Data Processing Addendum

Last Updated: June 1, 2023

This Data Processing Addendum (“DPA”) forms part of the Agreement between SpendHQ, LLC (“SpendHQ,” “we,” “us” or “our”) and you, our customer or client (“Customer”).

SpendHQ has updated this DPA effective June 1, 2023. If you are an existing customer or client, then these updates will apply beginning on July 1, 2023. If you are a new customer or client, then these updates will apply immediately. By entering into an Agreement with us, you agree to the terms and conditions as set forth in this DPA.

  1. SUBJECT MATTER AND DURATION

1.1 Subject Matter. This DPA is intended to govern Customer’s provision and SpendHQ’s processing of Customer Personal Information pursuant to the Agreement. If and to the extent language in this DPA (or any of its attachments) conflicts with the Agreement, this DPA shall control.

1.2 Duration; Survival. This DPA will become binding on the effective date of the Agreement and shall survive until expiration or termination of the Agreement, or SpendHQ’s return or deletion of Customer Personal Information, whichever occurs later.

  2. DEFINITIONS

For purposes of this DPA, the following terms and definitions will apply. All terms that are not expressly defined in this DPA will have the meanings given to them in the Agreement.

“Agreement” means the contract between Customer and SpendHQ which describes the terms and conditions under which SpendHQ is willing to provide Services to Customer.

“Controller” means the person who, alone or jointly with others, determines the purposes and means of the processing of personal information; for purposes of this DPA, the term “Controller” shall also include “business” as such term is defined under the CCPA.

“Data Privacy Laws” mean all worldwide data protection and privacy laws and regulations applicable to Customer Personal Information, including, where applicable, U.S. Data Privacy Laws and European Data Privacy Laws.

“Data Subject” means an identified or identifiable natural person about whom personal information relates.

“Europe” means the member states of the European Economic Area (“EEA”), the United Kingdom (“UK”) and Switzerland.

“European Data Privacy Laws” mean: (a) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“EU GDPR”); (b) with respect to the UK, the Data Protection Act 2018 and the EU GDPR as saved into UK law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (“UK GDPR”); (c) the EU e-Privacy Directive (Directive 2002/58/EC); and (d) the Swiss Federal Data Protection Act and its implementing regulations (“Swiss DPA”), in each case as may be amended, superseded or replaced from time to time.

“personal information” includes “personal information,” “personal data,” “personally identifiable information,” and similar terms, and such terms shall have the same meaning as defined by applicable Data Privacy Laws.

“process” or “processing” means any operation or set of operations which is performed on personal information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Processor” means the person who, alone or jointly with others, processes personal information on behalf of the Controller; for purposes of this DPA, the term “Processor” shall also include “service provider” as such term is defined under the CCPA.

“Restricted Transfer” means a transfer (directly or via onward transfer) of personal information that is subject to European Data Privacy Laws to a country outside Europe that is not subject to an adequacy decision by the European Commission, or the competent UK or Swiss authorities (as applicable).

“Security Incident” or “Security Incidents” mean(s) any confirmed breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Information processed by SpendHQ and/or its Sub-processors in connection with the provision of Services. For the avoidance of doubt, Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Information, including unsuccessful login attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

“Services” means SpendHQ’s provision of certain products and services to Customer, as set forth in the Agreement.

“Standard Contractual Clauses” or “EU SCCs” refers to the clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj, completed as set out in Section 9.2 below.

“Customer Personal Information” means any personal information provided by or on behalf of Customer to SpendHQ in connection with Services.

“Sub-processor” means any processor engaged by SpendHQ to assist in fulfilling its obligations with respect to providing Services pursuant to the Agreement (including this DPA) where such entity processes Customer Personal Information. Sub-processors may include SpendHQ’s affiliates or other third parties.

“U.S. Data Privacy Laws” mean those data protection or privacy laws and regulations within the United States, including the California Consumer Privacy Act (as amended) (“CCPA”), including as modified by the California Privacy Rights Act (“CPRA”), upon the CPRA’s enforcement date of July 1, 2023, as applicable to Customer Personal Information.

