The General Data Protection Regulation (GDPR) is a regulation in European Union (EU) law on data protection and privacy for all individuals within the EU. It comes into effect on May 25, 2018 and applies to all organizations that collect, store and/or process EU personal data.
At Certify, we value privacy and transparency and we want to let our customers know that Certify has taken complete measures to comply with these regulations. To that end we have created this Data Processing Addendum ("DPA"), which describes our data processing practices.
This Data Processing Addendum, including its Schedules and Appendices ("DPA") forms part of the Terms and Conditions or other written or electronic agreement for the purchase of Emburse services (the "Agreement"). This DPA applies to Personal Data processed by Emburse and its Subprocessors in connection with its provision of the Service.
By signing the Agreement, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Authorized Affiliates, if and to the extent Emburse processes Personal Data for which such Authorized Affiliates qualify as the Controller. For purposes of this DPA only, and except where indicated otherwise, the term "Customer" shall include Customer and Authorized Affiliates. All capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.
In the course of providing the Services to Customer pursuant to the Agreement, Emburse may Process Personal Data on behalf of Customer, and the parties agree to comply with the following provisions with respect to any such Personal Data, each acting reasonably and in good faith. For purposes of this DPA, the Emburse entity that is the party to the executed Order Form with Customer is the party to this DPA.
Emburse and its Sub-processors shall take reasonable steps to ensure the reliability of any employee, agent or contractor who has access to Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know or have access to the relevant Personal Data. Emburse shall ensure all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality. Emburse and its Sub-processors will regularly train personnel having access to Personal Data in applicable data security and data privacy measures.
Emburse shall, to the extent legally permitted, promptly notify Customer if Emburse receives a request from a Data Subject to exercise the Data Subject’s rights of access, rectification, restriction of Processing, erasure ("right to be forgotten"), data portability, or objection to the Processing (each a "Data Subject Request") without itself responding to such request. Taking into account the nature of the Processing, Emburse shall reasonably cooperate with Customer and Controllers in dealing with Data Subject Requests by appropriate technical and organizational measures, in so far as this is possible.
Pursuant to Data Protection Law, Emburse shall provide reasonable assistance and cooperation to fulfill Controller’s obligation to carry out a data protection impact assessment, or prior consultation with a Supervisory Authority, where these are required under the GDPR or equivalent provisions of any other Data Protection Law, solely in relation to Customer’s use of the Service and to the extent Customer does not otherwise have access to the relevant information and such information is available to Emburse.
Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
The Data Exporter is the Customer that subscribed to the Service that allows Authorized Users to enter, amend, use, delete or otherwise Process Personal Data. Where the Customer allows other Controllers to also use the Service, these other Controllers are also Data Exporters.
Emburse is a provider of services for travel booking and management, expense tracking and management, time tracking and management, and vendor procurement and invoice management, for which Emburse processes personal data upon the instruction of the data exporter in accordance with the terms of the Agreement.
Duration of Processing
Subject to Section 9 of the DPA, Emburse will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
Unless provided otherwise by the Data Exporter, the Personal Data transferred hereunder relates to the following categories of Data Subjects: Authorized Users provided access to use the Services by Customer, employees, contractors, business partners or other individuals having Personal Data Processed by the Service.
The transferred Personal Data concerns the following categories of data:
Customer may submit Personal Data to the Services, the extent of which is determined by the Customer per the Service that is subscribed. Customer can configure data fields during the implementation of the Service or as otherwise provided by the Service. The transferred Personal Data typically relates to the following categories of data: name, email, phone number, address, system access/usage/authorization data, company name, invoice data, and application-specific data that Authorized Users enter into the Service, which may include employee ID, payroll ID, bank account data, and credit or debit card data.
Special Data Categories (if appropriate)
The transferred Personal Data concerns the following special categories of data: as set out in the Agreement, if any.
Processing Operations / Purposes
The Personal Data is subject to the following basic processing activities:
Description of the technical and organisational security measures implemented by the data importer for the Processing of Personal Data:
Data Importer will maintain administrative, technical, and physical safeguards for protection of the security, integrity, and confidentiality of Personal Data Processed by the Tallie Service as further described below.
At least annually and at no expense to Customer, Tallie conducts a SOC 1 (ISAE3402/SSAE18) Type 1 audit of controls relating to the Tallie Service, which audit will be performed by an independent certified public accounting firm. Upon Customer’s request, Tallie will provide Customer with copies of documentation relevant to such audit to the extent permitted by law and subject to applicable regulatory restrictions and confidentiality obligations.
Tallie maintains an information security policy that is approved annually by management and published and communicated to all Tallie employees and relevant third parties. Emburse maintains a dedicated security function on behalf of all affiliated companies to design, maintain, and operate security within the organization. This function focuses on developing policy and procedures for system integrity, risk acceptance, risk analysis and assessment, risk evaluation, risk management and treatment, and statements of applicability.
Other Information Security policies and statements include:
Tallie maintains appropriate systems security for the Tallie Service in accordance with commercially reasonable industry standards and practices designed to protect Customer Data from theft, unauthorized disclosure and unauthorized access. Such systems security includes, among other things, the following practices and procedures with respect to the Service:
Tallie maintains commercially reasonable Internet-industry standard firewall protection for all of the networks, databases, and computer systems utilized in performing the Tallie Service. Tallie updates its firewall software promptly following the availability of updates by the software provider.
Encryption of Stored Data
Tallie uses commercially reasonable Internet-industry standard secure encryption methods for the entire Tallie database, using an AES-256 block-level encryption tool.
Tallie maintains appropriate practices designed to protect Customer Data in the Tallie Service from system and application vulnerabilities, including:
Physical and Environmental Security
Security Incident Management
Emburse maintains a group-wide business continuity plan that is tested on an annual basis to assist in reacting to a disaster in a planned and tested manner. Emburse will provide a copy of its then-current business continuity plan promptly following Customer’s written request for same.
Contingency plans have been developed and implemented to ensure that business processes can be restored within identified time-frames. These plans are to be maintained and practiced so as to become an integral part of all other management processes.
Standard Contractual Clauses (processors)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
Name of the data exporting organisation:
Customer, on behalf of itself and the other Controllers
(hereinafter referred to as the "data exporter")
(hereinafter referred to as the "data importer")
each a "party"; together "the parties",
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
For the purposes of the Clauses:
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Third-party beneficiary clause
Obligations of the data exporter
The data exporter agrees and warrants:
Obligations of the data importer
The data importer agrees and warrants:
Mediation and jurisdiction
Cooperation with supervisory authorities
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business-related issues where required, as long as they do not contradict the Clauses.
Obligation after the termination of personal data processing services