Data Processing Addendum

Last updated: May 4, 2022

This Data Processing Addendum (the “Addendum”) amends and forms part of the Bill.com Terms of Service (or a successor site designated by Bill.com) and/or other agreement(s) (collectively, the “Agreement”) between you (“Customer”) and Bill.com, LLC (“Bill.com”) governing your use of Bill.com’s standard offering for bill payment and payment processing, invoicing and other cash flow management services that Bill.com makes generally available at www.bill.com, as such is updated from time to time (the “Bill.com Service”). This DPA shall apply to the extent Your User Data (as defined in the Bill.com Terms of Service) includes any “Personal Data,” as that term is defined below. This DPA shall be effective as of the date set forth above.

1.   Definitions

1.1   “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

1.2   “California Personal Information” means Personal Data that is subject to the protection of the CCPA.

1.3   “CCPA” (also known as the California Consumer Privacy Act of 2018) means California Civil Code Sec. 1798.100 et seq. and its implementing regulations.

1.4   “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

1.5   “Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy which applies to the respective party in the role of Processing Personal Data in question under the Agreement, including without limitation European Data Protection Laws, the CCPA; in each case as amended, repealed, consolidated, or replaced from time to time.

1.6   “Data Subject” means the identified or identifiable individual to whom Personal Data relates.

1.7   “End Customer” means any individual or entity that Customer pays or is paid by through the Bill.com Service.

1.8   “End Customer Data” means Personal Data relating to an End Customer. California End Customer Data means California Personal Information consisting of End Customer Data. European End Customer Data means European Data consisting of End Customer Data.

1.9   “Europe” means the European Union, the European Economic Area and/or their member states, Switzerland, and the United Kingdom.

1.10   “European Data” means Personal Data that is subject to the protection of European Data Protection Laws.

1.11   “European Data Protection Laws” means data protection laws applicable in Europe, including (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“EU General Data Protection Regulation” or “GDPR”); (ii) GDPR as it forms part of the United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); and (iii) Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance; in each case, as may be amended, superseded, or replaced.

1.12   “Personal Data” means information relating to an identified or identifiable individual.

1.13   “Personal Data Breach” means any confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed.

1.14   “Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction or erasure of Personal Data.

1.15   “Processor” means a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller.

1.16   “Standard Contractual Clauses” means: (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs") and (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR ("UK SCCs").

1.17   “Subcontractor” or “Subprocessor” means an entity engaged by a party to provide Processing services to assist in fulfilling the party’s obligations outlined in the Agreement or this DPA where such entity processes Personal Data. Subcontractors or subprocessors may include Bill.com affiliates or third parties.

2.   Compliance with Laws. Within the scope of the Agreement and in the use or provision of the Bill.com Service, the parties agree to comply with all requirements that apply under applicable Data Protection Laws with respect to the Processing of Personal Data.

3.   Confidentiality. Bill.com will ensure that any personnel authorized to Process Personal Data are subject to appropriate (contractual and/or statutory) confidentiality obligations with respect to that data. Bill.com will ensure that such confidentiality obligations survive the termination of the authorized personnel engagement.

4.   Bill.com's Processing of Personal Data.

4.1   Bill.com will collect, use, and share Personal Data as set forth in its Privacy Notice.

4.2   Bill.com will Process End Customer Data only for the purposes of providing the Bill.com Service in accordance with Customer’s written instructions as specified in the Terms of Service, this DPA and in accordance with applicable Data Protection Laws.

5.   Information Security. Bill.com will maintain commercially reasonable technical and organizational security measures and procedures designed to provide an industry level of safeguards to protect the security, confidentiality, and integrity of Personal Data. Such measures are designed to protect Personal Data from loss, alteration, unauthorized access, acquisition, use, disclosure, or accidental or unlawful destruction.

6.   Personal Data Breach. In accordance with applicable Data Protection Laws, Bill.com will notify Customer without undue delay after becoming aware of any Personal Data Breach and will provide timely information relating to the Personal Data Breach as it becomes known or reasonably requested by Customer. At Customer’s request, Bill.com will promptly provide such reasonable assistance as necessary to enable Customer to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, if Customer is required to do so under applicable Data Protection Laws.

7.   Data Subject Requests. Bill.com agrees to promptly cooperate and provide commercially reasonable assistance to Customer to enable Customer to respond to requests from a Data Subject seeking to exercise their rights under applicable Data Protection Law. Bill.com shall not respond to a Data Subject request itself, except to inform the Data Subject that they should direct their request to the Customer for appropriate handling.

8.   Subcontractors. Where Bill.com engages any Subcontractors to Process Personal Data on its behalf, it will enter into a written contract with the Subcontractor that contains security terms substantially similar to those set out in this DPA and requires the Subcontractor to maintain the security and confidentiality of any Personal Data it Processes on Bill.com’s behalf.

