Chargebee Data Processing Addendum

Effective Date: Jan 20th, 2020

Please read this Data Processing Addendum ("DPA") carefully, as it forms a contract between You and CHARGEBEE INC. ("Us"). As referenced in Our Terms of Service at https://www.chargebee.com/company/terms/ or in any services agreement between You and Us ("Terms"), this DPA will apply where the Group Companies Process Personal Data on Your behalf. The capitalized terms used in this DPA but not defined herein shall have the same meaning as defined in the Terms. In the event of a conflict between this DPA and the Terms, this DPA shall prevail. In the event of any conflict between the terms of this DPA and the EU Standard Contractual Clauses, the terms of the EU Standard Contractual Clauses shall prevail. This DPA shall continue to be in full force and effect for the duration of Your Subscription(s) and shall cease automatically thereafter. For queries, please contact Us at [email protected]

1. Definitions

"Applicable Data Protection Law" means all laws and regulations applicable to the Processing of Personal Data under this DPA, including laws and regulations of the United States, the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, including the California Consumer Privacy Act ("CCPA"), the GDPR and any applicable national laws made under it where You are established in the European Economic Area; and the Swiss Federal Act of 19 June 1992 on Data Protection (as may be amended or superseded) where You are established in Switzerland.

"Controller", "Processor", "Data Subject", "Personal Data Breach", "Processing" or similar terms shall have the meanings given under Applicable Data Protection Law.

"GDPR" means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

"Personal Data" shall have the meaning given under Applicable Data Protection Law and is limited to that Personal Data We Process as part of Service Data.

"EU Standard Contractual Clauses" means the standard contractual clauses (for Processors) in the form set out in the Annex of European Commission Decision 2010/87/EU, as amended or updated from time to time.

"Sub-processor" means any Processor engaged by Us.

"Technical and Organisational Security Measures" / "TOMS" means the appropriate technical and organisational measures as set forth in Schedule B (TOMS) of this DPA, aimed at protecting Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the Processing involves the transmission of Service Data over a network, and against all other unlawful forms of processing.

2. Processing Of Personal Data

2.1 The Parties acknowledge and agree that with regard to the Processing of Personal Data, You may be either the Controller or the Processor of the Personal Data. Where You are the Controller, We are the Processor and where You are a Processor, We acknowledge that We will be Your sub-processor. We will further engage Sub-processors pursuant to the requirements set forth in Section 5 (Sub-processors) below.

2.2 Processing of Personal Data by You. You shall, in Your use of the Services, Process Personal Data in accordance with the requirements of Applicable Data Protection Law. Further, Your instructions for the Processing of Personal Data shall comply with Applicable Data Protection Law. You shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which You acquired Personal Data.

2.3 Processing of Personal Data by Us. We shall Process the Personal Data solely as necessary to perform Our obligations and strictly in accordance with Your documented instructions and in accordance with Applicable Data Protection Law for the following purposes: (i) Processing in accordance with the Terms and this DPA; (ii) Processing initiated by Users and/or End-Customers in their use of the Services; and (iii) Processing to comply with Your other documented reasonable instructions (including via email) where such instructions are consistent with the Terms. We shall immediately inform You in writing if, in Our opinion, an instruction infringes Applicable Data Protection Law in the European Union (“EU”). We shall not be liable for any losses, fines, costs, penalties, damages, etc., arising from or in connection with any processing in accordance with Your instructions following Your receipt of any information provided by Us in accordance with the foregoing sentence. We shall provide reasonable assistance to You to assist You in complying with Articles 32 to 26 of the GDPR. We shall make available to You all information necessary to demonstrate compliance with this DPA and upon prior written notice, allow for and contribute to audits, including to inspections, by You or another auditor mandated by You for this purpose.

2.4 Details of the Processing. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and the categories of Data Subjects Processed under this DPA are further specified in Schedule A (Details of the Processing) of this DPA.

3. Rights Of Data Subjects

3.1 We shall, to the extent legally permitted, promptly notify You if We receive a request from a Data Subject to access, correct or delete their Personal Data or if a Data Subject objects to the Processing thereof ("Data Subject Request"). We shall not respond to a Data Subject Request without Your prior written consent, except to confirm that such request relates to You, to which You hereby agree. To the extent You, in Your use of the Services, do not have the ability to address a Data Subject Request, We shall upon Your request provide commercially reasonable assistance to facilitate such Data Subject Request to the extent We are legally permitted to do so and provided that such Data Subject Request is exercised in accordance with Applicable Data Protection Law. To the extent legally permitted, You shall be responsible for any reasonable costs arising from Our provision of such assistance.

4. Our Personnel

4.1 We shall ensure that Our personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements addressing relevant obligations regarding confidentiality, data protection and data security. We shall ensure that such confidentiality obligations survive the termination of the personnel engagement.

