Data Protection and Privacy Agreement and Addendum

This DATA PROTECTION AND PRIVACY AGREEMENT AND ADDENDUM (“DPA”) forms part of the Vertex Customer Agreement (“Agreement”) between the Customer, as defined in the Agreement, on its behalf and on behalf of its subsidiaries and affiliates (each subsidiary a “data exporter”), and Vertex Software, LLC (“Vertex”), under which Customer obtains services from Vertex for itself and its subsidiaries and affiliates (“Services”).

WHEREAS, pursuant to GDPR, Customer (as Controller) is required to impose Processing terms on Vertex, as Processor;

WHEREAS, to the extent that GDPR applies to the Services, the parties hereby agree that the terms and conditions set out below shall be added as a further agreement and addendum to the Agreement and references in this DPA to the Agreement are to the Agreement as amended by, and including, this DPA.

NOW THEREFORE, in consideration of the mutual promises and obligations set forth herein, the parties have agreed as follows:

  1. 1.0 Definitions. For the purpose of this DPA, any terms not defined herein shall have the meaning as defined in the Agreement, and the terms below shall mean the following:
    1. “Applicable Laws” shall mean (i) the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) together with applicable legislation implementing or supplementing the same or otherwise relating to the processing of Personal Data of natural persons, (ii) to the extent not included in sub-clause (i), the Data Protection Act 2018 (“DPA 2018”) of the United Kingdom, as amended from time to time, and including any substantially similar legislation that replaces the DPA 2018, and (iii) the national legislation of the Swiss Confederation on the protection of Data Subjects with regard to the processing of Personal Data and on the free movement of such data, as amended from time to time, and other data protection or privacy legislation in force from time to time in the Swiss Confederation.
    2. “Authorized Personnel” means (a) Vertex employees who have a need to know or otherwise access Customer Personal Data for the purposes of performing applicable services; and (b) Vertex’s contractors, agents, and auditors who have a need to know or otherwise access Customer Personal Data to enable Vertex to perform its obligations under this DPA, and who are bound in writing by confidentiality and other obligations sufficient to protect Customer Personal Data in accordance with the terms and conditions of this DPA.
    3. “Customer” shall have the meaning indicated above and shall include Customer’s subsidiaries and affiliated companies.
    4. “Customer Personal Data” means any Personal Data Processed by Vertex on behalf of Customer or otherwise Processed by Vertex pursuant to or in connection with instructions given by Customer; “Personal Data” shall be considered “Confidential Information” under this DPA.
    5. “Privacy Shield” collectively means the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework designed by the U.S. Department of Commerce and the European Commission and the Swiss FDPIC, respectively, and administered by the United States International Trade Administration.
    6. “Process” or “Processing” means any operation or set of operations which is performed upon Customer Personal Data, whether or not by automatic means, including but not limited to, collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
    7. The terms “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, and “Processor” have the same meanings as described in the Data Protection Laws and cognate terms shall be construed accordingly.
  2. 2.0 Processing Personal Data.
    1. Customer hereby instructs Vertex to process Customer Personal Data for providing the Services described in Schedule 1 in accordance with Customer’s written instructions (unless expressly waived in a written requirement) provided during the term of the Agreement.  Customer instructs Vertex to Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement or any applicable Orders; or (ii) Processing to comply with other reasonable written instructions provided by Customer where such instructions are consistent with the terms of the Agreement.  Vertex is not entitled to use Customer Personal Data for its own purposes. In the event Vertex reasonably believes there is a conflict with any Applicable Law and Customer’s instructions, or it cannot comply with any instruction or any requirements under this DPA, Vertex will inform Customer immediately and the Parties shall cooperate in good faith to resolve the conflict and achieve the goals of such instruction.
    2. To the extent that Vertex will process any Customer Personal Data that is subject to Applicable Laws, Vertex shall process such Customer Personal Data (a) in the EEA or in a country considered by Applicable Laws as providing adequate data privacy protection, or (b) outside the EEA, pursuant to Privacy Shield as more adequately described in Section 3.3 below.  When and as requested by Customer and agreed to by Vertex in writing, Vertex shall promptly execute 2010 Standard Contractual Clauses if required to process Customer Personal Data in accordance with Applicable Laws. 
    3. Vertex has self-certified to Privacy Shield regarding the collection, use and retention of Personal Data transferred from the European Economic Area (“EEA”) to the United States.  Vertex shall Process Customer Personal Data through the performance of the Services on behalf of Customer in accordance with the requirements and principles of Privacy Shield (excepting the principles of Notice & Choice, which are not applicable) for all services whereby Personal Data is transferred from the EEA and/or Switzerland to outside the EEA and/or Switzerland, either directly or via onward transfer, to any country or recipient: (a) not recognized by GDPR or DPA 2018 as providing an adequate level of protection for Personal Data or the Swiss FDPIC, or (b) not covered by a suitable framework recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data, including but not limited to Binding Corporate Rules for Processors or EU/Swiss Standard Contractual Clauses, as may be applicable from time to time (the “Privacy Shield Services”).  In addition, Vertex agrees as follows: (i) To provide at least the same level of privacy protection for EEA Personal Data as is required by the Privacy Shield Principles (available at https://www.privacyshield.gov/EU-US-Framework); (ii) To notify Customer if it makes a determination that it can no longer meet its obligations under subclause (i) above; (iii) To provide at least sixty (60) days’ prior written notice if it plans to not renew its certification under Privacy Shield; and (iv) Upon making the determination specified in subclause (ii) above, or upon notice from Customer, to take reasonable and appropriate steps to stop and remediate unauthorized processing. 
