The terms used in this Addendum shall have the meanings set out in this Addendum. Capitalised terms not explained in this document are defined in the Commercial Terms of the Software and Services Agreement. Unless modified below, the AIQ General Terms remain in full force and effect.
The parties agree that the terms and conditions below shall be added as an Addendum to the Commercial Terms set out in the Software and Services Agreement.
In this Addendum, the following terms are defined as:
"Authorised Subprocessors" means those Subprocessors set out in Annex 2 (Authorised Subprocessors);
"Data Protection Laws" means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“EU GDPR”); (ii) in respect of the United Kingdom the Data Protection Act 2018 and the EU GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (“UK Data Protection Law”); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) the Swiss Federal Data Protection Act and its implementing regulations (“Swiss DPA”), in each case as may be amended, superseded or replaced from time to time;
"Delete" means the removal of Customer Personal Data so it cannot be recovered or reconstructed;
"EU" means the European Union;
"EU Data Protection Laws" means the Data Protection Laws of the EU or of any Member State of the European Economic Area;
"Personal Data" means any Personal Data processed by AIQ in connection with the services we provide under the Commercial Terms set out in the Software and Services Agreement;
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the Personal Data transmitted, stored or otherwise Processed;
"Relevant End Date" means the date falling on the earlier of (i) the cessation of Processing of the Customer Personal Data by AIQ; or (ii) termination of the contract between the Customer and AIQ;
"Restricted Transfer" means a transfer of Customer Personal Data by AIQ to a third party (or any onward transfer), where the transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of the Standard Contractual Clauses or other mechanisms provided by the Data Protection Laws.
For the avoidance of doubt where a transfer of Personal Data from one country to another country is of a type authorised by Data Protection Laws in the exporting country (for example in the case of transfers from within the EU to a country or scheme which is approved by the European Commission as ensuring an adequate level of protection or any transfer which falls within a permitted derogation) such transfer shall not be a Restricted Transfer for the purposes of this Addendum;
"Standard Contractual Clauses" means the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council;
"Subprocessor" means any Processor (including any third party or AIQ Affiliate) appointed by AIQ to process Customer Personal Data on behalf of a Customer or any Customer Affiliate in connection with the services we provide;
"Supervisory Authority" means (a) an independent public authority established by a Member State under Article 51 GDPR; and (b) any similar regulatory authority responsible for the enforcement of Data Protection Laws;
"Third Party" means any third party who is not an AIQ Affiliate or Subprocessor;
The terms "Controller", "Processor", "Data Subject", "Personal Data", "Process/Processing" and "Special Categories of Personal Data" shall have the same meaning as described in the Data Protection Laws.
1.1 Customer and each relevant Customer Affiliate (as Controller):
(a) appoints AIQ (as Processor) to process the Customer Personal Data and the parties agree to act in accordance with their respective obligations under the AccountsIQ General Terms; and
(b) instructs AIQ and each AIQ Affiliate (and authorises AIQ or the relevant AIQ Affiliate to instruct each Subprocessor) to:
Process the Customer Personal Data; and
subject to sections 11 (Subprocessors) and 13 (Restricted Transfers of Customer Personal Data) transfer the Customer Personal Data to any country or territory, in each case solely as reasonably necessary to perform its obligations.
1.2 In providing the Services to Customer and Customer Affiliates under the Software and Services Agreement, AIQ may process Customer Personal Data in accordance with the terms of this Addendum. AIQ agrees to comply with the following provisions for Customer Personal Data submitted by or for a Customer or any Customer Affiliate to AIQ.
1.3 Annex 1 to this Addendum sets out the subject matter and duration of the Processing, the nature and purpose of the Processing, the type of Customer Personal Data and categories of Data Subject, and the obligations and rights of the Customer and each relevant Customer Affiliate when acting as Controller, as required by Article 28(3) of the GDPR or equivalent provisions of any Data Protection Law.
1.4 In performing their obligations under the Agreement, the parties shall comply with their respective obligations under applicable Data Protection Laws in respect of their Processing of Customer Personal Data.
AIQ and each AIQ Affiliate shall not process Customer Personal Data other than on a Customer’s or relevant Customer Affiliate's documented instructions (whether in the AIQ General Terms or otherwise) unless processing is required by EU or Member State law to which AIQ or the relevant AIQ Affiliate is subject, in which case AIQ or the relevant AIQ Affiliate will inform the Customer or relevant Customer Affiliate of that legal requirement before such processing, unless that law prohibits such information on important grounds of public interest.
3.1 AIQ shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to access the relevant Customer Personal Data as strictly necessary for the purposes set out in section 3 above in the context of that individual's duties to AIQ, ensuring that all such individuals:
(a) are informed of the confidential nature of the Customer Personal Data and are aware of AIQ's obligations under this Addendum in relation to the Customer Personal Data.
(b) have undertaken appropriate training in relation to the Data Protection Laws.
