Data Processing Addendum

Updated: April 1, 2021

Schedules

Schedule 1: Client Personal Data Processing Details

Subject Matter of Processing

The Processing will involve: the performance of the Services pursuant to the Agreement.

Duration of Processing

The Processing will continue as set forth in the Agreement.

Categories of Data Subjects

Client employees, contractors, agents, and/or representatives

Special Categories of Personal Data

None

Nature and Purpose of Processing

Includes the following: The Processing activities performed by Vendr will be as described in the Agreement.

Types of Personal Data

Corporate contact information such as name, job title, email address, physical address and phone number.

Physical Location of Personal Data Processed by Vendr

United States

Vendr List of Data Subprocessors

See https://vendr.com/legal

Schedule 2: Cross Border Data Transfer Mechanisms

1. Definitions

  1. “EC” means the European Commission
  2. “EEA” means the European Economic Area
  3. “Standard Contractual Clauses” means, depending on the circumstances unique to Client, any of the following:
    1. UK Standard Contractual Clauses, and
    2. 2021 Standard Contractual Clauses
  4. “UK Standard Contractual Clauses” means the Standard Contractual Clauses for data controller to data processor transfers approved by the EC in decision 2010/87/EU (“UK Controller to Processor SCCs”), and
  5. “2021 Standard Contractual Clauses” means the Standard Contractual Clauses approved by the EC in decision 2021/914

2. Cross Border Data Transfer Mechanisms

  1. Order of Precedence. In the event the Services are covered by more than one Transfer Mechanism, the transfer of Personal Data will be subject to a single Transfer Mechanism in accordance with the following order of precedence: (a) the applicable Standard Contractual Clauses as set forth in Section 2(ii) (UK Standard Contractual Clauses) or Section 2(iii) (2021 Standard Contractual Clauses) of this Schedule 2; and, if (a) is not applicable, then (b) other applicable data Transfer Mechanisms permitted under Applicable Data Protection Law.
  2. UK Standard Contractual Clauses. The parties agree that the UK Standard Contractual Clauses will apply to Personal Data that is transferred via the Services from the United Kingdom, either directly or via onward transfer, to any country or recipient outside of the United Kingdom that is: (a) not recognized by the competent United Kingdom regulatory authority or governmental body for the United Kingdom as providing an adequate level of protection for Personal Data. For data transfers from the United Kingdom that are subject to the UK Standard Contractual Clauses, the UK Standard Contractual Clauses will be deemed entered into (and incorporated into this DPA by this reference) and completed as follows:
    1. The UK Controller to Processor SCCs will apply where Vendr is processing Personal Data. The illustrative indemnification clause will not apply. Appendix 1 (Subject Matter and Details of the Processing) of this DPA serves as Appendix I of the UK Controller to Processor SCCs. Appendix 2 (Security Measures) of this DPA serves as Appendix II of the UK Controller to Processor SCCs.
  3. 2021 Standard Contractual Clauses. The parties agree that the 2021 Standard Contractual Clauses will apply to Personal Data that is transferred via the Services from the European Economic Area or Switzerland, either directly or via onward transfer, to any country or recipient outside the European Economic Area or Switzerland that is not recognized by the European Commission (or, in the case of transfers from Switzerland, the competent authority for Switzerland) as providing an adequate level of protection for Personal Data. For data transfers from the European Economic Area that are subject to the 2021 Standard Contractual Clauses, the 2021 Standard Contractual Clauses will be deemed entered into (and incorporated into this DPA by this reference) and completed as follows:
    1. Module Two (Controller to Processor) of the 2021 Standard Contractual Clauses will apply where Client is a controller of Personal Data and Vendr is processing Personal Data.
    2. Module Three (Processor to Processor) of the 2021 Standard Contractual Clauses will apply where Client is a processor of Personal Data and Vendr is processing Personal Data.
    3. For each Module, where applicable:
      1. in Clause 7 of the 2021 Standard Contractual Clauses, the optional docking clause will not apply;
      2. in Clause 9 of the 2021 Standard Contractual Clauses, Option 2 will apply and the time period for prior notice of subprocessor changes will be as set forth in Section 5 (Sub-Processors) of this DPA;
      3. in Clause 11 of the 2021 Standard Contractual Clauses, the optional language will not apply;
      4. in Clause 17 (Option 1), the 2021 Standard Contractual Clauses will be governed by Irish law;
      5. in Clause 18(b) of the 2021 Standard Contractual Clauses, disputes will be resolved before the courts of Ireland;
      6. in Annex I, Part A of the 2021 Standard Contractual Clauses:
        • Data Exporter: Client.
        • Contact Details: The email address(es) designated by Client in Client’s account via its notification preferences.
        • Data Exporter Role: The Data Exporter’s role is set forth in Section 2 (Processing of Personal Data) of this DPA.
        • Signature and Date: By entering into the Master Services Agreement, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Master Services Agreement.
        • Data Importer: Vendr, Inc.
        • Contact details: Vendr Privacy Team – privacy@vendr.com
        • Data Importer Role: Data Processor.
        • Signature and Date: By entering into the Services Agreement, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the Services Agreement.
      7. in Annex I, Part B of the 2021 Standard Contractual Clauses:
        • The categories of data subjects are described in Appendix 1 (Details of Processing) of this DPA.
        • The Sensitive Information transferred is described in Appendix 1 (Details of Processing) of this DPA.
        • The frequency of the transfer is a continuous basis for the duration of the Services Agreement.
        • The nature of the processing is described in Appendix 1 (Subject Matter and Details of the Processing) of this DPA.
        • The purpose of the processing is described in Appendix 1 (Subject Matter and Details of the Processing) of this DPA.
        • The period for which the Personal Data will be retained is described in Appendix 1 (Subject Matter and Details of the Processing) of this DPA.
        • For transfers to subprocessors, the subject matter, nature, and duration of the processing is set forth at https://vendr.com/legal.
      8. in Annex I, Part C of the 2021 Standard Contractual Clauses: The Irish Data Protection Commission will be the competent supervisory authority.
      9. Appendix 2 (Security Measures) of this DPA serves as Annex II of the Standard Contractual Clauses.