  3. SCOPE & PURPOSE OF PROCESSING

3.1 Data Processing Relationship. Customer is either the Controller of Customer Personal Information or else processes Customer Personal Information as a Processor on behalf of a third-party Controller (such as an end user or customer of Customer). In either case, the parties acknowledge and agree that SpendHQ has been appointed by the Customer to process the Customer Personal Information as a Processor (or Sub-processor, as applicable) on behalf of Customer. If Customer is a Processor on behalf of a third-party Controller, Customer will ensure that any processing instructions it provides to SpendHQ under this DPA will be consistent with the instructions the Controller has issued to Customer. For purposes of the Agreement, both Customer and SpendHQ will be responsible for complying with their respective obligations under applicable Data Privacy Laws.

3.2 Purpose of Processing. SpendHQ will process Customer Personal Information solely: (a) to fulfill its obligations to Customer under the Agreement, including this DPA; (b) on Customer’s behalf; and (c) in compliance with Data Privacy Laws. SpendHQ shall process Customer Personal Information strictly for the business purpose(s) agreed between the parties and as provided in the Agreement, this DPA and any instructions expressly agreed upon by the parties in writing (together, the “Business Purposes”). Customer will not instruct SpendHQ to process Customer Personal Information in violation of Data Privacy Laws. SpendHQ has no obligation to monitor the compliance of Customer’s use of the Services with Data Privacy Laws, and SpendHQ will have no liability for any harm or damages resulting from SpendHQ’s compliance with unlawful instructions received from Customer.

3.3 Documented Instructions. Without limiting the foregoing, Customer directs SpendHQ, and SpendHQ agrees, to process Customer Personal Information solely in accordance with Customer’s written instructions, as may be provided by Customer to SpendHQ from time to time.

3.4 Service Provider Certification. SpendHQ will not: (a) “sell” Customer Personal Information (as this quoted term is defined in the CCPA); (b) “share” or process Customer Personal Information for purposes of “cross-context behavioral advertising” or “targeted advertising” (as these quoted terms are defined in the CCPA); (c) retain, use or disclose Customer Personal Information for any purpose other than for the Business Purposes, including to retain, use or disclose Customer Personal Information for a commercial purpose other than performing its Services under the Agreement; or (d) retain, use or disclose Customer Personal Information outside of the direct business relationship between Customer and SpendHQ.

  4. PERSONAL INFORMATION PROCESSING REQUIREMENTS

4.1 Confidentiality. SpendHQ will ensure that the persons it authorizes to process Customer Personal Information have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.2 Verifiable Requests by Data Subjects. Taking into account the nature of the processing, SpendHQ shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to a verifiable request by a Data Subject (or their lawful representatives) under applicable Data Privacy Laws (such as rights to access or delete personal information). In addition, to the extent Customer, in its use of the Services, does not have the ability to address such verifiable request, SpendHQ shall, upon written request of Customer, use commercially reasonable efforts to assist, or cause any applicable Sub-processor to assist, Customer in the fulfillment of Customer’s obligations to respond to such requests, to the extent SpendHQ or the Sub-processor is legally permitted to do so and the response to the verifiable request is required under applicable Data Privacy Laws. To the extent legally permitted, Customer shall be responsible for SpendHQ’s provision of such assistance, including any fees associated with the provision of additional functionality.

4.3 Notification. SpendHQ will promptly notify Customer of: (a) any third party or Data Subject complaints regarding the processing of Customer Personal Information; (b) any Data Subject requests for exercising their rights under Data Privacy Laws; or (c) any government or Data Subject requests for access to or information about SpendHQ’s processing of Customer Personal Information on Customer’s behalf, unless prohibited by Data Privacy Laws.

4.4 Data Protection Impact Assessment. Where and to the extent required by Data Privacy Laws, SpendHQ agrees to provide Customer reasonable assistance and cooperation for Customer’s performance of a data protection impact assessment of processing or proposed processing of personal information, when required by Data Privacy Laws, and at Customer’s reasonable expense.

  5. SUB-PROCESSORS

5.1 Authorization to Use Sub-Processors. Customer hereby authorizes SpendHQ to engage affiliates and other Sub-processors to process Customer Personal Information in accordance with the provisions within this DPA and Data Privacy Laws.

5.2 Sub-Processor List. A current list of SpendHQ’s Sub-processors can be found at https://www.spendhq.com/subprocessors (“Sub-processor List”). Customer should refer to the Sub-processor List regularly. Customer acknowledges and agrees that SpendHQ’s use of such Sub-processors satisfies the requirements of this DPA.

