Data Processing Addendum
Updated: July 22, 2024
Data Processing Addendum Effective April 1, 2021
This Data Processing Addendum (“DPA”) and the schedules to this DPA apply to the Processing of Client Personal Data on behalf of Client as identified on the Master Services Agreement (the “Client”) in order to provide Services Client may have ordered from Vendr. This DPA forms part of the Master Services Agreement available at https://www.vendr.com/legal or such other location as the Master Services Agreement may be posted from time-to-time or such alternative agreement Client may have entered into with Vendr pursuant to which Client has accessed Vendr’s Services, as defined in the applicable agreement, including, without limitation, the Company’s Terms of Use (the “Agreement”). In the event of a conflict between the terms of this DPA and the terms of the Agreement, the provisions of the following documents (in order of precedence) shall prevail: (i) SCCs; (ii) this DPA; and (iii) the Agreement, unless the Agreement explicitly provides otherwise, identifying the relevant portion of the DPA that it is superseding.
For purposes of this DPA, Client and Vendr agree that Client may be a Data Controller of Client Personal Data and Vendr may be a Data Processor of such data, except when Client acts as a Data Processor of Client Personal Data, in which case Vendr is a subprocessor.
In the course of providing Services to Client pursuant to the Agreement, Vendr may Process Client Personal Data on behalf of Client. Vendr agrees to comply with the following provisions with respect to any Client Personal Data submitted by or on behalf of Client for the Services or collected and Processed through the Services.
1. Definitions
1.1. Any capitalized term used but not defined in this DPA has the meaning provided to it in the Agreement or in the Applicable Data Protection Law.
a) “Applicable Data Protection Law” refers to all laws and regulations applicable to Vendr’s Processing of Personal Data under the Agreement including, without limitation, the European Data Protection Laws and Non-European Data Protection Laws.
b) “Client Personal Data” means any Personal Data Processed by Vendr on behalf of Client pursuant to or in connection with the Agreement, with the explicit exclusion of Client Feedback, the Personal Data of representatives of third-party organizations such as those the Client wishes to procure from, and records of communications between Vendr and Client.
c) “CCPA” means the California Consumer Privacy Act 2018 Cal. Civ. Code 1798.100 et seq., including any amendments and any implementing regulations thereto that become effective on or after the effective date of this Data Processing Addendum, including, without limitation, the California Privacy Rights Act of 2020 (the “CPRA”).
d) “Contractor” has the meaning set forth in the CPRA.
e) “Delete” means to remove or obliterate Personal Data such that it cannot be recovered or reconstructed, and “Deletion” will be construed accordingly.
f) “European Data Protection Laws” means all data protection laws and regulations applicable to Europe, including (i) GDPR; (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); (iv) the GDPR as it forms part of UK law by virtue of section 3 of the UK European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (together, “UK Data Protection Laws”); and (v) the New Swiss Federal Data Protection Act of 01 September 2023 (“Swiss DPA”).
g) “GDPR” means the EU General Data Protection Regulation 2016/679 and to the extent the GDPR is no longer applicable in the United Kingdom, any implementing legislation or legislation having equivalent effect in the United Kingdom. References to “Articles” or “Chapters” of the GDPR will be construed accordingly.
h) “Non-European Data Protection Laws” means the CCPA; the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”); the Brazilian General Data Protection Law (“LGPD”), Federal Law no. 13,709/2018; the Privacy Act 1988 (Cth) of Australia, as amended (“Australian Privacy Law”); the Virginia Consumer Data Protection Act; the Colorado Privacy Act; the Connecticut Act Concerning Personal Data Privacy and Monitoring; the Utah Consumer Privacy Act; the Texas Data Privacy and Security Act; the Oregon Consumer Privacy Act; the Montana Consumer Data Privacy Act; and substantially similar privacy or data protection laws applicable to a party, each as may be amended or replaced from time to time.
i) “Personal Data” shall have the meaning ascribed to it, or to substantially similar phrases, in Applicable Data Protection Law, excluding Sensitive Data (which is not collected or Processed by Vendr).
j) “Processed” means any operation or set of operations performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms “Process,” “Processes,” “Processed,” or “Processing” shall be construed accordingly.
k) “Sensitive Data” means (a) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) credit or debit card number (other than the last four digits of a credit or debit card number); (c) employment, financial, credit, genetic, biometric or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, information about sexual life or sexual orientation, or criminal record; (e) account passwords; or (f) other information that falls within the definition of “special categories of data” under Applicable Data Protection Law.
l) “Services” means those services and activities to be supplied to or carried out by or on behalf of Vendr for Client pursuant to the Agreement.
