Data Processing Addendum (DPA) Instructions 

 

 

Enter Organization Information & Sign if applicable:  

Pg 5 

Pg 9 

Pg 15 

Pg 16 

Pg 17 

Pg 18 

 

Email Signed document to support@abacus.com  

 

 

Data Processing Addendum (DPA) 

Introduction to this Addendum 

As part of this effort, we process personal data in accordance with the EU’s General Data Protection Regulation (“GDPR”). 

To better protect individuals’ personal data, we are providing these terms to govern Abacus’ and your handling of personal data (the “Data Processing Addendum” or “DPA”). This DPA amends and supplements the customer agreement, Abacus Terms of Service (“ToS”) available at https://www.abacus.com/terms or other written or electronic agreement, including any written or electronic order forms or other purchase forms, and requires no further action on your part. 

 

Definitions It is important that all parties understand what data and whose data is protected under this DPA. Each party has respective obligations to protect personal data; therefore, the following definitions explain the scope of this DPA and the mutual commitments to protect personal data. 

“Abacus”, “we”, “us”, or “our” refers to the provider of the Abacus website and services, (collectively referred to as the “Abacus Service.”). 

“You” or “Customer” refers to the company or organization that signs up to use the Abacus Service to manage the expense and corporate card process among your users. 

“Party” refers to Abacus and/or the customer depending on the context. 

“Personnel” refers to those individuals who are employed by or are under contract to perform a service on behalf of one of the parties. Personnel may have rights in their personal data (including business contact information) if they reside in the EU. It is important to be clear about how personnel’s rights are protected. 

“Data Subjects” refers to those individuals residing in the EU who are consumers or users (also “consumers”), as well as any personnel who reside in the EU. 

“Personal Data” is given the same meaning as in the GDPR which we summarize here as: any data relating directly or indirectly to an identifiable data subject. Personal data does not include any data that is anonymized, aggregated, de-identified and/or compiled on a generic basis and which does not name or identify a specific individual, directly or indirectly. 

“Processing” is given the same meaning as in the GDPR, which we summarize as including: collecting, recording, using, storing, amending, adapting, disclosing, transferring or transmitting, structuring, using, combining, deleting or destroying, personal data (“Process” and “Processed” shall have similar meanings). 

“Controller” is given the same meaning as in the GDPR, which we summarize as the party that determines the purposes and means of the processing of personal data – the customer is the controller with respect to consumer personal data.  

“Processor” is the party that processes personal data on behalf of the controller – Abacus is the processor of the personal data. 

“Sub-processor” is a Third-party, independent contractors, vendors and suppliers who provide specific services and products related to the Abacus website and our services (“third-party” or “outside contractor” shall have similar meanings). 

“Incident” means: (a) a complaint or a request with respect to the exercise of an individual’s rights under the GDPR; 

1

(b) an investigation into or seizure of the personal data by government officials, or a specific indication that such an investigation or seizure is imminent; or (c) any breach of the security and/or confidentiality as set out in this DPA leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the personal data, or any indication of such breach having taken place or being about to take place. 

“Security Measures” means the administrative, technical and physical safeguards adopted by Abacus applicable to                           the Services subscribed by Customer as described and made available at https://www.abacus.com/security or as                           otherwise made available by Abacus. The Security Measures as of May 25, 2018 is attached to this DPA as                                     Attachment 2. 

“Standard Contractual Clauses” means the agreement executed by and between Customer and Abacus Labs, Inc.                             attached hereto as Attachment 3, pursuant to the European Commission’s decision (C(2010)593) of 5 February 2010                               on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which                                 do not ensure an adequate level of data protection. 

The terms “data importer” and “data exporter” have the meanings given in the Standard Contractual Clauses, in each                                   case irrespective of whether other Data Protection Laws apply. 

For the sake of readability, we do not use initial capitalization of defined terms in this DPA. Defined terms are defined terms, irrespective of their format. 