5.3 Liability for Sub-Processors. SpendHQ shall be liable for the acts and omissions of its Sub-processors to the same extent SpendHQ would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.

5.4 Notice of and Right to Object to New Sub-Processors.
Should SpendHQ look to engage a new Sub-processor or replace an existing Sub-processor during the Term of the Agreement, SpendHQ will inform Customer with a minimum of 30 days’ notice. This will provide Customer the opportunity to reasonably and in good faith object to SpendHQ’s engagement of the new Sub-processor for services. To exercise its right to object, Customer will, within 30 days from receipt of SpendHQ’s written notice of its intention to engage a new or replacement Sub-processor, submit its objection via email to privacy@spendhq.com with subject line “Sub-processor Objection,” together with the Customer’s name and a brief statement of reasonable grounds for the objection. Once SpendHQ receives Customer’s objection, the parties agree to work together in good faith to resolve the objection. If, after a reasonable time period (not to exceed 30 days), the parties remain unable to resolve the Customer’s objection to SpendHQ’s engagement of the new Sub-processor, then either party may, at its election, seek to terminate the Agreement by providing written notice 30 days prior to the effective date of termination. Notwithstanding the foregoing, SpendHQ shall have a right to immediately replace a Sub-processor if the need for replacement is considered by SpendHQ to be urgent and necessary in order to continue to provide Services. In this case, SpendHQ shall notify Customer of the replacement as soon as reasonably practicable, and Customer shall retain the right to object to the replacement Sub-processor through the process described above.

  6. SECURITY MEASURES

SpendHQ will implement and maintain commercially reasonable administrative, technical and physical measures designed to protect Customer Personal Information, as further set forth in Appendix II. SpendHQ regularly monitors compliance with these measures. SpendHQ will not materially decrease the overall security of the Services during the term of Customer’s Agreement. SpendHQ maintains and enforces various policies, standards and processes designed to secure Personal Information and other data to which SpendHQ employees are provided access, and will reasonably update such policies, standards and processes from time to time consistent with business necessity, best practices and acceptable standards in the industry.

  7. SECURITY INCIDENT MANAGEMENT

7.1 Notification. Upon becoming aware of a Security Incident, SpendHQ agrees to provide written notice to Customer without undue delay (but in no event later than 72 hours after SpendHQ’s discovery and remediation unless otherwise required by applicable Data Privacy Laws). Any such notification is not an acknowledgement of fault or responsibility. Where possible, such notice will include all details known to SpendHQ and required under Data Privacy Laws for Customer to comply with Customer’s own notification obligations to regulatory authorities or individuals affected by the Security Incident, which may include, as applicable and if known: (a) how the Security Incident occurred; (b) the categories and approximate number of Data Subjects concerned; (c) the categories and approximate number of Customer Personal Information records concerned; (d) the likely consequences of the Security Incident; and (e) measures taken or proposed to be taken by SpendHQ to address the Security Incident, including, where appropriate, measures designed to mitigate its possible adverse effects.

7.2 Investigation. SpendHQ shall use commercially reasonable efforts to: (a) investigate and identify the cause of such Security Incident; (b) remedy or mitigate the possible adverse effects of such Security Incidents; and (c) reduce the likelihood that such Security Incident recurs. SpendHQ will not assess the contents of Customer Personal Information in order to identify information subject to any specific legal requirements or assess the applicability of any specific privacy, data protection or cybersecurity requirement pertaining to such information.

7.3 Customer Compliance. Customer is solely responsible for complying with Security Incident notification requirements applicable to Customer and fulfilling any third-party notification obligations related to any Security Incident; provided that, at Customer’s written request and subject to Customer paying SpendHQ’s reasonable fees (at then current rates) and expenses, SpendHQ will provide Customer with assistance reasonably necessary to enable Customer to notify relevant Security Incidents to the competent data protection authorities and/or affected Data Subjects, if Customer is required to do so under Data Privacy Laws.

