Data Processing Addendum

Last updated on 9 September 2024

Table of Contents

1. Background
2. Definitions
3. Processor’s obligations
4. Sub-Processors
5. Records of processing
6. Data breaches
7. Data Subject Rights
8. Return and deletion of personal data
9. Audit
10. Transfer of personal data
11. General provisions
12. Governing law and jurisdiction

SCHEDULE 1 – Description of the Processing of Personal Data
SCHEDULE 2 – List of Sub-Processors
SCHEDULE 3 – Technical and Organizational Measures

Applicable to customers signed on or after 23 September 2024. For customers signed before 23 September 2024 the following DPA will apply.

1. Background

1.1. This Data Processing Addendum (“DPA”) is an integral part of, and applies together with, the Payhawk Terms and Conditions (https://payhawk.com/terms, hereinafter the “Framework Agreement”).

1.2. By accepting our Framework Agreement, Company agrees to be bound by all terms and conditions set forth in this DPA.

1.3. The purpose of this DPA is to lay down the rights and obligations of the Company as Controller and the relevant Payhawk Software Services Contracting Party (hereinafter “Payhawk”) as Processor with regards to the processing of Personal Data for the provision of the Payhawk Software Services under the Framework Agreement.

1.4. Both the Controller and the Processor shall be collectively referred to as the Parties, and each individually as a Party.

2. Definitions

2.1. Data Protection Laws means all applicable data protection and privacy laws to which the Personal Data under this DPA is subject, including but not limited to Regulation (EU) 2016/679 (the “GDPR”), the Data Protection Act 2018 (the “UK-GDPR”), as well as any other applicable country-specific or state-specific data protection and privacy law of the countries where Payhawk operates. “Controller”, “Processor”, “Data Subject(s)”, “Personal Data Breach” and “Processing” have the meaning given under the Data Protection Laws.

2.2. Personal Data means any information relating to an identified or identifiable natural person that is Processed in connection with the services under the Framework Agreement by Payhawk as Processor.

2.3. Sub-Processor(s) means any entity (including the third parties or the persons associated with the Processor) appointed by the Processor or a person associated with the Processor for the processing of Personal Data on behalf of the Controller for the provision of the Services under the Framework Agreement.

2.4. Technical and Organizational measures means the technical and organizational measures for the security of the Personal Data in scope of the processing, agreed between the parties, taking into account Article 32 of the GDPR and other Data Protection Laws, as applicable.

2.5. Payhawk Software Account means the Payhawk SaaS solution that allows the Company to use the Payhawk services throughout the term of the Framework Agreement.

2.6. Other notions shall be understood as defined in the Data Protection Laws and the Framework Agreement.

3. Processor’s obligations

The Processor undertakes:

3.1. to ensure that the processing of Personal Data in scope of the present DPA is done in compliance with the Data Protection Laws and the guidance of the relevant supervisory authorities;

3.2. to implement appropriate Technical and Organizational Measures to ensure an appropriate level of security of the Personal Data processed on behalf of the Controller. Such measures must at least ensure the protection of the Personal Data against destruction, alteration and dissemination;

3.3. to process the Personal Data in scope of the present DPA only on the documented instructions (including electronically) from the Controller, including with regard to transfers of Personal Data to a third country or an international organization. The Parties acknowledge and agree that the use of the Payhawk Software Account by the Company’s Users (as defined in our Framework Agreement) constitutes the Company’s documented instructions to Payhawk regarding the processing of the Personal Data;

3.4. to assist the Controller in fulfilling its obligations arising out of the Data Protection Laws, including without limitation to obligations with regards to the execution of the rights of the data subjects in connection with the services under the Framework Agreement, to carry out data protection impact assessments or prior consultations with supervisory authorities with respect to the Processing of Personal Data;

3.5. to ensure confidentiality of the Personal Data as well as other information pertaining to the processing of Personal Data by ensuring, among other things, that the Processor’s employees authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

3.6. to notify the Controller, unless legally restricted from doing so, without undue delay of any situation where the Processor must disclose the Personal Data processed on behalf of the Controller in breach of the obligations stipulated in the Data Protection Laws. If the Processor is obligated to disclose the Personal Data to comply with its statutory obligations or a regulatory request, the Processor shall adhere to the following rules: (i) disclose as little Personal Data as possible, i.e. only the amount and the kind of Personal Data that is mandatory to disclose when complying with the statutory obligation or regulatory request; (ii) disclose the Personal Data only to those third parties to which disclosure is mandatory when complying with the statutory duty; and (iii) demand from each such third party that it keep the Personal Data confidential.

