Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of and is incorporated into the SimpleDocs Enterprise Terms and Conditions or other written or electronic agreement governing Customer’s use of the Services (“Agreement”) between Customer and SimpleDocs (“Company”). In the course of providing Services to Customer, Company may Process Customer Personal Data (defined below), and the parties agree to comply with the following provisions with respect to any Processing of Customer Personal Data by Company as a processor or service provider to Customer.

1. DEFINITIONS. Any capitalized term used but not defined in this DPA has the meaning provided to it in the Agreement or in the Applicable Data Protection Law.

a. “Applicable Data Protection Law” refers to all laws and regulations applicable to Company’s Processing of Personal Data under the Agreement including, without limitation, the GDPR.

b. “Customer Personal Data” means any Personal Data Processed by Company on behalf of Customer pursuant to or in connection with the Agreement, with the explicit exclusion of any information provided by Customer to Company in connection with the creation or administration of its account(s) or billing information for the Services.

c. “CCPA” means Section 1798.100 et seq. of the California Civil Code and any attendant regulations issued thereunder as may be amended from time to time, including but not limited to the California Privacy Rights Act of 2020 (the “CPRA”) and its implementing regulations.

d. “GDPR” means the EU General Data Protection Regulation 2016/679 and to the extent the GDPR is no longer applicable in the United Kingdom, any implementing legislation or legislation having equivalent effect in the United Kingdom. References to “Articles” or “Chapters” of the GDPR will be construed accordingly.

e. “Personal Data” shall have the meaning ascribed to it, or to substantially similar phrases, in Applicable Data Protection Law.

f. “Personal Data Breach” means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data stored or otherwise Processed by Company in connection with the provision of the Services. “Personal Data Breach” shall not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful login attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

g. “SCCs” means the standard contractual clauses for international transfers annexed to the European Commission’s Implementing Decision (EU) 2021/914 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, published on June 4, 2021, including as incorporated into the UK Transfer Addendum, if applicable.

h. “Services” means those services and activities to be supplied to or carried out by or on behalf of Company for Customer pursuant to the Agreement.

i. “Subprocessor” means any third party having access to Customer Personal Data and engaged by Company to assist in fulfilling its obligations with respect to providing Services pursuant to the Agreement (excluding any employee, consultant, or independent contractor of Company).

j. “Transfer” means the transfer of Customer Personal Data outside the United Kingdom or EU/European Economic Area (“EEA”).

k. “UK GDPR” means the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018.

l. “UK Transfer Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, published by the UK Information Commissioner’s Office on March 21, 2022.

m. The terms “controller”, “data subject”, “processor”, “processing”, “personal data” and “sensitive data” shall have the meanings given to them in Applicable Data Protection Law or, if not defined therein, the GDPR, and the terms “service provider”, “business”, “consumer”, “business purpose”, “sell” (and “selling”, “sale”, and “sold”) and “subcontractor” have the meanings given to them in §1798.140 of the CCPA, as applicable.

2. PROCESSING OF CUSTOMER PERSONAL DATA. Company will, in the course of providing Services, including with regard to Transfers of Personal Data to a third country, Process Customer Personal Data only on behalf of and under the documented instructions of Customer unless required to do otherwise under Applicable Data Protection Law; in such a case, Company will inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. Schedule A specifies the duration of the Processing, the nature and purpose of the Processing, and the types of Personal Data and categories of data subjects. Customer is responsible for ensuring that (a) it has complied, and will continue to comply, with Applicable Data Protection Law in its use of the Services and its own Processing of Customer Personal Data and (b) it has, and will continue to have, the right to Transfer, or provide access to, Customer Personal Data to Company for Processing in accordance with the terms of the Agreement and this DPA. Customer appoints Company as a processor to Process Customer Personal Data on behalf of, and in accordance with, Customer’s instructions (a) as set forth in the Agreement, this DPA, and as otherwise necessary to provide the Services to Customer (which may include investigating security incidents and preventing spam or fraudulent activity, and detecting and preventing network exploits and abuse); (b) as necessary to comply with applicable law; and (c) as otherwise agreed in writing by the parties (“Permitted Purposes”). Customer will ensure that its instructions comply with Applicable Data Protection Law. Customer acknowledges that Company is not responsible for determining which laws are applicable to Customer’s business or whether Company’s provision of the Services meets or will meet the requirements of such laws.
Customer will ensure that Company’s Processing of Customer Personal Data, when done in accordance with Customer’s instructions, will not cause Company to violate any applicable law, regulation, or rule, including Applicable Data Protection Law. Company will inform Customer if it becomes aware or reasonably believes that Customer’s data Processing instructions violate any applicable law, regulation, or rule, including Applicable Data Protection Law. Customer is responsible for ensuring that suitable safeguards are in place prior to transmitting or Processing, or prior to permitting Customer’s end users to transmit or Process, any Personal Data via the Services.

