Data Processing Addendum

Last updated: February 6, 2023

This Data Processing Addendum (the “DPA” or “Addendum”) amends and forms part of the Bill.com, LLC’s Terms of Service (or a successor site designated by BILL) and/or other agreement(s) (collectively, the “Agreement”) between you (“Customer”) and Bill.com, LLC and its Affiliates (“BILL”) governing your use of BILL’s standard offering for bill payment and payment processing, invoicing and other cash flow management services that BILL makes generally available at www.bill.com, as such is updated from time to time (the “BILL Service”). This DPA shall apply to the extent Your User Data (as defined in the BILL Terms of Service) includes any “Personal Data,” as that term is defined below. This DPA shall be effective as of the date set forth above.

1.   Definitions

1.1   “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.


1.3   “CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (Cal. Civ. Code §§ 1798.100 et seq.), and any related regulations or guidance issued by the California Attorney General or the California Privacy Protection Agency.

1.4   “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

1.5   “Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy which applies to the respective party in the role of Processing Personal Data in question under the Agreement, including without limitation European Data Protection Laws and the CCPA, in each case as amended, repealed, consolidated, or replaced from time to time.

1.6   “Data Subject” means the identified or identifiable individual to whom Personal Data relates.

1.7   “End Customer” means any individual or entity that Customer pays or is paid by through the BILL Service.

1.8   “End Customer Data” means Personal Data relating to an End Customer. California End Customer Data means California Personal Information consisting of End Customer Data. European End Customer Data means European Data consisting of End Customer Data.

1.9   “Europe” means the European Union, the European Economic Area and/or their member states, Switzerland, and the United Kingdom.

1.10   “European Data” means Personal Data that is subject to the protection of European Data Protection Laws.

1.11   “European Data Protection Laws” means data protection laws applicable in Europe, including (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“EU General Data Protection Regulation” or “GDPR”); (ii) GDPR as it forms part of the United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); and (iii) Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance; in each case, as may be amended, superseded, or replaced.

1.12   “Personal Data” means information relating to an identified or identifiable individual.

1.13   “Personal Data Breach” means any confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed.

1.14   “Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction or erasure of Personal Data.

1.15   “Processor” means a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller.

1.16   “Standard Contractual Clauses” means: (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”) and (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR (“UK SCCs”).

1.17   “Subcontractor” or “Subprocessor” means an entity engaged by a party to provide Processing services to assist in fulfilling the party’s obligations outlined in the Agreement or this DPA where such entity processes Personal Data. Subcontractors or subprocessors may include BILL affiliates or third parties.

2.   Compliance with Laws. Within the scope of the Agreement and in the use or provision of the BILL Service, the parties agree to comply with all requirements that apply under applicable Data Protection Laws with respect to the Processing of Personal Data.

3.   Confidentiality. BILL will ensure that any personnel authorized to Process Personal Data are subject to appropriate (contractual and/or statutory) confidentiality obligations with respect to that data. BILL will ensure that such confidentiality obligations survive the termination of the authorized personnel engagement.

4.   BILL's Processing of Personal Data.

4.1   BILL will collect, use, and share Personal Data as set forth in its Privacy Notice.

4.2   BILL will Process End Customer Data only for the purposes of providing the BILL Service, in accordance with Customer’s written instructions as specified in the Terms of Service and this DPA, and in accordance with applicable Data Protection Laws.

5.   Information Security. BILL will maintain commercially reasonable technical and organizational security measures and procedures designed to provide an industry-standard level of safeguards to protect the security, confidentiality, and integrity of Personal Data. Such measures are designed to protect Personal Data from loss, alteration, unauthorized access, acquisition, use, disclosure, or accidental or unlawful destruction.

6.   Personal Data Breach. In accordance with applicable Data Protection Laws, BILL will notify Customer without undue delay after becoming aware of any Personal Data Breach and will provide timely information relating to the Personal Data Breach as it becomes known or reasonably requested by Customer. At Customer’s request, BILL will promptly provide such reasonable assistance as necessary to enable Customer to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, if Customer is required to do so under applicable Data Protection Laws.

7.   Data Subject Requests. BILL agrees to promptly cooperate and provide commercially reasonable assistance to Customer to enable Customer to respond to requests from a Data Subject seeking to exercise their rights under applicable Data Protection Laws. BILL shall not respond to a Data Subject request itself, except to inform the Data Subject that they should direct their request to Customer for appropriate handling.

8.   Subcontractors. Where BILL engages any Subcontractors to Process Personal Data on its behalf, it will enter into a written contract with the Subcontractor that contains security terms substantially similar to those set out in this DPA and requires the Subcontractor to maintain the security and confidentiality of any Personal Data it Processes on BILL’s behalf.