    4. Vertex shall maintain administrative, physical, and technical safeguards for the protection of the security, confidentiality, and integrity of Customer’s data and confidential and proprietary information, including Customer Personal Data, as further set forth in the Agreement. Vertex will regularly monitor compliance with these safeguards. Vertex will not decrease the overall security of the Services during the term of the Agreement.  Vertex will delete, de-identify, or otherwise remove any access to any Customer Personal Data after it is no longer needed for the identified processing purpose, or upon termination or expiration of the Agreement.
    5. Vertex shall ensure that Authorized Personnel have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.  During the term of each Authorized Personnel’s employment or engagement by Vertex, Vertex shall at all times cause such Authorized Personnel to abide by Vertex’s obligations under this DPA. In addition, Customer generally authorizes Vertex to engage the subprocessors listed in Schedule 1, and to make changes to those subprocessors, provided that Vertex:
      1. provides prior notice to Customer and gives Customer an opportunity to object to changes concerning the addition or replacement of subprocessors (provided that Customer will not object except with reasonable cause);
      2. executes a written contract with each subprocessor with the same or more protective obligations and data protection obligations contained in this DPA; and
      3. shall remain liable for any acts or omissions of subprocessors.
    6. Processor will, with respect to Customer Personal Data that is subject to GDPR or DPA 2018: 
      1. process the Customer Personal Data as described in Section 2.1 above, including with regard to transfers of Customer Personal Data to a third country or an international organization, unless required to do so by law to which Vertex is subject; in such a case, Vertex will inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
      2. take all measures required pursuant to Article 32 of the GDPR;
      3. taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the data subject’s rights under GDPR or DPA 2018 laws;
      4. assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of the processing and the information available to Vertex;
      5. make available to Customer all information necessary to demonstrate compliance with the obligations set out in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by Customer.
    7. Vertex will without undue delay after becoming aware of a Personal Data Breach (a) notify Customer of the Personal Data Breach; (b) investigate the Personal Data Breach; (c) provide Customer with details about the Personal Data Breach; and (d) make best efforts to prevent a recurrence of the Personal Data Breach.  Vertex agrees to cooperate in Customer’s handling of the matter by: (i) providing reasonable assistance with Customer’s investigation; and (ii) making available relevant records, logs, files, data reporting, and other materials related to the Personal Data Breach’s effects on Customer, as required to satisfy any legal obligations and comply with Applicable Law (including obligations to notify data protection authorities or data subjects) of Customer in relation to such Personal Data Breach, subject at all times to any statutory or contractual confidentiality obligations binding on Vertex.
    8. Vertex employees who have access to Customer Personal Data have been subjected to and have passed appropriate background check procedures prior to the provision of such access. If, in the Customer’s reasonable and good faith opinion, one or more of Vertex’s employees poses a risk to the security of Customer Personal Data, Vertex will immediately terminate access by such employee(s) and assign different and qualified employees to access Customer Personal Data.
    9. This DPA will remain effective as long as Vertex provides services for Customer or processes Customer Personal Data. Upon termination of the Agreement (in whole or in part) for the Services described in Schedule 1 or earlier upon Customer’s request, and at Customer’s choice, Vertex will, unless any applicable law, competent court, or supervisory or regulatory body prevents Vertex from returning or destroying the Customer Personal Data transferred:
      1. destroy all Customer Personal Data processed and any copies thereof and certify to Customer on request that Vertex has done so; or
      2. in accordance with Customer’s instructions, return all Customer Personal Data and the copies thereof to Controller or other recipient identified by Customer.
    10. Vertex will notify Customer without undue delay:
      1. about any legally binding request for disclosure of Customer Personal Data by a law enforcement authority, unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
  3. 3.0 Audits and Certifications. 
    1. Vertex will monitor and self-audit its own compliance with its obligations under GDPR and this DPA and will provide Customer with periodic reports upon request.  Within thirty (30) days of Customer’s written request, and no more than once annually and subject to the confidentiality obligations set forth in the Agreement (unless such information is reasonably required to be disclosed as a response to a data subject’s inquiries under the Privacy Shield, GDPR or DPA 2018), Vertex shall make available to Customer (or a mutually agreed upon third-party auditor) information regarding Vertex’s compliance with the obligations set forth in this DPA, including reasonable documentation. Upon Customer’s reasonable written request, Vertex will promptly, and in no event more than thirty (30) days from the date of the written request, provide reasonable assistance to Customer to explain these certifications and audits. Customer agrees that Vertex’s compliance with this Section 3.1 shall fulfill Vertex’s obligations under Section 2.6(e) hereabove.
  4. 4.0 Miscellaneous.
    1. In the event of any conflict or inconsistency between this DPA, on the one hand, and Privacy Shield or 2010 Standard Contractual Clauses, on the other hand, the latter shall prevail.  In the event of any conflict or inconsistency between this DPA and the Agreement, the terms of this DPA shall prevail.
    2. This DPA shall not restrict Applicable Laws. In the event any provision of this DPA, in whole or in part, is invalid, unenforceable or in conflict with the applicable laws or regulations of any jurisdiction, such provision will be replaced, to the extent possible, with a provision which accomplishes the original business purposes of the provision in a valid and enforceable manner, and the remainder of this DPA will remain unaffected and in full force.
    3. All obligations under this DPA apply in addition to, not in lieu of, any other contractual, statutory and other obligations of Vertex.
    4. Vertex guarantees the prompt and satisfactory performance of its obligations and responsibilities under this DPA, and Vertex agrees that it shall be responsible for all costs associated with its compliance with such obligations.