Appendix 1 to Schedule 2

This Appendix 1 forms part of the Clauses and must be completed and signed by the Parties.

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix 1.

Data exporter

The data exporter is (please specify briefly your activities relevant to the transfer): The Data Exporter is the Client of Vendr’s Services as defined in the Agreement.

Data importer

The data importer is (please specify briefly your activities relevant to the transfer): The Data Importer is Vendr which offers services to Client through its online platform with respect to the Services.

Data subjects

The Personal Data transferred concern the following categories of data subjects (please specify): See Schedule 1 of the DPA.

Categories of data

The Personal Data transferred concern the following categories of data (please specify, tick the applicable): See Schedule 1 of the DPA.

Special categories of data (if appropriate)

The Personal Data transferred concern the following special categories of data (please specify, tick the applicable): See Schedule 1 of the DPA.

Processing operations

The Personal Data transferred will be subject to the following basic Processing activities (please specify): See Schedule 1 of the DPA.

On behalf of the data exporter (Client):

Name (written out in full):      

Position:      

Address:      

Other information necessary in order for the contract to be binding (if any):

Signature……………………………………….

On behalf of the data importer (Vendr):

Name (written out in full):        

Position:      

Address: 501 Boylston Street, 10th Floor, Boston, MA 02116, United States

Other information necessary in order for the contract to be binding (if any):

Signature……………………………………….

Appendix 2 to Schedule 2

This Appendix forms part of the Clauses and must be completed and signed by the Parties.

Description of the Technical and Organizational Security Measures implemented by the Data Importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

Vendr will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Client Personal Data, as described in the DPA. Vendr will not materially decrease the overall security of the Services during the term.

Subprocessors will be bound to adhere to similar but not identical organizational security measures which will not fall below the level of data security as agreed herein. Any organizational security measures are subject to change of technical standards and can be adopted. If so requested, Vendr will provide Client with a description of the then current measures.

Vendr shall:

  1. ensure that Client Personal Data can be accessed only by authorized personnel for the purposes set forth in Schedule 1 of this DPA;
  2. take all reasonable measures to prevent unauthorized access to Client Personal Data through the use of appropriate physical and logical (passwords) entry controls, securing areas for data processing, and implementing procedures for monitoring the use of data processing facilities;
  3. build in system and audit trails;
  4. use secure passwords, network intrusion detection technology, encryption and authentication technology, secure logon procedures and virus protection;
  5. account for all the risks that are presented by processing, for example from accidental or unlawful destruction, loss, or alteration, unauthorized or unlawful storage, processing, access or disclosure of Client Personal Data;
  6. ensure pseudonymisation and/or encryption of Client Personal Data, where appropriate;
  7. maintain the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  8. maintain the ability to restore the availability and access to Client Personal Data in a timely manner in the event of a physical or technical incident;
  9. implement a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing of Client Personal Data;
  10. monitor compliance on an ongoing basis;
  11. implement measures to identify vulnerabilities with regard to the processing of Client Personal Data in systems used to provide services to Client;
  12. provide employee and contractor training to ensure ongoing capabilities to carry out the security measures established in policy;
  13. maintain SOC 2 compliance.

On behalf of the data exporter (Client):

Name (written out in full):      

Position:      

Address:      

Other information necessary in order for the contract to be binding (if any):

Signature……………………………………….

On behalf of the data importer (Vendr):

Name (written out in full):        

Position:      

Address: 501 Boylston Street, 10th Floor, Boston, MA 02116, United States        

Other information necessary in order for the contract to be binding (if any):

Signature……………………………………….

Schedule 3: Jurisdiction Specific Terms

1. Australia:

1.1 The definition of “Applicable Data Protection Law” includes the Australian Privacy Principles and the Australian Privacy Act (1988).

