Information Security and Data Protection Addendum

Date: March 2021

Any entity, including any provider of services to Bill.com, LLC (“Bill.com”), who has access to any Bill.com Information as defined below (“Service Provider”), shall comply with the requirements in this Information Security and Data Protection Addendum (the “Addendum”). This Addendum governs the manner in which Bill.com Information shall be handled or processed by Service Provider. This Addendum is made a part of any services agreement or other agreement between Bill.com and Service Provider (the “Agreement”).

1. Definitions

Authorized Employees” means Service Provider’s employees who have a need to know or otherwise access Bill.com Information to enable Service Provider to perform its obligations under the Agreement, including this Addendum. 

Authorized Persons” means (i) Authorized Employees; and (ii) Service Provider’s subcontractors or other agent who have a need to know or otherwise access Bill.com Information to enable Service Provider to perform its obligations under this Addendum, and who are bound in writing by confidentiality and other obligations sufficient to protect Bill.com Information in accordance with the terms and conditions of this Addendum.

Bill.com Information” means any Bill.com information that a Service Provider creates, receives, or distributes, or Bill.com otherwise controls and relates to Bill.com or its business, whether exchanged verbally or recorded in any form. Bill.com Information includes Personal Information.

CCPA” means the California Consumer Privacy Act of 2018, as amended (Cal. Civ. Code §§ 1798.100 et seq.), and any related regulations or guidance issued by the California Attorney General. 

Personal Information” means Bill.com Information that relates to - or can be used to identify - an individual person (e.g., name, phone number, mailing address, email address). Sensitive Personal Information is a subset of Personal Information that is subject to stricter limits on its collection, use, and protection. 

Sensitive Personal Information” means information that (i) can be used to steal an individual’s identity or gain unauthorized access to an individual’s assets or accounts (e,g,, government-issued identification number, such as Social Security number or driver’s license number; financial information, such as account number or credit card number; online login credentials, such as online password or answer to a security question; biometric information); or (ii) may be considered particularly intimate, embarrassing, or damaging to an individual (e.g., geolocation information, health information, background check results).

For the purposes of this Addendum, information about an individual in the business context is considered Personal Information. For example, business contact information is considered Personal Information.

All requirements for Personal Information apply to Sensitive Personal Information, except where additional requirements are specified for Sensitive Personal Information. 

See Appendix A for a chart listing examples of data elements falling within Personal Information and Sensitive Information. 

Privacy Notice” means the written declaration about the collection and use of Personal Information on Bill.com’s website at www.bill.com/privacy or on the Bill.com mobile application.

2. Data Handling and Access

a) Compliance. Service Provider will comply with the terms of this Addendum, the applicable Bill.com Privacy Notice(s), any data protection addendums entered into between the parties, and all applicable laws, policies, rules and regulations relating to the collection or use of Personal Information. Service Provider agrees to impose and enforce compliance of this Addendum on all its employees, contractors, and other third party service providers with access to Personal Information.

b) Handling procedures. Service Provider will have documented handling procedures designed to implement technical and organizational measures to protect Bill.com Information consistent with applicable law and this Addendum. Service Provider will train its employees, contractors, and other third-party service providers on and will implement these procedures to keep and maintain Bill.com Information in strict confidence, using a degree of care as is appropriate to avoid unauthorized access, collection, use, sharing, retention/destruction, or disclosure.

c) No sale or sharing. Service Provider will not use, sell, rent, lease, transfer, distribute or otherwise disclose or share Bill.com Information for Service Provider’s own purposes or for the benefit of anyone other than Bill.com, without Bill.com’s prior written consent. 

d) Limited use. Service Provider shall under no circumstances collect, access, use, store, destroy, reproduce, disclose, or otherwise handle or process Bill.com Information other than as specifically authorized by this Addendum or the Agreement. Should Service Provider become legally obligated to handle Bill.com Information other than as permitted by this Addendum or the associated agreement, it shall, unless legally prohibited from doing so, first provide notice to Bill.com.

e) Limited to Authorized Persons. Access to Bill.com Information stored on Service Provider’s systems and with Service Provider’s third-party providers must not be granted to members of Service Provider’s staff, subcontractors, or other agents, unless the following conditions are met: 

(i) The staff member, subcontractor, or other agent is an Authorized Person;