9.   Verification of Compliance. Upon Customer’s written request, at reasonable intervals and subject to Customer agreeing to confidentiality terms, BILL will make available copies of the most recent audit report for Service Organization Controls (SOC) Type 2 (or similar report), so that Customer can verify BILL’s compliance with the audit standards against which it has been assessed, and this Data Processing Addendum.

10.   Return or Deletion of Data. On termination of the Agreement for any reason or expiry of its term, Customer will have thirty (30) calendar days to request a download of Customer’s transaction history by contacting BILL Customer Support. In the event Customer does not contact BILL Customer Support for this purpose within 30 calendar days after the end of the provision of the BILL Service, BILL will delete or de-identify Personal Data except for (i) back-ups deleted in the ordinary course, and (ii) retention as required for legal, regulatory, and compliance purposes. In the event of either (i) or (ii), BILL will continue to comply with the relevant provisions of this DPA until such data has been deleted.

11.   Additional Provisions for California Personal Information

11.1   Scope. This Section will apply only with respect to California Personal Information, if applicable to the BILL Service.

11.2   Roles of the Parties. With respect to California End Customer Data, BILL is a “Service Provider” as that term is defined in the CCPA. With respect to all other California Personal Information, the parties acknowledge and agree that they are each a “Business” as that term is defined in the CCPA.

11.3   Responsibilities. The parties agree that their respective Processing of California Personal Information under the Agreement will be consistent with the requirements of the CCPA. BILL will collect, use, and share California Personal Information as set forth in its Privacy Notice. If BILL determines that it cannot comply with this DPA or the CCPA, it will notify the Customer and allow Customer to take reasonable and appropriate steps to stop and remediate any unauthorized processing of Personal Data.

12.   Additional Provisions for European Data

12.1   Scope. This Section will apply only with respect to European Data, if applicable to the BILL Service.

12.2   Definitions. For the purposes of this section 12 these terms are defined as follows:

12.3   “Standard Contractual Clauses” means, depending on the circumstances unique to any particular Customer, any of the following:

12.3.1   “EU SCCs” which are the Standard Contractual Clauses approved by the European Commission in Implementing Decision 2021/914.

12.3.2   “UK SCCs” which are the template Addendum issued by the Information Commissioner’s Office (ICO) and laid before Parliament in accordance with S119A(1) of the Data Protection Act 2018 on 2 February 2022, as it may be revised under Section 18 of that Addendum.

12.4   Roles of the Parties. With respect to European End Customer Data, BILL is a Processor for purposes of European Data Protection Laws. With respect to all other European Data, the parties acknowledge and agree that they are each a Controller for purposes of European Data Protection Laws and that they act as independent Controllers with respect to Personal Data Processed as part of the BILL Service.

12.5   Cooperation. The parties agree to provide each other with commercially reasonable assistance with any data protection impact assessments or prior consultations with supervisory authorities or other competent data privacy authorities to the extent required by European Data Protection Laws.

12.6   Cross Border Transfer Mechanisms. If provision of the BILL Service will require transfer of European Data outside of Europe to countries which are not recognized by the European Commission as providing an adequate level of protection of Personal Data, the parties acknowledge and agree that such transfers will be made pursuant to the transfer mechanisms set forth below.

12.6.1   EU SCC-Module One (Controller to Controller) will apply where BILL is Processing European Data as a Controller.

12.6.2   EU SCC-Module Two (Controller to Processor) will apply where Customer is a Controller of European End Customer Data and BILL is a Processor of that European Data.

12.6.3   EU SCC-Module Three (Processor to Processor) will apply where Customer is a Processor of European End Customer Data and BILL is a Subprocessor of that European Data.

For each module, where applicable:

12.6.4   in Clause 7, the optional docking clause will not apply;

12.6.5   in Clause 9, Option 2 will apply, and the process for providing notice and the time period for objections to Subprocessor changes will be as set forth in Section 12.8 (Subcontractors) of this DPA;

12.6.6   in Clause 11, the optional language will not apply;

12.6.7   in Clause 17, the EU SCCs will be governed by the laws of Ireland;

12.6.8   in Clause 18(b), disputes will be resolved before the courts of Ireland.

12.6.9   In Annex I, Part A–List of Parties:

Data Exporter: Customer and its authorized Affiliates

Contact Details: Customer’s account owner email address, or the email address(es) for which Customer elects to receive privacy communications.

Data Exporter Role: The Data exporter’s role is outlined in Section 12.4 of this DPA.

Signature & Date: By entering into the DPA, Data exporter is deemed to have signed these SCCs incorporated herein, including their Annexes, as of the Effective Date.

Data Importer: BILL

Contact Details: BILL Privacy - privacy@hq.bill.com

Data Importer Role: The Data importer’s role is outlined in Section 12.4 of this DPA.