  8. DELETION OF CUSTOMER PERSONAL INFORMATION

Upon termination or expiration of the Agreement, SpendHQ shall, upon Customer’s request, and subject to the limitations described in the Agreement, return to Customer (or make available for export in accordance with the Agreement) all Customer Personal Information in SpendHQ’s possession, or securely destroy such Customer Personal Information (excluding any back-up or archival copies which shall be deleted in accordance with SpendHQ’s data retention schedule), except where SpendHQ is required to retain copies under Data Privacy Laws, in which case SpendHQ will limit its processing of such Customer Personal Information except to the extent required by such Data Privacy Laws.

  9. CROSS-BORDER TRANSFERS OF CUSTOMER PERSONAL INFORMATION

9.1 Cross-Border Transfers. Customer authorizes SpendHQ and its Sub-processors to transfer Customer Personal Information across international borders, including from Europe to the United States.

9.2 Standard Contractual Clauses. The parties agree that, when the transfer of Customer Personal Information from Customer to SpendHQ is a Restricted Transfer, it shall be subject to the appropriate Standard Contractual Clauses as follows:

(a) EU GDPR. In relation to Customer Personal Information that is protected by the EU GDPR, the EU SCCs will apply completed as follows:

i. Module 2 of the EU SCCs applies to transfers of Customer Personal Information from Customer (as a Controller) to Customer (as a Processor) and Module 3 of the EU SCCs applies to transfers of Customer Personal Information from Customer (as a Processor) to SpendHQ (as a Sub-processor);

ii. Clause 7 of Modules 2 and 3 (the optional docking clause) is not included;

iii. Under Clause 9 of Modules 2 and 3 (Use of Sub-processors), the parties select Option 2 (General written authorization). The initial list of Sub-processors is set forth at https://www.spendhq.com/subprocessors and SpendHQ shall propose an update to that list at least 30 days in advance of any intended additions or replacements of Sub-processors in accordance with Section 5.4 of this DPA;

iv. Under Clause 11 of Modules 2 and 3 (Redress), the optional language requiring that Data Subjects be permitted to lodge a complaint with an independent dispute resolution body shall not be deemed to be included;

v. Under Clause 17 of Modules 2 and 3 (Governing law), the parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The parties select the law of France;

vi. Under Clause 18 of Modules 2 and 3 (Choice of forum and jurisdiction), the parties select the courts of France;

vii. Annex I(A) and I(B) of Modules 2 and 3 (List of Parties) is completed as set forth in Appendix I of this DPA;

viii. Under Annex I(C) of Modules 2 and 3 (Competent supervisory authority), the parties shall follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the French CNIL;

ix. Annex II of Modules 2 and 3 (Technical and organizational measures) is completed with Appendix II of this DPA; and

x. Annex III of Modules 2 and 3 (List of Sub-processors) is intentionally not included as the parties have chosen general authorization under Clause 9.

(b) UK GDPR. In relation to Restricted Transfers of Customer Personal Information protected by UK GDPR, the UK IDTA will apply completed as follows:

i. The IDTA will apply the EU SCCs (completed as set out in Section 9.2(a)) to Restricted Transfers of Customer Personal Information from the UK;

ii. Tables 1-3 of the UK IDTA shall be deemed completed with the relevant information set out in this DPA and the EU SCCs (completed as set out in Section 9.2(a) above);

iii. Table 1 of the UK IDTA shall be deemed signed by Customer and SpendHQ upon the entry into force of this DPA, and the start date specified in Table 1 of the UK IDTA shall be deemed completed with the date of entry into force of this DPA;

iv. In Table 4, the option “Importer” shall be deemed selected.

(c) Conflict in Terms. In the event that any provision of this DPA contradicts the SCCs (directly or indirectly), the SCCs shall prevail.

(d) Changes in the Law. If the transfer of Customer Personal Information under the SCCs or other lawful data transfer mechanism, approved by the relevant data protection authority, ceases to be lawful or the additional safeguards are no longer effective, SpendHQ may, at its discretion: (i) cease transfers of Customer Personal Information to, or access to such Customer Personal Information from, the relevant jurisdictions; or (ii) promptly cooperate with Customer to facilitate use of an alternative lawful data transfer mechanism and alternative additional safeguards that will permit Customer to continue to benefit from the Services in compliance with Data Privacy Laws relating to the protection of Customer Personal Information. If Customer and SpendHQ are unable to promptly implement such an alternative data transfer mechanism or alternative additional safeguards, then Customer may, at its option, upon written notice to SpendHQ suspend the transfer or reduce the scope of the Services to exclude the Customer Personal Information.

