Data Processing Agreement

Last updated: July 17, 2022

This Data Processing Agreement (“Agreement”) is incorporated into and forms an integral part of the Terms of Service (“Terms”) as concluded by and between User (as defined in the Terms) and Clerk, Inc. and is effective upon its incorporation into the Terms, which may be specified in the Terms or a service order. This Agreement on the processing of personal data (as defined below) on behalf of a controller in accordance with Article 28 (3) of the EU General Data Protection Regulation (GDPR) will apply to any and all processing of personal data by Clerk in its capacity as processor of personal data on behalf of User.

To the extent that a User is a “business” subject to California Civil Code § 1798.100 et seq. of the California Consumer Privacy Act of 2018 (“CCPA”), § 8 of this Addendum also details additional obligations under the CCPA (as defined below).

1. Interpretation

(1) In this Addendum:

“CCPA” means the California Consumer Privacy Act of 2018;

“Data” means the personal data processed by Clerk on behalf of the User in connection with the Services as more specifically set out in Exhibit 1;

“Data Protection Acts” means the Data Protection Acts 1988-2018 of Ireland;

“Data Protection Law” means all legislation and regulations relating to the protection of personal data including (without limitation) the Data Protection Acts, the GDPR and all other statutory instruments, statutory industry guidelines or codes of practice or guidance issued by the Data Protection Commission relating to the processing of personal data or privacy;

“GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679);

“List of Subprocessors” means the list of subprocessors with whom Clerk engages in the context of the provision of the Services. For access to a full list of subcontractors, please reach out to the contact information at the bottom of this document. The List of Subprocessors may be amended, supplemented or substituted by Clerk in its absolute discretion from time to time;

“Permitted Third Party Service Provider” means a third party service provider listed in the List of Subprocessors or otherwise approved by the User from time to time;

“Personnel” means those servants, officers, employees, agents, or contractors of Clerk to whom disclosure of Data is necessary for the provision of the Services and who are appropriately trained in and committed to data security and confidentiality;

“Service” or “Services” means the services to be provided by Clerk to the User as defined in the Terms; and “Terms” means the Clerk Terms at https://clerk.com/terms/ as may be amended from time to time.

(2) Construction: In this Addendum, unless the contrary intention is stated, a reference to:

  • (a) ‘data controller’, ‘data processor’, ‘data subject’, ‘personal data’, ‘processing’, and ‘appropriate technical and organisational measures’ will have the meanings given to them in Data Protection Law;
  • (b) the singular will include the plural and vice versa;
  • (c) either gender includes the other and the neuter, and vice versa;
  • (d) a person will be construed as a reference to any individual, firm or User, corporation, governmental entity or agency of a state or any association or partnership (whether or not having separate legal personality) or two or more of the foregoing;
  • (e) a person includes that person’s legal personal representatives, successors, and permitted assigns;
  • (f) time will be construed by reference to whatever time may from time to time be in force in Ireland;
  • (g) any agreement, document, or instrument is to the same as amended, novated, modified, supplemented, or replaced from time to time;
  • (h) ‘this Addendum’ means the Clauses of, and the Exhibits to, this Addendum, all of which will be read as one document;
  • (i) a clause or other provision is a reference to a clause or provision of this Addendum, and any reference to a sub provision is, unless otherwise stated, a reference to a sub provision of the provision in which the reference appears;
  • (j) ‘including’ means comprising, but not by way of limitation to any class, list or category;
  • (k) a law includes any provision of any constitution, statute, statutory instrument, order, by-law, directive, regulation or decision of any governmental entity, and any judicial or administrative interpretation of any of the foregoing, in each case, as amended, revised, modified, or replaced from time to time; and
  • (l) ‘writing’ will include a reference to any electronic mode of representing or reproducing words in visible form.

2. Personal Data Types and Processing Purposes

(1) The User and Clerk agree and acknowledge that for the purpose of Data Protection Law and in relation to the Data:

  • (a) the User is the controller and Clerk is the processor.
  • (b) the User remains responsible for its compliance obligations as controller of the Data under Data Protection Law, including providing any required notices and securing a lawful basis for the processing of the Data, and for the written processing instructions it gives to Clerk.
  • (c) Exhibit 1 describes the subject matter, nature and purpose of the processing, and the categories of Data and data subjects in respect of which Clerk may process the Data for the purposes of providing the Services.

