FinQore

Data Processing Agreement

FinQore's Data Processing Agreement

Customer and SaaSWorks, Inc. d/b/a FinQore (“FinQore”) hereby agree to the following Data Processing
Addendum (the “DPA”) to their Customer Terms of Service or other services agreement between the parties
pursuant to which FinQore provides certain services to Customer (the “Agreement”). All capitalized terms
not defined herein will have the meaning set forth in the Agreement. This DPA is incorporated into and
made a part of the Agreement as an addendum thereto.
 

1. Definitions

2.1 “Controller” means the natural or legal person that determines the purposes and means of the
Processing of Personal Data and/or “controller,” “business” or like term as defined by applicable
Privacy Laws.
2.2 “Customer Personal Data” means Personal Data contained within Customer Data.
2.3 “Data Subject” means an identified or identifiable natural person to whom Personal Data relates
and/or a “data subject,” “consumer,” or like term as defined by applicable Privacy Laws.
2.4 “EU SCCs” means the clauses for the transfer of Personal Data from the European Economic Area
(“EEA”) to non-EEA countries that do not provide an adequate level of data protection approved
by the European Commission Implementing Decision of 4 June 2021.
2.5 “Personal Data” means information that identifies, relates to, describes, is reasonably capable of
being associated with, or could reasonably be linked, directly or indirectly, with a particular Data
Subject and/or any information that constitutes “personal data,” “personal information” or a like
term as defined by applicable law.
2.6 “Privacy Laws” means any applicable United States state or federal law, or any international law,
together with any related regulations that are legally binding on Customer and/or FinQore and
regulate the Processing of Customer Personal Data, including the California Consumer Privacy
Act, as modified by the California Privacy Rights Act, along with implementing regulations
(collectively, “CCPA”), the Virginia Consumer Data Protection Act (“VCDPA”), the Colorado
Privacy Act (“CPA”), the Connecticut Data Privacy Act (“CDPA”), the Utah Consumer Privacy
Act (“UCPA”), the General Data Protection Regulation (EU) 2016/679 (“GDPR”), including the
UK implementation of the GDPR (“UK GDPR”) and Swiss Federal Act on Data Protection
(“FADP”), and national implementations thereof by EEA member states, and laws that regulate
notification in the event of a Security Breach.
2.7 “Process” means accessed, used, maintained, collected, modified, merged, shared, disclosed and/or
“process” as defined by applicable Privacy Laws.
2.8 “Processor” means the natural or legal person that Processes Personal Data on behalf of the
Controller and/or “processor,” “service provider” or a like term as defined by applicable Privacy
Laws.
2.9 “Security Breach” means a breach of FinQore’s security that leads to the accidental or unlawful
destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data
transmitted, stored or otherwise Processed by FinQore. Security Breaches do not include
unsuccessful attempts or activities that do not compromise the security of Customer Personal Data,
including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network
attacks on firewalls or networked systems.
2.10 “Subprocessor” means the natural or legal person engaged by FinQore to whom it delegates a
processor activity related to the Processing of Customer Personal Data.
2.11 “UK Addendum” means the international data transfer addendum to the EU SCCs approved by
the UK Information Commissioner’s Office (“ICO”).

2. Designation of the Parties

The parties agree that, for all Customer Personal Data, the Customer shall be the Controller and FinQore shall be the Processor except where Customer is a Processor and FinQore is a Subprocessor. Customer Personal Data shall consist of the data elements described in Annex 1. Customer shall not provide or make available to FinQore other types of Personal Data without prior notification and approval from FinQore. Each party shall comply with its relevant obligations under applicable Privacy Laws and this DPA. FinQore shall notify Customer if it believes it can no longer process Customer Personal Data in compliance with applicable Privacy Law or this DPA.
 