  10. AUDITS

10.1 Third-Party Audit Reports. Upon Customer’s request, and subject to the confidentiality obligations set forth in the Agreement and the entry into specific non-disclosure agreements, as requested, SpendHQ shall make available to Customer (or Customer’s independent, reputable, third-party auditor) information regarding SpendHQ’s compliance with the obligations set forth in this DPA by providing Customer with summaries of the most recent third-party audit reports, as available. All such summaries, to the extent not made generally publicly available by SpendHQ on its website, constitute SpendHQ’s Confidential Information.

10.2 SpendHQ Audit. Where Data Privacy Laws afford Customer an audit right, Customer (or Customer’s independent, reputable, third-party auditor) may contact SpendHQ in accordance with the “Notices” section of the Agreement to request an audit of SpendHQ’s policies, procedures, and records relevant to the processing of Customer Personal Information necessary to confirm SpendHQ’s compliance with this DPA, provided that the foregoing are within SpendHQ’s control and SpendHQ is not precluded from disclosure by applicable law, a duty of confidentiality, or any other obligation owed to a third party. Customer shall reimburse SpendHQ for its costs and expenses, including any time expended in connection with any such audit at SpendHQ’s then-current rates, which shall be made available to Customer upon request. Before the commencement of any such audit, Customer and SpendHQ shall mutually agree upon the scope, timing, and duration of the audit, in addition to the reimbursement rate for which Customer shall be responsible. In no event shall SpendHQ be required, in connection with any of its obligations under this DPA or otherwise, to provide information it is precluded from disclosing by applicable law, a duty of confidentiality, or any other obligation owed to a third party.

10.3 Audit Terms. Any audit must be: (a) conducted during SpendHQ’s regular business hours; (b) with reasonable advance notice to SpendHQ; (c) carried out in a manner that prevents unnecessary disruption to SpendHQ’s operations; (d) subject to reasonable confidentiality procedures; and (e) performed at reasonable intervals (which shall be limited to once per year) unless an audit is carried out at the direction of a government authority having proper jurisdiction. Customer shall promptly notify SpendHQ of any alleged non-compliance with this DPA discovered during the course of an audit, and SpendHQ shall use commercially reasonable efforts to address any confirmed non-compliance.


APPENDIX I

DATA PROCESSING DESCRIPTION

This Appendix I forms part of the DPA and describes the processing that SpendHQ (as the Processor or Sub-processor, as applicable) will perform on behalf of Customer (as the Controller or Processor, as applicable).

A. LIST OF PARTIES
The data exporter is a user of the importer’s services pursuant to their underlying commercial agreement. The data exporter acts as a controller with respect to its own personal data. To the extent permitted by the commercial agreement, the exporter also is permitted to use the contracted services as a processor on behalf of third parties.

The data importer is the provider of services to the exporter pursuant to their underlying commercial agreement. The data importer acts as the exporter’s processor.

Controller(s) / Data Exporter(s): [Identity and contact details of the controller(s) / data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union].

Name:

Address:

Contact person’s name, position and contact details:

Activities relevant to the data transferred under these clauses: Processing to carry out the Services pursuant to the Agreement entered into between Customer and SpendHQ.

Signature and date. This Appendix I shall automatically be deemed executed when Customer accepts and enters into the terms and conditions of the Agreement.

Role (controller/processor): Controller or Processor, as applicable.

Processor(s) / Data Importer(s): [Identity and contact details of the processor(s) / data importer(s), including any contact person with responsibility for data protection].

Name: SpendHQ, LLC (Group Headquarters)

Address: 5555 Triangle Pkwy., Ste. 250, Atlanta, GA 30092

Contact details:

DPO
dpo@spendhq.com

Privacy
privacy@spendhq.com

Information Security
security@spendhq.com

Activities relevant to the data transferred under these clauses: Processing to carry out the Services pursuant to the Agreement entered into between Customer and SpendHQ.

Signature and date. This Appendix I shall automatically be deemed executed when Customer accepts and enters into the terms and conditions of the Agreement.

Role (controller/processor): Controller or Processor, as applicable.