m) “SCCs” means either (i) the standard contractual clauses between controllers and processors adopted by the European Commission in its Implementing Decision 2010/87/EU of 5 February 2010 (the “2010 Controller-to-Processor Clauses”); (ii) the standard contractual clauses between controllers and processors adopted by the European Commission in its Implementing Decision (EU) 2021/914 of 4 June 2021 (the “2021 Controller-to-Processor Clauses”); or (iii) the standard contractual clauses between processors adopted by the European Commission in its Implementing Decision (EU) 2021/914 of 4 June 2021 (the “2021 Processor-to-Processor Clauses”).
n) “Transfer” means the transfer of Client Personal Data outside the United Kingdom or EU/European Economic Area (“EEA”).
o) “Subprocessor” means any third party appointed by or on behalf of Vendr to Process Client Personal Data.
p) For clarity, this DPA covers any Processing that takes place pursuant to the CCPA and the CPRA. Therefore, the following references in the CCPA and CPRA have the following meanings in this DPA:
- “Business” means “Vendr”
- “Consumer” means “Client”
- “Third Party” means “Sub-Processor”
2. Processing of Client Personal Data
2.1. Vendr will in the course of providing Services, including with regard to Transfers of Personal Data to a Third Party, Process Client Personal Data only on behalf of and under the documented instructions of Client unless required to do so otherwise under Applicable Data Protection Law; in such a case, Vendr will inform Client of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. Schedule 1 specifies the duration of the Processing, the nature and purpose of the Processing, and the types of Personal Data and categories of Data Subjects.
2.2. Client is responsible for ensuring that (a) it has complied, and will continue to comply, with Applicable Data Protection Law in its use of the Services and its own Processing of Client Personal Data and (b) it has, and will continue to have, the right to Transfer, or provide access to, Client Personal Data to Vendr for Processing in accordance with the terms of the Agreement and this DPA.
2.3. Client appoints Vendr as a Data Processor to Process Client Personal Data on behalf of, and in accordance with, Client’s instructions (a) as set forth in the Agreement, this DPA, and as otherwise necessary to provide the Services to Client (which may include investigating security incidents and preventing spam or fraudulent activity, and detecting and preventing network exploits and abuse); (b) as necessary to comply with applicable law; and (c) as otherwise agreed in writing by the parties (“Permitted Purposes”).
2.4. Client will ensure that its instructions comply with Applicable Data Protection Law. Client acknowledges that Vendr is not responsible for determining which laws are applicable to Client’s business nor whether Vendr’s provision of the Services meets or will meet the requirements of such laws. Client will ensure that Vendr’s Processing of Client Personal Data, when done in accordance with Client’s instructions, will not cause Vendr to violate any applicable law, regulation, or rule, including Applicable Data Protection Law. Vendr will inform Client if it becomes aware or reasonably believes that Client’s data Processing instructions violate any applicable law, regulation, or rule, including Applicable Data Protection Law.
2.5. Client is responsible for ensuring that suitable safeguards are in place prior to transmitting or Processing, or prior to permitting Client’s end users to transmit or Process, any Special Categories of Data via the Services.
2.6. Client specifically acknowledges that its use of the Services will not violate the rights of any Data Subject that has opted-out from sales or other disclosures of Client Personal Data, to the extent applicable under the CCPA.
2.7. Client will not provide (or cause to be provided) any Sensitive Data to Vendr for processing under the Agreement, and Vendr will have no liability whatsoever for Sensitive Data, whether in connection with a security incident or otherwise. For the avoidance of doubt, this DPA will not apply to Sensitive Data.
3. Security
3.1. Vendr will ensure that its employees (including subprocessors) who Process Client Personal Data for Vendr or who have access to Client Personal Data are authorized to Process this Personal Data, and have undertaken to, or are contractually bound to observe confidentiality. Vendr will ensure that this obligation to maintain confidentiality continues beyond the termination of employment contracts or service contracts, and beyond the termination of this DPA.
3.2. Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Natural Persons, Vendr will in relation to Client Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by Art. 32 GDPR. As appropriate, this may include:
a) the pseudonymization and encryption of Personal Data;
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services; and
c) the ability to restore the availability and access to Client Personal Data in a timely manner in the event of a physical or technical incident.
3.3. In assessing the appropriate level of security, Vendr will take into account the risks presented by Processing, in particular from a Personal Data Breach. Vendr’s technical and organizational measures specified in Schedule 2 Appendix 2 are subject to technical advancements and development. Vendr will regularly test, assess and evaluate the effectiveness of technical and organizational measures to reasonably ensure the security of the Processing.
4. Subprocessing
4.1. Client agrees that Vendr may use Subprocessors to fulfill its contractual obligations under the Agreement. Where Vendr authorizes any Subprocessor as described in this Section 4, Vendr agrees to impose data protection terms on any Subprocessor it appoints that require it to protect Client Personal Data to the standard required by Applicable Data Protection Law, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of the GDPR. Client acknowledges and agrees that, where applicable, Vendr fulfills its obligations under Clause 9 of the 2021 Controller-to-Processor Clauses and 2021 Processor-to-Processor Clauses, as applicable, by complying with this Section 4 and that Vendr may be prevented from disclosing subprocessor agreements to Client due to confidentiality restrictions but Vendr shall, upon request, use reasonable efforts to provide Client with all relevant information it reasonably can in connection with subprocessor agreements.