(ii) The Authorized Person requesting the access can be uniquely identified (e.g., by a unique User ID);

(iii) The Authorized Person requesting the access has entered a correct password or other authorizing token to indicate that he/she is an authorized user with permitted access to the Bill.com Information. If passwords are the only method used for authentication, they must satisfy certain minimal standards mutually agreeable to Bill.com and Service Provider (e.g., eight characters minimum length, required use of special- and/or mixed-case characters, no words that could be found in a dictionary, and required to be changed every ninety (90) days) that make them sufficiently robust to effectively resist both educated guessing and brute-force attacks;

(iv) In all cases, access permissions must be established in a manner that allows only for the minimum access level(s) required for each Authorized Person to perform their job function. The ability to read, write, modify or delete Bill.com Information must be limited to those individuals who are specifically authorized to perform those data maintenance functions and limited to the specific data elements that are needed to perform their job function;

(v) The date, time, requestor, and nature of the Authorized Person’s access (i.e., read-only or modify) has been recorded in a log file; and

(vi) Procedures are in place to modify or revoke access permissions to Bill.com Information when Authorized Employees leave Service Provider or when their job responsibilities change and when other Authorized Persons should no longer have access to Bill.com Information.

f) Firewalls. Bill.com Information stored on Service Provider’s systems, whether on premises or cloud-based, must be stored behind firewalls with access to such data limited as described in the Authorized Persons section above.

g) Customer access control. Passwords used by Bill.com’s customers are not required to conform to the password standard described above; however, Service Provider must ensure that Bill.com customers do not have access to Bill.com Information other than that which pertains to them.

h) Encryption:

(i) Encryption of Sensitive Personal Information and other specific Bill.com Information. Service Provider must always encrypt Sensitive Personal Information, encryption keys, beneficiary information, and tax return information when it is stored on Service Provider's systems, whether on premises or cloud-based.

(ii) Other encryption. In addition, Service Provider must encrypt all Personal Information stored on laptops or other portable devices.

(iii) Encryption standards. At a minimum, financial services industry-standard encryption techniques must be employed to safeguard Bill.com Information in Service Provider's systems from retrieval by persons who are not Authorized Persons. Service Provider shall adopt best practices in its industry where appropriate. Whenever possible, message digest algorithms such as SHA-256 (or such other standards as Bill.com reasonably requests from time to time) shall be used to hash and verify the user's password, and “salt” shall be added to the input string prior to encoding to ensure that the same password text chosen by different users will yield different encodings.

i) Access to printed material. Printed material that contains Bill.com Information must be stored in secured areas to which access is limited to those Authorized Employees who have a business need to access it. It must also be disposed of in a secure manner. At a minimum, financial services industry-standard protections must be employed to ensure the secure storage and destruction of printed Bill.com Information. Whenever possible, secure disposal alternatives such as on-site shredding prior to recycling or placement in publicly-accessible trash bins with subsequent off-site shredding by a licensed contractor shall be implemented.

3. Transmission of Bill.com Information

a) Security of transmission. Except as restricted by law, Service Provider must not electronically transmit Bill.com Information over publicly-accessible networks without using industry best practices (e.g., data in transit encryption in line with industry standards) or another mechanism that affords similar or greater security and confidentiality.

b) HTTP Requests. Bill.com Information must never be passed in a URL (e.g., using a GET method) in a manner that potentially exposes the information to third parties and causes such information to appear in log files.

c) In Email. Service Provider shall only send Bill.com Information in an email message over publicly-accessible networks if one of the following conditions is met:

(i) The email message is between representatives of Service Provider and representatives of Bill.com;

(ii) The content of the email has been approved in advance by Bill.com; or

(iii) The email is encrypted using a previously-approved encryption mechanism or is otherwise made secure with an approach that has been mutually agreed upon in advance by Bill.com and Service Provider.

