Briqpay Data Processing Addendum

DATA PROCESSING ADDENDUM

Customer and Briqpay have entered into an agreement regarding Customer’s provision of the Services (the “Main Agreement”) of which this data processing addendum (“DPA”) shall form an integral part. All capitalized terms herein shall have the same meaning as set forth in the General Terms and Conditions unless otherwise stated herein.

  1. Background and purpose
    1. As part of the Main Agreement Briqpay will be processing personal data on behalf of Customer.
    2. Customer is the data controller and Briqpay is the data processor in relation to the personal data processed under this DPA (the “Included Personal Data”). The Included Personal Data is described in the document in Schedule 1 (the “Instruction”). 
    3. This DPA governs the conditions for Briqpay’s processing of, and access to, personal data on behalf of Customer in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and other applicable data protection legislation (“Applicable Legislation”).
    4. The DPA comprises this document and the Instruction. In the event of any contradictions between this document and the Instruction or the Main Agreement, this document shall take precedence.
    5. All terms defined in article 4 of GDPR shall have the same meaning in the DPA, unless expressly stated otherwise. 
  2. Briqpay’s obligations
    1. Scope of processing. Briqpay shall only process Included Personal Data in accordance with the DPA, the Main Agreement and its applicable amendments, the GDPR, Applicable Legislation and Customer’s instructions, unless further processing is required under applicable EU or member state law to which Briqpay is subject. In such case Briqpay shall inform Customer of this legal obligation unless such disclosure is prohibited by law.
    2. Security. Briqpay shall implement appropriate technical and organizational measures to secure, in particular, Included Personal Data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed, as required pursuant to Article 32 in the GDPR.
    3. Subprocessors. Customer provides a general authorization for the use of subprocessors to process Included Personal Data in connection with fulfilling Briqpay’s obligations under the Main Agreement (“Subprocessors”). Briqpay’s current Subprocessors are listed in Schedule 2. Briqpay shall notify Customer of any intended addition or replacement of its Subprocessors through notice over email. If Customer has not objected within ten (10) days from the notice, Customer is assumed to have approved the engagement. If Briqpay engages Subprocessors, Briqpay shall enter into a subprocessor agreement with the same obligations as in this DPA, with the exception that the Subprocessor may not retain another Subprocessor without Customer’s prior written approval. Briqpay shall maintain an updated list of Subprocessors and shall submit a copy of the list to Customer upon request. In the event the Subprocessor fails to fulfil its obligations under the Subprocessor agreement, Briqpay shall bear full liability to Customer for the performance of the Subprocessors’ work, undertakings, and obligations.
    4. Third country transfers. Briqpay may, by itself or through its Subprocessors, transfer Included Personal Data to third countries, provided that prior to commencing such transfer or provision of access, Briqpay meets the requirements and undertakings which follow from the GDPR, which may include entering into EU Standard Contractual Clauses.
    5. Requests from data subjects. Briqpay shall implement appropriate technical and organisational measures to assist Customer to fulfil its obligation to respond to requests by data subjects to exercise their rights under Chapter III in the GDPR, such as the right of access, deletion, correction, and data portability.
    6. Request of information. If a data subject, a supervisory authority or other third party requests information from Briqpay regarding processing of Included Personal Data, then Briqpay shall immediately notify Customer of the request and the Parties shall jointly agree on suitable actions. Briqpay is not entitled to represent Customer or otherwise act on Customer’s behalf towards a data subject, authority or other third party. 
    7. Assistance and personal data breach. Briqpay shall assist Customer to fulfill its obligations pursuant to Articles 32 to 36 in the GDPR, especially regarding security of processing and personal data breach. Briqpay shall notify Customer without undue delay and within twenty-four (24) hours after Briqpay has learned of a personal data breach.
    8. Return of information. Briqpay shall upon termination of the DPA or upon notice from Customer delete or anonymize all Included Personal Data processed under the DPA, unless Briqpay is required to retain the Included Personal Data pursuant to national law or EU law.
    9. Audits by Customer. Briqpay shall make available to Customer upon Customer’s request, all information necessary to demonstrate that Briqpay is fulfilling its obligations under the DPA, the GDPR and Applicable Legislation. Briqpay shall also enable and assist in audits, including inspections, which are conducted by Customer or by a third party authorised by Customer, at Customer’s cost.
    10. Inspection by supervisory authority. Briqpay shall enable inspections performed by authorised supervisory authorities to ensure a correct processing of Included Personal Data. Briqpay shall comply with any decisions submitted by a supervisory authority regarding the security measures required to meet the security requirements set out in the GDPR and Applicable Legislation. 
  3. Confidentiality
    1. In addition to any confidentiality obligations provided for in the Main Agreement, Briqpay undertakes not to disclose Included Personal Data or other information on the processing of Included Personal Data to any third party without express instruction from Customer. This clause 3 does not apply, however, to information which is disclosed to Subprocessors for the purpose of enabling these to fulfil their obligations under a Subprocessor agreement, information which is generally known (due to other reasons than a breach of the DPA), information which Briqpay is required to disclose under mandatory legislation or under a decision or ruling of a court of competent jurisdiction or another competent authority. In the latter case, Briqpay shall inform Customer thereof immediately and request confidentiality in conjunction with the disclosure of requested information. 
    2. Briqpay shall ensure that each Subprocessor, employee or third party that is given access to Included Personal Data is subject to at least the same obligation of confidentiality as set forth in this clause 3. 
    3. The obligation of confidentiality pursuant to this clause 3 shall apply without limitation in time.
  4. Term
    The DPA shall remain in force for as long as Briqpay processes personal data on behalf of Customer.
  5. Limitation of liability
    1. Briqpay’s liability for any damages arising from or in connection with the DPA is limited as follows:
      i. Briqpay shall not be liable for consequential or indirect losses, such as lost profits, diminished production, costs of retaining another provider, costs of equipment and similar costs or losses.
      ii. In no event shall Briqpay’s total liability for any damages, direct or indirect, arising from or in connection with the DPA exceed the fees paid by Customer for the Services during the previous six (6) month period.
      iii. The limitation of liability in subclause (i–ii) above shall not apply for administrative fines imposed by a supervisory authority or for any damage which a data subject or another natural person has suffered if such result from Briqpay’s processing of Included Personal Data in contravention of the Instruction, the DPA, the GDPR or Applicable Legislation.
  6. Miscellaneous
    1. This DPA shall supersede any prior agreements, arrangements and understandings between the Parties and constitutes the entire agreement between the Parties relating to the subject matter hereof. 
    2. All changes and amendments to the DPA shall be made in writing.
    3. Neither Party shall be entitled to assign its rights and/or obligations under the DPA, in whole or in part, without the prior written consent of the other Party.
    4. Any dispute, controversy or claim arising out of or in connection with the DPA shall be settled in accordance with the dispute resolution clause in the Main Agreement. 