4.2. Client provides a general consent for Vendr to engage onward Subprocessors, conditional on the following requirements:
a) Any onward Subprocessor must agree in writing to only Process data in a country that the European Commission has declared to have an “adequate” level of protection; or to only Process data on terms equivalent to the Standard Contractual Clauses, or pursuant to a Binding Corporate Rules approval granted by competent European data protection authorities; and
b) Vendr will restrict the onward Subprocessor’s access to Client Personal Data only to what is strictly necessary to provide the Services, and Vendr will prohibit the Subprocessor from Processing the Client Personal Data for any other purpose.
4.3. Client consents to Vendr engaging additional Third Party subprocessors to Process Client Personal Data within the Services for the Permitted Purposes provided that Vendr maintains an up-to-date list of its subprocessors at https://www.vendr.com/legal. Vendr will provide details of any change in subprocessors as soon as reasonably practicable, but in any event will give notice no less than fourteen (14) days prior to any such change.
4.4. The Client may object to the new or changed Subprocessor within five calendar days after receipt of Vendr’s notice. If within ten (10) calendar days of receipt of that notice, Client notifies Vendr of an objection to an appointment (based on reasonable and legitimate grounds relating to data protection), then (i) Vendr will work with Client in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor; and (ii) where such a change cannot be made within fourteen (14) days from Vendr’s receipt of Client’s objection notice, notwithstanding anything in the Agreement, Client may, by such notice to Vendr, terminate the Agreement to the extent that it relates to the Services which require the use of the proposed Subprocessor. Such termination will be without prejudice to any fees incurred by Client prior to suspension or termination, and if Client terminates the Services under the Agreement pursuant to this Section 4.4, Client shall not be entitled to any refund of fees due and payable. If no objection has been raised prior to Vendr replacing or appointing a new Subprocessor, Vendr will deem Client to have authorized the new Subprocessor.
4.5. Vendr will remain liable for any breach of this DPA that is caused by its Subprocessors; provided, in each case, that Client shall: (i) first provide Vendr with reasonable notice to enable Vendr to cure any such non-compliance and (ii) reasonably cooperate with Vendr to identify what additional safeguards, if any, may be implemented to remedy such non-compliance.
4.6. Where any Contractor has access to Client Personal Data, it will only do so under a written contract and hereby certifies that it understands and is compliant with Applicable Data Protection Laws.
5. Data Rights Requests
5.1. Vendr’s Services provide Client with a number of self-service features, including the ability to rectify, delete, obtain a copy of, or restrict use of Client Personal Data, which may be used by Client to assist in complying with its obligations under Applicable Data Protection Law with respect to responding to requests from Data Subjects via the Vendr Services at no additional cost. In addition, upon Client’s request, Vendr will provide reasonable additional and timely assistance (at Client’s expense only if complying with Client’s request will require Vendr to assign significant resources to that effort) to assist Client in complying with its data protection obligations with respect to Data Subject rights under Applicable Data Protection Law.
5.2. In the event that any request, correspondence, enquiry or complaint from a Data Subject, regulatory or third party, including, but not limited to law enforcement, is made directly to Vendr in connection with Vendr’s Processing of Client Personal Data, Vendr will inform Client providing details of the same, to the extent legally permitted. Unless legally obligated to do so, Vendr will not respond to any such request, inquiry or complaint without Client’s prior consent. In the case of a legal demand for disclosure of Client Personal Data in the form of a subpoena, search warrant, court order or other compulsory disclosure request, Vendr will attempt to redirect the requesting party or agency to request disclosure from Client. If Vendr is legally compelled to respond to such a request, Vendr will notify Client prior to disclosure of Client Personal Data so that Client may seek a protective order or other relief, if appropriate, unless Vendr is barred by law from giving such notification.
6. Personal Data Breach
6.1. Upon becoming aware of a Personal Data Breach, Vendr will without undue delay and within forty-eight (48) hours inform Client and provide written details (e.g., via electronic means) of the Personal Data Breach reasonably required to fulfill Client’s notification obligations under Applicable Data Protection Law. Where possible, such details will include the nature of the Personal Data Breach, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Client Personal Data records concerned, the likely consequences, and the measures taken or proposed to be taken to mitigate any possible adverse effects.
6.2. Vendr will promptly work to recover Client Personal Data which is lost, damaged, destroyed or distorted as a result of the Personal Data Breach, and take such reasonable commercial steps as may be directed by Client to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.