3. CCPA. If Company is Processing Customer Personal Data within the scope of the CCPA (“CCPA Personal Data”), the parties agree as follows. CCPA Personal Data is disclosed by Customer only for the limited and specified purposes of providing Services to Customer pursuant to the terms of the Agreement. Each party agrees to comply with its applicable obligations under the CCPA and shall provide the same level of privacy protection to CCPA Personal Data as required by the CCPA. Customer shall have the right to take reasonable and appropriate steps to help ensure that Company uses the CCPA Personal Data in a manner consistent with its obligations under the CCPA. Company shall notify Customer if it makes a determination that it can no longer meet its obligations under the CCPA. Upon such notice, Company may take reasonable and appropriate steps to stop and remediate unauthorized use of CCPA Personal Data. Company agrees not to retain, use or disclose CCPA Personal Data obtained in the course of providing the Services for any purpose other than the Business Purposes set forth in the Agreement, including retaining, using or disclosing CCPA Personal Data for a commercial purpose other than the Business Purposes set forth in the Agreement, except as otherwise permitted by the CCPA. Company will not (a) sell (as defined in the CCPA) or share (as defined in the CCPA) any CCPA Personal Data, (b) retain, use or disclose CCPA Personal Data outside of the direct business relationship between Company and Customer, or (c) combine CCPA Personal Data with personal information that Company receives from or on behalf of another person or persons, or collects from its own interactions with the consumer, provided that Company may combine CCPA Personal Data to perform any Business Purpose as defined in regulations adopted pursuant to paragraph (10) of subdivision (a) of Section 1798.185 of the CCPA, except as provided for in paragraph (6) of subdivision (e) of Section 1798.140 of the CCPA and in regulations adopted by the California Privacy Protection Agency. 
Notwithstanding the foregoing, Company may (i) process or maintain personal information on behalf of the business that provided the personal information or directed the service provider to collect the personal information, in compliance with the written contract for services required by the CCPA; (ii) retain and employ another service provider (as defined in the CCPA) as a subcontractor, where the subcontractor meets the requirements for a service provider under the CCPA and applicable regulations; (iii) use CCPA Personal Data internally to build or improve the quality of the services it is providing to Customer, even if this Business Purpose is not specified in the Agreement, provided that Company does not use the CCPA Personal Data to perform services on behalf of another person; (iv) use CCPA Personal Data to prevent, detect or investigate data security incidents or to protect against malicious, deceptive, fraudulent or illegal activity, even if this Business Purpose is not specified in the Agreement; or (v) use CCPA Personal Data for the purposes enumerated in California Civil Code section 1798.145, subdivisions (a)(1) through (a)(7). If Company receives a request to know or a request to delete from a consumer with respect to CCPA Personal Data, Company shall either act on behalf of Customer in responding to the request or inform the consumer that the request cannot be acted upon because the request has been sent to a service provider.

4. SECURITY. Company will ensure that its employees who Process Customer Personal Data for Company or who have access to Customer Personal Data are authorized to Process this Personal Data, and have undertaken to, or are contractually bound to, observe confidentiality. Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Company will in relation to Customer Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by Art. 32 GDPR, as set forth at www.simpledocs.com/security-measures (“Security Measures”). As appropriate, this may include: the pseudonymization and encryption of Personal Data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services; and the ability to restore the availability of and access to Customer Personal Data in a timely manner in the event of a physical or technical incident. In assessing the appropriate level of security, Company will take into account the risks presented by Processing, in particular from a Personal Data Breach. Company’s technical and organizational measures are subject to technical advancements and development. Company will use commercially reasonable efforts to regularly test, assess and evaluate the effectiveness of technical and organizational measures to reasonably ensure the security of the Processing. Company may make such changes to the Security Measures as Company deems necessary or appropriate from time to time, including without limitation to comply with applicable law, but no such changes will materially reduce the overall level of protection.

