Data Processing Addendum (DPA)

This Data Processing Addendum (hereinafter “DPA”) is effective as of the effective date specified in the AppZen Master Services Agreement that incorporates this DPA by reference (“Effective Date”) by and between the Customer as mentioned in the Order Form (the “Controller”), and AppZen, Inc. (“AppZen”) having its offices at 6201 America Center Drive Suite 300 San Jose, CA 95002. The Controller and AppZen are individually referred to as a “Party” and collectively as the “Parties”. This DPA supplements and is governed by the Master Services Agreement in force between the Parties (“Agreement”) under which AppZen provides the Controller software and other services (the “Services”).

The Parties seek to implement this DPA in order to comply with the requirements of the GDPR, the CCPA and the CPRA (defined hereunder) in relation to AppZen’s Processing of Personal Data as part of its obligations under the Agreement. The terms “Process”, “Processing” and “Personal Data” used in this DPA shall have the same meaning as defined in the GDPR. The terms “Business Purpose,” “Consumer,” “Contractor,” “Personal Information,” “Sell,” “Service Provider,” “Share,” and “Third Party” shall have the meanings ascribed to them under the CCPA and CPRA.

This DPA shall apply to AppZen’s processing of Controller’s Personal Data, whether provided by the Controller or its data subject (the “Data Subject”) and/or its affiliates, its end users or otherwise, as part of AppZen’s obligations under the Agreement.

1. Definitions

Capitalized terms not otherwise defined herein shall have the meaning given to them in the GDPR, the CCPA, the CPRA or the Agreement. The following terms shall have the corresponding meanings assigned to them below:

1.1 “Data Transfer” means (1) a transfer of the Personal Data from the Data Subject to Controller or to AppZen on behalf of the Controller; or (2) an onward transfer of the Personal Data from the Controller to AppZen, or between two establishments of AppZen, or with a Subprocessor (as defined below) by AppZen.
1.2 “Data Privacy Framework” means the EU-U.S. Data Privacy Framework, or where applicable, the UK Extension to the EU-U.S. Data Privacy Framework, or where applicable the Swiss-U.S. Data Privacy Framework self-certification programs, operated by the U.S. Department of Commerce; as may be amended, superseded, or replaced.
1.3 “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
1.4 “Standard Contractual Clauses” means the contractual clauses attached hereto as Schedule 1 pursuant to the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 on Standard Contractual Clauses for the transfer of Personal Data to processors established in third countries which do not ensure an adequate level of data protection (or any updated version thereof).
1.5 “Subprocessor” means a processor/sub-contractor appointed by AppZen for the provision of all or parts of the Services and who Processes the Personal Data as provided by the Controller and/or AppZen.
1.6 “UK SCC Addendum” means the UK SCC Addendum to the EU Commission Standard Contractual Clauses attached hereto as Schedule 2, issued by the UK Information Commissioner and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022.
1.7 “CCPA” means the California Consumer Protection Act of 2018.
1.8 “CPRA” means the California Privacy Rights Act of 2020.

2. Purpose of this Addendum

This DPA sets out various obligations of AppZen in relation to the Processing of Personal Data and shall be limited to AppZen’s obligations under the Agreement. If there is a conflict between the provisions of the Agreement and this DPA, the provisions of the Agreement shall prevail, subject to applicable laws.

3. Categories of Personal Data and Data Subjects. The Controller authorizes AppZen to Process such Personal Data to the extent set forth in the Agreement or as otherwise determined and controlled by the Controller. The current nature of the Personal Data is specified in Annex I to Schedule 1 to this DPA.

4. Purpose of Processing. The objective of Processing of Personal Data by AppZen shall be limited to AppZen’s provision of the Services to the Controller pursuant to the Agreement.

5. Controller’s Processing of Personal Data. The Controller warrants that it has the right and authority to request AppZen to Process the Personal Data and that its instructions for the Processing of Personal Data shall comply with applicable data protection laws and regulations.