5. Sub-processors

5.1 You hereby grant a general authorization: (a) to Us to appoint other members of Our Group Companies as Sub-processors, and (b) to Us and other members of Our Group Companies to appoint any other third party as Sub-processors to support the performance of the Services.

5.2 We will maintain a list of Sub-processors on the https://www.chargebee.com/privacy/sub-processors/ website and will add the names of Sub-processors to the list. If You have a reasonable objection to any new or replacement Sub-processor, You shall notify Us of such objections in writing within ten (10) days of the change in the list and the Parties will seek to resolve the matter in good faith. If You do not provide a timely objection to any new or replacement Sub-processor in accordance with this Section 5.2, You will be deemed to have consented to the Sub-processor and waived Your right to object. Where We use a Sub-processor, We shall ensure that We have in place a written contract with that Sub-processor applying essentially the same data protection terms as are set out in this DPA.

5.3 Except as otherwise set forth in the Terms, We shall be liable for the acts and omissions of the Sub-processors to the same extent We would be liable if We were performing the services of each Sub-processor directly under the terms of this DPA.

6. Security Reports & Audits

6.1 Controls for the protection of Service Data. We shall maintain appropriate TOMS for the protection of the Service Data from a Personal Data Breach. We regularly monitor compliance with these measures.

6.2 Third-Party Certifications and Audits. We have obtained third-party certifications and audits. Upon Your written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Terms, We may share a copy of Our most recent third-party audit reports or certifications, as applicable.

6.3 Determination of Security Requirements. You acknowledge that the Services include certain features and functionalities that You may elect to use that impact the security of the data processed by Your use of the Services, such as, but not limited to, encryption of custom fields and the availability of multi-factor authentication on Your Account. You are responsible for properly configuring the Services and using available features and functionalities to maintain appropriate security in light of the nature of the data processed by Your use of the Services. You can subscribe to new feature notifications at https://www.chargebee.com/help/updates/.

6.4 Personal Data Breach Notification. We shall, to the extent permitted by law, notify You of any Personal Data Breach no later than seventy-two (72) hours from the time We become aware of the Personal Data Breach. To the extent such Personal Data Breach is caused by a violation of the requirements of this DPA by Us, We shall make reasonable efforts to identify and remediate the cause of such Personal Data Breach. We shall provide You reasonable assistance in the event You are required under Applicable Data Protection Law to notify a supervisory authority or any Data Subjects of the Personal Data Breach.

7. Deletion Of Personal Data

7.1 We shall delete Personal Data forming part of the Service Data after one hundred and twenty (120) days from the date of termination of the Account. You understand that Personal Data, once deleted, cannot be recovered.

8. International Data Transfer Mechanism

8.1 To the extent that We Process any Personal Data originating from the European Economic Area ("EEA") in a country that has not been designated by the European Commission as providing an adequate level of protection for Personal Data, the Personal Data shall be deemed to have adequate protection (within the meaning of European Union Data Protection Legislation) in the following order of precedence: (1) by virtue of Our self-certification to the Privacy Shield Framework, in which case We shall agree to apply the Privacy Shield Principles when transferring any EEA, UK or Swiss Personal Data to the U.S. under this DPA; and, where (1) does not apply, (2) the EU Standard Contractual Clauses, which are incorporated by reference and form an integral part of this DPA. Purely for the purposes of the descriptions in the EU Standard Contractual Clauses and only as between You and Us, You agree that You are the "data exporter" and We are the "data importer" under the EU Standard Contractual Clauses (notwithstanding that You may be located outside the EEA and may yourself be a Processor acting on behalf of third-party Controllers). Further, Schedules A and B of this DPA will take the place of Appendixes 1 and 2 of the EU Standard Contractual Clauses, respectively.

9. CCPA Obligations

9.1 You acknowledge and agree that You are the Business and We are the Service Provider with respect to Personal Information of Consumers (as those terms are understood under the CCPA) disclosed by You to Us forming part of Service Data.

9.2 We will not sell, retain, use, or disclose Personal Information of Consumers that We process on Your behalf when providing the Services under the Terms for any purpose other than for the specific purpose of providing the Services in accordance with the Terms and as part of the direct relationship between You and Us.

9.3 We certify that We understand the restrictions in Section 9.2 above and will comply with such restrictions.

9.4 You acknowledge and agree that You shall be responsible for providing the required notice to Consumers with respect to sharing their Personal Information with Us.

9.5 We shall provide reasonable cooperation to assist You in responding to any requests from individuals or applicable data protection authorities relating to the processing of Personal Information under the Terms and/or this DPA when You are required to respond to such requests under Applicable Data Protection Law. In the event that any such request is made directly to Us, We shall not respond to such communication directly without Your prior authorization, unless legally compelled to do so.

Schedule B – Technical and Organisational Security Measures

We have implemented and shall maintain a security program in accordance with industry standards. We have implemented and will maintain appropriate TOMS to protect Service Data from a Personal Data Breach. Measures to protect Service Data from a Personal Data Breach are described at https://www.chargebee.com/security/.