(2) The User undertakes not to provide (or cause to be provided) to Clerk any information that falls within the definition of “special categories of data” under Data Protection Law or an equivalent category of personal data in any other applicable law relating to privacy and data protection, and Clerk will not be liable to the User or to a data subject for any losses arising out of or in relation to its processing of special categories of personal data provided to it in breach of this Addendum.

(3) Except where this Addendum stipulates obligations beyond the duration of the Services, the term of this Addendum will be the term of the provision of the Services by Clerk to the User plus any period of retention required for backup, disaster recovery, or other purposes as stipulated in Clerk's Data Retention Policy.

3. Scope of application

(1) The User’s written instructions in relation to the processing of the Data will, initially, be as required for the provision of the Services and set out in the Terms. The User may, subsequently, request the modification, amendment, or substitution of such written instructions by issuing a written request to the Clerk Data Protection Officer. For the avoidance of doubt, such written requests will relate strictly to the processing (within the meaning of Data Protection Law) of the Data only and will not include customer or Service support requests or similar.

4. Clerk's Obligations

(1) Clerk undertakes and agrees with the User that:

  • (a) it will only process:
    • Data strictly in accordance with the documented instructions of the User;
    • Data in accordance with the nature and purpose of the processing set out in Exhibit 1;
    • the minimum volume of Data which is strictly necessary for the performance of the Services;
  • (b) any Processing of Data by Clerk will be carried out in full compliance with Data Protection Law;
  • (c) it will inform the User as soon as practicable if, in its opinion, it receives an instruction from the User which infringes Data Protection Law; and
  • (d) it will disclose Data only to those members of its Personnel to whom such disclosure is necessary for the exercise of its rights, and performance of its obligations, under this Addendum and the Terms, and will procure that such persons are made aware of, and agree to observe the obligations of confidentiality in §4(2) and security in §4(4).

(2) Clerk will maintain the confidentiality of the Data and will not disclose the Data to third parties unless the User, this Addendum, or the Terms specifically authorise the disclosure, or as required by Data Protection Law, other applicable law, court, or regulator (including but not limited to the Data Protection Commission of Ireland, Federal Commissioner for Data Protection and Freedom of Information and Berliner Beauftragter für Datenschutz und Informationsfreiheit). If applicable law, court, or regulator (including but not limited to the Data Protection Commission of Ireland, Federal Commissioner for Data Protection and Freedom of Information and Berliner Beauftragter für Datenschutz und Informationsfreiheit) requires Clerk to process or disclose the Data to a third-party, Clerk will, where appropriate, endeavour to inform the User of such legal or regulatory requirement and give the User an opportunity to object or challenge the requirement, unless the applicable law prohibits the giving of such notice.

(3) Clerk will reasonably assist the User, at the User’s expense, with meeting the User’s compliance obligations under the Data Protection Law, taking into account the nature of Clerk's processing and the information available to Clerk, including in relation to data subject rights, data protection impact assessments and reporting to and consulting with the Data Protection Commission of Ireland under Data Protection Law.

(4) Clerk will implement appropriate security measures to prevent accidental or unauthorised loss, destruction, damage, alteration, disclosure, or unlawful or unauthorised access to any Data in the custody of Clerk, and Clerk will ensure that its Personnel are aware of and comply with those measures.

(5) Clerk will promptly after becoming aware of it notify the User of any unauthorised access to, or unauthorised use, alteration, disclosure, accidental loss or destruction of, any Data in the custody of Clerk (each a “data breach”). In the event of any data breach, Clerk will:

  • (a) take prompt action to investigate the cause of the data breach;
  • (b) at the User’s expense, promptly, assist the User in complying with its obligations under Articles 32 to 36 of the GDPR.

(6) Clerk will promptly notify the User of any request from a data subject to exercise any of his or her rights under Data Protection Law or any complaint from any data subject. Clerk will not accede to any such request or deal with any complaint except on the written instructions of the User. Clerk will, upon the User’s request and at the User’s expense, and taking into account the nature of the processing, assist the User by appropriate technical and organisational measures, for the fulfilment of the User’s obligation to respond to requests for exercising the data subject’s rights under Data Protection Law.

