Data Processing Addendum

Last updated: October 17, 2022, v 2.2


This Data Processing Addendum (“DPA”) is executed as of the later date on the signature page below (the “DPA Effective Date”) between Tesorio, Inc. (“Tesorio”) and the other entity on the signature block (“Customer”). Capitalized terms have the meanings provided in the Agreement (defined below) except as provided here.

WHEREAS, Tesorio and Customer have executed a Master Subscription Agreement (the “Agreement”) regarding Customer’s subscription to Tesorio’s Services; and

WHEREAS, Tesorio and Customer wish to enter this DPA, which will supplement certain provisions of the Agreement regarding the parties’ security and data protection obligations; and

WHEREAS, this DPA is not a standalone agreement and is only effective if Tesorio and Customer have previously executed an Agreement; and

NOW THEREFORE, the parties agree that this DPA shall be incorporated into and form part of the Agreement and be subject to the provisions therein, including limitations of liability. Terms defined in the Agreement shall have the same meanings when used in this DPA, unless defined otherwise herein.

(1) Definitions and interpretation

“Breach” means a breach of security by Tesorio that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data processed by the Services;

“California Data Protection Law” means the California Consumer Privacy Act as amended by the California Privacy Rights Act, its associated regulations and their successors.

“Controller”, “Processor”, “Data Subject” and “Process” (whether or not capitalized) have the meanings ascribed to them by GDPR and include equivalent terms in California Data Protection Law, in each case as applicable to the Services.

“Data Protection Laws” means GDPR, UK GDPR and California Data Protection Law.

“GDPR” means the EU General Data Protection Regulation 2016/679, and its implementing legislation enacted into local law by European Union member states.

“Personal Data Incident” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or exfiltration of, or access to, Personal Data.

“Personal Data” means any Customer Data: (a) relating to an identified or identifiable individual, within the meaning of GDPR (regardless of whether GDPR applies), and (b) constituting “personal information” as such term is defined in California Data Protection Law.

“SCCs” or “Standard Contractual Clauses” means the Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries under GDPR, as approved by European Commission Implementing Decision 2021/914. Appendix 1 to this DPA contains certain interpretive and supplementary provisions regarding application of the Standard Contractual Clauses. The information required by Annexes 1 and 2 of the Standard Contractual Clauses is provided in Annexes A and B of this DPA.

“Security Policy” means Tesorio’s security policy available at https://security.tesorio.com/.

“Sell”, “Service Provider” and “Third Party” have the meanings provided in California Data Protection Law.

“UK GDPR” means the Data Protection Act 2018 and GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom's European Union (Withdrawal) Act 2018.

(2) Roles and Processing of Personal Data

  • (2.1) General Processing Conditions. Tesorio will only process Customer Data: (a) in order to provide the Services to Customer, (b) with Customer’s prior written consent, or (c) as otherwise permitted by Data Protection Laws.
  • (2.2) Confidentiality of Processing. Tesorio will treat Customer Data as Customer’s Confidential Information (as defined in the Agreement). Tesorio will protect the Customer Data in accordance with the confidentiality obligations in the Agreement.

  • (2.3) Processing in Accordance with EU and UK Laws. With respect to Personal Data processed by Tesorio on Customer’s behalf as to which GDPR and/or UK GDPR applies: (a) Customer may be the controller of Personal Data or a processor and Tesorio will act as a processor or sub-processor, as appropriate, (b) each party will comply with the obligations that apply to it under GDPR and/or UK GDPR, and (c) Tesorio will promptly inform Customer if it becomes aware that processing requested by Customer infringes one of the Data Protection Laws identified in the definition above.

  • (2.4) Processing in Accordance with California Law. With respect to Personal Data processed by Tesorio on Customer’s behalf as to which California Data Protection Law applies: (a) Tesorio is a Service Provider and not a Third Party, (b) Tesorio will not Sell such Personal Data; and (c) Tesorio will not retain, use or disclose such Personal Data except as described in Section 2.1.

