The General Data Protection Regulation (GDPR) is a regulation in European Union (EU) law on data protection and privacy for all individuals within the EU. It applies from May 25, 2018 to all organizations that collect, store or otherwise process the personal data of EU individuals.
At Certify, we value privacy and transparency, and we want to let our customers know that Certify has taken the measures necessary to comply with this regulation. To that end we have created this Data Processing Addendum ("DPA"), which describes our data processing practices.
This Data Protection Addendum ("Addendum") forms part of the Terms ("Principal Agreement") between: (i) Certify Inc., including its brands Certify, Certify Travel, Nexonia, Tallie, ExpenseWatch and SpringAhead ("Vendor or Certify Inc.") acting on its own behalf and as agent for each Vendor Affiliate; and (ii) its customer ("Company") acting on its own behalf and as agent for each Company Affiliate.
The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Principal Agreement. Except as modified below, the terms of the Principal Agreement shall remain in full force and effect.
In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Principal Agreement. Except where the context requires otherwise, references in this Addendum to the Principal Agreement are to the Principal Agreement as amended by, and including, this Addendum.
Certify Inc. warrants and represents that, before any Vendor Affiliate Processes any Company Personal Data on behalf of Company, the entry of Certify Inc. into this Addendum as agent for and on behalf of that Vendor Affiliate will have been duly and effectively authorised (or subsequently ratified) by that Vendor Affiliate.
Certify Inc. and each Vendor Affiliate shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Company Personal Data. In each case, access shall be strictly limited to those individuals who need to know or access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement and to comply with Applicable Laws in the context of that individual's duties to the Contracted Processor, and all such individuals shall be subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
Certify Inc. shall give Company prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If, within 30 days of receipt of that notice, Company notifies Certify Inc. in writing of any objections (on reasonable grounds) to the proposed appointment:
Certify Inc. and each Vendor Affiliate shall provide reasonable assistance to Company with any data protection impact assessments, and with prior consultations with Supervisory Authorities or other competent data privacy authorities, which Company reasonably considers to be required of Company by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to the Processing of Company Personal Data by the Contracted Processors and taking into account the nature of the Processing and the information available to them.
where Company or the relevant Company Affiliate undertaking an audit has identified its concerns or the relevant requirement or request in its notice to Certify Inc. or the relevant Vendor Affiliate of the audit or inspection.
IN WITNESS WHEREOF, this Addendum is entered into and becomes a binding part of the Principal Agreement with effect from the date first set out above.
This Annex 1 includes certain details of the Processing of Company Personal Data as required by Article 28(3) GDPR.
The subject matter and duration of the Processing of the Company Personal Data are set out in the Principal Agreement and this Addendum.
Certify has developed software that provides services for travel booking and management, expense tracking and management, time tracking and management, and vendor procurement and invoice management, for which Certify collects and processes Company Personal Data.
Name, email, phone number (optional), employee and payroll ID (optional), credit card transaction data (optional), credit card user credentials (optional), and direct deposit banking information (for ACH, wire transfer service).
The obligations and rights of Company and Company Affiliates are set out in the Principal Agreement and this Addendum.
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
The data exporter has entered into a data processing addendum ("DPA") with the data importer. Pursuant to the terms of the DPA, it is contemplated that services provided by the data importer will involve the transfer of personal data to data importer. Data importer is located in a country not ensuring an adequate level of data protection. To ensure compliance with Directive 95/46/EC and applicable data protection law, the controller agrees to the provision of such Services, including the processing of personal data incidental thereto, subject to the data importer’s execution of, and compliance with, the terms of these Clauses.
For the purposes of the Clauses:
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
The data exporter agrees and warrants:
The data importer agrees and warrants:
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business-related issues where required, as long as they do not contradict the Clauses.
This Appendix forms part of the Clauses and must be completed and signed by the parties.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
The data exporter is:
The data importer is:
The personal data transferred concern the following categories of data subjects:
Employees, Managers, Accountants, Administrators, Payees
The personal data transferred concern the following categories of data:
Identifying information as pertinent to the purposes of travel and expense tracking and management, such as name, email, phone number (optional), credit card transaction data (credit card data feed service only), and direct deposit banking information (ACH and wire transfer service only).
The personal data transferred concern the following special categories of data:
The personal data transferred will be subject to the following basic processing activities:
Providing services for travel and expense tracking and management.
This Appendix forms part of the Clauses and must be completed and signed by the parties.
Firewalls, SSL certificates, web application firewalls, secure development lifecycle management, secure coding practices, 2FA access, Client-based VPN access, PCI Level 1 Service Provider, SOC 2 Type II audit, third party vulnerability assessments, internal vulnerability assessments, continuous employee education, virus/malware scanning, phishing protection, and more.