(7) Clerk will make available to User, upon request and on at least 14 calendar days’ written notice such information as may be reasonably necessary to demonstrate compliance with its obligations hereunder and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller. The above notice period will apply in all instances, except where the User reasonably believes that a personal data breach occurred or is occurring, in which case a 72 hours’ notice period will apply.

(8) Upon termination of the Services, Clerk will, upon the request of the User, immediately destroy all Data (except for one copy that it may retain and use for backup, disaster recovery, and business continuity purposes) and will certify such destruction in writing to the User on request from time to time.

5. Permitted Third Party Service Providers

(1) Clerk will be permitted to subcontract processing of Data to Permitted Third Party Service Providers provided that Clerk will remain responsible for all acts and omissions of a Permitted Third Party Service Provider and the acts and omissions of those employed or engaged by it as if they were its own. An obligation on Clerk to do, or to refrain from doing, any act or thing will include an obligation on Clerk to procure that its Personnel and the personnel of each Permitted Third Party Service Provider also do, or refrain from doing, such act or thing.

(2) Clerk may authorise additional or substitute third parties (subcontractors) to process the Data as Permitted Third Party Service Providers and amend the List of Subprocessors if the User is provided with an opportunity to object to the appointment of each new Permitted Third Party Service Provider within 14 calendar days after Clerk supplies the User with details regarding such new Permitted Third Party Service Provider. For the avoidance of doubt, User’s only remedy in case of objection to the appointment of a new Permitted Third Party Service Provider is to cancel its subscription with effect from the day before the day on which the additional or substitute Permitted Third Party Service Provider is appointed by notice in writing to Clerk as set out in the Terms.

(3) Where access to the Data by a Permitted Third Party Service Provider constitutes an international data transfer, User authorises Clerk to put in place such transfer mechanisms as may be required for the lawful execution of the transfer of Data in the User’s name and on its behalf, including entering into standard contractual clauses. Clerk will make the executed transfer instrument available to the User on request.

6. User’s Representations and Warranties

(1) The User represents and warrants to Clerk, on a continuing basis for the duration of the Services that:

  • (c) a lawful basis for the processing of the Data, including but not limited to all consents, if required, for the processing of all the Data by Clerk in the manner contemplated by the Services have been validly obtained and are in full force and effect;
  • (d) User has complied with all of its obligations (however arising) in respect of all the Data; and
  • (e) the processing by Clerk of the Data in the manner contemplated by the Services, the Terms, and this Addendum will not infringe the rights of any person under Data Protection Law in any jurisdiction other than Ireland.

7. Liability

(1) The limitation of liability provisions contained in the Terms will apply to any liability on the part of Clerk arising out of or in relation to the processing of Data as set out in this Addendum.

8. California Consumer Privacy Act

(1) Where User is a “business” subject to California Civil Code, § 1798.100 et seq. of the CCPA, the provisions in this § 8 of this Addendum will apply in addition to the provisions in §§ 1 – 7 of this Addendum and the Terms with respect to the processing of Personal Data of any Data Subjects who are “consumers” or “households” under the CCPA.

(2) Any references to “Personal Data” in this Addendum or the Terms will also mean any information describing, capable of being associated with, or reasonably linkable, directly or indirectly, to Data Subjects, including “personal information” as that term is defined in the CCPA; in the context of this Addendum, Personal Data also includes information relating to or describing an identified or identifiable household, when required by Applicable Data Protection Law.

(3) Any references to “Data Processor” in this Addendum will also mean Clerk in its role as “service provider” as that term is defined in the CCPA, with respect to the processing of Personal Data of Data Subjects.

(4) Any references to “Applicable Data Protection Law” in this Addendum will also include California Civil Code § 1798.100 et seq. of the CCPA.

(5) As a service provider, Clerk will not retain, use, or disclose Personal Data for any purpose other than as set out in the Terms or as otherwise permitted by the CCPA.

(6) User will not instruct Clerk to process or disclose Personal Data for any purpose other than as set out in the Terms, this Addendum (as applicable, and where executed by both parties), or as otherwise agreed in writing between Clerk and User, or as otherwise permitted by the CCPA and other Applicable Data Protection Law.

