Data Processing Addendum
Last Modified: 04 April 2025
This Data Processing Addendum (“DPA”) is between Tipalti and its Customer, each a “Party” and collectively the “Parties”, and is incorporated into the Tipalti Services Agreement or other agreement between the Parties under which Tipalti has agreed to provide services to Customer (“Agreement”). By agreeing to the underlying Agreement, Customer accepts this DPA governing the Processing of Personal Data subject to Data Protection Laws (as such terms are defined below). This DPA takes precedence over the Agreement between the Parties to the extent of any conflict.
Customer and Tipalti agree as follows:
1. Definitions. Capitalized terms not defined herein are defined in the Agreement. For purposes of this DPA:
1.1 “Data Protection Laws” means applicable laws, regulations, and other legally binding requirements relating to privacy, data security, or the Processing of Personal Data, including, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”); the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”); and the United Kingdom Data Protection Act of 2018 (“UK GDPR”), as each may be amended from time to time. Unless specified otherwise, references to “Data Protection Laws” herein mean Data Protection Laws that are applicable in a given situation.
1.2 “Data Subject” means an identified or identifiable natural person to whom Personal Data relates, and is deemed to also refer to “consumer” as defined in Data Protection Laws.
1.3 “EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj and completed as set forth herein.
1.4 “Personal Data” includes “personal data,” “personal information,” “personally identifiable information,” and analogous terms, as defined by applicable Data Protection Laws, that Customer submits to the Services and that Tipalti Processes on behalf of Customer under the Agreement to provide the Services to Customer.
1.5 “Process” and its cognates “Processing,” “Processed,” etc. mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
1.6 “Security Breach” means any unauthorized or unlawful acquisition, destruction, loss, alteration, disclosure of, or access to, Personal Data.
1.7 “Services” means the services that Tipalti provides to Customer pursuant to the Agreement.
1.8 “Subprocessor” means any third party that Tipalti engages to Process Personal Data.
1.9 “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner’s Office, located at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf and completed as set forth herein.
1.10 The terms “Business,” “Controller,” “Processor,” and “Service Provider” are defined as in Data Protection Laws. “Controller” is deemed to also refer to “Business,” and “Processor” is deemed to also refer to “Service Provider.”
2. Roles of the Parties; Scope and Purposes of Processing.
2.1. This DPA applies to Personal Data that Tipalti Processes on behalf of Customer under the Agreement. Customer shall obtain and maintain any and all required legal bases to collect, Process and transfer the Personal Data to Processor and to authorize the Processing of the Personal Data by Processor in accordance with this DPA.
2.2. To the extent that Customer is the Controller of Personal Data, Tipalti is its Processor. To the extent that Customer is a Processor of Personal Data, Tipalti is its subprocessor.
2.3. Tipalti will Process Personal Data: (1) on Customer’s behalf; (2) to fulfill its obligations to Customer under the Agreement, including this DPA; and (3) in compliance with Data Protection Laws. Tipalti will Process Personal Data to provide the Services to Customer under the Agreement for the following business purposes: (a) maintaining and servicing Customer’s account; (b) conducting accounts payable operations, including enabling payments to payees; (c) managing invoices, including processing and approvals; (d) managing vendor procurement and onboarding; (e) providing analytics or auditing; (f) debugging and ensuring the security and integrity of the Services; (g) improving and enhancing the Services; and (h) as otherwise set forth in the Agreement.
2.4. Customer may take reasonable and appropriate steps to (1) ensure that Tipalti Processes Personal Data in a manner consistent with Data Protection Laws, and (2) upon written notice, stop and remediate unauthorized Processing of Personal Data that is not permitted by this DPA.
3. Personal Data Processing Requirements.
3.1. Tipalti will, except as expressly authorized under Data Protection Laws:
(1) Not retain, use, or disclose Personal Data outside of the direct business relationship between Customer and Tipalti, or for any purpose (including any commercial purpose) not set forth in this DPA.
(2) Not “sell” or “share” any Personal Data, or use Personal Data for purposes of “cross-context behavioral advertising,” as such terms are defined in Data Protection Laws in the United States.
(3) Comply with applicable restrictions under Data Protection Laws on combining Personal Data with personal data that Tipalti receives from, or on behalf of, another person or persons, or that Tipalti collects from any interaction between it and any individual.