SCHEDULE 1

Processor:

Vertex Software, LLC

Controller:

The legal entity specified as “Customer” in the Agreement.

Subject matter and duration of the Processing of the Personal Data

The subject matter and duration of the Processing of the Customer Personal Data are set out in the sections of the Agreement addressing scope and services, and the term.

The nature and purpose of the Processing of the Personal Data

The nature and purpose of the Processing of the Customer Personal Data are set out in the description of Services in the Agreement.

Categories of Data Subjects:

Employees, customers, suppliers, service providers, business partners, and consultants of the Controller and its affiliates, and other end users, the extent of which is determined by the Controller in its sole discretion.

Categories of Personal Data:

Controller may submit Personal Data to Vertex to enable Vertex to perform the Services, the extent of which is determined and controlled by the Controller in its sole discretion, and which may include, but is not limited to the following categories of Personal Data: 

  • First and last name and title;
  • Employer and position;
  • Contact information (email, username, cell phone/mobile number, physical business address);
  • Device identification data (Device ID);
  • Electronic identification data (IP address; MAC address);
  • Technical data (operating system information; software logs; crash reports);
  • User name and password.

Special categories of data (if appropriate)

The parties do not anticipate the transfer of special categories of data.

The obligations and rights of Controller

The obligations and rights of Controller are set out in this DPA and in the Agreement.

Processing Operations (if 2010 Standard Contractual Clauses are applicable)

The Processing activities shall consist of the performance of the Services pursuant to the Agreement. 

Data exporter (if 2010 Standard Contractual Clauses are applicable)

The data exporter is the Customer.

Data importer (if 2010 Standard Contractual Clauses are applicable)

The data importer is Vertex.

Authorized Subprocessors:

Available upon request