7. DPIA and Consultation
7.1. Vendr will provide reasonable assistance to Client in connection with data protection impact assessments, and prior consultations with Supervisory Authorities, which Client reasonably considers to be required of Client by Article 35 or 36 of the GDPR, with regards to Processing of Client Personal Data by Vendr.
8. Return and Deletion of Client Personal Data
8.1. Subject to Section 8.2 below, Vendr will, within forty-five (45) days of a Client end user’s deletion request, respond to such request (unless Vendr notifies Client of its intent to extend such response deadline by an additional forty-five (45) days) and delete such Personal Data for the respective Client end user. Further, except (i) as required under applicable law, or (ii) as indicated in Section 8.2 below, Vendr will in each case delete all Client Personal Data (or, if requested by Client, return to Client all Client Personal Data) within three (3) months after the expiration or termination of the Agreement. After such period, Vendr shall have no obligation to maintain or destroy any such Personal Data except in accordance with applicable law and without liability to Client.
8.2. Vendr may retain Client Personal Data after the expiry or termination of the Agreement: (i) to the extent required by Applicable Data Protection Law, and only to the extent and for such period as required by applicable laws and always provided that Vendr will ensure the confidentiality of all such Client Personal Data and will ensure that such Client Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Data Protection Law requiring its storage and for no other purpose; and (ii) provided, however, Vendr may retain such Client Personal Data in accordance with its standard backup, log, or record retention policies.
8.3. The parties agree that the certification of deletion of Client Personal Data described in Clause 8.5 and 16(d) of the 2021 Controller-to-Processor Clauses and 2021 Processor-to-Processor Clauses, as applicable, shall be provided by Vendr to Client only upon Client’s written request.
9. De-Identified Data
9.1. "De-identified Data" means Client Personal Data that has been Processed such that it can no longer be linked to an identified or identifiable Natural Person, or a device linked to such person.
9.2. Vendr may Process Client Personal Data to create de-identified data for Vendr’s legitimate business purposes. De-identified data will not be considered Client Personal Data and Vendr may retain such data at its discretion.
10. Audits
10.1. Vendr will make available information to Client at Client’s request which is reasonably necessary to demonstrate compliance with this DPA and allow for any audits, including inspections, conducted by Client or another auditor, as requested by Client on reasonable, legitimate grounds for suspecting a breach of this DPA. Vendr will provide for such audits by allowing Client to review confidential summary reports ("Audit Report") prepared by third-party security professionals at Vendr's selection and expense.
10.2. If Client can demonstrate that it requires additional information, beyond the Audit Report, then Client may request, at Client's cost, Vendr to provide for an audit subject to reasonable confidentiality procedures, which will: (i) not include access to any information that could compromise confidential information relating to other Vendr clients or suppliers, Vendr's technical and organizational measures or any trade secrets; and (ii) be performed upon no less than sixty (60) days’ notice, during regular business hours and in such a manner as not to unreasonably interfere with Vendr’s normal business activities. If Vendr is unable to follow Client's instructions (for example, where Client's request relates to a subprocessor that will not provide such information or right to Vendr) or declines, Client may terminate the Agreement.
11. International Data Transfers
11.1. Client authorizes Vendr and its subprocessors to Transfer and Process Client Personal Data across international borders, including from the UK, European Economic Area and anywhere else in the world where Vendr, its affiliates or its subprocessors maintain data processing operations to and in the United States. Vendr shall at all times ensure that such Transfers are made in compliance with the requirements of Applicable Data Protection Law and this DPA.
11.2. To the extent that Vendr is a recipient of Client Personal Data protected by the Australian Privacy Law, the parties acknowledge and agree that Vendr may Transfer such Client Personal Data outside of Australia as permitted by the terms agreed upon by the parties and subject to Vendr complying with this DPA and the Australian Privacy Law.
11.3. To the extent that Vendr is a recipient of Client Personal Data protected by European Data Protection Laws (“European Data”) in a country outside of Europe that is not recognized as providing an adequate level of protection for personal data (as described in applicable European Data Protection Laws), the parties agree to abide by and process European Data in compliance with the SCCs, which shall be incorporated into and form an integral part of this DPA as follows: (a) if Client started using the Service before 27 September 2021, the 2010 Controller-to-Processor Clauses shall apply (regardless of whether Client is a controller or a processor) until December 27, 2022, and thereafter the 2021 Controller-to-Processor Clauses and/or the 2021 Processor-to-Processor Clauses shall automatically apply (according to whether Client is a controller and/or a processor); (b) if Client started using the Service on or after 27 September 2021, the 2021 Controller-to-Processor Clauses and/or the 2021 Processor-to-Processor Clauses shall apply (according to whether Client is a controller and/or a processor) immediately.
