1 Background 

(A) This Data Processing Agreement (“DPA”) forms an integral and inseparable part of the Service Agreement or, where applicable, the Non-disclosure Agreement (“Agreement”), subject to which the Customer has agreed to purchase or trial and the Company has agreed to supply the Services (as defined in the Agreement) to the Customer.  

(B) This DPA applies to Personal Data Processing done by the Company on behalf of the Customer within the scope of the Services.  

2 Definitions 

For the purpose of this DPA, the capitalised terms “Personal Data”, “Controller”, “Processor”, “Processing” (covering herein also the derivative verb “Process”), and “Personal Data Breach” shall have the meanings set forth in the General Data Protection Regulation (EU) 2016/679 (“GDPR”), unless expressly otherwise stated or evident in the context. The singular (where appropriate) shall include the plural and vice versa. Otherwise the definitions of the Agreement shall apply. 

3 Parties and roles 

3.1 The Customer shall be the Controller of the Personal Data, and the Company shall be the Processor of the Personal Data. The subject matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are set out in Appendix 1 (Service Description) of the Agreement.

3.2 For the sake of clarity, when Processing is carried out for purposes of and by means decided by the Company, it shall be the Controller of any Personal Data concerned, and such Processing falls outside the scope of this DPA. Such Processing includes, for example, processing of log data for purposes related to data security.

4 Processing of Personal Data 

4.1 The Customer is accountable for the lawful basis of the Processing, including that the Company has a right to Process Personal Data under the Agreement. The Company shall Process Personal Data only in accordance with the documented lawful instructions of the Customer. The Agreement shall constitute the final and complete instructions of the Customer, and any further instructions shall be separately agreed between the Parties. The Company may refrain from following the Customer’s instruction if it considers an instruction to be against applicable legislation or any regulatory guidance. In such a case, the Company shall notify the Customer of such legal requirement, except where the applicable legislation prohibits such notification.

4.2 The Company shall ensure that the persons authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The Company shall not transfer or in any way make available Personal Data to third parties without a written authorisation from the Customer.

4.3 The Company shall implement the technical and organisational measures to ensure a level of security, which is considered to be appropriate by the Parties taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects. These measures may include, but are not limited to:

  • Encryption
  • Audit logging
  • Security logging and threat detection
  • Regular third-party penetration testing
  • Regular security and data protection training for staff
  • Network access controls
  • Backups
  • Strong multi-factor authentication required for production data access

5 Subprocessing 

5.1 The Company may engage, and the Customer hereby authorises (general authorisation) the Company to engage, Subprocessors in the Processing of Personal Data, provided that the same data protection obligations as set out in this DPA shall be imposed by the Company on such Subprocessors.

5.2 The Company shall inform the Customer of all Subprocessors engaged by the Company in the Processing of Personal Data on the effective date of the Agreement as well as of any intended changes thereto. List of Subprocessors is available on Any intended changes to the Subprocessor list will be notified to the Customer through email. The Customer may, on material and cogent grounds, object to the change of a Subprocessor within fourteen (14) days from the notification; otherwise, the Subprocessor is deemed to be approved. If the Customer objects to a Subprocessor change, the Company may restrict the Customer’s use of the Services to the extent affected by the Customer’s objection, and such restriction shall not be construed to constitute a breach of the Agreement. Respectively, the Customer has a right to refrain from making any payments to the extent its use of the Services has been restricted, until the Parties have agreed on sufficient measures to minimise the adverse effects based on which the Customer has objected to the change of the Subprocessor or have reached another mutually satisfactory solution.

5.3 If a Subprocessor engaged by the Company for the Processing of Personal Data on behalf of the Customer fails to fulfil its data protection obligations referred to in Section 5.1, the Company shall remain fully liable to the Customer for the performance of such Subprocessor’s obligations.

6 Location of Personal Data Processing  

6.1 The Company shall implement appropriate technical and contractual measures to ensure that Personal Data is Processed primarily within the EU/EEA. Due to engaging sub-contractors in the Processing of Personal Data, Personal Data may be Processed outside the EU/EEA to facilitate certain services. Personal Data is transferred only to countries for which the European Commission has issued a decision on an adequate level of protection for personal data (adequacy decision).

6.2 Upon the Customer’s request, the Company shall provide the Customer with written details of the location or locations of the Personal Data Processing in accordance with this DPA. 

7 Obligations of the Company 

7.1 The Company shall assist the Customer by appropriate technical and organisational measures, insofar as this is reasonably possible taking into account the nature of the Processing, in the fulfilment of the Customer's obligation to respond to Data Subject requests to exercise the Data Subject's rights laid down in the GDPR. Should the Data Subjects make any such requests directly to the Company, the Company shall convey the requests to the Customer.

7.2 In case of a Data Breach, the Company shall inform the Customer without undue delay after becoming aware of the Data Breach and take all necessary measures to mitigate any adverse effects arising from such Data Breach. Taking into account the nature of the Processing and the information available to the Company, it shall assist, insofar as possible, the Customer with notifying a Personal Data Breach to the supervisory authority and communication thereof to the Data Subjects.

7.3 The Company shall assist with data protection impact assessments and prior consultations with the supervisory authority, as laid down by the GDPR, provided that the necessary information is available to the Company. 

7.4 The Company shall make available to the Customer all information necessary to demonstrate its compliance with the obligations laid down for the Company in this DPA. The Company shall also allow for and contribute to audits conducted by the Customer or another auditor mandated by the Customer and approved by the Company. The Customer shall notify the Company in writing of any audit thirty (30) days in advance. Each Party shall be responsible for the costs that it has itself incurred in the audit. If the audit proves that the Company has materially breached this DPA, the Company shall compensate the Customer for the third-party costs incurred from inspecting the reported shortcomings per the invoice of the auditor. Except as required by the mandatory provisions of the applicable legislation, the Company shall not be under any obligation to disclose any Confidential Information of the Company to the Customer or the auditor in, or in connection with, any audit.

7.5 To the extent the amount of work required by the Company to execute its obligations under this Section 7 exceeds one person-day per month, the Company shall have the right to charge reasonable costs from the Customer for the performance of its obligations under this Section 7. 

8 Termination

8.1 This Data Protection Agreement shall enter into force upon the signature of the Accounts Payable Software Service Agreement and shall remain in force as long as the Company Processes Personal Data on behalf of the Customer within the scope of the Services.  

8.2 Upon termination of the Agreement, and on the Customer’s request, the Company (including any respective subcontractors) shall delete or return all Personal Data of the Customer to the Customer after thirty (30) days. The Company may charge from the Customer reasonable costs arising from the returning of the Personal Data. The Company shall delete the existing copies of Personal Data after the Company has returned the Personal Data to the Customer (if applicable) or if the Customer has not requested the Company to return the Personal Data within three (3) months from the termination of the Agreement. Notwithstanding the foregoing, the Company may refrain from deleting Personal Data when retention is necessary to comply with applicable legislation or for the establishment, exercise or defence of a legal claim. The Company shall confirm the deletion and any further retention of data to the Customer in writing.