(3) Special Undertakings of Customer

Customer undertakes to:

  • (3.1) Comply with all applicable requirements of Data Protection Laws.

  • (3.2) Advise Tesorio of any requirements under Data Protection Laws applicable to Customer Data other than those provided in GDPR, UK GDPR or California Data Protection Law.

  • (3.3) Ensure that there is a legal ground for processing the Personal Data as envisioned under the Agreement.

  • (3.4) Not instruct Tesorio to Process Personal Data in violation of Data Protection Laws. Tesorio shall promptly inform Customer if, in its opinion, Customer’s instructions infringe Data Protection Laws.

(4) Special Undertakings of Tesorio

Tesorio undertakes to:

  • (4.1) Access by Personnel. Ensure that: (a) only Tesorio personnel who must have access to the Personal Data in order to meet Tesorio’s obligations under the Agreement have access to the Personal Data, (b) such personnel have received appropriate training and instructions regarding processing of Personal Data, and (c) such personnel are subject to written agreements of confidentiality or are under an appropriate statutory obligation of confidentiality regarding Customer Data and other Customer Confidential Information.

  • (4.2) Technical and Organizational Measures. Ensure that it has in place appropriate technical and organizational measures, without prejudice to Tesorio’s right to make future replacements or updates to the measures that do not lower the level of protection of Personal Data, to protect against unauthorized or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, in each case as described in the Security Policy.

  • (4.3) Data Subject Access Requests. As applicable to the Service, reasonably assist Customer in responding (at Customer’s expense) to any request from a Data Subject (including “verifiable consumer requests”, as such term is defined in California Data Protection Law), relating to the Processing of Personal Data under the Agreement.

  • (4.4) Breach Notice. Upon becoming aware of a Breach, Tesorio shall notify Customer without undue delay and shall provide timely information relating to the Personal Data Incident as it becomes known or as is reasonably requested by Customer.

  • (4.5) Data Protection Impact Assessments. Taking into account the nature of the Processing and the information available to Tesorio, Tesorio will provide reasonable assistance to and cooperation with Customer for Customer’s performance of any legally required data protection impact assessment of the Processing or proposed Processing of the Personal Data involving Tesorio, and with related consultation with supervisory authorities, by providing Customer with any publicly available documentation for the relevant Service or by complying with Section 7 (Audit Rights). Additional support for data protection impact assessments or relations with regulators may be available and would require mutual agreement on fees, the scope of Tesorio’s involvement, and any other terms that the parties deem appropriate.

(5) Subprocessors

  • (5.1) Customer hereby consents to Tesorio’s appointment of certain third-party processors of Personal Data under this Agreement (“Subprocessors”). Tesorio’s current Subprocessors are listed at https://www.tesorio.com/subpro.... Tesorio confirms that it:

    • (a) has entered (or, for future appointments, will enter) into a written agreement with each Subprocessor incorporating terms which are at least as protective of Personal Data provided by Customer as those set out in this DPA; and

    • (b) will update the website above with any intended changes concerning the addition or replacement of other Subprocessors, thereby giving Customer the opportunity to object to such changes. Customer’s sole recourse if it objects to a Subprocessor will be to terminate Customer’s subscription to the Service.

(6) Transfer of Personal Data Outside of the EU/EEA

  • (6.1) Consent. Tesorio may not transfer Personal Data to, or process such data in, a location outside of the European Economic Area or the UK without Customer’s prior written consent, except in compliance with Section 6.2 below (in each case a “Transfer”).

  • (6.2) Compliant Transfer Mechanisms. Without prejudice to the foregoing, Customer consents to Transfers where Tesorio has implemented a Transfer solution compliant with GDPR and UK GDPR, which for example may include: (a) where such transfer is subject to an adequacy decision by the European Commission; (b) the SCCs for the transfer of Personal Data to Processors established in third countries; (c) another appropriate safeguard pursuant to Article 46 of GDPR or equivalent safeguard under UK GDPR; or (d) a derogation pursuant to Article 49 of GDPR applies or equivalent derogation under UK GDPR.