11.4. The parties agree that if Vendr cannot ensure compliance with the SCCs, it shall promptly inform Client of its inability to comply. If Client intends to suspend the Transfer of European Data and/or terminate the affected parts of the Service, it shall first provide notice to Vendr and provide Vendr with a reasonable period of time to cure such non-compliance, during which time Vendr and Client shall reasonably cooperate to agree what additional safeguards or measures, if any, may be reasonably required. Client shall only be entitled to suspend the Transfer of data and/or terminate the affected parts of the Service for non-compliance with the SCCs if Vendr has not or cannot cure the non-compliance within a reasonable period.
11.5. To the extent that and for so long as the SCCs as implemented in accordance with Section 11.3 cannot be relied on to lawfully Transfer personal data in compliance with UK Data Protection Laws, the standard data protection clauses for processors adopted pursuant to or permitted under Article 46 of the UK GDPR (“UK SCCs”) shall be incorporated by reference and deemed completed with the relevant information set out in the Annexes of this DPA. Additionally, to the extent Vendr adopts an alternative lawful data transfer mechanism for the transfer of European Data not described in this DPA (“Alternative Transfer Mechanism”), the Alternative Transfer Mechanism shall apply instead of the transfer mechanisms described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with applicable European Data Protection Laws and extends to the countries to which European Data is transferred). In addition, if and to the extent that a court of competent jurisdiction or supervisory authority orders (for whatever reason) that the measures described in this DPA cannot be relied on to lawfully Transfer European Data (within the meaning of applicable European Data Protection Laws), Vendr may implement any additional measures or safeguards that may be reasonably required to enable the lawful Transfer of European Data.
11.6. Vendr and Client will use the Standard Contractual Clauses described in Schedule 2 as the adequacy mechanism supporting the Transfer and Processing of Client Personal Data.
12. Jurisdiction Specific Terms
12.1. Where Vendr Processes Client Personal Data protected by Applicable Data Protection Law in one of the jurisdictions listed in Schedule 3, the terms specified in Schedule 3 with respect to the applicable jurisdiction(s) (“Jurisdiction Specific Terms”) apply in addition to the terms of this DPA. In case of any conflict or ambiguity between the Jurisdiction Specific Terms and any other terms of this DPA, the applicable Jurisdiction Specific Terms will take precedence.
13. Liability
13.1. Client and Vendr will each be separately liable to the other party for damages it causes by any breach of the clauses in this DPA. Liability as between the parties is limited to actual damage suffered. Punitive damages (i.e. damages intended to punish a party for its outrageous conduct) are specifically excluded. Each party will be liable to Data Subjects for damages it causes by any breach of third party rights under these clauses. This does not affect the liability of the data exporter under its Applicable Data Protection Law. Any claims made against Vendr or its affiliates under or in connection with this DPA (including, where applicable, the SCCs) shall be brought solely by the Client that is a party to the Agreement.
14. Failure to Perform
14.1. In the event that changes in law or regulation render performance of this DPA impossible or commercially unreasonable insofar as it concerns the processing of Client Personal Data under these clauses, the Parties may renegotiate this DPA in good faith, provided, for the avoidance of doubt, that one of the following shall have first occurred: (i) Client has suspended the transfer of Client Personal Data to Vendr and Vendr does not restore compliance hereunder within one month of Client’s suspension, (ii) Vendr is in substantial or persistent breach of these clauses, or (iii) Vendr fails to comply with the binding decision of a competent court or supervisory authority regarding its obligations hereunder. If (i), (ii) or (iii) has occurred and renegotiation would not cure the impossibility, or the Parties cannot reach an agreement, the Parties may terminate the Agreement in accordance with the Agreement’s termination provisions. Notwithstanding the foregoing, where the Agreement involves more than two parties, the terminating party may exercise this right only with respect to the applicable counterparty, unless all parties have agreed otherwise.
15. Updates
15.1. Vendr may update the terms of this DPA from time to time; provided, however, Vendr will provide at least thirty (30) days prior written notice (e.g., via electronic means) to Client when a material update is required as a result of (a) the release of new products or services or material changes to any of the existing Services that require a change to the DPA; (b) changes in Applicable Data Protection Law; or (c) a merger, acquisition, or other similar transaction. The then-current terms of this DPA are available at https://www.vendr.com/legal.
16. Duration and Survival
16.1. This DPA will become legally binding upon the Effective Date of the Agreement or upon the date that the Parties sign this DPA if it is completed after the effective date of the Agreement. Vendr will Process Client Personal Data until the relationship terminates as specified in the Agreement. Any obligation imposed on Vendr under this DPA in relation to the Processing of Client Personal Data will terminate when Vendr no longer Processes Client Personal Data.