4. Maintaining Secure Environment

a) Backups. To protect the accuracy and integrity of Bill.com Information, all such data must be backed up by Service Provider regularly (no less often than weekly unless otherwise stipulated in this Addendum or the Agreement), and the backups stored in secure, environmentally-controlled, limited-access facilities.

b) Vulnerability scans. Service Provider must run internal and external network vulnerability scans at least monthly and after any change in the network configuration (e.g., new system component installations, changes in network topology, firewall rule modifications, or product upgrades).

c) Security Fixes. Service Provider must promptly install any security-related fixes identified by its hardware or software vendors, if the security threat being addressed by the fix is one that threatens the privacy or integrity of any Bill.com Information covered by this Addendum or the Agreement which this Addendum is incorporated. Such upgrades must be made as soon as they can safely be installed and integrated into Service Provider’s existing architecture and systems.

d) Security threats. Bill.com may, from time to time, advise Service Provider of recent security threats that have come to its attention, and require Service Provider to implement specific modifications to its software, policies, or procedures that may be necessary to counter these threats. Service Provider will implement these modifications within a mutually-agreed time, or must obtain written permission from Bill.com to take some other course of action to ensure that the privacy and integrity of any Bill.com Information is preserved.

e) Monitoring. Notwithstanding the minimum standards set forth in this Addendum, Service Provider should monitor and periodically incorporate reasonable industry-standard security safeguards.

5. Reviews, Audits and Remedies

a) SOC reviews and penetration tests. At least annually, Service Provider agrees to, at its own cost and expense, have a qualified independent third party: (i) conduct a review or assessment and provide a full attestation, review or report under (A)(1)(a) SSAE 18 (Statement on Standards for Attestation Engagements No. 18) SOC (Service Organization Control) 1 Type II and (b) SOC 2 Type II; and (ii) conduct and provide a full report of network and application penetration test. Service Provider agrees to mitigate or correct all exceptions in such attestations, reviews, and reports within a mutually agreed upon time frame; and upon Bill.com's request, promptly provide Bill.com with the status of the remediation efforts.

b) Records and audit. Service Provider will maintain records sufficient to demonstrate its compliance with the terms of this Addendum and shall permit Bill.com, or a third party chosen by Bill.com and reasonably acceptable to Service Provider, to audit Service Provider’s books, records, facilities, computer systems, and practices relating to its obligations under this Addendum upon reasonable notice and during regular business hours, and at Bill.com’s expense, at the locations where such records and data are maintained, for purposes of verifying Service Provider’s compliance. Notwithstanding the foregoing, if Bill.com in good faith believes that a threat to security exists that could affect Bill.com Information, Service Provider must provide Bill.com or its agent access immediately upon request by Bill.com. Such audit shall be limited once every twelve months, unless material discrepancies are discovered during the course of review or there is an occurrence subject to notification in Section 9(a) below that occurs.

c) Third-party studies. In its reasonable discretion, Bill.com may inspect, or employ third parties to conduct annual studies of Service Provider’s operational processes, systems, vulnerability scan results and computer network security relating to the collection, transmission, and storage of Bill.com Information. Bill.com agrees to coordinate the scheduling of any such study with Service Provider to reasonably minimize disruption to Service Provider’s business. Service Provider agrees to cooperate with Bill.com to commence such a study within thirty (30) days from Service Provider’s receipt of written notice of Bill.com’s intent to conduct, or to employ a third party to conduct, such a study. At Service Provider’s request, Bill.com will require any third party it employs to conduct such a study, to sign a non-disclosure agreement and agree not to disclose any Bill.com Information. Bill.com will make the results of any such study available to Service Provider and, depending on the seriousness of any problems found, may require Service Provider to remedy any and all such deficiencies in a timely fashion. Costs of such audits shall be borne by Bill.com, unless Service Provider is in material non-conformity with the Agreement or this Addendum.

d) Correction of security-related problems. Notwithstanding any time-to-cure provision in this Addendum or in the Agreement to the contrary, it shall be completely within Bill.com’s discretion to require correction of any demonstrated security-related problem within a shorter period of time. Bill.com shall provide written notice of the problem to Service Provider, and Service Provider must immediately take appropriate steps to correct the problem. If Service Provider fails to correct any demonstrated security problem within a commercially-reasonable time, considering the work that must be completed to address the problem and resulting in the material disclosure or threatened disclosure of Bill.com Information, Bill.com may instruct Service Provider to take such interim measures as necessary to protect Bill.com Information. If Service Provider fails or refuses to take those interim and/or permanent measures which are necessary to prevent the material disclosure of Bill.com Information within a commercially-reasonable time, Bill.com may terminate the Agreement(s) between Bill.com and Service Provider for cause.