Signature & Date: By entering into the DPA, Data importer is deemed to have signed these SCCs, incorporated herein, including their Annexes, as of the Effective Date.

12.6.10   In Annex I, Part B–Description of Transfer

Categories of Data Subjects: Categories of data subjects may include exporter’s customers, employees and other business contacts.

Categories of Personal Data: Categories of personal data may include name, amount to be charged, date/time, bank account details, payment card details, CVC code, post code, country code, address, email address, fax, phone, website, card expiry date, shipping details, tax status, unique customer identifier, IP address, location, and any other data received by BILL under the Agreement.

Sensitive Data: Collection and processing of Sensitive Data is not required in connection with the provision of the BILL Service and BILL does not intentionally collect or process Sensitive Data. Customers will not provide or cause to be provided any Sensitive Data to BILL for processing under the Agreement, and BILL will have no liability whatsoever for Sensitive Data, whether in connection with a Personal Data Breach or otherwise. As used herein, “Sensitive Data” means Personal Data (i) revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, (ii) that is genetic data, biometric data processed for the purposes of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation, (iii) relating to criminal convictions and offenses; or (iv) any other information or combinations of information that falls within the definition of “special categories of data” under GDPR or any other applicable law or regulation relating to privacy and data protection.

Frequency of Transfer: Transfers may be continuous for the duration of the Agreement.

Nature of Processing: The nature of processing is as set forth in the Agreement to provide the BILL Service.

Purposes of the Data Transfer and Further Processing: The purpose of transfer may include performance of BILL Service, fraud detection, compliance with applicable laws, and any other purpose set forth in this DPA.

Data Retention Period: The data importer will retain the data as described in section 10 of this DPA.

12.6.11   In Annex I, Part C–Supervisory Authority

In accordance with Clause 13(a) of the EU SCCs: where the data exporter is established in an EU Member State, the supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority. Where the data exporter is not established in an EU Member State, but falls within the territorial scope of the GDPR pursuant to Article 3(2) and has appointed a representative pursuant to Article 27 of the GDPR, the supervisory authority of the Member State where the representative is established shall act as the competent supervisory authority. Where the data exporter is not established in an EU Member State, but falls within the territorial scope of the GDPR pursuant to Article 3(2) and has not appointed a representative pursuant to Article 27 of the GDPR, the Irish Data Protection Commission shall act as the competent supervisory authority. Where the data exporter is established in the UK, the Information Commissioner’s Office shall act as the competent supervisory authority.

12.6.12   In Annex II, Technical and Organizational Measures to Ensure The Security of Data

BILL will maintain administrative, physical, and technical safeguards to protect the confidentiality, integrity, and security of Personal Data as set forth in sections 3 and 5 of this DPA.

12.7   With respect to transfers of Personal Data protected by the UK GDPR, the UK SCCs will apply as set forth herein, with the following modifications:

12.7.1   Table 1 of the UK SCCs: The Parties’ details shall be the Parties and their affiliates to the extent any of them is involved in such transfer. The Key Contacts shall be the individual signatories below.

12.7.2   Table 2 of the UK SCCs: The Approved EU SCCs shall be the EU SCCs as executed by the Parties pursuant to this DPA.

12.7.3   Table 3 of the UK SCCs: Annex 1A – see 12.6.9 above; Annex 1B – see 12.6.10 above; Annex II – see 12.6.12 above.

12.7.4   Table 4 of the UK SCCs: Either party may end the UK SCCs when the Approved Addendum changes as set out in Section 19 of the UK SCCs.

12.8   Subcontractors. Notwithstanding the provisions of section 8, Customer provides BILL with general authorization to engage Subcontractors to Process European End Customer Data on Customer’s behalf. Upon Customer’s request, BILL will provide a list of Subcontractors Processing European End Customer Data. If Customer objects to the appointment of a Subcontractor, it must notify BILL within thirty (30) days of such notice and work in good faith with BILL to find an alternative solution.

13.   General Provisions

13.1   Amendments. Subject to section 19 of the Terms of Service, BILL may, in its sole discretion, modify, change or terminate this DPA, as reasonably determined by BILL is necessary to address the requirements of applicable Data Protection Laws.

13.2   Severability. If any individual provision of this Addendum is determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this Addendum will not be affected.

13.3   Indemnity. The indemnities arising out of or related to this Addendum are limited to those indemnities stated in the Agreement.

13.4   Limitation of Liability. BILL’s liability arising out of or related to this Addendum is subject to the provisions on limitation of liability stated in the Agreement.

13.5   Order of Precedence. With regard to the subject matter of this Addendum, in the event of inconsistencies or conflicts between this Addendum and the Agreement, the provisions of this Addendum will control. All other provisions of the Agreement apply to this Addendum.