B. DETAILS OF PROCESSING

  1. Subject Matter: The subject matter of the Processing is the Services pursuant to the Agreement.
  2. Duration. Customer Personal Information will be Processed for the duration of the Agreement, including any post-termination retention period specified therein, subject to Section 8 of this DPA.
  3. Categories of Data Subjects. Data Subjects whose Customer Personal Information may be Processed pursuant to the Agreement may include Customer’s employees, authorized agents and users (including contractors).
  4. Nature and Purpose of the Processing. The nature and purpose of the Processing of Customer Personal Information by SpendHQ is the performance of the Services pursuant to the Agreement. Customer acknowledges and agrees that it will not use the Services for any purpose deemed a “High Risk AI System” under the proposed EU Artificial Intelligence Act.
  5. Types of Customer Personal Information. Customer represents and warrants to SpendHQ that Customer Personal Information does not and will not contain, and Customer has not and will not otherwise provide or make available to SpendHQ for Processing any sensitive personal data, including health information (e.g., protected health information subject to the Health Insurance Portability and Accountability Act (“HIPAA”) or other information regarding an individual’s medical history, mental, or physical condition, or medical treatment or diagnosis by a health care professional, health insurance information, or genetic information); biometric information; government IDs or other government-issued identifiers (e.g., social security numbers); passwords for online accounts (other than passwords necessary to access the Services); credit reports or consumer reports; information subject to the Gramm-Leach-Bliley Act, Fair Credit Reporting Act, or similar laws, or the regulations promulgated thereunder; information subject to restrictions under applicable law governing personal data of children, including, without limitation, all information about children under 16 years of age; or any information that falls within any special categories of data (as defined under European Data Privacy Laws).

C. DESCRIPTION OF TRANSFER

EU SCC Module: Module Two (Transfer controller to processor); Module Three (Transfer processor to processor)

Categories of Data Subjects: The personal information transferred may concern the following categories of Data Subjects: Customer’s employees, authorized agents and users (including contractors).

Purpose(s) of the data transfer and further processing / processing operations:

The purpose of the transfer is the performance of the Services pursuant to the Agreement between Customer and SpendHQ.

Categories of personal information: The personal information transferred concerns any category of personal information submitted by Customer to SpendHQ pursuant to the Agreement, except for any personal information covered by Appendix I, Section B(5).

Sensitive data transferred (if applicable) and applied restrictions or safeguards: As set forth in Appendix I, Section B(5), sensitive data are expressly excluded from the scope of the Services.

Frequency of the transfer: continuous.

Subject matter of the processing: the subject matter of the processing is SpendHQ’s processing of Customer Personal Information to provide the Services pursuant to the Agreement.

Nature and purpose of the processing: the nature and purpose of the transfer is the performance of Services pursuant to the Agreement.

Duration of the processing. The duration of the data processing under this DPA is until the termination of the Agreement in accordance with its terms.

Retention period (or, if not possible to determine, the criteria used to determine the period): For the duration of the Agreement. Upon termination or expiration of the Agreement, Customer Personal Information shall be returned or destroyed in accordance with Section 8 of the DPA.

D. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with SCC clause 13:

Where the EU GDPR applies, the French CNIL.

Where the UK GDPR applies, the UK Information Commissioner’s Office.

APPENDIX II

TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

  1. Purpose. This Appendix II describes SpendHQ’s security program, security certifications, and physical, technical, organizational and administrative controls and measures to protect Customer Personal Information from unauthorized access, destruction, use, modification and disclosure (the “Security Measures”). The Security Measures are intended to be in line with commonly accepted standards of similarly situated SaaS providers (“industry standard”).
  2. Updates and Modifications. SpendHQ reserves the right to update or modify the Security Measures from time to time, provided that such updates and modifications do not materially degrade or diminish the overall security of the technology platform or Services, as described in this document.
  3. Security Measures. SpendHQ’s Security Measures are described in the following table:

Measures of pseudonymization and encryption of personal information

SpendHQ encrypts data in transit via TLS 1.2, and at rest using the AES-256 algorithm.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services.