5. SUBPROCESSING. Customer agrees that Company may use Subprocessors to fulfill its contractual obligations under the Agreement. Where Company authorizes any Subprocessor as described in this Section 5, Company agrees to impose data protection terms on any Subprocessor it appoints that require it to protect Customer Personal Data to the standard required by Applicable Data Protection Law. Customer provides a general consent for Company to engage onward Subprocessors, conditional on the following requirements: Company will provide details of any change in Subprocessors as soon as reasonably practicable, but in any event will give notice no less than fourteen (14) days prior to any such change. The Customer may object to the new or changed Subprocessor within ten (10) calendar days of Company’s notice. If within ten (10) calendar days of notice, Customer notifies Company of an objection to an appointment (based on reasonable grounds relating to data protection) and provides documentary evidence that reasonably shows that the proposed Subprocessor does not or cannot comply with the requirements of this DPA or Applicable Data Protection Law, then (i) Company will work with Customer in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor; and (ii) where such a change cannot be made within thirty (30) days from Company’s receipt of Customer’s objection notice, notwithstanding anything in the Agreement, either party may, by at least 30 days’ prior written notice to the other party, terminate the Agreement to the extent that it relates to the Services which require the use of the proposed Subprocessor. During such notice period, Company may suspend the affected portion of the Services. If no objection has been raised within the 10-day period noted above prior to Company replacing or appointing a new Subprocessor, Company will deem Customer to have authorized the new Subprocessor. 
Company will remain liable for any breach of this DPA that is caused by its Subprocessors.

6. DATA RIGHTS REQUESTS. If Company receives a request from a data subject that relates to Customer Personal Data and identifies Customer (a “Data Subject Request”), Company will (a) advise the data subject to submit the Data Subject Request to Customer, and (b) use commercially reasonable efforts to notify Customer of the Data Subject Request. Where required by Applicable Data Protection Law, to the extent Customer is unable through its use of the Services to address a particular Data Subject Request, Company will, upon Customer’s request and taking into account the nature of the Customer Personal Data Processed, provide reasonable assistance to Customer in fulfilling the Data Subject Request. To the extent permitted by applicable law, Customer will be responsible for any costs arising from Company’s assistance.

7. PERSONAL DATA BREACH. Upon becoming aware of a Personal Data Breach, Company will without undue delay inform Customer and provide written details of the Personal Data Breach reasonably required to fulfill Customer’s notification obligations under Applicable Data Protection Law. Where possible, such details will include the nature of the Personal Data Breach, the categories and approximate number of data subjects concerned, the categories and approximate number of Customer Personal Data records concerned, the likely consequences, and the measures taken or proposed to be taken to mitigate any possible adverse effects. Company will promptly work to recover Customer Personal Data which is lost, damaged, destroyed or distorted as a result of the Personal Data Breach, and take such reasonable commercial steps as may be directed by Customer to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.

8. DPIA AND CONSULTATION. Taking into account the nature of the Processing and the information available to Company, Company will, when required by Applicable Data Protection Law, assist Customer with its obligations related to data protection impact assessments (where related to the Services, and only to the extent that Customer does not otherwise have access to the relevant information) and prior consultation with supervisory authorities, including by providing the information contained in the Audit Report as set forth in Section 10 below. To the extent permitted by applicable law, Customer will be responsible for any costs arising from Company’s assistance.

9. RETURN AND DELETION OF CUSTOMER PERSONAL DATA. Company will delete all Customer Personal Data upon the completion of the Permitted Purpose or request by Customer, whichever is earlier. Company may retain Customer Personal Data to the extent required by applicable laws, and only to the extent and for such period as required by applicable laws and provided that Company will maintain the confidentiality of all such Customer Personal Data and will ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.

10. AUDITS. Company will make available to Customer, at Customer’s request, information which is necessary to demonstrate compliance with this DPA and allow for any audits, including inspections, conducted by Customer or another auditor, as requested by Customer on reasonable, legitimate grounds for suspecting a breach of this DPA. Company will provide for such audits by allowing Customer to review confidential summary reports (“Audit Report”) prepared by third-party security professionals at Company’s selection and expense. If Customer can demonstrate that it requires additional information, beyond the Audit Report, to comply with Applicable Data Protection Law, then Customer may request, at Customer’s cost, that Company provide for an audit subject to reasonable confidentiality procedures, which will: (i) not include access to any information that could compromise confidential information relating to other Company clients or suppliers, Company’s proprietary technology or any trade secrets; and (ii) be performed not more than once per year, unless otherwise mandated by a supervisory authority, upon no less than sixty (60) days’ notice where practicable, during regular business hours and in such a manner as not to unreasonably interfere with Company’s normal business activities. The results of any such audit shall promptly be made available to Company and shall be considered Company’s confidential information.

