DATA PROCESSING ADDENDUM
Last Updated December 17th, 2021
This Data Processing Addendum (“DPA”) supplements the Gorilla Expense Terms of Use and other written or electronic agreement(s) between you and Gorilla Expense (also referred to as “we” or “our” in this DPA) for the provision of the Services (the “Agreement”). This DPA applies to both you and your Authorized Affiliates. All capitalized terms not defined herein will have the meaning set forth in the Agreement.
This DPA reflects the parties’ agreement on the terms governing the processing and security of Customer Personal Data in connection with the Data Protection Laws. This DPA does not apply to User Data of which Gorilla Expense is the controller and which Gorilla Expense may use in accordance with the terms of the Agreement.
Upon your acceptance of the Agreement, this DPA will become legally binding. The terms of this DPA will take effect on the Effective Date and will continue in effect until the Agreement is terminated or expires in accordance with its terms.
DATA PROCESSING TERMS
1. DEFINITIONS
1.1 In this DPA, these capitalized terms have the following meaning:
“Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with, a party.
“Authorized Affiliate” means any of your Affiliate(s) which (a) is subject to the Data Protection Laws, and (b) is permitted to use the Services pursuant to your Agreement with Gorilla Expense but has not signed its own Order Form with Gorilla Expense and is not a “client” or “customer” as defined under the Agreement.
“Customer Personal Data” means any Personal Data that Gorilla Expense processes on behalf of you, the customer, pursuant to the Agreement.
“Data Protection Laws” means all laws and regulations, including the laws and regulations of the European Union (including the GDPR), the European Economic Area, Switzerland, and the United Kingdom, applicable to the processing of Customer Personal Data under the Agreement.
“Effective Date” means the date on which you accept this DPA.
“European Union (EU) Standard Contractual Clauses” means the standard contractual clauses adopted by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Gorilla Expense Group” means Gorilla Expense and its Affiliates engaged in the processing of Customer Personal Data.
“Sub-processor” means any processor (but excluding any employee of Gorilla Expense or of a member of the Gorilla Expense Group) engaged by Gorilla Expense or a member of the Gorilla Expense Group.
“United Kingdom (UK) Standard Contractual Clauses” means the standard contractual clauses approved by the European Commission by way of Commission Decision C(2010)593, as amended by the UK Information Commissioner’s Office for use in a UK context, available on the date of this DPA at https://ico.org.uk/media/for-organisations/documents/2618973/uk-sccs-c-p-202012.docx, and as may be amended or replaced by the Information Commissioner’s Office and/or Secretary of State from time to time.
“User Data” means any data relating to you or your Users, employees, officers or contractors provided to or obtained by Gorilla Expense in the provision of the Services where Gorilla Expense acts as a data controller with respect to such data.
“Users” means individuals authorized by you to access the Services through your Gorilla Expense account.
1.2 The terms “controller”, “data subject”, “personal data”, “processing”, “processor” and “supervisory authority” as used in this DPA have the meanings given to them under applicable Data Protection Law.
2. PROCESSING OF PERSONAL DATA
2.1 Roles of the Parties. The parties acknowledge and agree that, regarding the processing of Customer Personal Data, you are the controller, Gorilla Expense is the processor and that Gorilla Expense or members of the Gorilla Expense Group will engage Sub-processors pursuant to the requirements set forth in Section 5 (Sub-processors) below. The parties acknowledge and agree that, as the controller, you will determine the scope, purposes, and manner by which Customer Personal Data may be accessed or processed by Gorilla Expense.
2.2 Your Processing of Customer Personal Data. You agree that, in your use of the Services, you will process Customer Personal Data in accordance with the requirements of Data Protection Laws. You agree that your instructions for the processing of Customer Personal Data will comply with Data Protection Laws. You represent and warrant that you have all necessary rights to provide Customer Personal Data to Gorilla Expense for processing to be performed in connection with the Services, and that one or more lawful bases set forth in the Data Protection Laws support the lawfulness of the processing. To the extent required by Data Protection Laws, you are responsible for ensuring that all necessary privacy notices are provided to data subjects, and unless another legal basis set forth in the Data Protection Laws supports the lawfulness of the processing, that any necessary data subject consents to the processing are obtained, and for ensuring that a record of such consents is maintained. Should such a consent be revoked by a data subject, you are responsible for communicating the fact of this revocation to Gorilla Expense, and Gorilla Expense remains responsible for implementing your instruction with respect to the processing of that Customer Personal Data. As between the parties, you acknowledge and agree that you are solely responsible for the accuracy and quality of Customer Personal Data.
2.3 Gorilla Expense’s Processing of Customer Personal Data. Gorilla Expense agrees that it will process Customer Personal Data only on your behalf and only in accordance with your documented instructions for the following purposes: (a) processing in accordance with the Agreement; (b) processing initiated by Users in their use of the Services; and (c) processing to comply with other documented reasonable instructions provided by you (e.g., via email) where such instructions are consistent with the terms of the Agreement. Should Gorilla Expense reasonably believe that a specific processing activity beyond the scope of your instructions (or otherwise inconsistent with the terms of the Agreement) is required to comply with a legal obligation to which Gorilla Expense is subject, Gorilla Expense will inform you of that legal obligation in writing before undertaking such processing. Unless required to comply with such a legal obligation, Gorilla Expense will not process Customer Personal Data in a manner inconsistent with your documented instructions. Gorilla Expense will promptly notify you if, in its opinion, any such instruction violates any Data Protection Law. Such notification will not constitute a general obligation on the part of Gorilla Expense to monitor or interpret the laws applicable to you, and such notification will not constitute legal advice to you.
