Data Processing Addendum

This Data Processing Addendum (“Addendum”) forms part of the agreement, as updated from time to time, between Finotes and Customer governing Customer’s use of Finotes’s service, whether under Finotes’s Terms of Service available at https://www.finotes.com/terms-of-service/, or, if executed, separate Terms of Service or Master Subscription Agreement (“Agreement”). The effective date of this Addendum is the later of May 25, 2018. 

The Parties agree that the terms and conditions set out below are added as an Addendum to the Agreement.

Agreement to Terms. If you are accessing and using the Services on behalf of a company (such as your employer) or other legal entity, you represent and warrant that you have the authority to bind that company or other legal entity to this Addendum. In that case, “Customer” will refer to that company or other legal entity.
Subject Matter. This Addendum reflects the Parties’ commitment to abide by Applicable Data Protection Laws concerning the Processing of Customer Personal Data in connection with Finotes’s execution of the Agreement. Customer will be the Controller or Processor of Customer Personal Data and Finotes will be the Processor of Customer Personal Data under Applicable Data Protection Law(s). All capitalized terms that are not expressly defined in this Data Processing Addendum will have the meanings given to them in the Agreement. Except as expressly provided herein, nothing in this Addendum shall be deemed to waive or modify any of the provisions of the Agreement, which otherwise remains in full force and effect. If and to the extent language in this Addendum or any of its Exhibits conflicts with the Agreement, this Addendum shall control.
Duration and Survival. This Addendum will become legally binding upon the Effective Date of the Agreement or, if it is completed after the Effective Date of the Agreement, upon the date that the Customer electronically accepts, otherwise agrees to, or opts in to this Addendum. Finotes will Process Customer Personal Data until the relationship terminates as specified in the Agreement. Finotes’s obligations and Customer’s rights under this Addendum will continue in effect so long as Finotes Processes Customer Personal Data.


1. Definitions. The following terms have the meanings set out below for this Addendum:

1.1.  “Controller” means the entity which alone or jointly with others determines the purposes and the means of the Processing of Personal Data. 

1.2.  “Data Subject” means a natural person whose Personal Data are processed in the context of this Addendum. 

1.3.  “EU Data Protection Law” means the EU General Data Protection Regulation 2016/679 (as amended and replaced from time to time) and the e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC, and as amended and replaced from time to time) and its national implementing legislation. 

1.4.  “Personal Data” means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. 

1.5.  “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed. 

1.6.  “Privacy Shield” means the EU-U.S. Privacy Shield framework created by the U.S. Department of Commerce (“DoC”) and the European Commission, and the Swiss-U.S. Privacy Shield framework created by the DoC and the Swiss government. 

1.7.  “Processor” means the entity that processes Personal Data on behalf of a Controller. 

1.8.  “Processing of Personal Data” (or “Processing/Process”) means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. 

1.9.  “Services” means any and all services that Finotes performs under the Agreement.

1.10.  “Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, set out in the European Commission’s decision (C(2010)593) of 5 February 2010. 

1.11.  “Sub-Processor” means the entity engaged by the Processor or any further sub-contractor to Process Personal Data on behalf of and under the instructions of the Controller. 

1.12.  “Third Countries” means all countries outside of the scope of the data protection laws of the European Economic Area (“EEA”), excluding countries approved as providing adequate protection for Personal Data by the European Commission from time to time. 

1.13.  “Security Breach(s)” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data Processed by Finotes. 

Data use and Processing information

Compliance with Laws. Customer shall ensure that it has obtained any and all authorizations and lawful bases for processing (including verifiable consent where necessary) in accordance with Applicable Data Protection Law(s) in order to provide Customer Personal Data to Finotes for Processing. Customer Personal Data shall be Processed in compliance with the terms of this Addendum and all Applicable Data Protection Law(s).
Documented Instructions. Finotes and its Third Parties shall Process Customer Personal Data only in accordance with the documented instructions of Customer or as specifically authorized by this Addendum, the Agreement, or any applicable Statement of Work. Finotes will, unless legally prohibited from doing so, inform Customer in writing if it reasonably believes that there is a conflict between Customer’s instructions and applicable law or otherwise seeks to Process Customer Personal Data in a manner that is inconsistent with Customer’s instructions.
Authorization to Use Third Parties. To the extent necessary to fulfill Finotes’s contractual obligations under the Agreement or any Statement of Work, Customer hereby authorizes (i) Finotes to engage Third Parties and (ii) Third Parties to engage sub-processors. Any Third Party Processing of Customer Personal Data shall be consistent with Customer’s documented instructions and comply with all Applicable Data Protection Law(s).
Finotes and Third Party Compliance. Finotes agrees to (i) enter into a written agreement with Third Parties regarding such Third Parties’ Processing of Customer Personal Data that imposes on such Third Parties (and their sub-processors) data protection and security requirements for Customer Personal Data that are compliant with Applicable Data Protection Law(s); and (ii) remain responsible to Customer for Finotes’s Third Parties’ (and their sub-processors if applicable) failure to perform their obligations with respect to the Processing of Customer Personal Data.
Right to Object to Third Parties. Prior to engaging any new Third Parties that Process Customer Personal Data, Finotes will notify Customer of these changes by posting its proposed new Third Parties to the following website https://finotes.com/gdpa/subprocessor. Finotes will allow Customer ten (10) calendar days to object after notice is given. It is Customer’s responsibility to check this website regularly for updates. If Customer has legitimate objections to the appointment of any new Third Party that relates to Finotes’s compliance with this Addendum, Finotes will make reasonable efforts to address Customer’s objection. After this process, if a resolution has not been agreed to within five (5) calendar days, Finotes will proceed with engaging the Third Party. Failing any such resolution, Customer may terminate the part of the service performed under the Agreement that cannot be performed by Finotes without use of the objectionable Third Party. No refunds shall be given for any prepaid portion of the Services.
Confidentiality. Any person or Third Party authorized to Process Customer Personal Data must agree to maintain the confidentiality of such information or be under an appropriate statutory or contractual obligation of confidentiality.
Personal Data Inquiries and Requests. Finotes agrees to comply with all reasonable instructions from Customer related to any requests from individuals exercising their rights in Personal Data granted to them under Applicable Data Protection Law(s) (“Privacy Request”). At Customer’s request, Finotes agrees to assist Customer in answering or complying with any Privacy Request in so far as it is possible. Finotes may invoice Customer for costs arising from such assistance.
Data Protection Impact Assessment and Prior Consultation. Finotes agrees to provide reasonable assistance at Customer’s sole expense to Customer where, in Customer’s judgement, the type of Processing performed by Finotes is likely to result in a high risk to the rights and freedoms of natural persons (e.g., systematic and extensive profiling, Processing sensitive Personal Data on a large scale and systematic monitoring on a large scale, or where the Processing uses new technologies) and thus requires a data protection impact assessment and/or prior consultation with the relevant data protection authorities.
Demonstrable Compliance. Finotes agrees to keep records of its Processing in compliance with Applicable Data Protection Law(s) and provide any necessary records to Customer to demonstrate compliance upon reasonable request.