6. Termination Obligations

Within ten (10) days after the expiration or termination of the Agreement, Service Provider shall return to Bill.com or destroy upon Bill.com’s written request all Bill.com Information in a manner that renders such information unrecoverable and certify that it has complied with the foregoing in writing. Notwithstanding the foregoing or anything to the contrary herein, i) Service Provider will not be required to return or destroy electronic information stored in back-up/archival storage in accordance with its policies, and ii) Service Provider may retain information to the extent required to comply with applicable legal and regulatory requirements, in each case subject to its confidentiality obligations herein.

7. Compliance with Applicable Laws and Regulations

a) Compliance with laws. In addition to any compliance requirements provided in the Agreement, Service Provider will at all times be in compliance with and shall not violate any applicable privacy and security related international, national, or state and local statutes, laws, rules or regulations.

b) Tax return information compliance. In addition to the general requirement stated above, Service Provider understands that if Bill.com Information includes tax return information subject to IRS regulations (including sections 6713 and 7216) governing its use and disclosure, the penalties for unauthorized disclosure or use of such tax return information under IRC 6713 and 7216 can result in criminal prosecution, imprisonment and the assessment of monetary fines. Service Provider shall access such Bill.com Information only to provide the services specifically authorized by this Addendum or the Agreement, and shall not disclose such Bill.com Information to any third persons. Additionally, Service Provider shall notify, and hereby represents and warrants that it has notified, in writing any of its employees who may have access to such Bill.com Information of the applicability of sections IRC Sections 6713 and 7216 including a description of the requirements and penalties of those sections.

c) CCPA compliance. Service Provider and Bill.com shall comply with their respective obligations under the CCPA.

(i) As used in this section, “personal information,” “consumer,” “sell,” “business purpose,” “commercial purpose,” and “verifiable consumer request” will have the meaning given to those terms in the CCPA.

(ii) General. The parties acknowledge and agree that: (i) Service Provider does not receive Personal Information, or access to it, as valuable consideration for providing services to Bill.com under the Agreement; and (ii) Service Provider shall collect, receive, access, retain, use, disclose, or otherwise process Personal Information on behalf of Bill.com solely for the business purpose of providing the services to Bill.com and in accordance with the terms and conditions of this Addendum.

(iii) Data processing obligations. Service Provider shall not, directly or indirectly: (i) sell Personal Information; (ii) collect, access, retain, use, disclose, or otherwise process Personal Information: (a) for any purpose other than for the specific business purpose of performing the services specified in the Agreement; (b) for a commercial purpose other than providing Bill.com the services specified in the Agreement; or (c) outside the direct business relationship between Bill.com and Service Provider; or (iii) attempt to or actually re-identify any previously aggregated, deidentified, or anonymized Personal Information and Service Provider shall contractually prohibit permitted downstream data recipients from attempting to or actually re-identifying such data. Service Provider certifies that it understands the foregoing restrictions and will comply with them.

(iv) Subcontractors. To the extent permitted under the Agreement, Service Provider may use subcontractors to provide all or part of the services, provided that, to the extent any such engagement involves the collection, access, retention, use, disclosure, or other processing of Personal Information: (i) Service Provider shall provide Bill.com with a list that includes: (a) the name, address and contact information of each such subcontractor; (b) the type(s) of services provided by each such subcontractor; and (c) the categories of Personal Information disclosed, made available or otherwise processed by each such subcontractor; (ii) Service Provider does not make any disclosures to any subcontractor that would be considered a sale under the CCPA; (iii) Service Provider ensures that the arrangement between each subcontractor and Service Provider is governed by a written contract that includes terms substantially similar, but no less restrictive, as those set forth in this section about CCPA compliance; and (iv) Service Provider remains fully liable to Bill.com for each subcontractor's performance of the obligations set forth in these sections about CCPA compliance.

(v) Assistance with CCPA obligations. Service Provider shall: (i) upon Bill.com’s written request, reasonably assist Bill.com in fulfilling Bill.com’s obligation to respond to a verifiable consumer request under the CCPA; and (ii) if Service Provider receives a verifiable consumer request related to any Personal Information, Service Provider shall immediately notify Bill.com in writing and shall not respond to any such verifiable consumer request, except as may be instructed by Bill.com in writing or as required by applicable law.