(4) Ensure that the persons it authorizes to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(5) To the extent required by Data Protection Laws, provide Customer with reasonable assistance and cooperation for the fulfillment of Customer’s obligations under Data Protection Laws, including Customer’s obligation to (A) respond to requests by Data Subjects (or their lawful representatives) to exercise their rights under Data Protection Laws with regard to their Personal Data; (B) perform any required data protection impact assessment for Processing of Personal Data; and (C) consult with regulatory authorities in relation to the Processing of Personal Data. Except where prohibited by applicable law, Tipalti will notify Customer of any Data Subject or government requests regarding Tipalti’s Processing of Personal Data on Customer’s behalf, and except as prohibited by applicable law will await written instructions from Customer on how, if at all, to assist in responding. Customer will pay Tipalti’s costs in providing assistance and carrying out any request under this Section.
(6) Notify Customer if Tipalti determines that (A) it can no longer meet its obligations under this DPA or Data Protection Laws; or (B) in Tipalti’s opinion, an instruction from Customer infringes Data Protection Laws.
4. Data Security. Tipalti will implement appropriate administrative, technical, physical, and organizational measures to protect Personal Data, as set forth in Exhibit B. Tipalti will provide the same level of protection for Personal Data as is required under applicable Data Protection Laws.
5. Security Breach. Tipalti will notify Customer of any known Security Breach after becoming aware of such Security Breach and to the extent required by Data Protection Laws. Tipalti will comply with the Security Breach-related obligations directly applicable to it under Data Protection Laws and will reasonably assist Customer in its compliance with its Security Breach-related obligations, including by providing Customer with such information about the Security Breach as Tipalti is reasonably able to disclose to Customer, taking into account the nature of the Services, the information available to Tipalti, and any confidentiality or other restrictions on disclosing information. Tipalti’s report or response to a Security Breach pursuant to this Section is deemed Tipalti’s Confidential Information, and will not be construed as an acknowledgement by Tipalti of any fault or liability of Tipalti with respect to the Security Breach. Tipalti’s obligations under this Section do not apply to incidents that are caused by Customer, any activity in the Customer’s accounts, or third-party services that Customer elects to use.
6. Subprocessors.
6.1. Tipalti may use Subprocessors to Process Personal Data in accordance with this DPA and Data Protection Laws. Tipalti will enter into a written agreement with Subprocessors who Process Personal Data on Tipalti’s behalf, requiring them to comply with similar obligations to those imposed on Tipalti under this DPA, to the extent applicable based on the nature of the Services provided by the Subprocessor.
6.2. Tipalti will provide a list of its Subprocessors upon request, and Customer consents to Tipalti’s use of the Subprocessors on this list. Customer may subscribe to notifications of new Subprocessors by providing written notice to Tipalti at privacy@tipalti.com. If Customer subscribes to such notifications, Tipalti will provide details of any change in Subprocessors as soon as reasonably practicable. Tipalti will endeavor to give written notice 30 days prior to any change, but will give written notice no less than ten days prior to any such change unless otherwise required by Data Protection Laws. If Customer reasonably objects to a new Subprocessor within seven days of receiving notice of such changes, the Parties will cooperate in good faith to resolve such objection.
7. Data Transfers.
7.1. Customer authorizes Tipalti and its Subprocessors to make international transfers of Personal Data in accordance with this DPA so long as the Data Protection Laws applicable to such transfers are respected.
7.2. To the extent legally required, by entering into this DPA, Customer and Tipalti are deemed to have signed the EU SCCs, which form part of this DPA and will apply to any transfers from the European Economic Area (EEA) to countries outside the EEA that are not covered by other legal mechanisms for the transfer of Personal Data such as Tipalti’s certification to the EU-U.S. Data Privacy Framework. Except as described in Sections 7.2(3) and (4) below, such EU SCCs are deemed completed as follows:
(1) Module 2 of the EU SCCs applies to transfers of Personal Data from Customer (as a Controller) to Tipalti (as a Processor), and Module 3 of the EU SCCs applies to transfers of Personal Data from Customer (as a Processor) to Tipalti (as a subprocessor);
(2) Clause 7 (the optional docking clause) is not included;
(3) Clause 9 (Use of sub-processors): The Parties select Option 2 (General written authorization). The initial list of Subprocessors is set forth in Section 6.2 of this DPA, and Tipalti will propose updates to that list in accordance with that Section;
(4) Clause 11 (Redress): The optional language requiring that data subjects be permitted to lodge a complaint with an independent dispute resolution body is not included;
(5) Clause 17 (Governing law): The Parties choose Option 1 (the law of an EU Member State that allows for third-Party beneficiary rights) and select the law of the Netherlands;
(6) Clause 18 (Choice of forum and jurisdiction): The Parties select the courts of the Netherlands;
(7) Annexes I (List of Parties) and II (Technical and organizational measures) are completed as set forth in Exhibits A and B of this DPA, respectively; and
(8) Annex III (List of subprocessors) is not applicable because the Parties have chosen General Authorization under Clause 9 of the EU SCCs.