Schedule 1
Client Personal Data Processing Details
Schedule 2
Cross Border Data Transfer Mechanisms
1. Definitions
i. “EC” means the European Commission
ii. “EEA” means the European Economic Area
iii. “Standard Contractual Clauses” means, depending on the circumstances unique to Client, any of the following:
1. UK Standard Contractual Clauses, and
2. 2021 Standard Contractual Clauses
iv. “UK Standard Contractual Clauses” means the Standard Contractual Clauses for data controller to data processor transfers approved by the EC in decision 2010/87/EU (“UK Controller to Processor SCCs”), and
v. “2021 Standard Contractual Clauses” means the Standard Contractual Clauses approved by the EC in decision 2021/914
2. Cross Border Data Transfer Mechanisms
i. Order of Precedence. In the event the Services are covered by more than one Transfer Mechanism, the transfer of Personal Data will be subject to a single Transfer Mechanism in accordance with the following order of precedence: (a) the applicable Standard Contractual Clauses as set forth in Section 2(ii) (UK Standard Contractual Clauses) or Section 2(iii) (2021 Standard Contractual Clauses) of this Schedule 2; and, if (a) is not applicable, then (b) other applicable data Transfer Mechanisms permitted under Applicable Data Protection Law.
ii. UK Standard Contractual Clauses. The parties agree that the UK Standard Contractual Clauses will apply to Personal Data that is transferred via the Services from the United Kingdom, either directly or via onward transfer, to any country or recipient outside of the United Kingdom that is: (a) not recognized by the competent United Kingdom regulatory authority or governmental body for the United Kingdom as providing an adequate level of protection for Personal Data. For data transfers from the United Kingdom that are subject to the UK Standard Contractual Clauses, the UK Standard Contractual Clauses will be deemed entered into (and incorporated into this DPA by this reference) and completed as follows:
1. The UK Controller to Processor SCCs will apply where Vendr is processing Personal Data. The illustrative indemnification clause will not apply. Appendix 1 (Subject Matter and Details of the Processing) of this DPA serves as Appendix I of the UK Controller to Processor SCCs. Appendix 2 (Security Measures) of this DPA serves as Appendix II of the UK Controller to Processor SCCs.
iii. 2021 Standard Contractual Clauses. The parties agree that the 2021 Standard Contractual Clauses will apply to Personal Data that is transferred via the Services from the European Economic Area or Switzerland, either directly or via onward transfer, to any country or recipient outside the European Economic Area or Switzerland that is not recognized by the European Commission (or, in the case of transfers from Switzerland, the competent authority for Switzerland) as providing an adequate level of protection for Personal Data. For data transfers from the European Economic Area that are subject to the 2021 Standard Contractual Clauses, the 2021 Standard Contractual Clauses will be deemed entered into (and incorporated into this DPA by this reference) and completed as follows:
1. Module Two (Controller to Processor) of the 2021 Standard Contractual Clauses will apply where Client is a controller of Personal Data and Vendr is processing Personal Data.
2. Module Three (Processor to Processor) of the 2021 Standard Contractual Clauses will apply where Client is a processor of Personal Data and Vendr is processing Personal Data.
3. For each Module, where applicable:
a. in Clause 7 of the 2021 Standard Contractual Clauses, the optional docking clause will not apply;
b. in Clause 9 of the 2021 Standard Contractual Clauses, Option 2 will apply and the time period for prior notice of subprocessor changes will be as set forth in Section 5 (Sub-Processors) of this DPA;
c. in Clause 11 of the 2021 Standard Contractual Clauses, the optional language will not apply;
d. in Clause 17 (Option 1), the 2021 Standard Contractual Clauses will be governed by Irish law;
e. in Clause 18(b) of the 2021 Standard Contractual Clauses, disputes will be resolved before the courts of Ireland;
f. in Annex I, Part A of the 2021 Standard Contractual Clauses:
- Data Exporter: Client.
- Contact Details: The email address(es) designated by Client in Client’s account via its notification preferences.
- Data Exporter Role: The Data Exporter’s role is set forth in Section 2 (Processing of Personal Data) of this DPA.
- Signature and Date: By entering into the Master Services Agreement, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Master Services Agreement.
- Data Importer: Vendr, Inc.
- Contact details: Vendr Privacy Team – privacy@vendr.com
- Data Importer Role: Data Processor.
- Signature and Date: By entering into the Services Agreement, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the Services Agreement.
g. in Annex I, Part B of the 2021 Standard Contractual Clauses:
- The categories of Data Subjects are described in Appendix 1 (Details of Processing) of this DPA.
- The Sensitive Information transferred is described in Appendix 1 (Details of Processing) of this DPA.
- The frequency of the transfer is a continuous basis for the duration of the Services Agreement.
- The nature of the processing is described in Appendix 1 (Subject Matter and Details of the Processing) of this DPA.
- The purpose of the processing is described in Appendix 1 (Subject Matter and Details of the Processing) of this DPA.
- The period for which the Personal Data will be retained is described in Appendix 1 (Subject Matter and Details of the Processing) of this DPA.
