct or have changed as necessary to reflect the processing of Relevant Data under the Agreement. If you have changed Schedule 1 (Specification of processing), it is your responsibility to provide it to us and to agree the changes with us before you enter into the Agreement. The parties may update Schedule 1 (Specification of processing) during the term of the Agreement, in accordance with the Agreement or by mutual written agreement, to reflect changes in processing or for other reasons. Each updated version shall form part of the Addendum.
2.2. You warrant and represent that:
2.2.1. you will comply, and will ensure that your instructions for the processing of Relevant Data will comply, with Data Protection Laws;
2.2.2. you are authorised by the relevant data subjects, or are otherwise permitted pursuant to Data Protection Laws, to disclose the Relevant Data to us;
2.2.3. you will, where necessary, and in accordance with Data Protection Laws, obtain all necessary consents and rights and provide all necessary information and notices to data subjects in order for:
(i) you to disclose the Relevant Data to us; and
(ii) us to process the Relevant Data for the purposes set out in the Agreement and this Addendum and in accordance with Data Protection Laws; and
2.2.4. your instructions to us and/or to any Sub-processor(s) relating to processing of Relevant Data will not put us or any Sub-processor(s) in breach of Data Protection Laws.
2.3. You acknowledge and agree that we may be required or permitted by European Law to disclose certain personal data or other information relating to you, the Services and/or the Agreement to third parties. We may also be required by European Law to process the Relevant Data other than on your documented instructions under paragraph 1.1. If that happens, we will inform you of that legal requirement before the processing, unless that legal requirement or law prohibits us from doing so on important grounds of public interest. Where we are prohibited from informing you of the legal requirement, and/or where we are subject to an ongoing legal requirement to process, you give us general authorisation and consent to carry out that processing without your specific authorisation or consent. Just to be clear, that authorisation/consent is from you as a business Customer: it is not consent from you as an individual under the GDPR.
2.4. Where we assist you with your compliance with data protection requirements or where we otherwise assist you under or pursuant to this Addendum, we reserve the right to charge you on the basis of our standard applicable pricing. In addition you will be responsible for the cost of engaging any third-party auditor you wish to commission to conduct an audit. You will reimburse us for all additional costs and liabilities incurred by us resulting from any failure or delay(s) by you to comply with your obligations under this Addendum. Nothing in this paragraph4 shall affect our rights to charge you under the Agreement.
3.1. We shall:
3.1.1. Lawful Instructions: except as indicated in paragraph 3 and paragraph 5.1.5, only process the Relevant Data in accordance with your documented instructions including with regard to International Transfers; you hereby instruct us to process the Relevant Data in order to provide the Services and in accordance with any other instructions set out in the Agreement; nothing in this paragraph 3.1.1 will permit you to vary our obligations and/or any instructions under the Agreement other than with our prior written agreement; if we reasonably consider that any of your instructions may put us and/or any Sub-processor(s) in breach of Data Protection Laws and/or any provision of the Agreement, we shall be entitled not to carry out that processing and will not be in breach of the Agreement or otherwise liable to you as a result of our failure to carry out or delays in carrying out that processing;
3.1.2. Security of Processing: implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks that are presented by processing (in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Relevant Data), taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Relevant Data, as well as the risk of varying likelihood and severity for the rights and freedoms of the data subjects, and including, as and where appropriate, measures to ensure:
(a) the pseudonymisation and/or encryption of the Relevant Data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability of and access to the Relevant Data in a timely manner in the event of physical or technical incident; and
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing;
3.1.3. take steps to ensure that any natural person acting under our authority who has access to Relevant Data does not process them except on your instructions, unless he or she is required to do so by European Law; and
3.1.4. operate, maintain and enforce an information security management programme (“Security Programme”) which is consistent with recognised industry practice; the Security Programme contains appropriate administrative, physical, technical and organisational safeguards, policies and controls in the following areas:
Information security policies
• Organisation of information security
• Human resources security
• Asset management
• Access control
• Physical and environmental security
• Operations security
• Communications security
• System acquisition, development and maintenance
• Supplier relationships
• Information security incident management
• Information security aspects of business continuity management
• Legislative, regulatory and contractual compliance;
3.1.5. Assistance in Compliance: taking into account the nature of the processing, assist you by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of your obligation to respond to requests by data subjects exercising their rights under Data Protection Laws; please note that if we assist you in responding to requests, including the provision of tools or reports within the Services to support your searches, we give no warranty and make no representation as to the compliance of the nature and scope of the search with applicable Data Protection Laws, nor do we warrant or represent the accuracy or completeness of the output of our assistance: it is your responsibility, and not our responsibility, to determine the nature and scope of the search, validate the output and ensure that your response to the data subject is compliant in all respects with applicable Data Protection Laws, as further referred to in paragraph 7;
3.1.6. assist you in ensuring compliance with the obligations in Data Protection Laws in respect of security of processing, notification of a Security Incident to a supervisory authority, communication of a Security Incident to the data subject, data protection impact assessments and prior consultation, taking into account the nature of processing and the information available to us;
3.1.7. notify you without undue delay after we become aware of a Security Incident;
3.1.8. Staff Confidentiality Obligations: ensure that our staff who are authorised to process the Relevant Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and
3.1.9. Return or Deletion of Relevant Data: at your option (to be exercised by written notice from you) delete or return to you, all the Relevant Data after the end of the provision of the Services relating to the processing, and (in the case of return), delete existing copies of the Relevant Data unless any European Law requires us to store the Relevant Data; however we will be entitled to retain any Relevant Data which: (a) we have to keep to comply with any applicable laws; (b) we are required to keep for insurance, accounting, taxation, legal, regulatory or record keeping purposes; or (c) is necessary to investigate and resolve performance or security issues, and this Addendum will continue to apply to retained Relevant Data; notwithstanding any provision to the contrary in the Agreement, we shall be entitled to delete the Relevant Data in accordance with our normal data cleansing policies; in respect of Relevant Data which are archived/backed up, you instruct us to retain those archived/backed up Relevant Data in accordance with the typical period for which those Relevant Data are archived/backed up by us for the Services in question.