7.3. To the extent legally required, by entering into this DPA, the Parties are deemed to be signing the UK Addendum, which forms part of this DPA and takes precedence over the rest of this DPA as set forth in the UK Addendum. The Tables within the UK Addendum are deemed completed as follows:
(1) Table 1: The details of the parties refer to the Parties and their affiliates to the extent any of them is involved in such transfer, and the Key Contact is the contact set forth in Exhibit A below.
(2) Table 2: The “Approved EU SCCs” refer to the EU SCCs as executed by the Parties and completed in Section 7.2 of this DPA.
(3) Table 3: Annexes I and II are set forth in Exhibits A and B of this DPA, respectively. Annex III is inapplicable.
(4) Table 4: Customer may end this DPA as set out in Section 19 of the UK Addendum.
7.4. For transfers of Personal Data subject to Switzerland’s Federal Act on Data Protection (“FADP”), the EU SCCs form part of this DPA as set forth in Section 7.2 of this DPA, but with the following differences to the extent required by the FADP: (1) references to the GDPR are interpreted as references to the FADP; (2) the term “member state” does not preclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence in Switzerland; and (3) the relevant supervisory authority is the Swiss Federal Data Protection and Information Commissioner (for transfers subject to the FADP and not the GDPR), or both such Commissioner and the supervisory authority identified in the EU SCCs (where the FADP and GDPR apply, respectively).
8. Audits. To the extent permitted by Data Protection Laws, Customer must exercise any rights to conduct an audit to verify the adequacy of Tipalti’s security measures by instructing Tipalti to carry out such audit using its own external or internal auditors. Customer may be required to agree to a non-disclosure agreement before Tipalti shares any report from such audit with Customer, and Tipalti may redact any such report as it considers appropriate. Where Customer is legally required by Data Protection Laws to demonstrate compliance through means other than such a report, the Parties will cooperate in good faith to agree on a plan for complying with the applicable requirements. The Parties will use the least intrusive means for Tipalti to address Customer’s request, taking into account legal requirements, the sensitivity of the Personal Data involved, information otherwise available to Customer, and the need for Tipalti to maintain its business operations, confidentiality, and security of its facilities. Any audit or inspection which is required under Data Protection Laws to be conducted by Customer or auditor other than Tipalti’s own auditor under this Section must occur (1) remotely, (2) not more than once every 12 calendar months, (3) upon 30 days’ prior written notice, and (4) during Tipalti’s normal business hours. Customer will pay Tipalti’s costs in carrying out any audit or addressing any request under this Section.
9. Return or Destruction of Personal Data. Except to the extent required by Data Protection Laws, or to the extent Tipalti is authorized or required to retain Personal Data in accordance with applicable law, Tipalti will return to Customer and/or destroy all Personal Data upon written request of Customer. Except to the extent prohibited by Data Protection Laws, Tipalti will inform Customer if it is not able to return or delete Personal Data.
10. Termination. This DPA automatically terminates upon the earlier of the termination or expiration of the Agreement under which the Services are provided, or the date when Tipalti stops Processing Personal Data.
11. Updates. Tipalti may update this DPA in the same manner as is permissible under the terms of the Agreement.
Exhibit A
ANNEX I TO THE EU SCCs
A. LIST OF PARTIES
Data exporter(s):
- Name: Customer, as identified in the Agreement.
- Address: As provided in the Agreement.
- Contact person’s name, position, and contact details: As provided in the Agreement.
- Activities relevant to the data transferred under these Clauses: The data exporter receives the data importer’s Services pursuant to their underlying Agreement.
- Signature and date: The Parties agree that execution of the Agreement constitutes execution of these EU SCCs by both parties.
- Role: Controller
Data importer(s):
- Name: Tipalti, as identified in the Agreement.
- Address: As provided in the Agreement.
- Contact person’s name, position, and contact details: As provided in the Agreement.
