Data Processing Addendum
Last updated: January 24, 2023, v 2.2
This Data Processing Addendum (the “DPA”) is incorporated by reference into the agreement between Tesorio and the Customer (the "Agreement") regarding the Tesorio Services described in the Agreement. This DPA is supplemental to the Agreement and sets out the terms that apply when Personal Data (defined below) is processed by Tesorio under the Agreement.
Capitalized terms have the meanings provided in the Agreement except as provided here.
(1) Definitions and interpretation
“Breach” means a breach of security by Tesorio that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data processed by the Services;
“California Data Protection Law” means the California Consumer Privacy Act as amended by the California Privacy Rights Act, its associated regulations and their successors.
“Controller”, “Processor”, “Data Subject” and “Process” (whether or not capitalized) have the meanings ascribed to them by GDPR and include equivalent terms in California Data Protection Law, in each case as applicable to the Services.
“Data Protection Laws” means GDPR, UK GDPR and California Data Protection Law.
“GDPR” means the EU General Data Protection Regulation 2016/679, and its implementing legislation enacted into local law by European Union member states.
“Personal Data” means any Customer Data: (a) relating to an identified or identifiable individual, within the meaning of GDPR (regardless of whether GDPR applies), and (b) constituting “personal information” as such term is defined in California Data Protection Law.
“SCCs” or “Standard Contractual Clauses” means the Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries under GDPR, as approved by European Commission Implementing Decision 2021/914. Appendix 1 to this DPA contains certain interpretive and supplementary provisions regarding application of the Standard Contractual Clauses. The information required by Annexes 1 and 2 of the Standard Contractual Clauses is provided in Annexes A and B of this DPA.
“Security Policy” means Tesorio’s security policy available at https://security.tesorio.com/.
“Sell”, “Service Provider” and “Third Party” have the meanings provided in California Data Protection Law.
“UK GDPR” means the Data Protection Act 2018 and GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom's European Union (Withdrawal) Act 2018.
(2) Roles and Processing of Personal Data
- (2.1) General Processing Conditions. Tesorio will only process Customer Data: (a) in order to provide the Services to Customer, (b) with Customer’s prior written consent, or (c) as otherwise permitted by Data Protection Laws.
- (2.2) Confidentiality of Processing. Tesorio will treat Customer Data as Customer’s Confidential Information. Tesorio will protect the Customer Data in accordance with the confidentiality obligations in the Agreement.
- (2.3) Processing in Accordance with EU and UK Laws. With respect to Personal Data processed by Tesorio on Customer’s behalf as to which GDPR and/or UK GDPR applies: (a) Customer may be the controller of Personal Data or a processor and Tesorio will act as a processor or sub-processor, as appropriate, (b) each party will comply with the obligations that apply to it under GDPR and/or UK GDPR, and (c) Tesorio will promptly inform Customer if it becomes aware that processing requested by Customer infringes Data Protection Laws.
- (2.4) Processing in Accordance with California Law. With respect to Personal Data processed by Tesorio on Customer’s behalf as to which California Data Protection Law applies: (a) Tesorio is a Service Provider and not a Third Party, (b) Tesorio will not Sell such Personal Data; and (c) Tesorio will not retain, use or disclose such Personal Data except as described in Section 2.1. Tesorio certifies that it understands the prohibitions and limitations regarding its use and all other processing activities and related purposes as outlined in this DPA regarding Personal Data, particularly in this Section 2.4, and will comply with them.
(3) Special Undertakings of Customer
Customer undertakes to:
- (3.1) Comply with all applicable requirements of Data Protection Laws.
- (3.2) Advise Tesorio of any requirements under Data Protection Laws applicable to Customer Data other than those provided in GDPR, UK GDPR or California Data Protection Law.
- (3.3) Ensure that there is a legal ground for processing the Personal Data as envisioned under the Agreement.
- (3.4) Not instruct Tesorio to Process Personal Data in violation of Data Protection Laws.
(4) Special Undertakings of Tesorio
Tesorio undertakes to:
- (4.1) Access by Personnel. Ensure that: (a) only Tesorio personnel who must have access to the Personal Data in order to meet Tesorio’s obligations under the Agreement have access to the Personal Data, (b) such personnel have received appropriate training and instructions regarding processing of Personal Data, and (c) such personnel are subject to written agreements of confidentiality or are under an appropriate statutory obligation of confidentiality regarding Customer Data and other Customer Confidential Information.
- (4.2) Technical and Organizational Measures. Ensure that it has in place appropriate technical and organizational measures, without prejudice to Tesorio’s right to make future replacements or updates to the measures that do not lower the level of protection of Personal Data, to protect against unauthorized or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, in each case as described in the Security Policy.
- (4.3) Data Subject Access Requests. As applicable to the Service, reasonably assist Customer in responding (at Customer’s expense) to any request from a Data Subject (including “verifiable consumer requests”, as such term is defined in California Data Protection Law), relating to the Processing of Personal Data under the Agreement.
- (4.4) Breach Notice. Upon becoming aware of a Breach, Tesorio shall notify Customer without undue delay and shall provide timely information relating to the Breach as it becomes known or as is reasonably requested by Customer.