6. Duration of Processing. AppZen will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing by the Controller.

7. AppZen’s obligations.

a. AppZen will follow written and documented instructions that comply with applicable data protection laws, as received from the Controller, with respect to the Processing of Personal Data (each, an “Instruction”).

b. The Processing described in the Agreement or this DPA and the related documentation shall be considered an Instruction from the Controller, so long as any additional or alternate instructions are consistent with the purpose and scope of the Agreement and are provided and/or confirmed in writing (email is acceptable) by the Controller.

c. At the Controller’s request, AppZen will provide reasonable assistance to the Controller in responding to and complying with requests or directions of Data Subjects exercising their rights, or of the applicable regulatory authorities, regarding AppZen’s Processing of Personal Data.

d. AppZen may notify Controller if an Instruction, in AppZen’s opinion, infringes the GDPR, the CCPA or the CPRA and further reserves its right not to provide any further assistance on such reported Instruction.

8. Processing purposes, scope, and Controller’s processing instructions.

AppZen shall only process Personal Information in accordance with Controller’s instructions and to the extent necessary for providing the Services and as set forth in the Agreement, which constitutes a business purpose under the CCPA and the CPRA. To the extent the CCPA and the CPRA applies, the parties acknowledge that Controller’s transfer of any Personal Information to AppZen is not a sale, and AppZen provides no monetary or other valuable consideration to Controller in exchange for Personal Information. Except as otherwise instructed by Controller, AppZen is prohibited from (a) selling the Personal Information or (b) collecting, retaining, using or disclosing the Personal Information for any purpose (including any commercial purpose) other than for the specific purpose of providing the Services and as set forth in the Agreement, or as otherwise permitted by the CCPA and the CPRA. AppZen shall not further collect, sell, or use Personal Information except as necessary to perform Services under the Agreement. For the avoidance of doubt, AppZen shall not use the Personal Information for the purpose of providing services to another person or entity. The Agreement, this DPA and any additional data processing instructions provided by Controller shall constitute “instructions,” so long as any additional or alternate instructions are consistent with the purpose and scope of the Agreement and are provided and/or confirmed in writing by the Controller. AppZen shall immediately notify Controller if an instruction, in AppZen’s opinion, violates the GDPR, the CCPA, the CPRA or any other applicable law. To the extent AppZen de-identifies any Personal Information under this DPA and as set forth in the Agreement, it will maintain and use such material only in de-identified form and will not attempt to re-identify such information except for the purposes of determining whether its de-identification processes meet the requirements of applicable law.

9. Controller responsibilities.

The Controller shall, in its use of the Services, Process Personal Information in accordance with the requirements of the GDPR, the CCPA, the CPRA or any other applicable laws and shall ensure that its instructions for Processing Personal Information are compliant with the GDPR, the CCPA, the CPRA and any other applicable laws. The Controller shall have sole responsibility for the accuracy, quality, and legality of Personal Data, and the means by which the Controller acquired Personal Data. The Controller represents and warrants that it has provided notice to Data Subjects that their Personal Information is being used or shared in compliance with the CCPA and CPRA.

10. Data Subject requests.

AppZen shall provide reasonable assistance to Controller for the fulfilment of Controller’s obligation to respond to and address requests of Data Subjects relating to Data Subject rights as identified under the GDPR, request from data protection authorities and Data Subjects who are consumers under the CCPA and the CPRA relating to rights provided by the CCPA and the CPRA. Controller shall be responsible for any costs arising from AppZen’s provision of such assistance. AppZen shall not be required to delete any of the Personal Information to comply with a request to exercise the CCPA and the CPRA rights directed by Controller if it is necessary to maintain such information in accordance with Cal. Civ. Code 1798.105(d), in which case AppZen shall promptly inform Controller of the exceptions relied upon under 1798.105(d) and AppZen shall not use the Personal Information retained for any other purpose than provided for by that exception.

11. Confidentiality. AppZen will ensure that any personnel whom it authorizes to Process Personal Data on its behalf are subject to confidentiality obligations at least as protective as those in this DPA and the Agreement.