4. Sub-Processors

4.1. The Controller hereby grants the Processor a general authorization to engage Sub-Processors for the provision of the services under the Framework Agreement, pursuant to the terms for engaging Sub-Processors as provided and agreed hereunder.

4.2. The Processor undertakes to engage only Sub-Processors that offer an adequate level of technical and organizational measures, so that the Personal Data processing under this DPA complies with the requirements of the Data Protection Laws and ensures the safeguarding of the rights of the data subjects.

4.3. It remains understood between the Parties that the Processor shall remain liable for the actions and omissions of its Sub-Processors and shall contractually ensure that each Sub-Processor complies with the requirements of the Data Protection Laws and the provisions of the present DPA.

4.4. The Processor shall notify the Controller of any intended changes to the List of Sub-Processors in Schedule 2 of this DPA (“List of Sub-Processors”) at least thirty (30) days in advance. In the event that the Controller has not explicitly objected to such changes within the notice period, the changes shall automatically become effective. In the event that the Controller has explicitly objected in good faith to the engagement of a particular Sub-Processor on grounds of non-compliance with Data Protection Laws and, provided that the Processor cannot continue to provide its services without the sub-processing, the Controller shall be entitled to unilaterally terminate the Framework Agreement by giving thirty (30) days’ advance notice of termination in writing.

5. Records of processing

5.1. The Processor undertakes to keep a record of the Processing of Personal Data carried out on behalf of the Controller, including the record of Processing activities required in accordance with Article 30(2) of the GDPR.

6. Data breaches

6.1. If the Processor (or any Sub-Processor) becomes aware of a Personal Data breach (incident) which affects or may affect the Personal Data processed on behalf of the Controller, the Processor must notify the Controller thereof without undue delay and provide the Controller with comprehensive information enabling the latter to fulfill its obligations to notify the supervisory authority and/or data subjects of the Personal Data breach in accordance with the requirements of the Data Protection Laws.

6.2. The Processor shall document all Personal Data breaches, comprising the facts relating to the Personal Data breach, its effects and the remedial actions taken. At the Controller’s request, the Processor shall make such documents available (especially when such documents are requested by the supervisory authority).

6.3. The Processor shall actively cooperate with the Controller and take commercially reasonable steps which would (i) contribute to investigating the actual or potential Personal Data breach, (ii) assist in mitigating and otherwise remedying the consequences caused by such Personal Data breach, and (iii) help to prevent occurrence of Personal Data breaches of identical or similar nature in the future.

7. Data Subject Rights

7.1. The Processor shall notify the Data Controller promptly, and in any event no later than three (3) business days, of any request from a Data Subject wishing to exercise their rights under the Data Protection Legislation;

7.2. The Processor shall provide the Data Controller with reasonable cooperation and assistance to enable the Data Controller to respond to requests from Data Subjects who wish to exercise their rights under the Data Protection Legislation (whether such requests are received by the Data Processor or the Data Controller), to the extent that this is legally permitted, and to the extent that the Data Controller does not have access to such Personal Data as part of its use of the Services; and

7.3. The Processor shall not disclose or communicate any Personal Data in response to a Data Subject, nor respond to any other request for disclosure of Personal Data, without first consulting and obtaining the written consent of the Data Controller, unless otherwise required under applicable legal acts.

8. Return and deletion of personal data

8.1. At the Controller’s written request upon the expiry, termination or cancellation of the present DPA, the Processor undertakes to destroy or return the Personal Data received from the Controller on the basis of the present DPA.

8.2. The Processor shall be entitled to keep some of the Personal Data received from the Controller to the extent the Personal Data is necessary for compliance with the requirements of any applicable legal acts, while ensuring the protection and confidentiality of the Personal Data.

9. Audit

9.1. Subject to the Controller’s written request, made at least thirty (30) days in advance (“Audit Request”) and applicable confidentiality undertakings, the Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, provided that the Processor does not have a good faith objection to such a mandated auditor. The Audit Request shall include at least the scope and duration of the audit, and audits shall not be conducted more than once per year, unless otherwise required under Data Protection Laws. The audit must also be conducted during regular business hours, so that it does not undermine the ordinary activities of the Processor.

9.2. Subject to the Controller’s written request, the Processor shall provide the Controller with all information necessary to demonstrate compliance with the obligations laid down in the Data Protection Laws and the provisions of the present DPA.

9.3. The Processor undertakes to notify the Controller without undue delay of any material changes in the technical or organizational measures which may affect the data processing operations carried out under this DPA.

9.4. All audits, inspections and information requests, under this DPA, shall be limited strictly to the purposes of Payhawk’s compliance with the Data Protection Laws as a Processor and the provisions of this DPA.