- (4.5) Data Protection Impact Assessments. Taking into account the nature of the Processing and the information available to Tesorio, Tesorio will provide reasonable assistance to and cooperation with Customer for Customer’s performance of any legally required data protection impact assessment of the Processing or proposed Processing of the Personal Data involving Tesorio, and with related consultation with supervisory authorities, by providing Customer with any publicly available documentation for the relevant Service or by complying with Section 7 (Audit Rights). Additional support for data protection impact assessments or relations with regulators may be available and would require mutual agreement on fees, the scope of Tesorio’s involvement, and any other terms that the parties deem appropriate.
(5) Subprocessors
- (5.1) Customer hereby consents to Tesorio’s appointment of certain third-party processors of Personal Data under this Agreement (“Subprocessors”). Tesorio’s current Subprocessors are listed at https://www.tesorio.com/subpro.... Tesorio confirms that it:
- (a) has entered (or, for future appointments, will enter) into a written agreement with each Subprocessor incorporating terms which are at least as protective of Personal Data provided by Customer as those set out in this DPA; and
- (b) will update the website above with any intended changes concerning the addition or replacement of Subprocessors, thereby giving Customer the opportunity to object to such changes. That website includes a self-enrollment system where Customer can add an email address to receive notices of subprocessor changes. Customer’s sole recourse if it objects to a Subprocessor will be to terminate Customer’s subscription to the Service.
(6) Transfer of Personal Data Outside of the EU/EEA
- (6.1) Consent. Tesorio may not transfer Personal Data to, or process such data in, a location outside of the European Economic Area or the UK without Customer’s prior written consent, except in compliance with Section 6.2 below (in each case a “Transfer”).
- (6.2) Compliant Transfer Mechanisms. Without prejudice to the foregoing, Customer consents to Transfers where Tesorio has implemented a Transfer solution compliant with GDPR and UK GDPR, which for example may include: (a) an adequacy decision by applicable authorities; (b) the Standard Contractual Clauses; (c) another appropriate safeguard pursuant to Article 46 of GDPR or UK GDPR equivalent; or (d) a derogation pursuant to Article 49 of GDPR or UK GDPR equivalent.
(7) Audit Rights
On written request from Customer, Tesorio shall provide written responses (on a confidential basis) to all reasonable requests for information made by Customer related to its processing of Personal Data, including responses to information security and audit questionnaires that are strictly necessary to confirm Tesorio’s compliance with this DPA, provided that Customer shall not exercise this right more than once in any rolling 12-month period. Notwithstanding the foregoing, Customer may also exercise such audit right in the event Customer is expressly requested or required to provide this information to a data protection authority, or Tesorio has experienced a Breach, or on another reasonably similar basis.
(8) General Terms
- (8.1) This DPA is part of the Agreement and is governed by its terms and conditions including limitations of liability.
- (8.2) This DPA will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement unless required otherwise by GDPR, in which case this DPA will be governed by the laws of the Republic of Ireland.
- (8.3) In the event of inconsistencies between this DPA and the SCCs, this DPA shall prevail to the extent this DPA offers a stronger privacy protection for data subjects. Otherwise, the SCCs shall apply.
APPENDIX 1: APPLICABLE STANDARD CONTRACTUAL CLAUSES AND SUPPLEMENTAL TERMS
(1) Incorporation of Standard Contractual Clauses
The parties agree that the Standard Contractual Clauses are hereby incorporated by reference into this DPA as follows:
- (1.1) Module 1: Transfer controller to controller, Clauses 1 to 6, 8 and 10 to 18 apply where Tesorio Processes Personal Data as a Controller, Tesorio and its relevant Affiliates are located in non-adequacy approved third countries, and Customer and its relevant Affiliates are established in the EEA.
- (1.2) Module 2: Transfer controller to processor, Clauses 1 to 6 and 8 to 18 apply where Tesorio Processes Personal Data as a Processor, Tesorio and its relevant Sub-Processor Affiliates are located in non-adequacy approved third countries, and Customer and its relevant Affiliates are established in the EEA.
- (1.3) Module 3: Transfer processor to processor, Clauses 1 to 6 and 8 to 18 apply where Tesorio Processes Personal Data as a Processor, Tesorio and its relevant Sub-Processor Affiliates are located in non-adequacy approved third countries, and Customer and its relevant Affiliates are established in the EEA.
(2) Standard Contractual Clause Optional Provisions
Where the Standard Contractual Clauses identify optional provisions (or provisions with multiple options) the following shall apply in the following manner:
- (2.1) Clause 7 (Docking Clause) is omitted;
- (2.2) In Clause 9(a) (Use of sub-processors) – Option 2 shall apply and the parties shall follow the process and timing agreed in the DPA to appoint sub-processors;
- (2.3) In Clause 11(a) (Redress) – the Optional provision shall NOT apply;
- (2.4) In Clause 16(b) (Suspension of transfers) if Tesorio is the data exporter it will suspend transfers of personal data only as required by law and will notify Customer as promptly as possible (before suspension if possible) so that Customer may remedy the condition requiring suspension;
- (2.5) In Clause 17 (Governing Law) – the laws of the Republic of Ireland shall govern; and
- (2.6) In Clause 18 (Choice of forum and jurisdiction) – the courts of the Republic of Ireland shall have jurisdiction.
