Data Protection Addendum
Revised May 7, 2020
The provisions of this Data Protection Addendum (“Addendum”) are incorporated into the Brex Platform Agreement (“Agreement”) between Brex Inc. (“Brex”) and Company. The Addendum applies to all Processing of Personal Information in connection with the performance of the Agreement. Company and Brex may be referred to herein as a “Party” and together as the “Parties.” This Addendum supersedes any conflicting provision of the Agreement related to the Processing of Personal Information.
For the purposes of this Addendum, the following capitalized terms have the meanings provided below. Unless otherwise defined in this Addendum or elsewhere in the Agreement, all terms in this Addendum shall have the definitions given to them in applicable Data Protection Laws.
“Business,” “business purpose,” “consumer,” “sale,” (including the terms “sell,” “selling,” “sold,” and other variations thereof), “Service Provider”, and “Third Party” have the meanings given to those terms under the CCPA.
“CCPA” means the California Consumer Privacy Act of 2018 (Cal Civil Code §§ 1798.100 et seq.), effective as of January 1, 2020, and any data protection laws or regulations amending, replacing, and superseding the CCPA.
“Controller” means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of Personal Information and Confidential Data, or as otherwise defined in Data Protection Law. Controller includes “Business”. “Company Personal Information” means the subset of Personal Information described as such in the definition of “Personal Information”.
“Data Protection Law(s)” means (a) any privacy or data security law, statute, ordinance, regulation, implementing regulation, or governmental rule of any jurisdiction applicable to the Processing of Personal Information under the Agreement, including (as applicable) but not limited to the Gramm-Leach-Bliley Act, the CCPA, the UK Data Protection Act 2018, and the GDPR; and (b) any code of practice or guidance pertaining to the Processing of Personal Information published by an industry association or supervisory authority of either of the Parties.
“Deidentified Format” means information (i) that is anonymous, namely information which does not relate to an identified or identifiable natural person and is not reasonably capable of being linked to an individual or a household, or to Personal Information rendered anonymous in such a manner that the data subject is not or no longer identifiable; or (ii) that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 and any data protection laws amending, replacing, and superseding the GDPR. “Personal Information” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, data subject, or household and is defined as “personally identifiable information,” “personal information,” “personal data,” or similar term under Data Protection Laws. Where Personal Information relates to individual employees, contractors, or agents of Company, it is referred to herein as “Company Personal Information.”
“Process” or “Processed” or “Processing” means any operation or set of operations which is performed upon Personal Information, whether or not by automatic means, such as access, collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure or otherwise making available, dissemination, alignment, duplication, transmission, combination, blocking, restriction, redaction, erasure or destruction.
“Subprocessor” means an individual or entity, including an affiliate of Company or Brex, that Processes Personal Information as a subcontractor to Company or Brex.
“Transfer” means to disclose or otherwise make Personal Information available to another individual or entity (including to any affiliate or subcontractor of a Party), either by physical movement of the Personal Information to such Party or by enabling remote access to the Personal Information by other means.
Each Party shall comply at all times with applicable Data Protection Laws. Each Party shall promptly notify the other Party of any circumstance of which it is or becomes aware that may prevent either Party from complying with its obligations under the Agreement and applicable Data Protection Laws, or that may otherwise adversely impact the Processing of Personal Information hereunder. Each Party shall reasonably cooperate with the other in responding to inquiries, incidents, claims, and complaints regarding the Processing of the Personal Information or as otherwise needed for either Party to demonstrate compliance with applicable Data Protection Laws.
3. Ownership of Company Personal Information
The Parties agree that, unless otherwise agreed upon between the Parties, both Company and Brex will be considered Controllers and Businesses of Company Personal Information and all other Personal Information.
4. Obligations of Parties as Controllers and Businesses
Each Controller/Business is responsible for Processing Personal Information in accordance with applicable Data Protection Laws.
Notwithstanding anything to the contrary herein, in no event will Company and Brex be deemed to be jointly processing Company Personal Information.
Notification of Requests
Each Party shall designate and identify to the other Party an individual within its organization authorized to respond from time to time to inquiries regarding Company Personal Information. The subject of such inquiries may include, but is not limited to, data subject and consumer requests for deletion and disclosure. The Parties shall deal with such inquiries promptly, without prejudice to the specific deadlines imposed by applicable Data Protection Laws.
Processing of Personal Information
Each Party shall only use or otherwise Process Personal Information in accordance with the permitted purposes set forth in the Agreement, this Addendum, and in accordance with all applicable Data Protection Laws. Each Party shall be individually and separately responsible for complying with the obligations under applicable Data Protection Laws that apply as a Controller or Business, as applicable, in respect of certain types of Personal Information processed under the Agreement. Neither Party shall share, Transfer, disclose or otherwise provide or permit access to the Personal Information to any person or entity without the other Party’s prior written consent, except in accordance with the Agreement, or on the basis of a court order, subpoena, or other governmental requirement or authority, or in case such Party is otherwise required to disclose such information by law or regulation, provided that such disclosure is permitted by applicable Data Protection Laws (a “Compulsory Request”). In such case, the disclosing Party shall inform the other Party of that legal requirement to disclose information before processing the Compulsory Request, unless applicable law prohibits such disclosure.
Data Protection Impact Assessments
To the extent that a Party is required to do so under applicable Data Protection Laws, such Party will assist the other Party to conduct a data protection impact assessment and, where legally required, consult and cooperate with applicable data protection authorities in respect of any proposed processing activity that presents a high risk to data subjects and in the performance of its tasks relating to the data protection impact assessment.
Each Party agrees to notify the other Party within a reasonable period of time when such Party becomes aware that Personal Information of the other Party has been lost, damaged or subject to unauthorized internal or external access or any other unlawful Processing (a “Security Incident”) and to take reasonable steps to mitigate the impact of any such Security Incident. To the extent a Party, as Controller/Business with respect to Personal Information subject to a Security Incident, seeks the assistance of the other Party, the other Party agrees to reasonably cooperate with such Party to: (a) determine the scope and severity of any such Security Incident; (b) provide timely information and cooperation as such Party may require to fulfill such Party’s data breach reporting obligations under applicable laws and contract; and (c) give notice to individuals whose Personal Information is the subject of such Security Incident.