- For transfers to subprocessors, the subject matter, nature, and duration of the processing are set forth at https://www.vendr.com/legal.
h. in Annex I, Part C of the 2021 Standard Contractual Clauses: The Irish Data Protection Commission will be the competent supervisory authority.
i. Appendix 2 (Security Measures) of this DPA serves as Annex II of the Standard Contractual Clauses.
Appendix 1 to Schedule 2
This Appendix 1 forms part of the Clauses and must be completed and signed by the Parties.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix 1.
Data exporter
The data exporter is (please specify briefly your activities relevant to the transfer):
- The Data Exporter is the Client of Vendr’s Services as defined in the Agreement.
Data importer
The data importer is (please specify briefly your activities relevant to the transfer):
- The Data Importer is Vendr which offers services to Client through its online platform with respect to the Services.
Data subjects
The Personal Data transferred concern the following categories of Data Subjects (please specify):
- See Schedule 1 of the DPA.
Categories of data
The Personal Data transferred concern the following categories of data (please specify, tick the applicable):
- See Schedule 1 of the DPA.
Special categories of data (if appropriate)
The Personal Data transferred concern the following special categories of data (please specify, tick the applicable):
- See Schedule 1 of the DPA.
Processing operations
The Personal Data transferred will be subject to the following basic Processing activities (please specify):
- See Schedule 1 of the DPA.
On behalf of the data exporter (Client):
Name (written out in full):
Position:
Address:
Other information necessary in order for the contract to be binding (if any):
Signature……………………………………….
On behalf of the data importer (Vendr):
Name (written out in full):
Position:
Address: 501 Boylston Street, 10th Floor Boston, MA 02116, United States
Other information necessary in order for the contract to be binding (if any):
Signature……………………………………….
Appendix 2 to Schedule 2
This Appendix forms part of the Clauses and must be completed and signed by the Parties.
Description of the Technical and Organizational Security Measures implemented by the Data Importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
Vendr will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality, availability, resilience and integrity of Client Personal Data, as described in the DPA. Vendr will not materially decrease the overall security of the Services during the term.
Subprocessors will be bound to adhere to similar but not identical organizational security measures which will not fall below the level of data security as agreed herein. Any organizational security measures are subject to changes in technical standards and may be adapted accordingly. If so requested, Vendr will provide Client with a description of the then-current measures.
Vendr shall:
1. ensure that Client Personal Data can be accessed only by authorized personnel for the purposes set forth in Schedule 1 of this DPA;
2. take all reasonable measures to prevent unauthorized access to Client Personal Data through the use of appropriate physical and logical password entry controls, securing areas for data processing, and implementing procedures for monitoring the use of data processing facilities;
3. build in system and audit trails;
4. use secure passwords, network intrusion detection technology, encryption and authentication technology, secure logon procedures and malware and virus protection;
5. account for material risks that are presented by processing, for example from accidental or unlawful destruction, loss, or alteration, unauthorized or unlawful storage, processing, access or disclosure of Client Personal Data;
6. ensure pseudonymisation and/or encryption of Client Personal Data, where appropriate;
7. maintain the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
8. maintain the ability to restore the availability and access to Client Personal Data in a timely manner in the event of a physical or technical incident;
9. implement a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing of Client Personal Data;
10. monitor compliance on an ongoing basis;
11. implement commercially reasonable measures to identify vulnerabilities with regard to the processing of Client Personal Data in systems used to provide services to Client;
12. provide employee and contractor training to ensure ongoing capabilities to carry out the security measures established in policy;
13. maintain compliance with appropriate system and operating controls.
On behalf of the data exporter (Client):
Name (written out in full):
Position:
Address:
Other information necessary in order for the contract to be binding (if any):
Signature……………………………………….
On behalf of the data importer (Vendr):
Name (written out in full):
Position:
Address: 501 Boylston Street, 10th Floor, Boston, MA 02116, United States
Other information necessary in order for the contract to be binding (if any):
Signature……………………………………….
Schedule 3
Jurisdiction Specific Terms
1. Australia:
1.1. The definition of “Applicable Data Protection Law” includes the Australian Privacy Principles and the Australian Privacy Act (1988).
1.2. The definition of “Personal Data” includes “Personal Information” as defined under Applicable Data Protection Law.
1.3. The definition of “Sensitive Data” includes “Sensitive Information” as defined under Applicable Data Protection Law.
2. Brazil:
2.1 The definition of “Applicable Data Protection Law” includes the Lei Geral de Proteção de Dados (LGPD).
2.2 The definition of “Data Processor” includes “operator” as defined under Applicable Data Protection Law.
3. Canada:
3.1. The definition of “Applicable Data Protection Law” includes The Federal Personal Information Protection and Electronic Documents Act (PIPEDA).
3.2. Vendr’s subprocessors, as described in Schedule 1 of this DPA, are Third Parties under Applicable Data Protection Law, with whom Vendr has entered into a written contract that includes terms substantially similar to this DPA. Vendr has conducted appropriate due diligence on its subprocessors.