4.1. Without prejudice to any provisions in the Agreement relating to sub-contracting, you hereby give your general written authorisation to us engaging Sub-processors to process the Relevant Data. Where the Sub-processor is in a third country, you hereby instruct us to make an International Transfer under paragraph 5.
4.2. We shall respect the conditions referred to in Article 28(2) GDPR for engaging a Sub-processor.
4.3. If we appoint a Sub-processor, we will put a written contract in place between us and the Sub-processor that specifies the Sub-processor’s processing activities and imposes on the Sub-processor substantially similar terms, appropriate to the sub-processing they will undertake. If that Sub-processor fails to fulfil its data protection obligations, we shall remain liable to you for the performance of that Sub-processor's obligations.
5.1. We shall only make an International Transfer to a recipient:
5.1.1. on the basis of an adequacy decision made under Data Protection Laws;
5.1.2. on the basis of appropriate safeguards that are in place, and you agree to execute any documents (including data transfer agreements) relating to that International Transfer which we request that you to execute from time to time for that purpose;
5.1.3. on the basis of binding corporate rules approved by a competent supervisory authority; or
5.1.4. on the basis of an applicable derogation in Data Protection Laws
which in each case applies to the International Transfer in question; or
5.1.5. if we are required to make the International Transfer to comply with European Law, in which case we will notify you of the legal requirement prior to that International Transfer unless the European Law prohibits us from notifying you on public interest grounds. Where we are prohibited from informing you of the legal requirement, and/or where we are subject to an ongoing legal requirement to transfer, you (a business Customer) give us general authorisation and consent to carry out that transfer without your specific authorisation or consent.
5.2. You acknowledge and agree that you shall be responsible, and we shall not be responsible, for the compliance of any International Transfers that occur when Users access the Services through a browser from a third country or international organisation, as further referred to in paragraph 7.
6.1. At your reasonable request and subject to you (and any third-party auditor) entering into an appropriate confidentiality agreement, we shall:
6.1.1. make available to you such information as may reasonably be necessary to demonstrate compliance with the obligations for processor agreements laid down in Data Protection Laws; and
6.1.2. subject to paragraphs 3 and 6.4 below, allow you (or an independent, third-party professional auditor mandated by you and acceptable to us, both of us acting reasonably) to conduct an audit, including inspection, of our processing of Relevant Data pursuant to the Agreement, and contribute to that audit,
except that you agree that nothing in this paragraph 6.1 shall require us to act in breach of an obligation of confidentiality owed to a third party.
6.2. With respect to paragraph 6.1, we shall immediately inform you in writing, but without any obligation to monitor or enquire as to the legality of your instructions or to give legal advice if, in our opinion, to follow an instruction given by you would give rise to a breach of applicable Data Protection Laws.
6.3. Where we have commissioned audit report(s) which we offer to make available to you, you agree that you may only proceed with your own audit/inspection if, acting in good faith, you are reasonably dissatisfied with the audit report(s), and that your own audit/inspection is subject to our rights in paragraph 4. You must coordinate with us on the timing and scope of any such audit/inspection and refrain from any act or omission that could lead to the degradation, overload or unavailability of the Services. The scope of your audit must exclude other customers’ data. Any testing, probing or scanning tools used on our infrastructure must be pre-approved by us. You must not and must instruct any third-party auditor not to) include in your audit report any sensitive information that could be used by a third party to the detriment of the security of the Services (including, but not only, details of vulnerabilities). You must instruct any third-party auditor to give us the reasonable opportunity to review the report before it is provided to you in final form and to communicate with the auditor to resolve any questions or issues of fact. You and the auditor must keep the results and findings of any audits confidential and disclose them to third parties only to the extent required by law.