Data transfer

4. Data Transfers. Finotes shall not transfer any Personal Data to a Third Country unless the following conditions are fulfilled.
   	 
4.1.  Finotes complies with reasonable instructions notified to it in advance by Customer with respect to the processing of the Personal Data.

4.2.  If the transfer is to Finotes:

4.2.1.  if the transfer is to the US, Finotes shall maintain its certification under Privacy Shield to process such Personal Data; or 

4.2.2.  Finotes shall comply with the data importer obligations in the Standard Contractual Clauses which are hereby incorporated into and form part of this Addendum and Customer shall comply with the data exporter obligations.

4.3.  If the transfer is to a Sub-Processor in a Third Country, Finotes shall:

4.3.1.  if the transfer is to the US, ensure that the receiving party is certified to process such Personal Data under Privacy Shield; or 

4.3.2.  ensure that the Sub-Processor shall comply with the data importer obligations in the Standard Contractual Clauses. For the purpose of this Section 4.3.2, Customer hereby grants Finotes a mandate to execute the Standard Contractual Clauses with any relevant Sub-Processor it appoints on behalf of the Customer.

Information security

1. Information Security. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Finotes shall implement and maintain appropriate technical and organizational measures in such a manner that its Processing of Personal Data will meet the requirements of Applicable Data Protection Law(s), ensure the protection of the rights of the data subjects, and ensure a level of security appropriate to the risk.

Security Breach

Security Breach Procedure. Upon becoming aware of a Security Breach, Finotes shall without undue delay inform Customer and provide written details of the Security Breach reasonably required to fulfill Customer’s Security Breach reporting obligations under Applicable Data Protection Law(s). Where possible, such details shall include the nature of the Security Breach, the categories and approximate number of data subjects concerned and the categories and approximate number of Customer Personal Data records concerned, the likely consequences of the Security Breach, and the measures taken or proposed to be taken to mitigate the Security Breach’s possible adverse effects.


Audit
1. Audits. If Applicable Data Protection Law affords Customer an audit right, Customer (or its appointed representative) may, no more than once annually, carry out an inspection of Finotes’s operations and facilities with respect to the Processing of Customer Personal Data. Customer must provide Finotes forty-five (45) days’ written notice of such intention to audit, conduct its audit during normal business hours, and take reasonable measures necessary to prevent unnecessary disruption to Finotes’s operations. Prior to any audit being conducted, the Parties will agree the terms on which it is carried out, and any such audit shall be subject to Finotes’s security and confidentiality terms and guidelines. Customer shall be responsible for any costs arising from such audit.


Data deletion and Archiving

1. Data Deletion. At the expiry or termination of the Agreement, Finotes will, at Customer’s option, delete or return all Customer Personal Data to Customer, except where Finotes is required to retain copies under applicable laws, in which case Finotes will isolate and protect that Customer Personal Data from any further Processing except to the extent required by applicable laws.
Finotes also provides an option to archive Customer Personal Data.

2. Deletion or archiving requests can be made at support.finotes.com using your registered email address by raising a new ticket with the “[DP]” tag in the subject line.

Processing


Subject Matter of Processing: The provision of the Service to the Customer, and related technical support.
Duration of the Processing: The Processing will continue until the expiration or termination of the Agreement, or until Customer directs Finotes to end Processing.
Nature and Purpose of the Processing: Finotes will process Personal Data submitted to, stored on, or sent via the Service for the purpose of providing the Service and related technical support in accordance with this Addendum.
Types of Customer Personal Data: Personal data submitted to, stored on, or sent via the Service may include, without limitation, the following categories of data: IP addresses, device data, browser agents, email addresses, usernames, passwords, full names, browser and operating system identifiers, and any other personal data that Customer chooses to send to Finotes during the course of the provision of the Service and technical support.
Categories of Data Subjects: Personal data submitted, stored, sent or received via the Service may concern the following categories of data subjects, without limitation: Customer’s employees, contractors, and agents; the personnel of Customer’s customers, suppliers and subcontractors; and any other person who transmits data via the Service.


All Customers may request a digitally signed copy of this Data Processing Addendum by contacting support@finotes.com.