 

1. Undertakings regarding personal data A. Each party agrees that personal data shall be treated as confidential information under this DPA. In 

addition, each party shall at all times comply with applicable laws relating to data protection in the relevant jurisdiction with respect to each other’s personal data. Attachment 1 of this DPA sets out the nature and purpose of the processing, the types of Personal Data Abacus processes and the categories of data subjects whose Personal Data is processed. 

B. Personal Data shall remain the property of the disclosing party. Abacus acknowledges that customer is the controller and maintains control over data subject’s personal data. Abacus is the processor of the Customer Personal Data and Abacus may engage Sub-processors who meet the adequate level of privacy and security standards.   

C. Abacus will process customer’s personal data only to the extent strictly necessary for the purpose of providing the services in accordance with the ToS and any further written instructions from the customer that are mutually agreed upon in writing. Abacus agrees that: 

i. it will implement and maintain a reasonable and appropriate security program (Attachment 2) comprising adequate security, technical and organizational measures to protect against unauthorized, unlawful or accidental processing, use, erasure, loss or destruction of, or damage to, customer personal data; 

ii. it will not modify, alter, delete, publish or disclose any customer personal data to any third party, nor allow any third party to process such personal data on Abacus’ behalf unless the third party is bound to similar confidentiality and data handling provisions; 

iii. only its personnel who “need-to-know” will be given access to customer personal data to the extent necessary to perform its obligations under the ToS. It shall provide adequate training to its staff and ensure that they comply with the obligations in this DPA; and 

iv. it will only process customer personal data to the extent necessary to perform its obligations under the ToS, upon written instructions of the customer (only as mutually agreed upon), and in accordance with applicable laws. 

D. Personal Data shall be processed and stored for as long as required by the purpose they have been collected for. 

2

i. Personal Data collected for purposes related to the performance of a contract between the Controller and the Data Subject shall be retained until such contract has been fully performed. 

ii. Personal Data collected for the purposes of the Controller’s legitimate interests shall be retained as long as needed to fulfill such purposes. Data Subjects may find specific information regarding the legitimate interests pursued by the Controller within the relevant sections of this document or by contacting the Controller. 

iii. The Controller may be allowed to retain Personal Data for a longer period whenever the Data Subject has given consent to such processing, as long as such consent is not withdrawn. Furthermore, the Controller may be obliged to retain Personal Data for a longer period whenever required to do so for the performance of a legal obligation or upon order of an authority. 

 

2. Customer responsibilities and Abacus’ assistance A. Customer warrants that it has all necessary rights to provide to Abacus the personal data for processing in 

connection with the provision of the Abacus Services. B. To the extent required by applicable law, customer is responsible for ensuring that any data subject 

consents that may be necessary to this processing are obtained, and for ensuring that a record of such consents is maintained, including any consent to use personal data that is obtained from third parties. Should such consent be revoked by a data subject, customer is responsible for communicating the fact of such revocation to Abacus, and Abacus remains responsible for implementing any customer instruction with respect to the further processing of that personal data, or, as may be in accordance with any of Abacus’ legal obligations. 

C. Customer understands, as a controller, that it is responsible (as between customer and Abacus) for: i. determining the lawfulness of any processing, performing any required data protection impact                       

assessments, and accounting to regulators and individuals, as may be needed; ii. making reasonable efforts to verify parental consent when data is collected on a data subject under 

16 years of age; iii. providing relevant privacy notices to data subjects as may be required in your jurisdiction, 

including notice of their rights and provide the mechanisms for individuals to exercise those rights; 

iv. responding to requests from individuals about their data and the processing of the same, including requests to have personal data altered, corrected, or erased, and providing copies of the actual data processed; 

v. implementing your own appropriate technical and organizational measures to ensure and demonstrate processing in accord with this DPA; 

vi. notifying individuals and any relevant regulators or authorities of any incident as may be required by law in your jurisdiction. 

D. Abacus, as a processor, shall assist the customer by implementing appropriate technical and organizational measures, insofar as this is reasonably and commercially possible (in Abacus’ sole determination and discretion), in fulfilling customer’s obligations to respond to individuals’ requests to exercise rights under the GDPR. 