6.4. In relation to any Sub-processors that are engaged pursuant to paragraph 4 and/or any data centre facilities used by us, you acknowledge and agree that it is sufficient, for the purposes of satisfying the requirements of paragraph 1, that we shall have a right to audit or inspect those Sub-processors and/or those data centre facilities on your behalf, subject to reasonable restrictions.
7.1. You shall comply with Your Data Responsibilities. We are not in any way responsible for Your Data Responsibilities.
8.1. We will process personal data as a controller under the Agreement and/or this Addendum, for example but not exhaustively, in the management of our relationship with you, in our use of Usage Data under paragraph 9, for analytics under paragraph 10 or for marketing under paragraph 12. Please see our website privacy notice for further details. Paragraphs 1 (and Schedule 1) and paragraphs 3 to 6 inclusive of this Addendum shall not apply to personal data of which we are a controller.
9.1. We may collect or create data resulting from Users’ use of the Services, such as metadata, performance metrics, and usage trends or volume (“Usage Data”). We may use Usage Data for our legitimate business purposes, including network and information security, Customer support, data analytics and marketing, provided that, except to provide the Services or as required or permitted by law, any external disclosure of Usage Data by us will be in an aggregated form that does not identify or otherwise permit the identification of you, any Users or other persons, unless you consent otherwise or initiate the sharing of Usage Data yourself.
10.1. We may use the Customer Data, Usage Data and other data to run statistical reports within the Services for our own use; for example, showing which features are the most popular with Users, which features cause issues, for benchmarking in aggregate form and/or to gain insights. We may use Customer Data internally for product research, development and innovation; for example to improve the Services, add new features and functionality, such as receipt recognition and cashflow forecasting, and provide you with insights. You (as a business Customer) consent to and authorise our access to and use of the Customer Data for those purposes and agree that our use of the Customer Data is legitimate, proportionate and, in the case of support, network and information security, may be necessary, given the negligible impact on you and the benefit you and your Users will receive in terms of technical support and from product improvements and enhancements. For further information, including our legitimate interests for conducting analytics, please see our website privacy notice.
10.3. This paragraph 10 is in addition to any provisions on data analytics in the main body of the Agreement.
11.1. As at the date of the Agreement, the parties do not consider themselves to be joint controllers (that is, where two or more controllers jointly determine the purposes and means of processing) for the purpose of the processing activities referred to in this Addendum.
11.2. If and to the extent that the parties later determine that their arrangement has become one of joint controllers, they shall comply with the requirements set out in article 26 GDPR.
12.1. Please bring this paragraph 12 to the attention of any of your staff who will act as key contacts for us.
12.2. Unless you (as an individual) have opted out of direct marketing communications (e.g. told us not to start them or told us to stop them), you acknowledge and agree that we may use personal data (such as the telephone and email contact details we have collected for you) to provide direct marketing communications to you which may be of interest, based on the individual recipient’s use of the Services or areas of interest. Direct marketing communications include telephone, email and other forms of electronic communication. We track whether marketing emails are opened and whether links in the emails are clicked on. This is built into the emails and to stop this occurring you need to unsubscribe from the emails. Please be assured that we will not take contact details from the Relevant Data and use them to send direct marketing communications – we only use contact details we collect separately from the Relevant Data.
12.3. How to opt out of direct marketing. If you prefer not to receive direct marketing from us, please tell the caller, click on the ‘unsubscribe’ button in the relevant communication (to stop email marketing only) or contact us at [email protected]. It may take up to one month for your preferences to be updated across our systems.
12.4. For further information, please see our website privacy notice.
Schedule 1 - Specification of processing
Subject matter and duration of the processing of Relevant Data:
Subject matter: the provision of our Services.
Duration: the term of the Agreement including any transitional periods on entrance or exit from the Agreement.
Nature and purpose of the processing of Relevant Data:
Any or all of the following processing operations for the purpose of providing the Services, depending on the Services chosen by you; your use of and requirements for the Services; the requirements in the Agreement; and third party requests and other extraneous events (the “Purposes”):
Type of Relevant Data (including any special categories of Relevant Data or other sensitive data):
Any or all of the following depending on the Purposes:
Categories of data subjects:
Any or all of the following depending on the Purposes:
Controller’s obligations and rights:
The obligations in paragraph 2.2 and paragraph 7.
The rights to enforce the data processing terms in paragraphs 3, 4, 5 and 6 against us as your processor.