(c) are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, AIQ shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate:
(a) the pseudonymisation and encryption of the Customer Personal Data.
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
(c) the ability to restore the availability and access to Customer Personal Data in a timely manner in the event of a physical or technical incident.
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
4.2 Without limitation to the generality of the foregoing, and in particular to its obligation to determine the appropriateness of any additional technical and organisational measures, and subject to any higher existing requirements in the Software and Services Agreement, AIQ shall implement and maintain each of the technical and organisational measures listed here.
4.3 In assessing the appropriate level of security, AIQ shall take account of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data transmitted, stored or otherwise processed.
5.1 AIQ shall notify each Customer and relevant Customer Affiliate, without undue delay and in any case within forty-eight (48) hours of AIQ becoming aware of or reasonably suspecting a Customer Personal Data Breach. This notification will include sufficient information to allow the Customer and any Customer Affiliate to meet any obligations to report a Customer Personal Data Breach under the Data Protection Laws. Such notification shall as a minimum:
(a) describe the nature of the Customer Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Customer Personal Data records concerned.
(b) communicate the name and contact details of the AIQ data protection officer or other relevant person to contact for more information.
(c) describe the likely consequences of the Customer Personal Data Breach.
(d) describe the measures taken, or proposed to be taken, to address the Customer Personal Data Breach.
5.2 AIQ will co-operate with the Customer and each relevant Customer Affiliate and take all reasonable commercial steps as are directed by the Customer and each Customer Affiliate to assist in the investigation, mitigation and remediation of any Customer Personal Data Breach.
5.3 AIQ will notify Customer without undue delay upon Supplier or any Subprocessor becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow each Customer Group Member to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
5.4 AIQ shall reasonably co-operate with each Customer and relevant Customer Affiliate, to the extent reasonably requested, in relation to any notifications to Supervisory Authorities or to Data Subjects required following a Customer Personal Data Breach.
6.1 AIQ shall promptly (and in any case within 5 business days) notify each Customer and relevant Customer Affiliate if it receives a request from a Data Subject under any Data Protection Laws in respect of the Customer Personal Data.
6.2 AIQ and each AIQ Affiliate shall reasonably co-operate with the Customer or any Customer Affiliate to enable Customer or any Customer Affiliate to comply with any exercise of rights by a Data Subject under any Data Protection Laws in respect of the Customer Personal Data and comply with any assessment, enquiry, notice or investigation under any Data Protection Laws in respect of the Customer Personal Data, which shall include:
(a) the provision of all data requested by the Customer or any Customer Affiliate within any reasonable timescale specified by them in each case, including full details and copies of the complaint, communication or request and any Customer Personal Data it holds about a Data Subject.
(b) where applicable, providing such assistance as is reasonably requested by a Customer or Customer Affiliate to enable them to comply with the relevant request within the timescales prescribed by the Data Protection Laws.
6.3 Taking into account the nature of the processing, AIQ shall assist any Customer and Customer Affiliate by implementing appropriate technical and organisational measures, as far as possible, so they can fulfil their obligation (as Controller in each case) to respond to requests for exercising Data Subject rights under the Data Protection Laws.
AIQ shall provide reasonable assistance to Customers and Customer Affiliates with any data protection impact assessments which are required under Article 35 GDPR or equivalent provisions of any Data Protection Law and with any prior consultations to any supervisory authority of Customer or any Customer Affiliate which are required under Article 36 GDPR or equivalent provisions of any Data Protection Law, in each case solely in relation to processing of Customer Personal Data by AIQ or any Subprocessor, and taking into account the nature of the processing and information available to AIQ.
8.1 On a Customer request, AIQ will make available information necessary to demonstrate compliance with this Addendum and allow for and contribute to audits, including inspections, by a Customer, or an auditor mandated by a Customer or any Customer Affiliate, or by a Supervisory Authority in each case provided that (except in the case of any audits required by a Supervisory Authority):
(a) AIQ is given at least 60 days’ notice and provided that such audits shall not be performed more than once in any 12 month period (unless otherwise required by a supervisory authority); and
(b) AIQ shall not be required to provide or permit access to information concerning: (i) AIQ's internal pricing information; (ii) information relating to other customers of AIQ; (iii) any AIQ's non-public external reports; (iv) any internal reports prepared by AIQ's internal audit function; or (v) anything which infringes any EU Data Protection Law.
Customer and each relevant Customer Affiliate hereby authorises AIQ to engage the Authorised Subprocessors subject to the Authorised Subprocessors meeting the conditions set out in Article 28(2) and (4) GDPR.
10.1 On termination of the contractual relation, for whatever reason, AIQ shall immediately cease to process the Customer Personal Data and shall promptly and in any event within 30 calendar days of the Relevant End Date: (a) return a complete copy of all the Customer Personal Data to Customer or relevant Customer Affiliate by secure file transfer in such format as notified by Customer and (b) Delete and procure the deletion of all other copies of the Customer Personal Data processed by AIQ or any Authorised Subprocessor.