These measures include:

  • Access to production systems is regulated through an encrypted channel and a jumpbox, using unique accounts and role-based access within operational and corporate environments.
  • Authorization requests for access are tracked and logged on a regular basis. Access is removed upon an employee’s termination or change of role. Multi-factor authentication (MFA) is required for access to critical and production resources. Strong passwords are required; they are never stored in clear text and are encrypted in transit and at rest.
  • Mandatory security training is required for employees, covering data protection, confidentiality, social engineering, password policies and overall security responsibilities. Confidentiality requirements are imposed on employees. NDAs with third parties are required. Separation of networks based on trust levels is in place.

Measures for ensuring the ability to restore the availability and access to personal information in a timely manner in the event of a physical or technical incident.

SpendHQ has processes in place to ensure the ongoing confidentiality, availability and resilience of Customer accounts and Customer Personal Information, and to help restore timely access to personal information following a security incident.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing.

SpendHQ performs annual penetration tests for all components of the Services, including web applications and networks.

SpendHQ maintains security incident management policies and procedures. SpendHQ notifies impacted Customers without undue delay of any unauthorized disclosure of their respective Customer Personal Information by SpendHQ or its Sub-processors of which SpendHQ becomes aware to the extent permitted by law.

Measures for user identification and authorization.

The Services support SAML SSO for Customers. Access to the Services by SpendHQ personnel is uniquely identifiable, logged and monitored. Access to back-end infrastructure by SpendHQ personnel requires multiple layers of authentication, including unique identifiers, password strength requirements and the use of multi-factor authentication.

Measures for the protection of data during transmission.

SpendHQ employs at a minimum TLS 1.2 encryption from the Customer’s browser to the Services, for Customer Information in transit.

Measures for the protection of data during storage.

SpendHQ Customer instances are logically separated, and attempts to access data outside allowed domain boundaries are prevented and logged. Measures are in place to ensure that executable uploads, code, or unauthorized actors are not permitted to access unauthorized data, including one Customer accessing files of another Customer.

Measures for ensuring physical security of locations at which personal information is processed.

Sub-processors are responsible for physical security of the data centers and are contractually obligated to ensure that physical security measures and resources are in place. These systems permit only authorized personnel to have access to secure areas. These facilities are designed to withstand adverse weather and other reasonably predictable natural conditions, are secured by around-the-clock guards, two-factor access screening, and escort-controlled access, and are also supported by on-site back-up generators in the event of a power failure.

Measures for ensuring event logging.

SpendHQ logs authorization requests by personnel to privileged spaces. The application logs user activities including logins, configuration changes, deletions and updates; these events are automatically written to audit logs in internal systems. Internal logs capture timestamps, IP addresses, logins/logouts, and errors. These logs are available only internally and are made available for security investigations upon request.

Measures for ensuring system configuration, including default configuration.

SpendHQ monitors changes to in-scope systems to ensure they follow processes that align with its change management policy. Changes are tracked in our change management system and managed to ensure that they follow the process, mitigating the risk of undetected changes to production systems.

Measures for internal IT and IT security governance and management.

SpendHQ has internal information security policies and procedures which are communicated to all employees upon hire and at least annually. SpendHQ conducts information security training upon hire and at least annually thereafter.

Measures for certification/assurance of processes and products.

SpendHQ is audited annually by a reputable third party to attest that our controls and safeguards are in place. SpendHQ currently holds industry standard certifications showing its commitment to safeguarding the confidentiality and privacy of information stored and processed on its service.

Measures for ensuring data minimization.

Data is collected and processed in accordance with stated purposes, and access is provisioned and restricted according to roles and the requirements of job responsibilities.

Measures for ensuring data quality.

SpendHQ provides Customers with self-service functionality that enables them to update any Customer Personal Information for the purpose of ensuring data quality and will assist Customers if reasonably possible where no self-service functionality is available.

Measures for ensuring limited data retention.

Automatic deletion is implemented to enforce data retention limitations. SpendHQ will maintain all terminated Customer accounts in an inactive status for up to 30 days; after that period, account data are securely overwritten from production within 90 days (up to a maximum of 120 days). Backup data is deleted within 90 days of account termination.

Measures for ensuring accountability.

SpendHQ maintains records of processing activities and performs privacy impact assessments, when applicable, to the Services.

Measures for allowing data portability and ensuring erasure.

SpendHQ’s Customers have the ability to export all Customer Data from their workspace in an industry standard format.