Information Security and Data Protection Addendum

Date: October 11, 2022

This Information Security and Data Protection Addendum (the “DPA”) amends and forms part of the Standard Purchase Terms and Conditions (“Agreement”) between Bill.com, LLC and its Affiliates (“BILL”) and Supplier, as that term is defined in the Agreement (“Service Provider”). This DPA governs the manner in which BILL Information, including Personal Information and Sensitive Personal Information, shall be handled and processed by Service Provider. This DPA shall be effective as of the date of last signature by all parties (the “Effective Date”). This DPA supersedes and replaces any previous Information Security and Data Protection Addendum or other data processing agreement between BILL and Service Provider.

1.  Definitions

1.1       “Affiliate(s)” means any entity, firm or corporation, directly or indirectly through one or more intermediaries, controlling, controlled by or under common control with Bill.com, LLC, including but not limited to DivvyPay, Inc., Invoice2go, Inc., and Cimrid Pty Ltd.

1.2       “Applicable Law(s)” include, but are not limited to, the CCPA, the GDPR, and any other law, regulation, statute, or directive applicable to a party hereto or the services provided under the Agreement.

1.3       “Authorized Employees” means Service Provider’s employees who have a need to know or otherwise access BILL Information to enable Service Provider to perform its obligations under the Agreement.

1.4       “Authorized Persons” means (i) Authorized Employees; and (ii) Service Provider’s subcontractors or other agents who have a need to know or otherwise access BILL Information to enable Service Provider to perform its obligations under this DPA, and who are bound in writing by confidentiality and other obligations sufficient to protect BILL Information in accordance with the terms and conditions of this DPA.

1.5       “BILL Information” means any information about BILL or its affiliates that a Service Provider creates, receives, or distributes, or BILL otherwise controls and relates to BILL or its business, whether exchanged verbally or recorded in any form. BILL Information includes Personal Information.

1.6       “CCPA” means the California Consumer Privacy Act of 2018, as amended (Cal. Civ. Code §§ 1798.100 et seq.), and any related regulations or guidance issued by the California Attorney General.

1.7       “European Data” means Personal Information that is subject to the protection of European data protection laws, including the GDPR and the UK GDPR.

1.8       “GDPR” means Regulation (EU) 2016/679, the EU General Data Protection Regulation, including as implemented or adopted under the laws of the United Kingdom (“UK GDPR”).

1.9       “Personal Information” means BILL Information that relates to, or can be used to identify, an individual person (e.g., name, phone number, mailing address, email address). In addition, for purposes of this DPA, the term “personal information” as used under the CCPA and the term “personal data” as used under the GDPR constitute Personal Information hereunder. Sensitive Personal Information (see definition below) is a subset of Personal Information that is subject to stricter limits on its collection, use, and protection. For the purposes of this DPA, information about an individual in the business context is considered Personal Information. For example, business contact information is considered Personal Information.

1.10       “Sensitive Personal Information” means information that is subject to specific processing provisions as defined by the Applicable Laws and includes information that (i) can be used to steal an individual’s identity or gain unauthorized access to an individual’s assets or accounts (e.g., government-issued identification number, such as Social Security number or driver’s license number; financial information, such as account number or credit card number; online login credentials, such as online password or answer to a security question; genetic or biometric information); (ii) may be considered particularly intimate, embarrassing, or damaging to an individual (e.g., geolocation information, health information, background check results); or (iii) reveals racial or ethnic origin, political opinion or affiliation, religious or philosophical beliefs, trade union membership, details about sex life or sexual orientation, criminal convictions and offenses. Sensitive Personal Information includes any information which, if subject to a Data Breach, would require, under Applicable Law, notification to any U.S. state or federal regulatory agency or EU supervisory authority. All requirements for Personal Information apply to Sensitive Personal Information, except where additional requirements are specified for Sensitive Personal Information.

1.11       “Standard Contractual Clauses” means: (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”) and (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR (“UK SCCs”).

2.  Data Handling and Access

2.1       Compliance. Service Provider will comply with the terms of this DPA, any data protection DPAs entered into between the parties, and all Applicable Laws, policies, rules and regulations relating to the collection or use of Personal Information. Service Provider agrees to impose and enforce compliance of this DPA on all its employees, contractors, and third-party service providers with access to Personal Information.

2.2       Handling procedures. Service Provider has documented handling procedures designed to implement technical and organizational measures to protect BILL Information consistent with all Applicable Laws and this DPA. Service Provider will train its employees, contractors, and third-party service providers on and will implement these procedures to keep and maintain BILL Information in strict confidence, using a degree of care as is appropriate to avoid unauthorized access, collection, use, sharing, retention/destruction, or disclosure.

2.3       No sale or sharing. Service Provider will not use, sell, rent, lease, transfer, distribute or otherwise disclose or share BILL Information for Service Provider’s own purposes or for the benefit of anyone other than BILL, without BILL’s prior written consent.

2.4       Purpose limitation. Service Provider shall under no circumstances collect, access, use, store, destroy, reproduce, disclose, or otherwise handle or process BILL Information other than as specifically authorized by this DPA or the Agreement. Should Service Provider become legally obligated to handle BILL Information other than as permitted by this DPA or the Agreement, it shall, unless legally prohibited from doing so, first provide written notice to BILL.

2.5       Limited to Authorized Persons. Access to BILL Information stored on Service Provider’s systems and with Service Provider’s third-party providers must not be granted to members of Service Provider’s staff, subcontractors, or other agents, unless the following conditions are met:

  1. The staff member, subcontractor, or other agent is an Authorized Person;

  2. The Authorized Person requesting the access can be uniquely identified (e.g., by a unique user ID);

  3. The Authorized Person requesting the access has entered a correct password or other authorizing token to indicate that he/she is an authorized user with permitted access to the BILL Information. If passwords are the only method used for authentication, they must satisfy certain minimal standards mutually agreeable to BILL and Service Provider (e.g., eight characters minimum length, required use of special- and/or mixed-case characters, no words that could be found in a dictionary, and required to be changed every ninety (90) days) that make them sufficiently robust to effectively resist both educated guessing and brute-force attacks;

  4. In all cases, access permissions must be established in a manner that allows only for the minimum access level(s) required for each Authorized Person to perform their job function. The ability to read, write, modify or delete BILL Information must be limited to those individuals who are specifically authorized to perform those data maintenance functions and limited to the specific data elements that are needed to perform their job function;

  5. The date, time, requestor, and nature of the Authorized Person’s access (i.e., read-only or modify) has been recorded in a log file; and

  6. Procedures are in place to modify or revoke access permissions to BILL Information when Authorized Employees leave Service Provider or when their job responsibilities change and when other Authorized Persons should no longer have access to BILL Information.

2.6       Firewalls. BILL Information stored on Service Provider’s systems, whether on premises or cloud-based, must be stored behind firewalls with access to such data limited as described in the Authorized Persons section above. Firewall management must follow a process that includes restriction of administrative access, and that is documented, reviewed, and approved, with management oversight, on a periodic basis.

2.7       Customer access control. Passwords used by BILL’s customers are not

2.8       Encryption:

  1. Encryption of Sensitive Personal Information and other specific BILL Information. Service Provider must always encrypt Sensitive Personal Information, encryption keys, beneficiary information, and tax return information when it is stored on Service Provider's systems, whether on premises or cloud-based, as well as in transit.

  2. Other encryption. In addition, Service Provider must encrypt all Personal Information stored on laptops or other portable devices.

  3. Encryption standards. At a minimum, financial services industry-standard encryption techniques must be employed to safeguard BILL Information in Service Provider's systems from retrieval by persons who are not Authorized Persons. Service Provider shall adopt best practices in its industry where appropriate. Whenever possible, message digest algorithms such as SHA-256 (or such other standards as BILL reasonably requests from time to time) shall be used to hash and verify the user's password, and “salt” shall be added to the input string prior to encoding to ensure that the same password text chosen by different users will yield different encodings.
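The salted-hash requirement in the "Encryption standards" clause above, shown as an added Python illustration that is not part of this DPA and not code from BILL or any Service Provider: each user gets a random per-user salt, the salt is mixed into the input before SHA-256 is applied, and verification recomputes the digest and compares it in constant time. The `sha256$<salt>$<digest>` record layout and the 16-byte salt length are assumptions chosen for the example, not values the DPA specifies.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed per-user salt length (128 bits); the DPA does not fix a length.
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a password.

    A fresh random salt is drawn unless one is supplied (a caller supplies the
    stored salt only when re-computing a digest for verification). Because the
    salt is prepended to the password bytes before hashing, two users who pick
    the same password end up with different stored digests.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return salt, digest


def verify_password(password: str, salt: bytes, expected_digest: bytes) -> bool:
    """Recompute the salted digest and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected_digest)


def make_record(password: str) -> str:
    """Encode salt and digest into one storable string (assumed record layout)."""
    salt, digest = hash_password(password)
    return "sha256$" + salt.hex() + "$" + digest.hex()


def check_record(password: str, record: str) -> bool:
    """Parse a stored record and verify the candidate password against it."""
    parts = record.split("$")
    if len(parts) != 3 or parts[0] != "sha256":
        return False
    return verify_password(password, bytes.fromhex(parts[1]), bytes.fromhex(parts[2]))


def same_password_differs_across_users(password: str) -> bool:
    """Show the clause's goal: identical passwords, distinct salts and digests."""
    salt_a, digest_a = hash_password(password)
    salt_b, digest_b = hash_password(password)
    return salt_a != salt_b and digest_a != digest_b


if __name__ == "__main__":
    # Constructed sample: two users choose the same password.
    record_one = make_record("correct horse battery staple")
    record_two = make_record("correct horse battery staple")
    print(record_one)
    print(record_two)
    print("records differ:", record_one != record_two)
    print("verify ok:", check_record("correct horse battery staple", record_one))
    print("wrong password rejected:", not check_record("wrong", record_one))
```

A single SHA-256 pass is fast by design, so where BILL requests a stronger standard under this clause the usual upgrade is an iterated, salted construction built on the same hash, such as PBKDF2-HMAC-SHA256 via `hashlib.pbkdf2_hmac`, which keeps the salt and verification flow above unchanged.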

2.9       Access to printed material. Printed material that contains BILL Information must be stored in secured areas to which access is limited to those Authorized Employees who have a business need to access it. It must also be disposed of in a secure manner. At a minimum, financial services industry-standard protections must be employed to ensure the secure storage and destruction of printed BILL Information. Whenever possible, secure disposal alternatives such as on-site shredding prior to recycling or placement in publicly-accessible trash bins with subsequent off-site shredding by a licensed contractor shall be implemented.

2.10       Data elements processed by Service Provider. See Appendix A for a chart listing the BILL data elements processed by Service Provider hereunder.

3. Transmission of BILL Information

3.1       Security of transmission. Except as restricted by law, Service Provider must not electronically transmit BILL Information over publicly-accessible networks without using industry best practices (e.g., data in transit encryption in line with industry standards) or another mechanism that affords similar or greater security and confidentiality.

3.2       HTTP requests. BILL Information must never be passed in a URL (e.g., using a GET method) in a manner that potentially exposes the information to third parties and causes such information to appear in log files.

3.3       In email. Service Provider shall only send BILL Information in an email message over publicly-accessible networks if one of the following conditions is met:

  1. The email message is between representatives of Service Provider and representatives of BILL;

  2. The content of the email has been approved in advance by BILL; or

  3. The email is encrypted using a previously-approved encryption mechanism or is otherwise made secure with an approach that has been mutually agreed upon in advance by BILL and Service Provider.

4. Maintaining Secure Environment

4.1       Backups. To protect the accuracy and integrity of BILL Information, all such data must be backed up by Service Provider regularly (no less often than weekly unless otherwise stipulated in this DPA or the Agreement), and the backups stored in secure, environmentally-controlled, limited-access facilities.

4.2       Vulnerability scans. Service Provider must run internal and external network vulnerability scans at least monthly and after any change in the network configuration (e.g., new system component installations, changes in network topology, firewall rule modifications, or product upgrades).

4.3       Security fixes. Service Provider must promptly install any security-related fixes identified by its hardware or software vendors, if the security threat being addressed by the fix is one that threatens the privacy or integrity of any BILL Information covered by this DPA or the Agreement in which this DPA is incorporated. Such upgrades must be made as soon as they can safely be installed and integrated into Service Provider’s existing architecture and systems.

4.4       Security threats. BILL may, from time to time, advise Service Provider of recent security threats that have come to its attention, and require Service Provider to implement specific modifications to its software, policies, or procedures that may be necessary to counter these threats. Service Provider will implement these modifications within a mutually-agreed time, or must obtain written permission from BILL to take some other course of action to ensure that the privacy and integrity of any BILL Information is preserved.

4.5       Monitoring. Notwithstanding the minimum standards set forth in this DPA, Service Provider should monitor and periodically incorporate reasonable industry-standard security safeguards, such as ISO 27001 or similar Information Security Management System (“ISMS”) standards. Such security safeguards will be at least as protective as the security requirements set forth in the Agreement. Upon request, Service Provider shall provide copies of relevant external ISMS certifications, audit report summaries and/or other documentation reasonably required by BILL to verify Service Provider’s compliance with this DPA.

5. Reviews, Audits and Remedies

5.1       SOC reviews and penetration tests. At least annually, Service Provider agrees to, at its own cost and expense, have a qualified independent third party: (i) conduct a review or assessment and provide a full attestation, review or report under (a) SSAE 18 (Statement on Standards for Attestation Engagements No. 18) SOC (Service Organization Control) 1 Type II and (b) SOC 2 Type II; and (ii) conduct and provide a full report of a network and application penetration test. Service Provider agrees to mitigate or correct all exceptions in such attestations, reviews, and reports within a mutually agreed upon timeframe; and upon BILL's request, promptly provide BILL with the status of the remediation efforts.

5.2       Records and audit. Service Provider will maintain records sufficient to demonstrate its compliance with the terms of this DPA and shall permit BILL, or a third party chosen by BILL and reasonably acceptable to Service Provider, to audit Service Provider’s books, records, facilities, computer systems, and practices relating to its obligations under this DPA upon reasonable notice and during regular business hours, and at BILL’s expense, at the locations where such records and data are maintained, for purposes of verifying Service Provider’s compliance. Notwithstanding the foregoing, if BILL in good faith believes that a threat to security exists that could affect BILL Information, Service Provider must provide BILL or its agent access immediately upon request by BILL. Such audit shall be limited to once every twelve months, unless material discrepancies are discovered during the course of review or there is an occurrence subject to notification under Section 9 below.

5.3       Correction of security-related problems. Notwithstanding any time-to-cure provision in this DPA or in the Agreement to the contrary, it shall be completely within BILL’s discretion to require correction of any demonstrated security-related problem within a shorter period of time. BILL shall provide written notice of the problem to Service Provider, and Service Provider must immediately take appropriate steps to correct the problem. If Service Provider fails to correct any demonstrated security problem within a commercially-reasonable time, considering the work that must be completed to address the problem and resulting in the material disclosure or threatened disclosure of BILL Information, BILL may instruct Service Provider to take such interim measures as necessary to protect BILL Information. If Service Provider fails or refuses to take those interim and/or permanent measures which are necessary to prevent the material disclosure of BILL Information within a commercially-reasonable time, BILL may terminate the Agreement(s) between BILL and Service Provider for cause.

6. Termination Obligations

Within ten (10) days after the expiration or termination of the Agreement, Service Provider shall return to BILL or destroy upon BILL’s written request all BILL Information (including copies) in a manner that renders such information unrecoverable and certify that it has complied with the foregoing in writing. Notwithstanding the foregoing or anything to the contrary herein, i) Service Provider may retain information to the extent required to comply with applicable legal and regulatory requirements, subject to its confidentiality obligations herein and in such event Service Provider shall isolate and protect the Personal Information from any further processing except to the extent required by such law or regulation, and ii) Processor shall relay Controller’s instructions in writing and cc’ing Controller, to any and all Sub-processors.

7. Compliance with Applicable Laws and Regulations

7.1       Compliance with laws. In addition to any compliance requirements provided in the Agreement, Service Provider will at all times be in compliance with and shall not violate any applicable privacy and security related international, national, or state and local statutes, laws, rules or regulations.

7.2       CCPA compliance. Service Provider and BILL shall comply, when applicable, with their respective obligations under the CCPA.

  1. As used in this section 7.2, “personal information,” “consumer,” “sell,” “business purpose,” “commercial purpose,” and “verifiable consumer request” will have the meaning given to those terms in the CCPA.

  2. General. The parties acknowledge and agree that: (i) Service Provider does not receive Personal Information, or access to it, as valuable consideration for providing services to BILL under the Agreement and (ii) Service Provider shall collect, receive, access, retain, use, disclose, or otherwise process Personal Information on behalf of BILL solely for the business purpose of providing the services to BILL and in accordance with the terms and conditions of this DPA.

  3. Data processing obligations. Service Provider shall not, directly or indirectly: (i) sell Personal Information; (ii) collect, access, retain, use, disclose, or otherwise process Personal Information: (a) for any purpose other than for the specific business purpose of performing the services specified in the Agreement; (b) for a commercial purpose other than providing BILL the services specified in the Agreement; or (c) outside the direct business relationship between BILL and Service Provider; or (iii) attempt to or actually re-identify any previously aggregated, de-identified, or anonymized Personal Information and Service Provider shall contractually prohibit permitted downstream data recipients from attempting to or actually re-identifying such data.

  4. Certification. Service Provider certifies that it understands the foregoing restrictions in subsection 7.2(c) and will comply with them.

  5. Subcontractors. The parties agree that, to the extent permitted under the Agreement, Service Provider may use subcontractors to provide all or part of the services, provided that, to the extent any such engagement involves the collection, access, retention, use, disclosure, or other processing of Personal Information: (i) Service Provider shall provide BILL with a list that includes: (a) the name, address and contact information of each such subcontractor; (b) the type(s) of services provided by each such subcontractor; and (c) the categories of Personal Information disclosed, made available or otherwise processed by each such subcontractor; (ii) Service Provider does not make any disclosures to any subcontractor that would be considered a sale under the CCPA; (iii) Service Provider ensures that the arrangement between each subcontractor and Service Provider is governed by a written contract that includes terms substantially similar, but no less restrictive, as those set forth in this section about CCPA compliance; and (iv) Service Provider remains fully liable to BILL for each subcontractor's performance of the obligations set forth in these sections about CCPA compliance.

  6. Assistance with CCPA obligations. Service Provider shall: (i) upon BILL’s written request, reasonably assist BILL in fulfilling BILL’s obligation to respond to a verifiable consumer request under the CCPA; and (ii) if Service Provider receives a verifiable consumer request related to any Personal Information, immediately notify BILL in writing and shall not respond to any such verifiable consumer request, except as may be instructed by BILL in writing or as required by applicable law.

  7. Subpoenas and Court Orders. If Service Provider receives a subpoena, court order, warrant or other legal demand from a third party (including law enforcement or other public or judicial authorities) seeking the disclosure of Personal Information, Service Provider shall not disclose any information but shall immediately notify BILL in writing of such request, and reasonably cooperate with BILL if it wishes to limit, challenge or protect against such disclosure, to the extent permitted by applicable laws.

  8. Data Protection Impact Assessments (“DPIA’s”). To the extent Service Provider is required under Applicable Laws, Service Provider will assist BILL to conduct a DPIA and, where legally required, consult with applicable data protection authorities in respect of any proposed processing activity that presents a high risk to data subjects.

7.3       GDPR compliance. Service Provider and BILL shall comply, when applicable, with their respective obligations under the GDPR.

  1. Roles of the Parties. The parties agree that for the purposes of this Section 7.3, BILL is a “Controller” and Service Provider is a “Processor” as those terms are defined in the GDPR.

  2. Data Controller Instructions. Notwithstanding anything in the Agreement to the contrary, Processor will only Process Personal Data on documented instructions from Controller, including with regard to transfers of Personal Information to a third country or an international organization, unless required to do so by applicable law to which Processor is subject. Processor will promptly inform Controller if following Controller’s instructions would result in a violation of Applicable Law or where Processor must disclose Personal Information in response to a legal obligation (unless the legal obligation prohibits Processor from making such disclosure). For avoidance of doubt, Controller’s documented instructions include the Agreement and this DPA.

  3. Cross-Border Transfers Mechanisms–EU. The parties agree that if the provision of the services under the Agreement will require the transfer of European Data outside of Europe to countries which are not recognized by the European Commission as providing an adequate level of protection of Personal Information, such transfers will be made pursuant to the transfer mechanisms outlined in Module Two of the EU SCCs.

    Specifically: (1) in Clause 7, the optional docking clause will not apply; (2) in Clause 9, Option 2 will apply, subject to section 7(e) of this DPA; (3) in Clause 11, the optional language will not apply; (4) in Clause 17, the EU SCCs will be governed by the laws of Ireland; (5) in Clause 18(b), disputes will be resolved before the courts of Ireland.

    In Annex I, Part A-List of Parties:

    Data Exporter: BILL and its Affiliates
    Contact Details: BILL Privacy - privacy@hq.bill.com;
    Data Exporter Role: As outlined in Section 7(d)(a) of this DPA.
    Signature & Date: By entering into the DPA, BILL is deemed to have signed these SCCs incorporated herein, including the Annexes, as of the Effective Date.
    Data Importer: Service Provider
    Contact Details: Service Provider’s email address, or the email address(es) for which Service Provider elects to receive privacy communications.
    Data Importer Role: As outlined in Section 7(d)(a) of this DPA.
    Signature & Date: By entering into the DPA, Service Provider is deemed to have signed these SCCs, incorporated herein, including the Annexes, as of the Effective Date.

    In Annex I, Part B–Description of Transfer

    Categories of Data Subjects: Categories of data subjects may include exporter’s customers, employees and other business contacts.

    Categories of Personal Data: See Appendix A for a chart listing the Controller data elements processed by Processor hereunder.

    Frequency of Transfer:  Transfers may be continuous for the duration of the Agreement.

    Nature of Processing: The nature of processing is as set forth in the Agreement.

    Purposes of the Data Transfer and Further Processing: The purpose of transfer may include performance of Service, fraud detection, compliance with applicable laws, and any other purpose set forth in the Agreement or this DPA.

    Subcontractors: The parties agree upon a general authorization to engage Sub-processors to process European Data on Controller’s behalf. Upon Controller’s request, Processor will provide a list of Sub-Processors processing European Data. If the Controller objects to the appointment of a Sub-Processor, it must notify the Processor within thirty (30) days of such notice and the Processor will work in good faith with the Controller to find an alternative solution.

    Data Retention Period: The data importer will retain the data as described in section 6 of this DPA.

    In Annex I, Part C-Supervisory Authority

    In accordance with Clause 13(a) of the EU SCCs, the supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated, shall act as competent supervisory authority. Where the data exporter is not established in an EU Member State, but falls within the territorial scope of the GDPR pursuant to Article 3(2) and has appointed a representative pursuant to Article 27 of the GDPR, the supervisory authority of the Member State where the representative is established shall act as the competent supervisory authority. Where the data exporter is not established in an EU Member State, but falls within the territorial scope of the GDPR pursuant to Article 3(2) and has not appointed a representative pursuant to Article 27 of the GDPR, the Irish Data Protection Commission shall act as the competent supervisory authority. Where the data exporter is established in the UK, the Information Commissioner’s Office shall act as the competent supervisory authority.

    In Annex II, Technical and Organizational Measures to Ensure The Security of Data

    Processor will maintain administrative, physical, and technical safeguards to protect the confidentiality, integrity, and security of Personal Data as set forth in this DPA.

  4. Cross-Border Transfers Mechanisms–UK

    With respect to transfers of Personal Information protected by the UK GDPR, the EU SCCs will apply as set forth herein, with the following modifications:

    Any references in the EU SCCs to "Directive 95/46/EC" or "Regulation (EU) 2016/679" shall be interpreted as references to the UK GDPR; references to specific articles of "Regulation (EU) 2016/679" are replaced with the equivalent Article or Section of UK GDPR;

    References to "EU", "Union" and "Member State law" are all replaced with "UK"; Clause 13(a) and Part C of Annex I of the EU SCCs are not used; references to the "competent supervisory authority" and "competent courts" shall be interpreted as references to the Information Commissioner and the courts of England and Wales;

    Clause 17 of the EU SCCs is replaced to state that "The Clauses are governed by the laws of England and Wales" and Clause 18 of the EU SCCs is replaced to state "Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts."

  5. Sub-Processors. To the extent permitted under the Agreement, Processor may use Sub-processors to provide all or part of the services with the prior written consent of Controller upon at least 30 days prior written notice to Controller, provided that, to the extent any such engagement involves the collection, access, retention, use, disclosure, or other processing of Personal Information: (i) Processor shall provide Controller with a list that includes: (a) the name, address and contact information of each such Sub-processor; (b) the type(s) of services provided by each such Sub-processor; and (c) the categories of Personal Information disclosed, made available or otherwise processed by each such Sub-processor; (ii) the arrangement between each Sub-Processor and Processor is governed by a written contract that includes terms substantially similar, but no less restrictive, as those set forth in this section about GDPR compliance; and (iii) where a Sub-processor fails to fulfill its data protection obligations, Processor will remain fully liable to Controller for the performance of that Sub-processor’s obligations. Where Processor engages a Sub-processor for carrying out specific Processing activities on behalf of Controller, the same data protection obligations as set out in this DPA will be imposed on that Sub-processor by way of a contract or other legal act under EU, or Member State law, or the UK law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of the applicable data protection laws.

  6. Data Protection Impact Assessments (“DPIAs”). Processor will cooperate to the extent reasonably necessary in connection with Controller’s requests related to data protection impact assessments and consultation with supervisory authorities as well as for the fulfillment of Controller’s obligation to respond to requests for exercising a data subject’s rights in Chapter III of the GDPR. In particular, (a) upon a request issued by a supervisory authority for records regarding Personal Data, Processor will cooperate to provide the supervisory authority with records related to Processing activities performed on Controller’s behalf, including information on the categories of Personal Data Processed and the purposes of the Processing, the use of service providers with respect to such Processing, any data disclosures or transfers to third parties and a general description of technical and organizational measures to protect the security of such data and (b) Processor has implemented and will maintain appropriate technical and organizational measures needed to enable Controller to respond to requests from data subjects to access, correct, transmit, limit processing of, or delete any relevant Personal Data held by Processor.

  7. If Processor receives a subpoena, court order, warrant or other legal demand from a third party (including law enforcement or other public or judicial authorities) seeking the disclosure of Personal Data, Processor shall not disclose any information but shall immediately notify BILL in writing of such request, and reasonably cooperate with BILL if it wishes to limit, challenge or protect against such disclosure, to the extent permitted by applicable laws.

8. Changes to Requirements

BILL may amend this DPA as may be required by law or otherwise. If Service Provider is not willing or is unable to meet the updated requirements of any amendment, BILL may take responsive action, including but not limited to termination of the Agreement.

9. Notifications

9.1       Data Breach notification. Upon discovery, Service Provider must notify BILL without undue delay if it knows or suspects that BILL Information has been the subject of attack, compromised, disclosed to or accessed by unauthorized persons, or used in an unauthorized manner (“Data Breach”), and if so, (i) the nature of the Data Breach; (ii) the number and categories of data records affected; (iii) the number, nationalities, and U.S. state residencies if applicable of individual consumers / data subjects affected; and (iv) confirm the name and contact information of the Service Provider SPOC in Section 10(b) below.  Additionally, Service Provider must immediately notify the BILL Security Operations Center (infosec@hq.bill.com) of any relevant, urgent security issues identified by Service Provider, including, but not limited to, ongoing denial of service attacks, actively exploited vulnerabilities, and ongoing exposure of BILL Information.

9.2       Other notifications. Immediately upon discovery, Service Provider must notify BILL (a) if there have been any complaints about Service Provider’s information and collection practices as they relate to BILL Information, (b) if there has been any material deviation from the confidentiality requirements of the Agreement or this DPA, (c) if it becomes aware or believes that any data processing instruction from BILL violates Applicable Law, (d) if it is unable to comply with BILL’s data processing instructions for any reason, and/or (e) if it is unable to comply with the terms of the Agreement as they relate to or govern the processing of Personal Data and/or the security of BILL Information for any reason.

9.3       Right to participate/control and reimbursement. Service Provider agrees that BILL shall have the right to participate in the investigation, response and/or correction of any of the above. In addition, unless otherwise required by law, BILL shall have the right (i) to reimbursement for the reasonable costs for BILL to prepare and send all notifications that are legally required or reasonably necessary (as determined in the sole discretion of BILL). At the written request of BILL, Service Provider agrees to provide, at its sole expense, credit monitoring and identity theft protection services to individuals affected by a Data Breach involving Personal Data of those individuals; and (ii) to control and direct any public communication, including but not limited to communication with BILL customers, regarding the same.

10. Contact Information

10.1       Privacy and Security Coordinator. Service Provider will designate a single point of contact as its Privacy and Security Coordinator. This Privacy and Security Coordinator will (i) be responsible for ensuring BILL Information is adequately protected, (ii) oversee Service Provider’s compliance with the requirements of this DPA, and (iii) serve as a single point of contact for communications with BILL pertaining to this DPA.

10.2       BILL and the Service Provider shall designate a single point of contact for urgent security issues (a “Security SPOC”) and provide contact information for such Security SPOC. Both parties agree that either the Security SPOC or their qualified delegate will be available at all times.

BILL Security SPOC
Name: Rinki Sethi
Email: rsethi@hq.bill.com

Service Provider Security SPOC
Name:
Email:

11. Miscellaneous

11.1       General. This DPA will be governed by the laws of the state specified in the underlying Agreement. Any failure to enforce any provision of this DPA will not constitute a waiver thereof or of any other provision. This DPA may not be amended, nor any obligation waived, except by a writing signed by both parties hereto. The obligations placed upon the Service Provider under this DPA shall survive so long as the Service Provider and/or its Sub-processors process Personal Information on behalf of BILL. The provisions contained in this DPA and its attachments, exhibits and schedules that by their context are intended to survive termination or expiration will survive. If any part of this DPA is held unenforceable, the validity of all remaining parts will not be affected.

11.2       Order of precedence. If there is a conflict between the Agreement and the DPA pertaining to the subject matter of this DPA, the DPA shall control.

11.3       Indemnity. Without limiting BILL’s indemnity rights under the Agreement, Service Provider shall also indemnify, defend, and hold harmless BILL and its respective officers, directors, employees, agents, successors, and assigns (each, a “BILL Indemnitee”) from and against any and all losses, damages, claims, actions, judgments, settlements, interest, fines, costs, or expenses of whatever kind, including reasonable attorneys’ fees (“Losses”) incurred by a BILL Indemnitee resulting from any claim, action, demand, lawsuit, arbitration, or investigation of any nature, civil, criminal, administrative, regulatory, or other, whether at law, in equity, or otherwise, to the extent that such Losses arise out of or result from, or are alleged to arise out of or result from, any violation of this DPA by Service Provider, its subcontractors, and/or their principals, employees, or contractors.

11.4       This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions set forth in the Agreement, unless otherwise required by Applicable Laws.

11.5       This DPA may be executed in two or more counterparts, each of which shall be deemed an original and all of which taken together shall be deemed to constitute one and the same document. The parties may sign and deliver this DPA by facsimile or email transmission.

Appendix A: Data Elements Processed by the Service Provider

Business Data Elements

  • Business contact information, including business name, address, phone number, and email address
  • Company details, including entity type, number of employees, business sector, date of formation, and employer ID number / taxpayer ID number
  • Adverse financial matters such as negative payments and past due experiences
  • Legal matters such as lawsuits, liens, bankruptcies, criminal proceedings, judgements and claims 
  • Ratings and scores such as risk segment score, delinquency score, failure score, viability rating, credit score or credit score range, credit history and overall risk description
  • Unique identifiers (such as BILL organization ID)
  • Other ______________________________________________________

Personal Data Elements (for Business Owner or Primary Account Holder)

  • Name and contact details relating to a person including phone number, address, and email address
  • Government issued identification number, including SSN, passport number, and driver’s license number
  • DOB
  • Login credentials, such as user name and/or password
  • Other ______________________________________________________

Business Employee Data Elements

  • Employee name and contact information, including phone number, email address, and address
  • Employee DOB
  • Transaction Details - Payment method information
  • Transaction Details - Purchase amount
  • Transaction Details - Purchase date
  • Transaction Details - Purchase location
  • Transaction Details - Receipt information

Financial Data Elements

  • Bank account number and/or routing number
  • Credit card number 
  • Payments and transactions information, including payor/payee details

Prospect Data Elements

  • Prospect name and contact information including phone number and email
  • Other Prospect details - content of communications
  • Other Prospect details - survey responses

Device Data Elements

  • Browser and device information
  • Device and connection information
  • IP address
  • Geolocation data
  • Unique device identifier and other technical identifiers
  • Error information
  • Usage data, including clickstream data, features used, settings selected, and pages visited