Schedule 1

INSTRUCTION

All processing of Included Personal Data by Briqpay on behalf of Customer shall be done in accordance with this Instruction.

Categories of data subjects: Representatives of Customer’s end customers’ companies (“Representatives”)

Categories of personal data:
  - Company name, organization number (or personal identification number if end customer is a sole trader), SNI code and company credit score
  - Contact details such as name, email, phone number, address used in the Checkout
  - Approximate location of representative using the Checkout
  - Device data including user-agent and IP address
  - Order information

Nature and purpose of the processing: Briqpay will collect, structure and store Included Personal Data for the purpose of providing the Services under the Main Agreement.

Retention period or criteria for data retention: Briqpay may only use the Included Personal Data as long as necessary to fulfil its obligations under the Main Agreement. Briqpay shall delete or anonymize any stored personal data in accordance with clause 2.8 of the DPA within five (5) business days after termination of the Main Agreement.

Security measures:
  - Access control: Access to server rooms only with key or chip card, office rooms secured with alarm, physical security of server halls, measures for events logging
  - Integrity & confidentiality: User authorizations are restricted to tasks, access control of the production environment and databases, password policies
  - Encryption: Hard disk encryption or cloud solution with encryption
  - Transmission control: SSL encryption and authenticated requests for data in transmission, services handling order and services communicating with payment providers are not accessible from the internet.
  - Storage: encryption of data at rest, databases only accessible through tunnelled VPN
  - Recoverability & resilience: backups that are regularly checked for successful recovery

Schedule 2

SUBPROCESSORS

| Subprocessor | Categories of data and purpose of processing | Country of processing | Security measures |
|---|---|---|---|
| Google Cloud EMEA Limited | Cloud hosting of all Included Personal Data | Frankfurt, Germany | EU Model Clauses together with supplementary security measures |
| MongoDB Inc. | Database hosting of all Included Personal Data | Frankfurt, Germany | EU Model Clauses together with supplementary security measures |
| Splunk Inc. | System logs and monitoring of all Included Personal Data | Frankfurt, Germany | EU Model Clauses together with supplementary security measures |