11. INTERNATIONAL DATA TRANSFERS. Customer authorizes Company and its Subprocessors to Transfer Customer Personal Data across international borders, including from the UK or the European Economic Area to the United States:

a. Transfers from the EEA. Where a Transfer is made from the European Economic Area (“EEA”), the SCCs are incorporated into this DPA and apply to the transfer as follows:

i. with respect to Transfers from Customer to Company, Module One applies where both Customer and Company are Controllers, Module Two applies where Customer is a Controller and Company is a Processor, and Module Three applies where both Customer and Company are Processors;

ii. in Clause 7, the optional docking clause does not apply;

iii. in Clause 9(a) of Modules Two and Three, Option 2 applies, and the period for prior notice of Subprocessor changes is set forth in Section 5 of this DPA;

iv. in Clause 11(a), the optional language does not apply;

v. in Clause 17, Option 1 applies with the governing law being that of Ireland;

vi. in Clause 18(b), disputes will be resolved before the courts in Dublin, Ireland;

vii. Annex I of the SCCs is completed with the information in Schedule A to this DPA;

viii. Annex II of the SCCs is completed with the Security Measures described in Section 4 of this DPA; and

ix. Annex III of the SCCs is completed with the information in Schedule B to this DPA.

b. Transfers from Switzerland. Where a Transfer is made from Switzerland, the SCCs are incorporated into this DPA and apply to the transfer as modified in Section 11(a) above, except that:

i. in Clause 13, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner if the Transfer is governed by the Swiss Federal Act on Data Protection;

ii. references to “Member State” in the SCCs refer to Switzerland, and data subjects located in Switzerland may exercise and enforce their rights under the SCCs in Switzerland; and

iii. references to the “General Data Protection Regulation,” “Regulation 2016/679,” and “GDPR” in the SCCs refer to the Swiss Federal Act on Data Protection (as amended or replaced).

c. Transfers from the UK. Where a Transfer is made from the UK, the UK Transfer Addendum is incorporated into this DPA and applies to the transfer. The UK Transfer Addendum is completed with the information in Section 11(a) above and the Schedules to this DPA, and both “Importer” and “Exporter” are selected in Table 4.

d. Specific application of the SCCs. The following terms apply to the SCCs:

i. Customer may exercise its audit rights under the SCCs as set out in Section 10 above.

ii. Company may appoint Subprocessors under the SCCs as set out in Section 5 above.

iii. With respect to Transfers made to Company, Company may neither participate in, nor permit any Subprocessor to participate in, any further Transfer unless the further Transfer is made in full compliance with Applicable Data Protection Law and in accordance with the applicable SCCs or an alternative legally compliant transfer mechanism adopted by the importer.

iv. If any provision of this Section 11 is inconsistent with any terms in the SCCs, the SCCs will prevail.

12. LIABILITY. Each party’s liability, taken together in the aggregate, arising out of or related to this DPA and the Agreement, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability provisions of the Agreement, except to the extent such liability cannot be limited under Applicable Data Protection Law.

13. GENERAL. This DPA will continue in force until the termination of the Agreement, unless earlier terminated as provided herein. In the event of a conflict or inconsistency between the Agreement, this DPA, and the SCCs, the terms of the following documents will prevail (in order of precedence): the SCCs; then this DPA; and then the Agreement.

SCHEDULE A
Details of Processing
Data Exporter
● Name: The Customer entity identified in the Agreement.
● Address: The Customer address specified in the Agreement or on the applicable order form.
● Contact person’s name, position and contact details: The Customer’s contact specified in the Agreement or on the applicable order form.
● Activities relevant to the data transferred under the SCCs: The data exporter is a customer of the data importer and utilizing the data importer’s services as described in more detail in the Agreement.
● Role: Controller and/or Processor
Data Importer
● Name: SimpleDocs, Inc.
● Address: 9450 SW Gemini Dr, Suite 54786, Beaverton, Oregon 97008-7105
● Contact person’s name, position and contact details: Preston Clark, CEO, preston@simpledocs.com
● Activities relevant to data transferred under the SCCs: The data importer is providing certain services to the data exporter, as described in more detail in the Agreement.
● Role: Processor
Categories of Data Subjects
Users of the Customer who reside in the EEA, Switzerland or the UK
Categories of Personal Data
Any Personal Data uploaded to the Services by or on behalf of the Customer
Sensitive data transferred
N/A
Frequency of the transfer
At the data exporter’s discretion using the Services, during the term of the Agreement
Nature of Processing
Customer Personal Data will be Processed to provide the Services in accordance with the Agreement, including the following Processing activities: (1) provision of the Services in accordance with the Agreement, (2) technical support, issue diagnosis and error correction, and (3) disclosures in accordance with the Agreement or as compelled by Applicable Data Protection Law.
Purpose(s) of data transfer and further processing
Customer Personal Data is Processed for the purposes of providing the Services in accordance with the Agreement and any applicable order form.
Period for which Customer Personal Data will be retained
Customer Personal Data will be retained in accordance with Section 9 of the DPA.
Competent Supervisory Authority
Where the data exporter is established in an EU Member State: the supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority. Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: the supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as competent supervisory authority. Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: the supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behavior is monitored, are located shall act as competent supervisory authority.
SCHEDULE B
Subprocessor List
● Amazon Web Services
● Google Workspace
● Salesforce / Heroku
● Paragon