(3) Supplementary Terms to Standard Contractual Clauses
- (3.1) Documentation and compliance. For the purposes of Clauses 8.9(b) and 8.9(e) the review and audit provisions in the Agreement and DPA shall apply.
- (3.2) Notification and Transparency.
- (a) The Parties acknowledge and agree that Tesorio, where required by the Standard Contractual Clauses to notify the competent supervisory authority, shall first provide Customer with details of the notification, permitting Customer to have prior written input into the relevant notification where Customer so desires to do, and without delaying the timing of the notification unduly.
- (b) For purposes of Clause 8.2 – Module 1, Clause 8.3 – Module 2 and Clause 15.1(a), the parties agree and acknowledge that it may not be possible for Tesorio to make the appropriate communications to data subjects and accordingly, Customer shall (following notification from Tesorio) have the option to be the party who communicates with the data subject, and Tesorio shall provide the level of assistance set out in the DPA.
- (3.3) Liability. For the purposes of Clause 12(a), the liability of the Parties shall be limited in accordance with the limitation of liability provisions in the Agreement.
- (3.4) Signatories. Notwithstanding the fact that the SCCs are incorporated herein by reference without being signed directly, Tesorio and Customer each agrees that their execution of the Agreement is deemed to constitute its execution of the SCCs, and that it is duly authorized to do so on behalf of, and to contractually bind, the Data Exporter or Data Importer (as applicable) accordingly.
(4) Swiss Law Provisions
- (4.1) Personal Data transfers from Switzerland will be governed by the SCCs as conformed to Swiss law as follows:
- (a) references to the EU, member states and GDPR in the SCCs are amended mutatis mutandis to refer to Switzerland, the Swiss Federal Data Protection Act, and the Swiss Federal Data Protection and Information Commissioner; and
- (b) In Clause 17 (Governing Law) the laws of Switzerland shall govern, and in Clause 18 (Choice of forum and jurisdiction) the courts of Switzerland shall have jurisdiction.
(5) United Kingdom Law Provisions
- (5.1) Personal Data transfers from the United Kingdom will be governed by the SCCs as conformed to UK law pursuant to the International Data Transfer Addendum (the “IDTA”) issued by the UK Information Commissioner’s Office (the “ICO”) and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022.
- (5.2) In Part 1 of the IDTA, the information required by Tables 1 – 3 is provided in the Agreement, DPA and these SCCs.
- (5.3) The IDTA’s Mandatory Clauses are incorporated by reference into this DPA in accordance with Alternative Part 2 of the template IDTA.
- (5.4) References to the EU, member states and GDPR in the Standard Contractual Clauses are amended mutatis mutandis to refer to the United Kingdom, UK GDPR and the ICO.
- (5.5) In Clause 17 of the Standard Contractual Clauses (Governing Law), the laws of England and Wales shall govern, and in Clause 18 (Choice of forum and jurisdiction), the courts in London, England shall have jurisdiction. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts in the UK.
ANNEX A: DESCRIPTION OF DATA PROCESSING
The data processing activities carried out by Tesorio under the Agreement may be described as follows:
Categories of data subjects whose personal data is transferred
- Data subjects are: (a) Customer’s personnel who use the Service by or at the direction of Customer, and (b) users of Customer’s product or service, if Customer imports their Personal Data into the Service.
Categories of personal data transferred
- The categories of Personal Data are: (a) the name, email and telephone contact information for Customer personnel who use the Service, (b) other Personal Data that users may provide to Tesorio, and (c) contact information for users of Customer’s product or service, if Customer stores such information and imports it into the Service.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
- Continuous
Nature of the processing
- Tesorio will process Personal Data to provide the Service identified in the Agreement.
Purpose(s) of the data transfer and further processing
- Tesorio will transfer Personal Data to provide the Service identified in the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
- As described in the DPA
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
- The subprocessors referenced in the DPA provide portions of the platform used by Tesorio to provide the Service
ANNEX B: TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
- System Access Controls: Tesorio shall take reasonable measures to prevent personal data from being used without authorization. These controls shall vary based on the nature of the processing undertaken and may include, among other controls, authentication via passwords and/or two-factor authentication, documented authorization processes, documented change management processes and/or logging of access on several levels.
- Data Access Controls: Tesorio shall take reasonable measures to provide that personal data is accessible and manageable only by properly authorized staff, that direct database query access is restricted, and that application access rights are established and enforced to ensure that persons entitled to use a data processing system only have access to the personal data to which they have privilege of access, and that personal data cannot be read, copied, modified or removed without authorization in the course of processing.
- Further detailed information regarding Tesorio’s security controls may be found in its SOC 1 and SOC 2 reports, PCI-DSS attestation and other reports and attestations available at security.tesorio.com.