- Activities relevant to the data transferred under these Clauses: The data importer provides Services to the data exporter pursuant to their underlying Agreement.
- Signature and date: The Parties agree that execution of the Agreement constitutes execution of these EU SCCs by both parties.
- Role: Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: The Personal Data transferred concerns natural persons who are Customer’s:
- Authorized users who use the Services
- Payees (or their personnel) to whom Customer sends payments
- Personnel, including contractors
- Prospects, customers, partners, and vendors, and their respective personnel and contacts
Categories of personal data transferred: The Personal Data transferred concerns the following categories of data, to the extent that they constitute or contain Personal Data:
- Name, address, phone number, email address, bank details, department role and grade, and URL/website
- Payment information processed through the Services
- Any other information submitted to Tipalti by Customer or its Payees, or any of their users.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous for the duration of the Agreement.
Nature of the processing: Tipalti’s Processing activities are limited to those discussed in the Agreement and the DPA.
Purpose(s) of the data transfer and further processing: The purpose of the transfer to and further Processing of Personal Data by Tipalti is for Tipalti to provide the Services to Customer as set forth in the Agreement and the DPA.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Personal Data will be retained for the period of time necessary for Tipalti to provide the Services to Customer under the Agreement and/or in accordance with applicable legal requirements.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: Same as above to the extent that Personal Data is provided to Subprocessors for purposes of providing the Services.
C. COMPETENT SUPERVISORY AUTHORITY
To the extent legally permitted, the competent supervisory authority is the Dutch Data Protection Commission.
Exhibit B
TIPALTI DATA SECURITY MEASURES
Tipalti implements and maintains the following administrative, technical, physical, and organizational security measures for the Processing of Personal Data:
Network Security
Personal Data is encrypted in transit and encrypted at rest. Logins and sensitive data transfers are performed over encrypted protocols such as TLS. Servers in Tipalti’s environment are protected by active anti-malware software where supported, an extended detection and response (XDR) system, an intrusion detection system, and a secure access service edge (SASE) system.
Risk Management
Tipalti maintains an information security program, which includes: (a) a written information security policy and incident response plan that explicitly addresses and provides guidance to its personnel in furtherance of the security, confidentiality, integrity, and availability of Personal Data; (b) conducting periodic risk assessments of systems and networks that process Personal Data on at least an annual basis; (c) monitoring for security incidents and maintaining a tiered remediation plan designed to ensure timely fixes to any discovered vulnerabilities; (d) penetration testing performed by a qualified third party on an annual basis; and (e) having resources responsible for information security efforts.
Business Continuity
Tipalti takes daily snapshots of its databases and securely copies them to a separate data center for restoration purposes in the event of a regional cloud failure. Backups are encrypted and have the same protection in place as production.
Security Testing
On an annual basis, Tipalti and third parties engaged by it perform a variety of testing designed to protect against unauthorized access to Personal Data and to assess the security, reliability, and integrity of the Services. To the extent Tipalti determines, in its sole discretion, that remediation is required based on the results of such testing, it will perform remediation within a period of time that takes into account the nature and severity of the identified issue. Tipalti undergoes a SOC 2 Type II audit on an annual basis with respect to the suitability of its controls. Tipalti makes its SOC 2 Report available to Customers upon request, subject to reasonable confidentiality restrictions.
Access Management and Control
Access to manage Tipalti’s AWS environment requires multi-factor authentication. Access to the Services is logged, and access to Personal Data is restricted to a limited set of approved Tipalti employees. Tipalti employees are trained on documented information security and privacy procedures. Every Tipalti employee signs a data access policy that binds them to the terms of Tipalti’s data confidentiality policies. Access to Tipalti systems is promptly revoked upon termination of employment.
Physical Safeguards
Tipalti uses Amazon Web Services (AWS) to provide management and hosting of production servers and databases in the United States. AWS employs a robust physical security program with multiple certifications, including SSAE 16 and ISO 27001 certification.
Data Minimization and Retention
Tipalti makes efforts to collect only that Personal Data that is necessary to provide the Services outlined in the Agreement. Tipalti employees are directed to access the minimum amount of information necessary to perform the task at hand. Tipalti will retain Personal Data for the period necessary to perform the Services, unless otherwise required or permitted by the Agreement or applicable law. Customer may request deletion of Personal Data at any time, and Personal Data is deleted or anonymized after termination of the Agreement.