E. The customer consents to Abacus engaging sub-processors to process personal data for the permitted purpose of providing products and services for which we contracted provided that:  

i. Abacus will maintain an up-to-date list of its sub-processors, which it will update with the details of any change in sub-processors at least 10 days prior to any change; and  

ii. Abacus will impose data protection terms on any sub-processor it engages with as required to protect personal data to the standard required by the GDPR. Customer may object to Abacus’ appointment or replacement, provided such objection is based on reasonable grounds related to 

3

data protection. In such event, Abacus will either not appoint or replace the sub-processor or if that is not possible, customer may suspend or terminate the Abacus service. 

F. Abacus will, without undue delay, notify Customer, to the extent legally permitted, if Abacus receives a                               request from a data subject to exercise the data subject's right of access, right to rectification, restriction of                                   processing, erasure, data portability, objection to the processing, or its right not to be subject to an                                 automated individual decision making; and 

i. if Abacus receives any request from a data subject in relation to Personal Data, Abacus will advise                                 the data subject to submit his or her request to Customer and Customer will be responsible for                                 responding to any such request including, where necessary, by using the functionality of the                           Services. 

ii. Taking into account the nature of the processing, Abacus will assist Customer by appropriate                           technical and organizational measures, insofar as it is possible, for the fulfilment of Customer’s                           obligation to respond to a data subject under EU Data Protection Laws. In addition, to the extent                                 Customer, in its use of the Services, does not have the ability to address a data subject request,                                   Abacus shall, upon Customer’s written request, provide Customer with reasonable cooperation                     and assistance to facilitate Customer’s response to such data subject request, to the extent Abacus                             is legally permitted to do so and the response to such data subject request is required under EU                                   Data Protection Laws. To the extent legally permitted, Customer shall be responsible for any costs                             arising from Abacus’ provision of such assistance. 

 

3. Incident Management A. When either party becomes aware of an incident that impacts the processing of personal data, it shall 

promptly notify the other about the incident and shall reasonably cooperate in order to enable the other party to perform a thorough investigation into the incident, to formulate a correct response, and to take suitable further steps in respect of the incident. 

B. Both parties shall at all times have in place written procedures which enable them to promptly respond to the other about an incident. Where the incident is reasonably likely to require a data breach notification under applicable laws, the party responsible for the incident shall notify the other no later than 24 hours of having become aware of such an incident. 

C. Any notifications made under this section shall be made to privacy@abacus.com (when made to Abacus) and to our point of contact with you (when made to the customer), and shall contain: 

i. a description of the nature of the incident, including, where possible, the categories and approximate number of individuals concerned and the categories and approximate number of records concerned;  

ii. the name and contact details of the point of contact where more information can be obtained;  iii. a description of the likely consequences of the incident; and  iv. a description of the measures taken or proposed to be taken to address the incident including, 

where appropriate, measures to mitigate its possible adverse effects. 

 

4. Liability and Indemnity 

Each party indemnifies the other and holds them harmless against all claims, actions, third party claims, losses, damages and expenses incurred by the indemnified party and arising directly or indirectly out of or in connection with a breach of this DPA. 

 

4

5. Duration and Termination A. This DPA shall come into effect on May 25, 2018 and shall continue until it is changed or terminated  B. Termination or expiration of this DPA shall not discharge the parties from the confidentiality obligations 

herein. 

 

The parties hereby agree: 

Abacus Labs, Inc. 

 

________________________________________ Signature 

 

________________________________________ Name 

 

________________________________________ Title 

 

________________________________________ Date 

 

 

________________________________________ Entity 

 

________________________________________ Signature 

 

________________________________________ Name 

 

________________________________________ Title 

 

________________________________________ Date 

 

 

 

 

 

 

5

Steven Reedich

Director of Operations

5/24/2018

 

ATTACHMENT 1 TO THE DPA 

DESCRIPTION OF PROCESSING ACTIVITIES 

Data Subjects 

Data subjects include the individuals about whom personal data is provided to Abacus via services by (or at the direction of) Customer or by Customer’s end users, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include but is not limited to personal data relating to the following categories of data subjects: 