10. Transfer of personal data

10.1. If it is necessary for the performance of the Framework Agreement and/or fulfillment of the requirements of applicable legal acts, the Processor or its Sub-Processor(s) may transfer the Personal Data outside the EEA and/or the UK to a specific data recipient only by duly complying with the provisions of Chapter V of the GDPR/UK-GDPR (in such case the Processor shall remain liable for adequate compliance with the Data Protection Laws when transferring the data outside the EEA and/or UK).

11. General provisions

11.1. The present DPA shall come into effect and remain valid for the term of the Framework Agreement and shall be effective for an additional period after the expiry of the Framework Agreement as long as necessary to duly fulfill the obligations relating to the Personal Data processing outstanding after the expiry of the Framework Agreement (or for a longer period if it is provided for in applicable legal acts).

11.2. Clause, Schedule and paragraph headings shall not affect the interpretation of this DPA.

11.3. The Schedules form part of this DPA and shall have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Schedules.

11.4. Unless the context otherwise requires, words in the singular shall include the plural and in the plural shall include the singular, and a reference to one gender shall include a reference to the other genders.

11.5. A reference to a statute or statutory provision is a reference to it as amended, extended or re-enacted from time to time and shall include all subordinate laws made from time to time under that statute or statutory provision.

11.6. Any words following the terms “including”, “include”, “in particular” or “for example”, or any similar phrase, shall be construed as illustrative and shall not limit the generality of the related general words.

11.7. In the case of conflict or ambiguity between any of the provisions of this DPA and the provisions of the Framework Agreement, the provisions of this DPA shall prevail.

11.8. A reference to writing or written includes email and other means of electronic communication.

12. Governing law and jurisdiction

12.1. The present DPA shall be governed by the law applicable to the Framework Agreement.

12.2. In case of any dispute in relation with this DPA, the courts stipulated in the “Jurisdiction” section under the Framework Agreement shall have exclusive jurisdiction. This is without limitation of the right of either Party to seek the mediation of competent mediation services with a view to settling the dispute amicably.

SCHEDULE 1 – Description of the Processing of Personal Data

Subject Matter: Processing of Personal Data on behalf of the Controller for the delivery of the Payhawk Software Services under the Framework Agreement.

Categories of Data Subjects: Individuals about whom Personal Data is provided to Payhawk via the Payhawk Software Services by or on behalf of the Controller. This includes, but is not limited to, the Controller’s employees, contractors, agents and representatives.

Categories of Personal Data: Data uploaded by the Controller to the Payhawk Software Account, to the extent such data includes Personal Data. This includes, but is not limited to: Invoices, Receipts, Mileages, Subscriptions, Custom notes, Custom exports, Purchase orders, Logs, and any Personal Data received through software integrations supported by Payhawk.

Special Categories of Personal Data: N/A

Duration of the Processing: For the duration of the Framework Agreement, unless the Controller has instructed otherwise.

Contact details for Payhawk: Mihail Yanev, Data Protection Officer (DPO): dpo@payhawk.com

SCHEDULE 2 – List of Sub-Processors

Sub-Processor: Payhawk EOOD
Service: Payhawk Platform provider
Country: Bulgaria (Google Cloud Platform data centers, located in Belgium and Germany)

Optional Sub-Processor*: Merge API, Inc.
Service: API provider for HR Integrations through Payhawk
Country: USA (Data centers in Stockholm, Sweden)

*Applicable for Companies (Controllers) that have requested the Basic and Advanced HR integrations functionality through the Payhawk Software Account.

SCHEDULE 3 – Technical and Organizational Measures

1. Third-party security certifications

At the time of this DPA, Payhawk is certified under the following information security standards:

  • PCI-DSS (The Payment Card Industry Data Security Standard)
  • SOC 2, type 2
  • SOC 1, type 1
  • ISO 27001:2017
  • UK Cyber Essentials

2. Technical and Organizational measures

This Schedule sets out the particular Technical and Organizational Measures (TOMs) that Payhawk applies to the Processing of Personal Data under this DPA, which offer sufficient guarantees for the purposes of the Data Protection Laws. Each measure is listed with the team responsible for it and the internal policy that governs it.