(7) Audit Rights

On written request from Customer, Tesorio shall provide written responses (on a confidential basis) to all reasonable requests for information made by Customer related to its processing of Personal Data, including responses to information security and audit questionnaires that are strictly necessary to confirm Tesorio’s compliance with this DPA, provided that Customer shall not exercise this right more than once in any rolling 12 month period. Notwithstanding the foregoing, Customer may also exercise such audit right in the event Customer is expressly requested or required to provide this information to a data protection authority, or Tesorio has experienced a Breach, or other reasonably similar basis.

(8) General Terms

  • (8.1) This DPA is part of the Agreement and is governed by its terms and conditions including limitations of liability.

  • (8.2) This DPA will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement unless required otherwise by GDPR, in which case this DPA will be governed by the laws of the Republic of Ireland.

  • (8.3) In the event of inconsistencies between this DPA and the SCCs, this DPA shall prevail to the extent this DPA offers a stronger privacy protection for data subjects. Otherwise, the SCCs shall apply.





APPENDIX 1: APPLICABLE STANDARD CONTRACTUAL CLAUSES AND SUPPLEMENTAL TERMS

(1) Incorporation of Standard Contractual Clauses

The parties agree that the Standard Contractual Clauses are hereby incorporated by reference into this DPA as follows:

  • (1.1) Module 1: Transfer controller to controller, Clauses 1 to 6, 8 and 10 to 18 apply where Tesorio Processes Personal Data as a Controller, Tesorio and its relevant Affiliates are located in non-adequacy approved third countries, and Customer and its relevant Affiliates are established in the EEA.

  • (1.2) Module 2: Transfer controller to processor, Clauses 1 to 6 and 8 to 18 apply where Tesorio Processes Personal Data as a Processor, Tesorio and its relevant Sub-Processor Affiliates are located in non-adequacy approved third countries, and Customer and its relevant Affiliates are established in the EEA.

  • (1.3) Module 3: Transfer processor to processor, Clauses 1 to 6 and 8 to 18 apply where Customer Processes Personal Data as a Processor and Tesorio Processes Personal Data as a Sub-Processor, Tesorio and its relevant Sub-Processor Affiliates are located in non-adequacy approved third countries, and Customer and its relevant Affiliates are established in the EEA.


(2) Standard Contractual Clause Optional Provisions

Where the Standard Contractual Clauses identify optional provisions (or provisions with multiple options) the following shall apply in the following manner:

  • (2.1) Clause 7 (Docking Clause) is omitted;

  • (2.2) In Clause 9(a) (Use of sub-processors) – Option 2 shall apply and the parties shall follow the process and timing agreed in the DPA to appoint sub-processors;

  • (2.3) In Clause 11(a) (Redress) – the Optional provision shall NOT apply;

  • (2.4) In Clause 16(b) (Suspension of transfers) if Tesorio is the data exporter it will suspend transfers of personal data only as required by law and will notify Customer as promptly as possible (before suspension if possible) so that Customer may remedy the condition requiring suspension;

  • (2.5) In Clause 17 (Governing Law) – the laws of the Republic of Ireland shall govern; and

  • (2.6) In Clause 18 (Choice of forum and jurisdiction) – the courts of the Republic of Ireland shall have jurisdiction.


(3) Supplementary Terms to Standard Contractual Clauses

  • (3.1) Documentation and compliance. For the purposes of Clauses 8.9(b) and 8.9(e) the review and audit provisions in the Agreement and DPA shall apply.

  • (3.2) Notification and Transparency.

    1. The Parties acknowledge and agree that Tesorio, where required by the Standard Contractual Clauses to notify the competent supervisory authority, shall first provide Customer with details of the notification, permitting Customer to have prior written input into the relevant notification where Customer so desires to do, and without delaying the timing of the notification unduly.

    2. For purposes of Clause 8.2 – Module 1, Clause 8.3 – Module 2 and Clause 15.1(a), the parties agree and acknowledge that it may not be possible for Tesorio to make the appropriate communications to data subjects and accordingly, Customer shall (following notification from Tesorio) have the option to be the party who communicates with the data subject, and Tesorio shall provide the level of assistance set out in the DPA.