1. Employees or contact persons of Customer’s prospects, customers, business partners and vendors (who are natural persons)  

2. Prospects, customers, business partners and vendors of Customer (who are natural persons)  3. Employees, agents, advisors, freelancers of Customer (who are natural persons)  4. Customer’s users authorized by Customer to use the Services (who are natural persons) 

Categories of data  

Personal data relating to individuals provided to Abacus via the services, by (or at the direction of) Customer or by Customer’s end users, the extent of which is determined and controlled by Customer in its sole discretion, and which may include but is not limited to personal data relating to the following categories of data: 

Customer Personal Data 

1. First name and Last name 2. Date of birth 3. Phone number 4. Personal and Business Contact Information (company name, profession, email, state, country, ZIP/Postal 

code) 5. Password 6. Geographic position 7. Picture  8. Cookies and Usage Data. 

Company Data 

1. Company name 2. Website 3. Business address  

Financial Data 

1. Personal and Business Bank Account  2. Personal and Business Credit Card 

Processing operations  

Personal Data will be processed in accordance with the Agreement and this DPA. 

 

 

6

 

ATTACHMENT 2 TO THE DPA 

SECURITY MEASURES 

Abacus implements and maintains Security Measures that meet or exceed the security objectives required for SOC 1 Type 2 certification. Abacus may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the services. These Security Measures are in effect on the DPA Effective Date.  

 

Information Security Program 

1. Data Centers 

Abacus is a cloud-based SaaS offering that resides in the secure datacenter, Amazon Web Services (AWS).  

2. Data Transmission.  

Abacus utilizes industry standard encryption techniques to protect user authentication information and the corresponding communication session transmitted over the internet or other public networks. Transmission-level SSL security is implemented when information is being transmitted over public networks.   

3. Site Controls 

Abacus controls provide assurance that physical access to computer and other resources is restricted to authorized and appropriate personnel.  

4. Access Control 

Client data is subject to Abacus’ Security policies and procedures which define protection requirements for, access rights and requirements, and access restrictions, as well as encryption requirements. The Information Security policies and procedures also define assessing risks on a periodic basis, preventing unauthorized access, adding new users, modifying access levels of existing users, and removing users who no longer need access.  

5. Personnel Security 

Abacus personnel are required to conduct themselves in a manner consistent with the company’s guidelines. Abacus conducts backgrounds checks to the extent allowed by applicable law and regulations. Personnel are required to execute a confidentiality agreement. All personnel are provided with security training upon employment and then regularly afterwards. Abacus’ personnel will not process Customer Data without authorization.  

6. Sub-processor Security 

Abacus conducts audit of security and privacy practices of Sub-processors prior to onboarding the Sub- processors in order to ensure adequate level of security and privacy to data and scope of services they are engaged to provide. Once the Sub-processor audit is performed and associated risk is evaluated, the Sub- processor enters into appropriate privacy, confidentiality and security contract terms. 

 

Security Certifications and Reports 

1. Service Organization Control (SOC) Reports: Currently, Abacus’ information security control environment applicable to the Services undergoes an independent evaluation in the form of SOC 1 Type 2 (SSAE 18) 

7

audits. To demonstrate compliance with the Security Measures, Abacus will make available for review by Customer Abacus’ most recent SOC Report as described below: 

a. “SSAE 18 Report” means a confidential Service Organization Control (SOC) 1 report on Abacus’ systems examining logical security controls, physical security controls, and system availability, as produced by Abacus’ independent third-party auditor in relation to the Services.  

b. Abacus will either update the SSAE 18 Report at least once every 12 months or pursue comparable audits or certifications to evaluate and help ensure the continued effectiveness of the Security Measures.  

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

8

 

ATTACHMENT 3 TO THE DATA PROCESSING ADDENDUM 

STANDARD CONTRACTUAL CLAUSES (PROCESSORS) 

EUROPEAN COMMISSION DIRECTORATE-GENERAL JUSTICE 

Directorate C: Fundamental rights and Union citizenship Unit C.3: Data protection 

Commission Decision C(2010) 

593 Standard Contractual Clauses (processors) 

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection 

Name of the data exporting organization: _________________________________________________ 

Address: ___________________________________________________________________________ 

Tel.:......................................................;  

e-mail:...................................................... 