9.   Verification of Compliance. Upon Customer’s written request, at reasonable intervals and subject to Customer agreeing to confidentiality terms, Bill.com will make available copies of the most recent audit report for Service Organization Controls (SOC) Type 2 (or similar report), so that Customer can verify Bill.com’s compliance with the audit standards against which it has been assessed, and this Data Processing Addendum.

10.   Return or Deletion of Data. On termination of the Agreement for any reason or expiry of its term, Customer will have thirty (30) calendar days to request a download of Customer’s transaction history by contacting Bill.com Customer Support. In the event Customer does not contact Bill.com Customer Support for this purpose within 30 calendar days after the end of the provision of the Bill.com Service, Bill.com will delete or de-identify Personal Data except for (i) back-ups deleted in ordinary course, and (ii) retention as required for legal, regulatory, and compliance purposes. In the event of either (i) or (ii), Bill.com will continue to comply with the relevant provisions of this DPA until such data has been deleted.

11.   Additional Provisions for California Personal Information

11.1   Scope. This Section will apply only with respect to California Personal Information, if applicable to the Bill.com Services.

11.2   Roles of the Parties. With respect to California End Customer Data, Bill.com is a “Service Provider” as that term is defined in the CCPA. With respect to all other California Personal Information, the parties acknowledge and agree that they are each a “Business” as that term is defined in the CCPA.

11.3   Responsibilities. The parties agree that their respective Processing of California Personal Information under the Agreement will be consistent with the requirements of the CCPA. Bill.com will collect, use, and share California Personal Information as set forth in its Privacy Notice.

12.   Additional Provisions for European Data

12.1   Scope. This Section will apply only with respect to European Data, if applicable to the Bill.com Services.

12.2   Definitions. For the purposes of this section 12 these terms are defined as follows:

12.3   “Standard Contractual Clauses” means, depending on the circumstances unique to any particular Customer, any of the following:

12.3.1   “EU SCCs” which are Standard Contractual Clauses approved by the European Commission in decision 2021/914.

12.3.2   “UK SCCs” which are the template Addendum issued by the Information Commissioner’s Office (ICO) and laid before Parliament in accordance with S119A(1) of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18.

12.4   Roles of the Parties. With respect to European End Customer Data, Bill.com is a Processor for purposes of European Data Protection Law. With respect to all other European Data, the parties acknowledge and agree that they are each a Controller for purposes of European Data Protection Law and that they act as independent Controllers with respect to Personal Data Processed as part of the services.

12.5   Cooperation. The parties agree to provide each other with commercially reasonable assistance with any data protection impact assessments or prior consultations with supervisory authorities or other competent data privacy authorities to the extent required by European Data Protection Laws.

12.6   Cross Border Transfer Mechanisms. If provision of the Bill.com Service will require transfer of European Data outside of Europe to countries which are not recognized by the European Commission as providing an adequate level of protection of Personal Data, the parties acknowledge and agree that such transfers will be made pursuant to the transfer mechanisms set forth below.

12.6.1   EU SCC-Module One (Controller to Controller) will apply where Bill.com is processing European Data as a Controller.

12.6.2   EU SCC-Module Two (Controller to Processor) will apply where Customer is a Controller of European Customer Data and Bill.com is a Processor of European Data.

12.6.3   EU SCC-Module Three (Processor to Processor) will apply where Customer is a Processor of European Customer Personal Data and Bill.com is a Sub-Processor of European Data. For each module, where applicable:

12.6.4   in Clause 7, the optional docking clause will not apply;

12.6.5   in Clause 9, Option 2 will apply, and the process for providing notice and the time period for objections of sub-processor changes will be as set forth in Section 12.8 (Subcontractors) of this DPA;

12.6.6   in Clause 11, the optional language will not apply;

12.6.7   in Clause 17, the EU SCCs will be governed by the laws of Ireland.

12.6.8   in Clause 18(b), disputes will be resolved before the courts of Ireland.

12.7   In Annex I, Part A–List of Parties:

Data Exporter: Customer and their authorized Affiliates

Contact Details: Customer’s account owner email address, or the email address(es) for which Customer elects to receive privacy communications.

Data Exporter Role: The Data exporter’s role is outlined in Section 12.4 of this DPA.

Signature & Date: By entering into the DPA, Data exporter is deemed to have signed these SCCs incorporated herein, including their Annexes, as of the Effective Date.

Data Importer: Bill.com

Contact Details: Bill.com Privacy - privacy@hq.bill.com

Data Importer Role: The Data importer’s role is outlined in Section 12.4 of this DPA.

Signature & Date: By entering into the DPA, Data importer is deemed to have signed these SCCs, incorporated herein, including their Annexes, as of the Effective Date.