3.3. Vendr will implement technical and organizational measures as set forth in Section 3 (Security) of this DPA.
4. Israel:
4.1 The definition of “Applicable Data Protection Law” includes the Protection of Privacy Law (PPL).
4.2 The definition of “Data Controller” includes “Database Owner” as defined under Applicable Data Protection Law.
4.3 The definition of “Data Processor” includes “Holder” as defined under Applicable Data Protection Law.
4.4 Vendr will require that any personnel authorized to process Client Personal Data comply with the principle of data secrecy and have been duly instructed about Applicable Data Protection Law. Such personnel sign confidentiality agreements with Vendr in accordance with Section 3 (Security) of this DPA.
4.5 Vendr must take sufficient steps to ensure the privacy of Data Subjects by implementing and maintaining the security measures as specified in Section 3 (Security) of this DPA and complying with the terms of the Agreement.
4.6 Vendr must ensure that the personal data will not be transferred to a subprocessor unless such subprocessor has executed an agreement with Vendr pursuant to Section 4 (Subprocessing) of this DPA.
5. Japan:
5.1 The definition of “Applicable Data Protection Law” includes the Act on the Protection of Personal Information (APPI).
5.2 The definition of “Personal Data” includes “Personal Information” as defined under Applicable Data Protection Law.
5.3 The definition of “Data Controller” includes “Business Operator” as defined under Applicable Data Protection Law. As a Business Operator, Vendr is responsible for the handling of Personal Data in its possession.
5.4 The definition of “Data Processor” includes a business operator entrusted by the Business Operator with the handling of personal data in whole or in part (also a “trustee”), as described under Applicable Data Protection Law. As a trustee, Vendr will ensure that the use of the entrusted Personal Data is securely controlled.
6. Singapore:
6.1 The definition of “Applicable Data Protection Law” includes the Personal Data Protection Act 2012 (PDPA).
6.2 Vendr will process personal data to a standard of protection in accordance with the PDPA by implementing adequate technical and organizational measures as set forth in Section 3 (Security) of this DPA and complying with the terms of the Agreement.
7. United Kingdom:
7.1 References in this DPA to GDPR will to that extent be deemed to be references to the corresponding laws of the United Kingdom (including the UK GDPR and the Data Protection Act 2018).
7.2 The Standard Contractual Clauses will also apply to Client in the United Kingdom as data exporter and to Vendr as data importer for Transfers of Personal Data to countries that are not deemed to have an adequate level of data protection under the United Kingdom's Applicable Data Protection Law.
8. United States - California:
8.1 The definition of “Applicable Data Protection Law” includes the California Consumer Privacy Act of 2018 (CCPA), including any amendments and any implementing regulations thereto that become effective on or after the effective date of this Data Processing Addendum, including, without limitation, the California Privacy Rights Act of 2020 (CPRA).
8.2 The definition of “Data Controller” includes “Business” as defined under Applicable Data Protection Law.
8.3 The definition of “Data Processor” includes “Service Provider” as defined under Applicable Data Protection Law.
8.4 The definition of “Personal Data” includes “Personal Information” as defined under Applicable Data Protection Law and, for clarity, includes any Personal Information contained within Client Personal Data.
8.5 The definition of “Data Subject” includes “Consumer” as defined under Applicable Data Protection Law. Any Data Subject rights, as described in Section 5 (Data Rights Requests) of this DPA, apply to Consumer rights.
8.6 Vendr will Process, retain, use, and disclose Personal Data only as necessary to provide the Services under the Agreement, which constitutes a business purpose. Vendr agrees not to (a) sell (as defined by the CCPA) Client Personal Data or Client end users’ Personal Data; (b) retain, use, or disclose Client Personal Data for any commercial purpose (as defined by the CCPA) other than providing the Services; or (c) retain, use, or disclose Client Personal Data outside of the scope of the Agreement. Vendr shall notify Client if it determines that it cannot meet its obligations under the CPRA. Upon receiving written notice from Client that Vendr has Processed Client Personal Data without authorization, Vendr will terminate such Processing.
8.7 Vendr certifies that its subprocessors, as listed in Schedule 1 of this DPA, are Service Providers under Applicable Data Protection Law, with whom Vendr has entered into a written contract that includes terms substantially similar to this DPA. Vendr conducts appropriate due diligence on its subprocessors.
8.8 Vendr will implement and maintain reasonable security procedures and practices appropriate to the nature of the Personal Data it Processes as set forth in Section 3 (Security) of this DPA.
8.9 Vendr will not combine Client Personal Data that it receives from, or on behalf of, Client with Personal Data it receives from, or on behalf of, another person, subject to the exceptions set forth under the CPRA, including that Vendr may combine such Client Personal Data to perform any business purposes defined in applicable CPRA regulations.