(7) Clerk will not sell Personal Data provided by User through the use of the Services.

(8) Clerk will not release, disclose, disseminate, make available, transfer, or otherwise communicate Personal Data provided in Data provided by User through the use of Clerk's services to any third party. However, Clerk may disclose the Personal Data to its own Subcontractors (which are service providers as defined in the CCPA) where Clerk has (i) carried out due diligence on each service provider; and (ii) included terms in the contract between Clerk and each service provider that are substantially consistent with those set out in this Addendum.

9. General

(1) If the whole or any part of a provision of this Addendum is or becomes illegal, invalid or unenforceable under the law of any jurisdiction, that will not affect the legality, validity, or enforceability under the law of that jurisdiction of the remainder of the provision in question or any other provision of this Addendum and the legality, validity, or enforceability under the law of any other jurisdiction of that or any other provision of this Addendum.

(2) This Addendum and all of its provisions will be binding upon and inure to the benefit of the parties and their respective heirs, executors, administrators, successors, and permitted assigns.

(3) The expiry or termination of this Addendum however caused will not affect any provision of this Addendum which is expressly or by implication to come into effect on or to continue in effect after such termination, each of which will survive any such termination.

(4) Clerk will not be liable in contract, tort or otherwise howsoever for any of the following losses or damage (whether or not such loss or damage was foreseen, foreseeable, known or otherwise): (i) loss of revenue, (ii) loss of actual or anticipated profits, (iii) loss of contracts, (iv) loss of the use of money, (v) loss of anticipated savings, (vi) loss of business, (vii) loss of opportunity, (viii) loss of goodwill, (ix) loss of reputation, (x) loss of, damage to, or corruption of data, or (xi) any indirect or consequential loss howsoever caused (including, for the avoidance of doubt, whether such loss or damage is of a type specified in sub-clauses (i) to (x) above) whether arising out of, or in connection with this Addendum provided that nothing in this Addendum will exclude or limit Clerk's liability under the tort of deceit or for death or personal injury, or any other liability to the extent that, under applicable law, it cannot be excluded or limited.

(5) The express terms of this Addendum and the Terms constitute the sole and entire agreement between the parties in relation to the processing of Data by Clerk as a processor on behalf of the User and supersede all prior written and oral arrangements, understandings, representations, warranties and agreements between them in that regard (if any). In case of conflict between the terms of this Addendum and the Terms in relation to Clerk's processing of Data, the terms of this Addendum will prevail.

(6) Clerk reserves the right to make any updates or changes to this Addendum at any time in its sole discretion, provided that such updates or changes do not violate applicable Data Protection Law or adversely impact the security of Data or other fundamental rights of the User.

(7) By agreeing to the Terms, the parties are deemed to have duly executed this Addendum as of the Effective Date of the Terms.

Exhibit 1 – Details of Contract Processing

This Exhibit 1 includes certain details of the Data as required by Article 28(3) GDPR.

The types of User Personal Data to be Processed

  • First and last name;
  • Title;
  • Position;
  • Employer;
  • Contact information (company, email, phone, physical business address);
  • Invoice and transaction history;
  • Details of the methods the data subject uses to make payments (See Note 1);
  • Arbitrary data which the Controller may input into Clerk, and which is associated with a Data Subject – (See Note 2)

Notes

(1) This does not include sensitive payment information such as credit card numbers, expiry dates, CVC codes or bank account details.

(2) Clerk provides the capability for its Users to associate any data they wish with a data subject, utilizing our API. Clerk does not and cannot ascertain what the content or purpose of this data actually is. The User is forbidden from providing special categories of data.

Categories of data subjects

  • Customers;
  • Prospective customers;
  • Employees;
  • Contacts

Nature of the processing

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

10. Contact Us

If you have any questions or comments about this Data Processing Agreement, the ways in which we collect and use your Personal Data or your choices and rights regarding such collection and use, please do not hesitate to contact us at: support@clerk.dev.

If you are located in the European Union, you may use the following information to contact our European Union-Based Member Representative:

VeraSafe Ireland Ltd.
Unit 3D North Point House
North Point Business Park
New Mallow Road
Cork T23AT2P
Ireland