3. Processing of Personal Data

 
Customer Personal Data will be Processed by FinQore only as is necessary for FinQore to perform its obligations under this DPA and the Agreement, as set forth in Annex 1, or as otherwise required by the Customer in writing. When Processing Customer Personal Data, FinQore shall ensure that any person acting on its behalf or under its authority processes the Customer Personal Data only in accordance with the Customer’s written instructions, including as set out in the Agreement (“Processing Instructions”). FinQore shall not (a) Process Customer Personal Data for any business or commercial purpose other than as necessary to perform the Services; (b) “sell” or “share” Customer Personal Data (as those terms are defined by the CCPA); or (c) Process Customer Personal Data outside of the business relationship between the parties. The Customer shall not provide any Processing Instructions that may infringe any applicable law. Customer represents and warrants that it has obtained all necessary consents and authorizations required under applicable Privacy Laws to permit the Processing of Customer Personal Data pursuant to the Processing Instructions and the international transfer of Customer Personal Data (where applicable) from Customer to FinQore.

3. Security Controls

 
FinQore shall implement and maintain, at its cost and expense, commercially reasonable measures designed to protect the confidentiality of Customer Personal Data Processed by FinQore on behalf of Customer. For more information regarding implemented security controls, upon written request and on a confidential basis, FinQore will supply its most recent SOC 2 Type II report. FinQore shall ensure that each person Processing Customer Personal Data under this DPA is subject to a duty of confidentiality with respect to the Customer Personal Data. FinQore will not materially decrease the overall level of security provided to Customer Personal Data during the term of the Agreement. Customer shall be responsible for the security of its own information systems and platforms, including any relevant third-party platforms holding Customer Personal Data to which Customer provides FinQore with access.

4. Agents and Subcontractors

The Customer authorizes FinQore to engage Subprocessors to perform specific processing activities involving Customer Personal Data on behalf of the Customer. As of the Effective Date, this shall include the Subprocessors identified in Annex 1. Prior to engaging any Subprocessor, FinQore shall enter into a binding written contract with the Subprocessor (“Processor Contract”) which imposes substantially the same material data protection obligations contained in this DPA on the sub-processor. Prior to providing Customer Personal Data to a new Subprocessor, FinQore shall update its list of subprocessors available at https://finqore.trustshare.com/home and notify Customer. Customer may reasonably object (on data protection grounds) to the provision of Customer Personal Data to the new Subprocessor within ten (10) days, after which the Subprocessor may begin Processing Customer Personal Data. If Customer objects to a Subprocessor, and FinQore cannot provide a commercially reasonable alternative within a reasonable period of time, Customer may discontinue the use of the affected Services by providing written notice to FinQore.

5. Cooperation

To the extent required under applicable Privacy Laws, FinQore shall provide reasonable assistance, information, and cooperation to assist Customer in complying with its obligations under relevant Privacy Laws with respect to: (i) data security; (ii) data breach notification; (iii) responding to inquiries from regulators regarding compliance with applicable Privacy Laws; and (iv) conducting privacy impact assessments. FinQore shall reasonably cooperate with the Customer in the Customer's efforts to monitor FinQore’s compliance with this DPA and Customer will have the right, upon notice, to take reasonable and appropriate steps to stop unauthorized Processing of Customer Personal Data by FinQore. In addition, to the extent that Customer is unable to independently process or comply with a data subject access request under applicable Privacy Law (“DSAR”), then, upon written request, FinQore will make commercially reasonable efforts to assist Customer in complying with such DSARs. If FinQore receives a DSAR directly from a Data Subject, FinQore will notify Customer and will not directly respond other than advising the Data Subject to submit their request to Customer. Customer shall be solely responsible for responding to and processing DSARs.

6. Audits

To the extent required under applicable Privacy Law, FinQore, upon reasonable notice and at Customer’s sole expense, shall cooperate with reasonable audits and inspections in connection with its obligations under this DPA. Customer shall not request an audit more than once per twelve (12) months. To request an audit, Customer must submit a detailed proposed audit plan to FinQore at least thirty (30) days in advance of the proposed audit date. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. FinQore will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise FinQore security, privacy, employment or other relevant policies). FinQore will work cooperatively with Customer to agree on a final audit plan. In addition, upon written request and upon a confidential basis, FinQore will supply its most recent SOC 2 Type II report in order to demonstrate compliance with applicable Privacy Laws and this DPA. Notwithstanding anything to the contrary above, if the requested audit scope is addressed in the most recent SOC 2 Type II report or similar audit report performed by a qualified third-party auditor within twelve (12) months of Customer’s audit request and FinQore confirms there are no known material changes in the controls audited, Customer agrees to accept those findings in lieu of requesting an audit of the controls covered by the report.