10.2 AIQ may retain the Customer Personal Data to the extent required by EU or Member State law and only to the extent and for such period as required by such law and always provided that AIQ shall ensure the confidentiality of all such Customer Personal Data and that such Customer Personal Data is only processed as necessary for the purpose(s) specified in such law requiring its storage and for no other purpose.
AIQ warrants that:
(a) Standard Contractual Clauses are in place to legitimise all Restricted Transfers; and
(b) except in relation to any onward transfers, Annex 3 to this Addendum contains a complete and accurate list of Restricted Transfers and of the corresponding sets of Standard Contractual Clauses which have been populated and executed by the relevant parties to legitimise those Restricted Transfers.
12.1 Subject to section 14.2, the parties agree that this Addendum and the Standard Contractual Clauses shall terminate automatically upon (i) termination of the relevant AIQ General Terms; or (ii) expiry or termination of all service contracts, statements of work, work orders or similar contract documents entered into by AIQ and/or any AIQ Affiliate with the Customer and/or Customer Affiliate pursuant to the AIQ General Terms, whichever is later.
12.2 The provisions of this Addendum are supplemental to the provisions of the Software and Services Agreement and replace any existing addendum or schedule relating to the Processing of Personal Data, other than (i) terms in such existing addendum or schedule that set out obligations to implement and maintain in place, or comply with, specified IT Security requirements; and (ii) any description of Processing.
12.3 In the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Software and Services Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties to such Software and Services Agreement) agreements to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail. Where an agreement applies different data protection terms without reference to this Addendum, then any inconsistencies shall be construed so as to give the maximum possible protection to data subjects.
12.4 AIQ may notify the Customer in writing from time to time of any variations to this Addendum, including within the Standard Contractual Clauses, which are required as a result of a change in Data Protection Laws. Any such variations shall take effect on the date falling 30 (thirty) calendar days after the date such written notice is sent by AIQ to the Customer.
12.5 Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
This Annex 1 includes certain details of the Processing of the Customer Personal Data as required by Article 28(3) GDPR or equivalent provisions of any Data Protection Law.
Subject matter and duration of the Processing of the Customer Personal Data
The subject matter and duration of the Processing of the Customer Personal Data are set out in the AccountsIQ General Terms.
The nature and purpose of the Processing of the Customer Personal Data
The purpose of the data processing under this DPA is the provision of the AIQ services and the performance of AIQ’s obligations under the principal contract and this DPA or as otherwise agreed by the parties.
These purposes include, but are not limited to:
The categories of Data Subject to whom the Customer Personal Data relates
(i) current, prospective (including applicants) and former employees, contractors, agents, officers, directors and other representatives of Customer and Customer Affiliates;
(ii) shareholders of Customer and Customer Affiliates;
(iii) suppliers to, or customers of, Customer and Customer Affiliates;
The types of the Customer Personal Data to be Processed
The Customer Personal Data includes, without limitation, the following categories of data:
(i) Customer’s representative data, including work contact details (forename, middle name(s) and surname, address, telephone number and email address).
(ii) Customer’s authorised user data, including work contact details (forename, middle name(s) and surname, and email address).
(iii) Integrator representative data (Customer or third party), including work contact details (forename, middle name(s) and surname, and email address) and technical information (access key).
(iv) Accounting-related data of Customer’s employees, Customer’s customers and/or Customer’s suppliers, including work contact details (forename, middle name(s) and surname, address, telephone number and email address), bank details and accounting transaction details.
(v) Data related to staff engagement with direct users of AIQ, including work contact details (forename, middle name(s) and surname, telephone number and email address), employer details (company name, business address) and technical information (ticket ID, the operating system of the device, browser version, Group ID, Entity ID).
| Purpose | Location | SCCs in place |
|---|---|---|
| Hosting AIQ platforms | Headquarters - US (Washington); EEA storage option | |
| User engagement tool | Headquarters - US (North Carolina) | SCC - EXHIBIT A |
| User engagement tool | Headquarters - US (Delaware) | SCC - Art. 5.2/Annex I B |
| User engagement & customer communication tool | Headquarters - US (California); EEA storage option | SCC - Art. 6.3/Annex I |
| Production management tool | Headquarters - US (New York); EEA storage option | SCC - Art. 12.1 |
| Emailing deliverability services | Headquarters - US (Texas); EEA storage option | SCC - ANNEX 1 |
This Annex 3 sets out all Restricted Transfers of Personal Data between AIQ and/or any AIQ Affiliate and its Subprocessors (onward transfer).
| Full Legal Name of Data Exporter | Full Legal Name of Data Importer | Type of SCCs in place* |
|---|---|---|
| | | Processor to Processor |
| | | Processor to Processor |
| | | Processor to Processor |
| | | Processor to Processor |
| | | Processor to Processor |

* E.g.: Processor Standard Contractual Clauses