1.2 The definition of “Personal Data” includes “Personal Information” as defined under Applicable Data Protection Law.

1.3 The definition of “Sensitive Data” includes “Sensitive Information” as defined under Applicable Data Protection Law.

2. Brazil:

2.1 The definition of “Applicable Data Protection Law” includes the Lei Geral de Proteção de Dados (LGPD).

2.2 The definition of “Data Processor” includes “operator” as defined under Applicable Data Protection Law.

3. Canada:

3.1 The definition of “Applicable Data Protection Law” includes The Federal Personal Information Protection and Electronic Documents Act (PIPEDA).

3.2 Vendr’s subprocessors, as described in Schedule 1 of this DPA, are third parties under Applicable Data Protection Law, with whom Vendr has entered into a written contract that includes terms substantially similar to this DPA. Vendr has conducted appropriate due diligence on its subprocessors.

3.3 Vendr will implement technical and organizational measures as set forth in Section 3 (Security) of this DPA.

4. Israel:

4.1 The definition of “Applicable Data Protection Law” includes the Protection of Privacy Law (PPL).

4.2 The definition of “Data Controller” includes “Database Owner” as defined under Applicable Data Protection Law.

4.3 The definition of “Data Processor” includes “Holder” as defined under Applicable Data Protection Law.

4.4 Vendr will require that any personnel authorized to process Client Personal Data comply with the principle of data secrecy and have been duly instructed about Applicable Data Protection Law. Such personnel sign confidentiality agreements with Vendr in accordance with Section 3 (Security) of this DPA.

4.5 Vendr must take sufficient steps to ensure the privacy of Data Subjects by implementing and maintaining the security measures as specified in Section 3 (Security) of this DPA and complying with the terms of the Agreement.

4.6 Vendr must ensure that the personal data will not be transferred to a subprocessor unless such subprocessor has executed an agreement with Vendr pursuant to Section 4 (Subprocessing) of this DPA.

5. Japan:

5.1 The definition of “Applicable Data Protection Law” includes the Act on the Protection of Personal Information (APPI).

5.2 The definition of “Personal Data” includes “Personal Information” as defined under Applicable Data Protection Law.

5.3 The definition of “Data Controller” includes “Business Operator” as defined under Applicable Data Protection Law. As a Business Operator, Vendr is responsible for the handling of Personal Data in its possession.

5.4 The definition of “Data Processor” includes a business operator entrusted by the Business Operator with the handling of personal data in whole or in part (also a “trustee”), as described under Applicable Data Protection Law. As a trustee, Vendr will ensure that the use of the entrusted Personal Data is securely controlled.

6. Singapore:

6.1 The definition of “Applicable Data Protection Law” includes the Personal Data Protection Act 2012 (PDPA).

6.2 Vendr will process personal data to a standard of protection in accordance with the PDPA by implementing adequate technical and organizational measures as set forth in Section 3 (Security) of this DPA and complying with the terms of the Agreement.

7. United Kingdom:

7.1 References in this DPA to GDPR will to that extent be deemed to be references to the corresponding laws of the United Kingdom (including the UK GDPR and Data Protection Act 2018).

7.2 The Standard Contractual Clauses will also apply to Client in the United Kingdom as data exporter and to Vendr as data importer for Transfers of Personal Data to countries that are not deemed to have an adequate level of data protection under the United Kingdom’s Applicable Data Protection Law.

8. United States - California:

8.1 The definition of “Applicable Data Protection Law” includes the California Consumer Privacy Act of 2018 (CCPA).

8.2 The definition of “Data Controller” includes “Business” as defined under Applicable Data Protection Law.

8.3 The definition of “Data Processor” includes “Service Provider” as defined under Applicable Data Protection Law.

8.4 The definition of “Personal Data” includes “Personal Information” as defined under Applicable Data Protection Law and, for clarity, includes any Personal Information contained within Client Personal Data.

8.5 The definition of “Data Subject” includes “Consumer” as defined under Applicable Data Protection Law. Any Data Subject rights, as described in Section 5 (Data Rights Requests) of this DPA, apply to Consumer rights.

8.6 Vendr will Process, retain, use, and disclose Personal Data only as necessary to provide the Services under the Agreement, which constitutes a business purpose. Vendr agrees not to (a) sell (as defined by the CCPA) Client Personal Data or Client end users’ Personal Data; (b) retain, use, or disclose Client Personal Data for any commercial purpose (as defined by the CCPA) other than providing the Services; or (c) retain, use, or disclose Client Personal Data outside of the scope of the Agreement.

8.7 Vendr certifies that its subprocessors, as listed in Schedule 1 of this DPA, are Service Providers under Applicable Data Protection Law, with whom Vendr has entered into a written contract that includes terms substantially similar to this DPA. Vendr conducts appropriate due diligence on its subprocessors.

8.8 Vendr will implement and maintain reasonable security procedures and practices appropriate to the nature of the Personal Data it Processes as set forth in Section 3 (Security) of this DPA.