  • (3.3) Liability. For the purposes of Clause 12(a), the liability of the Parties shall be limited in accordance with the limitation of liability provisions in the Agreement.

  • (3.4) Signatories. Notwithstanding the fact that the SCCs are incorporated herein by reference without being signed directly, Tesorio and Customer each agrees that their execution of the Agreement is deemed to constitute its execution of the SCCs, and that it is duly authorized to do so on behalf of, and to contractually bind, the Data Exporter or Data Importer (as applicable) accordingly.


(4) Swiss Law Provisions

  • (4.1) Personal Data transfers from Switzerland will be governed by the SCCs as conformed to Swiss law as follows:
    1. references to the EU, member states and GDPR in the SCCs are amended mutatis mutandis to refer to Switzerland, the Swiss Federal Data Protection Act, and the Swiss Federal Data Protection and Information Commissioner; and

    2. In Clause 17 (Governing Law) the laws of Switzerland shall govern, and in Clause 18 (Choice of forum and jurisdiction) the courts of Switzerland shall have jurisdiction.

(5) United Kingdom Law Provisions

  • (5.1) Personal Data transfers from the United Kingdom will be governed by the SCCs as conformed to UK law pursuant to the International Data Transfer Addendum (the “IDTA”) issued by the UK Information Commissioner’s Office (the “ICO”) and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022.

  • (5.2) In Part 1 of the IDTA, the information required by Tables 1 – 3 is provided in the Agreement, DPA and these SCCs.

  • (5.3) The IDTA’s Mandatory Clauses are incorporated by reference into this DPA in accordance with Alternative Part 2 of the template IDTA.

  • (5.4) References to the EU, member states and GDPR in the Standard Contractual Clauses are amended mutatis mutandis to refer to the United Kingdom, UK GDPR and the ICO.

  • (5.5) In Clause 17 of the Standard Contractual Clauses (Governing Law), the laws of England and Wales shall govern, and in Clause 18 (Choice of forum and jurisdiction), the courts in London, England shall have jurisdiction. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts in the UK.



ANNEX A: DESCRIPTION OF DATA PROCESSING

The data processing activities carried out by Tesorio under the Agreement may be described as follows:

(1) Subject matter

  • The subject matter of this agreement concerns the provision by Tesorio of the Service as described in the Agreement.

(2) Duration

  • Tesorio shall process Personal Data during the Subscription Term and until deletion of Personal Data by Tesorio or Customer in accordance with the Agreement.

(3) Nature and purpose

  • Tesorio will process Personal Data in order to provide the Service in accordance with the Agreement.

(4) Data categories

  • The categories of Personal Data are: (a) the name, email and telephone contact information for Customer personnel who use the Service, (b) other Personal Data that users may provide to Tesorio, and (c) contact information for users of Customer’s product or service, if Customer stores such information and imports it into the Service.

(5) Data subjects

  • Data subjects are: (a) Customer’s personnel who use the Service by or at the direction of Customer, and (b) users of Customer’s product or service, if Customer imports their Personal Data into the Service.

ANNEX B - TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

  1. System Access Controls: Tesorio shall take reasonable measures to prevent personal data from being used without authorization. These controls shall vary based on the nature of the processing undertaken and may include, among other controls, authentication via passwords and/or two-factor authentication, documented authorization processes, documented change management processes and/or logging of access on several levels.
  2. Data Access Controls: Tesorio shall take reasonable measures to provide that personal data is accessible and manageable only by properly authorized staff, direct database query access is restricted and application access rights are established and enforced to ensure that persons entitled to use a data processing system only have access to the personal data to which they have privilege of access; and, that personal data cannot be read, copied, modified or removed without authorization in the course of processing.
  3. Further detailed information regarding Tesorio’s security controls may be found in its SOC 1 and SOC 2 reports, PCI-DSS attestation and other reports and attestations available at security.tesorio.com.