12. Audit Rights

a. Upon Controller’s reasonable request, AppZen will make available to the Controller information that is reasonably necessary to demonstrate AppZen’s compliance with its obligations under the GDPR or other applicable laws in respect of its Processing of the Personal Data. When the Controller wishes to conduct an audit (by itself or through a representative that is bound by reasonably imposed confidentiality obligations), it shall provide at least thirty (30) days’ prior written notice to AppZen; AppZen will provide reasonable cooperation and assistance in relation to audits conducted by the Controller or its representative. Audits shall be conducted no more than once annually, within ordinary working hours, and shall seek to avoid obstruction of AppZen’s ordinary business activities.

b. The Controller shall bear the expense of such an audit.

c. All data sharing rights and obligations set forth herein, including any and all audit rights or other terms requiring disclosure of information or cooperation, will be subject to protection of any applicable privileges, doctrines, protections, or obligations to third parties.

13. Mechanism of Data Transfers. If the Agreement requires a Data Transfer for the purpose of Processing by AppZen from a country in the European Economic Area (the “EEA”) to a country outside the EEA (or, as applicable, from the UK or Switzerland), the Parties agree to do so: (a) in accordance with the Data Privacy Framework, provided AppZen is self-certified under the Data Privacy Framework (which can be checked at www.dataprivacyframework.gov/list) and the Data Privacy Framework remains a lawful transfer mechanism; or (b) (if not otherwise covered by (a)): (i) subject to the Standard Contractual Clauses for transfers from a country in the EEA to a country outside of the EEA, or (ii) subject to the UK SCC Addendum for transfers from the UK to a country outside of the UK.

14. Where such model clauses have not been executed at the same time as the Agreement or this DPA, they shall be deemed in effect upon execution of the Agreement or this DPA where the transfer of Personal Data outside of the EEA is required for the performance of the Agreement.

15. Subprocessors

a. The Controller acknowledges and agrees that AppZen may engage third-party Subprocessor(s) in connection with the performance of the Services, provided such Subprocessor(s) implement technical and organizational measures to ensure the confidentiality of Personal Data shared with them. In accordance with Article 28(4) of the GDPR, AppZen shall remain liable to Controller for any failure on behalf of a Subprocessor to fulfil its data protection obligations under the DPA in connection with the performance of the Services.

b. If the Controller has a concern that a Subprocessor’s Processing of Personal Data is reasonably likely to cause the Controller to breach its data protection obligations under the GDPR, the Controller may object to AppZen’s use of such Subprocessor, and AppZen and Controller shall confer in good faith to address any such concern.

16. Personal Data Breach Notification.

a. AppZen shall maintain defined procedures in case of a Personal Data Breach (as defined under the GDPR) and shall without undue delay notify Controller if it becomes aware of any Personal Data Breach unless such Data Breach is unlikely to result in a risk to the rights and freedoms of natural persons.

b. AppZen shall provide the Controller with all reasonable assistance to comply with the notification of Personal Data Breach to Supervisory Authority and/or the Data Subject, to identify the cause of such Data Breach and take such commercially reasonable steps as reasonably required to mitigate and remedy such Data Breach.

c. AppZen’s notification of or response to a Personal Data Breach under this DPA will not be construed as an acknowledgement by AppZen of any fault or liability with respect to the data incident.

17. Deletion of Personal Data. Within ninety (90) days of the expiration or termination of the Agreement, AppZen will delete or otherwise destroy all the Personal Data of Controller still in AppZen’s possession.

18. Technical and Organizational Measures.

Having regard to the state of technological development and the cost of implementing any measures, AppZen will take appropriate technical and organizational measures against the unauthorized or unlawful processing of Personal Data and against the accidental loss or destruction of, or damage to, Personal Data, to ensure a level of security appropriate to: (a) the harm that might result from unauthorized or unlawful processing or accidental loss, destruction or damage; and (b) the nature of the data to be protected, including the measures stated in Annex II of Schedule 1.
Schedule 1

STANDARD CONTRACTUAL CLAUSES

The Standard Contractual Clauses (Module 2 - Controller to Processor) are deemed incorporated herein by reference, subject to the following:

For the purposes of EU SCC Module 2:

  1. in Clause 7, the optional docking clause will apply.
  2. in Clause 9, Option 2 (General Authorisation) will apply, and the time period for prior notice of subprocessor changes shall be 15 days.
  3. in Clause 11, the optional language will not apply.
  4. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by laws of Ireland.
  5. in Clause 18(b), disputes shall be resolved before the courts of Ireland.