8. Changes to Requirements

Bill.com may amend this Addendum as may be required by law or otherwise. If Service Provider is not willing or is unable to meet the updated requirements of any amendment, Bill.com may take responsive action, including but not limited to termination of the Agreement.

9. Notifications

a) Notifications related to Bill.com Information. Immediately upon discovery, Service Provider must notify Bill.com (a) if it knows or suspects that Bill.com Information has been the subject of attack, compromised, disclosed to or accessed by unauthorized persons, or used in an unauthorized manner, (b) if there have been any complaints about Service Provider’s information and collection practices as they relate to Bill.com Information, or (c) if there has been any material deviation from the confidentiality requirements of the Agreement or this Addendum.

b) Right to participate/control. Service Provider agrees that Bill.com shall have the right to participate in the investigation, response and/or correction of any of the above. In addition, unless otherwise required by law, Bill.com shall have the right to control and direct any public communication, including but not limited to communication with Bill.com customers, regarding the same.

c) Other notifications. Additionally, Service Provider must immediately notify the Bill.com Internet Operations Center (infosec@hq.bill.com) of any relevant, urgent security issues identified by Service Provider, including, but not limited to, ongoing denial of service attacks, actively exploited vulnerabilities, and ongoing exposure of Bill.com Information.

10. Contact Information

a) Privacy and Security Coordinator. Service Provider will designate a single point of contact as its Privacy and Security Coordinator. This Privacy and Security Coordinator will (i) be responsible for ensuring Bill.com Information is adequately protected, (ii) oversee Service Provider’s compliance with the requirements of this Addendum, and (iii) serve as a single point of contact for communications with Bill.com pertaining to this Addendum.

b) Bill.com and the Service Provider shall designate a single point of contact for urgent security issues (a “Security SPOC”) and provide contact information for such Security SPOC. Both parties agree that either the Security SPOC or their qualified delegate will be available at all times.

Bill.com Security SPOC: Jennifer Erickson, jerickson@hq.bill.com

11. Miscellaneous

a) General. This Addendum will be governed by the laws of the state specified in the underlying Agreement between Bill.com and Service Provider. Any failure to enforce any provision of this Addendum will not constitute a waiver thereof or of any other provision. This Addendum may not be amended, nor any obligation waived, except by a writing signed by both parties hereto.

b) Order of precedence. If there is a conflict between the Agreement and the Addendum pertaining to the subject matter of this Addendum, the Addendum shall control.

c) Indemnity. Without limiting Bill.com’s indemnity rights under the Agreement, Service Provider shall also indemnify, defend, and hold harmless Bill.com and its respective officers, directors, employees, agents, successors, and assigns (each, a “Bill.com Indemnitee”) from and against any and all losses, damages, claims, actions, judgments, settlements, interest, fines, costs, or expenses of whatever kind, including reasonable attorneys’ fees (“Losses”) incurred by a Bill.com Indemnitee resulting from any claim, action, demand, lawsuit, arbitration, or investigation of any nature, civil, criminal, administrative, regulatory, or other, whether at law, in equity, or otherwise, to the extent that such Losses arise out of or result from, or are alleged to arise out of or result from, any violation of this Addendum by Service Provider, its subcontractors, and/or their principals, employees, or contractors.

Appendix A: Examples of Personal Information and Sensitive Personal Information

Personal Information Sensitive Personal Information
  • Personal contact information (e.g., real name, alias, postal address, phone number, email address, account name)
  • Business contact information (e.g., postal address, phone number, email address, account name)
  • Employee identification number
  • Job title
  • Partial date of birth
  • Gender
  • Electronic identifier (e.g., IP address, device identification number)
  • Commercial information (e.g., record of property, products or services purchased, obtained, or considered; Other purchasing or consuming histories or tendencies)
  • Internet activity (e.g., browsing history, search history, information regarding interaction with a website, application, or advertisement)
  • Social Security number
  • Driver’s license number or other government-issued identification number (e.g., passport number
  • Full date of birth
  • Financial account number (including account number or credit card number)
  • Plain text passwords or answer to a security question (for online login)
  • Geolocation tracking information
  • Health, medical, or genetic information
  • Biometric information (e.g., fingerprint, face scan)
  • Background check results
  • Salary/compensation
  • Job performance data
  • Racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life or sexual orientation
  • Characteristics (e.g., risk rating)