Other information needed to identify the organization: 

 

(the data exporter) and 

 

Name of the data importing organization: Abacus Labs, Inc.  

Address: 14 E 38th Flr 9, New York, NY 10016 

 

(the data importer)  

each a “party”; together “the parties”, 

 

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with                               respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data                                     exporter to the data importer of the personal data specified in Appendix 1. 

 

   

9

Clause 1  

Definitions  

For the purposes of the Clauses:  

a. 'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject' and 'supervisory authority' shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;  

b. 'the data exporter' means the controller who transfers the personal data;  c. 'the data importer' means the processor who agrees to receive from the data exporter personal data intended 

for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;  

d. 'the subprocessor' means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;  

e. 'the applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;  

f. 'technical and organizational security measures' means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. 

 

Clause 2  

Details of the transfer  

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses. 

 

Clause 3  

Third-party beneficiary clause  

1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.  

2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.  

3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of 

10

which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.  

4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law. 

 

Clause 4  

Obligations of the data exporter  

The data exporter agrees and warrants:  

a. that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;  

b. that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;  

c. that the data importer will provide sufficient guarantees in respect of the technical and organizational security measures specified in Appendix 2 to this contract;  

d. that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;  

e. that it will ensure compliance with the security measures;  f. that, if the transfer involves special categories of data, the data subject has been informed or will be 

informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;  

g. to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;  

h. to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;  

i. that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and  

j. that it will ensure compliance with Clause 4(a) to (i). 

 

Clause 5  

Obligations of the data importer  

The data importer agrees and warrants:  

a. to process the personal data only on behalf of the data exporter and in compliance with its instructions and 

11

the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;  

b. that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;  

c. that it has implemented the technical and organizational security measures specified in Appendix 2 before processing the personal data transferred;  

d. that it will promptly notify the data exporter about: i. any legally binding request for disclosure of the personal data by a law enforcement authority 

unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,  

ii. any accidental or unauthorised access, and  iii. any request received directly from the data subjects without responding to that request, unless it 

has been otherwise authorised to do so;  e. to deal promptly and properly with all inquiries from the data exporter relating to its processing of the 

personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;  

f. at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;  

g. to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;  

h. that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;  

i. that the processing services by the subprocessor will be carried out in accordance with Clause 11;  j. to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter. 

 

Clause 6  

Liability  

1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.  

2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can 

12

enforce its rights against such entity. The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.  

3. 3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses. 

 

Clause 7  

Mediation and jurisdiction  

1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:  

a. to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;  

b. to refer the dispute to the courts in the Member State in which the data exporter is established.  2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural 

rights to seek remedies in accordance with other provisions of national or international law. 

 

Clause 8  

Cooperation with supervisory authorities  

1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.  

2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.  

3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b). 

 

Clause 9  

Governing Law  

The Clauses shall be governed by the law of the Member State in which the data exporter is established. 

 

 

 

13

Clause 10  

Variation of the contract  

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause. 

 

Clause 11  

Subprocessing  

1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor's obligations under such agreement.  

2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.  

3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.  

4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority. 

 

Clause 12  

Obligation after the termination of personal data processing services  

1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.  

2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1. 

 

 

 

14

DATA EXPORTER 

Name: _____________________________________________________________ 

By: Name (written out in full): _____________________________________________________________ 

Position: _____________________________________________________________ 

Address: _____________________________________________________________ 

Signature............................................................................................ (stamp of organization) 

Date..................................................................................................... 

 

DATA IMPORTER 

Name: Abacus Labs, Inc. 

By: Name (written out in full): Steven Reedich 

Position: Director of Operations 

Address: 14 E 38th Floor 9, New York, NY 10016 

Signature............................................................................................ (stamp of organization) 

Date..................................................................................................... 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

15

5/24/2018

APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES This Appendix forms part of the Clauses and must be completed and signed by the parties. The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix. 