12.8   In Annex I, Part B–Description of Transfer

12.8.1   Categories of Data Subjects: Categories of data subjects may include exporter’s customers, employees and other business contacts.

12.8.2   Categories of Personal Data: Categories of personal data may include name, amount to be charged, date/time, bank account details, payment card details, CVC code, post code, country code, address, email address, fax, phone, website, card expiry date, shipping details, tax status, unique customer identifier, IP Address, location, and any other data received by Bill.com under the Agreement.

Sensitive Data: Collection and processing of Sensitive Data is not required in connection with the provision of the Bill.com Service and Bill.com does not intentionally collect or process Sensitive Data. Customers will not provide or cause to be provided any Sensitive Data to Bill.com for processing under the Agreement, and Bill.com will have no liability whatsoever for Sensitive Data, whether in connection with a Personal Data Breach or otherwise. As used herein, “Sensitive Data” means Personal Data (i) revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, (ii) that is genetic data, biometric data processed for the purposes of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation, (iii) relating to criminal convictions and offences; or (iv) any other information or combinations of information that falls within the definition of “special categories of data” under GDPR or any other applicable law or regulation relating to privacy and data protection.

12.8.3   Frequency of Transfer: Transfers may be continuous for the duration of the Agreement.

12.8.4   Nature of Processing: The nature of processing is as set forth in the Agreement to provide the Bill.com Service.

12.8.5   Purposes of the Data Transfer and Further Processing: The purpose of transfer may include performance of Bill.com Service, fraud detection, compliance with applicable laws, and any other purpose set forth in this DPA.

12.8.6   Subcontractors. Notwithstanding the provisions of section 8, Customer provides Bill.com with general authorization to engage Subcontractors to process European End Customer Data on Customer’s behalf. Upon Customer’s request, Bill.com will provide a list of Subcontractors processing European Data consisting of End Customer Data. If Customer objects to the appointment of a Subcontractor, it must notify Bill.com within thirty (30) days of such notice and work in good faith with Bill.com to find an alternative solution.

12.8.7   Data Retention Period: The data importer will retain the data as described in section 10 of this DPA.

12.9   In Annex I, Part C-Supervisory Authority. In accordance with Clause 13(a) of the EU SCCs, the supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated, shall act as competent supervisory authority. Where the data exporter is not established in an EU Member State, but falls within the territorial scope of the GDPR pursuant to Article 3(2) and has appointed a representative pursuant to Article 27 of the GDPR, the supervisory authority of the Member State where the representative is established shall act as the competent supervisory authority. Where the data exporter is not established in an EU Member State, but falls within the territorial scope of the GDPR pursuant to Article 3(2) and has not appointed a representative pursuant to Article 27 of the GDPR, the Irish Data Protection Commission shall act as the competent supervisory authority. Where the data exporter is established in the UK, the Information Commissioner’s Office shall act as the competent supervisory authority.

12.10   In Annex II, Technical and Organizational Measures to Ensure The Security of Data. Bill.com will maintain administrative, physical, and technical safeguards to protect the confidentiality, integrity, and security of Personal Data as set forth in sections 3 and 5 of this DPA.

12.11   With respect to transfers of Personal Data protected by the UK GDPR, the EU SCCs will apply as set forth herein, with the following modifications:

12.11.1   Any references in the EU SCCs to "Directive 95/46/EC" or "Regulation (EU) 2016/679" shall be interpreted as references to the UK GDPR; references to specific articles of "Regulation (EU) 2016/679" are replaced with the equivalent Article or Section of UK GDPR;

12.11.2   References to "EU", "Union" and "Member State law" are all replaced with "UK"; Clause 13(a) and Part C of Annex I of the EU SCCs are not used; references to the "competent supervisory authority" and "competent courts" shall be interpreted as references to the Information Commissioner and the courts of England and Wales;

12.11.3   Clause 17 of the EU SCCs is replaced to state that "The Clauses are governed by the laws of England and Wales" and Clause 18 of the EU SCCs is replaced to state "Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts."

13.   General Provisions

13.1   Amendments. Subject to section 19 of the Terms of Service, Bill.com may, in its sole discretion, modify, change or terminate this DPA as Bill.com reasonably determines is necessary to address the requirements of applicable Data Protection Laws.

13.2   Severability. If any individual provision of this Addendum is determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this Addendum will not be affected.

13.3   Indemnity. The indemnities arising out of or related to this Addendum are limited to those indemnities stated in the Agreement.

13.4   Limitation of Liability. Bill.com’s liability arising out of or related to this Addendum is subject to the provisions on limitation of liability stated in the Agreement.

13.5   Order of Precedence. With regard to the subject matter of this Addendum, in the event of inconsistencies or conflicts between this Addendum and the Agreement, the provisions of this Addendum will control. All other provisions of the Agreement apply to this Addendum.