ANNEX I

A. LIST OF PARTIES

Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]

1. Name: As set forth in the order form

Address: As set forth in the order form

Contact person’s name, position and contact details: As set forth in the order form

Activities relevant to the data transferred under these Clauses: Invoice and/or expense report processing functions

Signature and date: As set forth in the order form

Role (controller/processor): Controller

Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]

Name: AppZen, Inc.

Address: 6201 America Center Drive Suite 300 San Jose, CA 95002

Contact person’s name, position and contact details: CISO, ciso@appzen.com

Activities relevant to the data transferred under these Clauses: AppZen, Inc. through its AI Platform provides finance teams of its customers with back office automation in order to audit expense reports and invoices, identify contract gaps, and track and follow up on compliance. The platform primarily scans documents and extracts information from them, audits the information and flags items of concern as per the rules set/modified by the customers of AppZen, Inc.

Signature and date:

Role (controller/processor): Processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred:

Personal data of third parties and the employees of data exporter.

Categories of personal data transferred:

1. Contact information (such as name, customer’s name, customer’s organization, the customer’s employees or contractors, and email address)
2. Employee identification number
3. Expense report details (such as merchant information)
4. Information individuals submit in connection with expense reports (such as copies of receipts, last 4 digits of credit card, names and affiliations of attendees at activities incurring expenses, and explanations of business purposes/justifications)
5. Data Importer may also import the following information: travel itineraries, per diem, travel allowances, corporate card transactions.
6. Supplier contact name (such as name of supplier)
7. Supplier contact address (contact address of the supplier)
8. Supplier contact email

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:

NA

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

Continuous

Nature of the processing:

Processing activity shall apply based on the Services procured by the data exporter:

Expense Audit: Integrate with data exporter’s expense management system to audit every expense in real time to spot errors, waste, and fraud.

Autonomous AP: Automate entry of invoices; classify, match, and approve invoices without manual work or oversight, for all invoice spend.

Mastermind: Automate AP and expense processes and custom policies.

Mastermind Analytics: Transform data exporter’s spend process with on-demand spend insights and benchmarks.

Purpose(s) of the data transfer and further processing:

The purpose of the data transfer is to provide the Services as noted above under Nature of the processing.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

Term of the Agreement and/or any attendant wind-down period agreed between the parties.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

For the Sub-Processors of the data importer, the duration of processing shall be until expiry of the service agreements between the data importer and such Sub-Processor(s). The subject matter and nature of processing shall be as per the details mentioned above in this Annex under Categories of personal data transferred and Nature of the processing, based on the nature of services provided by each Sub-Processor as detailed in Annex III below.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13:

The supervisory authority of the member state where the data exporter is established or the supervisory authority of the member state in which the representative of the data exporter is established.

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

SOC1/SOC 2 Type 2
ISO27001:2022
Adherence to the Information Security policy of data importer

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter

Subprocessors need to have SOC 2 Type 2 and ISO 27001 compliance. All ISO 27001 controls need to be adopted and implemented.

ANNEX III

LIST OF SUB-PROCESSORS

MODULE TWO: Transfer controller to processor

The Controller has authorized the use of the following sub-processors:

https://www.appzen.com/privacy-policy/subprocess/

Schedule 2

UK SCC Addendum

International Data Transfer Addendum to the EU Commission Standard Contractual Clauses

The UK SCC Addendum is deemed incorporated herein by reference, subject to the following:

  1. The Modules set forth in EU/EEA Standard Contractual Clauses above shall apply.
  2. The Annexures as set forth for EU/EEA Standard Contractual Clauses herein shall apply.
  3. For the purposes of Table 4 of the UK Addendum, ‘Importer’ and ‘Exporter’ options shall be selected.