Data Exporter  

The data exporter is ________________________________________________________________________, the Customer or Customer in the Abacus subscription documents (herein referred to as the “Customer”). 

Data Importer  

The data importer is Abacus Labs, Inc. (“Abacus”), an expense management service provider.  

Data subjects  

Data subjects include the individuals about whom personal data is provided to Abacus via the Services by (or at the direction of) Customer or by Customer’s end users, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include but is not limited to personal data relating to the following categories of data subjects: 

1. Employees or contact persons of Customer’s prospects, customers, business partners and vendors (who are natural persons)  

2. Prospects, customers, business partners and vendors of Customer (who are natural persons)  3. Employees, agents, advisors, freelancers of Customer (who are natural persons)  4. Customer’s users authorized by Customer to use the Services (who are natural persons) 

Categories of data  

Personal data relating to individuals provided to Abacus via the Services, by (or at the direction of) Customer or by Customer’s end users, the extent of which is determined and controlled by Customer in its sole discretion, and which may include but is not limited to personal data relating to the following categories of data: 

Customer Personal Data 

1. First name and Last name 2. Date of birth 3. Phone number 4. Personal and Business Contact Information (company name, profession, email, state, country, ZIP/Postal 

code) 5. Password 6. Geographic position 7. Picture  8. Cookies and Usage Data. 

Company Data 

1. Company name 2. Website 3. Business address  

Financial Data 

1. Personal and Business Bank Account  2. Personal and Business Credit Card 

16

Processing operations  

Customer Personal Data will be processed in accordance with the Agreement and this DPA. 

 

DATA EXPORTER 

Name: _____________________________________________________________ 

By: Name (written out in full): _____________________________________________________________ 

Position: _____________________________________________________________ 

Address: _____________________________________________________________ 

Signature............................................................................................ (stamp of organization) 

Date..................................................................................................... 

 

DATA IMPORTER 

Name: Abacus Labs, Inc. 

By: Name (written out in full): Steven Reedich 

Position: Director of Operations 

Address: 14 E 38th Floor 9, New York, NY 10016 

Signature............................................................................................ (stamp of organization) 

Date..................................................................................................... 

 

   

17

5/24/2018

APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES Data importer will maintain administrative, technical and physical safeguards designed to protect the security,                           confidentiality and integrity of personal data submitted to the subscribed services as described in the applicable                               Security Measures described at https://www.abacus.com/security or otherwise made reasonably available by data                       importer. The Security Measures as of May 25, 2018 are attached to the DPA as Attachment 2. 

DATA EXPORTER 

Name: _____________________________________________________________ 

By: Name (written out in full): _____________________________________________________________ 

Position: _____________________________________________________________ 

Address: _____________________________________________________________ 

Signature............................................................................................ (stamp of organization) 

Date..................................................................................................... 

 

DATA IMPORTER 

Name: Abacus Labs, Inc. 

By: Name (written out in full): Steven Reedich 

Position: Director of Operations 

Address: 14 E 38th Floor 9, New York, NY 10016 

Signature............................................................................................ (stamp of organization) 

Date..................................................................................................... 

 

   

18

5/24/2018

APPENDIX 3 TO THE STANDARD CONTRACTUAL CLAUSES 

SUB-PROCESSOR LIST 

 

Sub-processor Location Service Performed

Algolia USA Search functionality

Amazon Web Services USA Storage and diagnostics

Blockscore USA Identify verification

Cloud Factory UK Receipt Transcription

Datadog USA Monitoring & Analytics

Delighted USA Customer survey

Finicity USA Financial data aggregation

Forte USA ACH Processing

Google Analytics USA Site analytics

Helpscout USA Customer support platform

Mailgun USA Email Delivery

Marketo USA Marketing automation

Mixpanel USA Platform analytics

Olark USA Livechat

Pingdom EU Site & Server monitoring

Plaid USA Financial data aggregation

Salesforce USA CRM

Sentry USA Error monitoring

Sumologic USA Log management

Traxo USA Receipt Transcription  

 

19