7. Cross Border Data Transfers

For any Customer Personal Data relating to Data Subjects located in the EEA, UK, or Switzerland, the parties agree to the following additional provisions:

7.1 EEA. To the extent applicable, Module Two (Controller to Processor) of the EU SCCs shall apply where Customer is a Controller and FinQore is a Processor of Customer Personal Data. To the extent applicable, Module Three of the EU SCCs shall apply where Customer is a Processor and FinQore is a Subprocessor of Customer Personal Data. For purposes of the EU SCCs, the following terms will apply: (i) Customer and FinQore will be deemed to have executed the EU SCCs as of the Effective Date; (ii) Customer will be referred to as the “Data Exporter” and FinQore will be referred to as the “Data Importer” in the clauses with relevant company name and address and details from the Agreement being inserted accordingly; (iii) Annex 1 below will provide supplementary information required, as appropriate; (iv) in Clause 7, the optional docking clause will apply; (v) in Clause 9, Option 2 will apply and the time period for prior notice of Subprocessor changes shall be ten (10) days; (vi) in Clause 11, the optional language will not apply; and (vii) in Clauses 17 and 18(b), the EU SCCs, and any disputes therein, will be governed by the law and courts of Ireland. The parties agree that by executing this DPA they are also executing the EU SCCs (if applicable).
7.2 UK. To the extent applicable, the EU SCCs as set forth in Section 7.1 above and amended by the UK Data Transfer Addendum, attached below as Annex 3, shall apply only to Customer Personal Data subject to the UK GDPR that is transferred to a recipient in a country not recognized by the UK Secretary of State or UK GDPR as providing an adequate level of protection for such Customer Personal Data, and where Customer is a data exporter and FinQore is a data importer of such Customer Personal Data. The parties agree that by executing this DPA they are also executing the UK Data Transfer Addendum (if applicable).
7.3 Switzerland. To the extent applicable, the EU SCCs as set forth in Section 7.1 above and amended in this Section 7.3 shall apply only to Customer Personal Data subject to the Swiss FADP that is transferred to a recipient in a country not recognized by the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) as providing an adequate level of protection for such Customer Personal Data, and where Customer is a data exporter and FinQore is a data importer of such Customer Personal Data. The EU SCCs shall be deemed to be amended to the extent necessary to operate to provide appropriate safeguards for such transfers in accordance with the FADP. For avoidance of doubt, the “competent supervisory authority” shall be read as the Swiss FDPIC.
 

8. Breaches

In the event of a Security Breach, FinQore shall notify Customer without undue delay. If there has been a Security Breach of Customer Personal Data, FinQore will ensure that all responsive steps will be documented and FinQore will reasonably cooperate with the Customer in the Customer's handling of the matter, including reasonably responding to and attempting to mitigate any damage caused by the Security Breach.

9. Information Management

The duration of FinQore’s Processing of Customer Personal Data shall be the duration of the Agreement unless otherwise instructed by Customer in writing. As soon as reasonably possible upon completion of the Services under the Agreement, FinQore shall securely delete all existing copies of Customer Personal Data, unless storage of any data is required by applicable law. If FinQore is required to retain Customer Personal Data following termination of the Agreement, FinQore shall notify the Customer in writing.

10. Indemnification

The Customer agrees that it shall reimburse, indemnify, and hold FinQore harmless for all costs incurred in responding to and/or mitigating damages relating to a third-party claim brought against FinQore regarding the Customer’s Processing of Customer Personal Data where such Processing is consistent with this DPA and the Processing Instructions.

11. Conflicts

In the event of any conflict or inconsistency between this DPA and the Agreement, the terms of this DPA shall prevail. For the avoidance of doubt, all non-conflicting provisions of the Agreement will continue to apply to this DPA. In the event and to the extent of any conflict or inconsistency between the body of this DPA and the EU SCCs or the UK Data Transfer Addendum, the EU SCCs or the UK Data Transfer Addendum shall prevail.

12. Severability

In the event any provision of this DPA, in whole or in part, is invalid, unenforceable or in conflict with the applicable laws or regulations of any jurisdiction, such provision will be replaced, to the extent possible, with a provision which accomplishes the original business purposes of the provision in a valid and enforceable manner, and the remainder of this DPA will remain unaffected and in full force.