Task: Training & Awareness
Current Security Measures: Conducting regular training for all employees and new joiners regarding data protection and information security.
Responsibility: Information Security and Data Protection teams
Policy: Security Awareness Program / Data Protection Awareness Program

Task: Third Party Processors
Current Security Measures: Conducting data protection compliance due diligence and an information security audit before entering into any relationship which includes processing of Personal Data.
Responsibility: Information Security and Data Protection teams
Policy: Vendor Management Policy

Task: Third-Party Penetration Tests
Current Security Measures: Third-party penetration tests are conducted against the application and supporting infrastructure at least annually. Any findings resulting from the tests are tracked to remediation. Reports are available on request with an appropriate NDA in place.
Responsibility: Information Security team
Policy: Information Security Policy

Task: Data Centers Infrastructure Security
Current Security Measures: Our cloud service providers employ robust controls to secure the availability and security of our servers. This includes measures such as backup power, fire detection and suppression equipment, and secure device destruction, amongst others.
Responsibility: Information Security team
Policy: Information Security Policy

Task: Data Centers Onsite Security
Current Security Measures: Our cloud service providers implement layered physical security controls to ensure on-site security, including vetted security guards, fencing, video monitoring, intrusion detection technology, and more.
Responsibility: Information Security team
Policy: Information Security Policy

Task: Access Control
Current Security Measures: Access is limited by following the least privilege model, granting staff only the access required to carry out their jobs. This is subject to frequent internal audits and to technical enforcement and monitoring to ensure compliance. 2FA is required for all production systems.
Responsibility: Information Security team
Policy: Access Control Policy

Task: Threat Detection
Current Security Measures: Payhawk leverages threat detection services within AWS to continuously monitor for malicious and unauthorized activity.
Responsibility: Information Security team
Policy: Information Security Policy

Task: Vulnerability Scanning
Current Security Measures: We perform regular internal vulnerability scans of infrastructure and applications. Where issues are identified, these are tracked until remediation.
Responsibility: Information Security team
Policy: Information Security Policy

Task: DoS Mitigation
Current Security Measures: Payhawk uses a number of DDoS protection strategies and tools, layered to mitigate DDoS threats. We utilize AWS Shield’s sophisticated CDN with built-in DDoS protection as well as native AWS tools and application-specific mitigation techniques.
Responsibility: Information Security team
Policy: Information Security Policy

Task: Encryption (in transit)
Current Security Measures: Communication with Payhawk is encrypted with TLS 1.2 or higher over public networks. We monitor community testing and research in this area and continue to adopt best practices in terms of cipher adoption and TLS configuration.
Responsibility: Information Security team
Policy: Information Security Policy

Task: Encryption (at rest)
Current Security Measures: Payhawk data is encrypted at rest with industry-standard AES-256 encryption. By default, we encrypt at the asset or object level.
Responsibility: Information Security team
Policy: Information Security Policy

Task: Disaster Recovery
Current Security Measures: In the event of a major region outage, Payhawk has the ability to deploy our application to a new hosting region. Our Disaster Recovery plan ensures the availability of services and ease of recovery in the event of such a disaster. This plan is regularly tested and reviewed for areas of improvement or automation.
Responsibility: Information Security team
Policy: Business Recovery Policy and Business Continuity Policy

Task: Quality Assurance
Current Security Measures: Payhawk’s Quality Assurance process reviews and tests the codebase. The security team has resources to investigate and recommend remediation of security vulnerabilities within code. Regular syncs, training, and security resources are provided to the QA team.
Responsibility: Information Security and Quality Assurance teams
Policy: Information Security Policy

Task: Environment Segregation
Current Security Measures: Testing, staging, and production environments are separated from one another. No customer data is used in any non-production environment.
Responsibility: Information Security team
Policy: Information Security Policy

Task: Security Champions
Current Security Measures: Payhawk runs a Security Champions program with involvement and contributions from each of the development teams.
Responsibility: Information Security team
Policy: Security Champions Program

Task: Laptops (Remote Access)
Current Security Measures: Password protected – complex user ID passwords, authorized user access only, device hard drive encryption; anti-virus/anti-malware software installed and functional on all workstations, software to block high-risk malware sites, security software messages, virus definition files automatically updated daily, virus logs gathered in a central location and reviewed regularly by IT.
Responsibility: IT management team
Policy: IT Management Policy

Task: Firewalls & Internet Gateways
Current Security Measures: A well-configured software-based firewall is installed and functional; annual firewall rule validation; no access to untrustworthy sites; warning messages; intrusion detection; authorized-user-only access to and management of security devices such as routers, switches, firewalls, intrusion detection systems, intrusion prevention systems, content filtering solutions and anti-spam devices.
Responsibility: IT management team
Policy: IT Management Policy

Task: Patch Management & Software Update
Current Security Measures: Regular computer equipment and software maintenance; virus definition files automatically updated daily.
Responsibility: IT management team
Policy: IT Management Policy