2.4 Details of the Processing. The subject matter of processing of Customer Personal Data by Gorilla Expense is the performance of the Services pursuant to the Agreement. The duration of the processing, the nature and purpose of the processing, the types of Customer Personal Data and categories of data subjects processed under this DPA are further specified in Exhibit 1. These instructions also describe the duration, object, scope and purpose of the processing. Gorilla Expense will be allowed to exercise its own discretion in the selection and use of such means as it considers necessary to pursue the purpose of the processing specified in Exhibit 1, provided that all such discretion is compatible with the requirements of the Agreement, as amended by this DPA, and in particular your written instructions, and any applicable Data Protection Laws.
3. RIGHTS OF DATA SUBJECTS
Gorilla Expense will, to the extent legally permitted, promptly notify you if Gorilla Expense receives a request from a data subject to exercise the data subject’s right of access, right to rectification, restriction of processing, erasure (“right to be forgotten”), data portability, object to the processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”). Taking into account the nature of the processing, Gorilla Expense will assist you by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of your obligation to respond to a Data Subject Request under Data Protection Laws. In addition, to the extent you, in your use of the Services, do not have the ability to address a Data Subject Request, Gorilla Expense will upon your request use commercially reasonable efforts to assist you in responding to such Data Subject Request, to the extent Gorilla Expense is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws.
4. GORILLA EXPENSE EMPLOYEES
4.1 Confidentiality. Gorilla Expense will treat all Customer Personal Data as confidential and will cause its employees engaged in the processing of Customer Personal Data to be informed of the confidential nature of the Customer Personal Data, to have received appropriate training on their responsibilities and to have executed written confidentiality agreements or otherwise to be bound by obligations of confidentiality. Gorilla Expense will ensure that such confidentiality obligations survive the termination of the employee’s engagement.
4.2 Reliability. Gorilla Expense will take commercially reasonable steps to ensure the reliability of any Gorilla Expense employees engaged in the processing of Customer Personal Data.
4.3 Limitation of Access. Gorilla Expense will ensure that Gorilla Expense’s access to Customer Personal Data is limited to those employees performing Services in accordance with the Agreement.
5. SUB-PROCESSORS
5.1 Appointment of Sub-processors. You acknowledge and agree that (a) Gorilla Expense’s Affiliates may be retained as Sub-processors; and (b) Gorilla Expense and Gorilla Expense’s Affiliates respectively, may engage third-party Sub-processors in connection with the provision of the Services. Gorilla Expense or a Gorilla Expense Affiliate will ensure that each Sub-processor is bound by obligations compatible with those of Gorilla Expense under this DPA with respect to the protection of Customer Personal Data to the extent applicable to the nature of the Services provided by such Sub-processor and will reasonably monitor compliance therewith.
5.2 List of Current Sub-processors and Notification of New Sub-processors. You hereby agree that Gorilla Expense may use the Sub-processors set forth at Exhibit 3 to assist in providing the Services. When a Sub-processor is proposed to be changed or Gorilla Expense proposes to use a new Sub-processor, Gorilla Expense will provide prior notice by email or other permissible notice under the Agreement to you before implementing such change, thereby giving you an opportunity to object to the same, provided such objection is submitted to Gorilla Expense in accordance with Section 5.3 of this DPA (Objection Right for New Sub-Processors).
5.3 Objection Right for New Sub-processors. You may object to Gorilla Expense’s use of a new Sub-processor by setting forth a reasonable basis for your objection and notifying Gorilla Expense promptly in writing within ten (10) business days after receipt of Gorilla Expense’s notice in accordance with the mechanism set out in Section 5.2 above. If you object to a new Sub-processor, as permitted in the preceding sentence, the parties will make a good-faith effort to resolve your objection. In the absence of a resolution, Gorilla Expense will use reasonable efforts to make available to you a change in the Services or recommend a commercially reasonable change to your configuration or use of the Services to avoid processing of Customer Personal Data by the objected-to new Sub-processor without unreasonably burdening you. If Gorilla Expense is unable to make available such change within a reasonable period, which will not exceed thirty (30) days, you may terminate the Agreement with respect only to those Services which cannot be provided by Gorilla Expense without the use of the objected-to new Sub-processor by providing written notice to Gorilla Expense. Gorilla Expense will refund you any prepaid fees covering the remainder of the term of such Agreement following the effective date of termination with respect to such terminated Services, without imposing on you a penalty for the termination.
6. SECURITY
6.1 Controls for the Protection of Customer Personal Data. Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, you and Gorilla Expense will implement appropriate technical and organizational measures to ensure a level of security of the processing of Customer Personal Data appropriate to the risk. These measures will include, at a minimum, the security measures set forth in Exhibit 2 of this DPA.
6.2 Security Policies. Gorilla Expense agrees to maintain written security policies that are fully implemented and applicable to the processing of Customer Personal Data. At a minimum, such policies should include assignment of internal responsibility for information security management; devoting reasonably adequate personnel resources to information security; where permitted by applicable law, carrying out appropriate verification checks on permanent staff who will have access to Customer Personal Data; and conducting training to make employees with access to Customer Personal Data aware of information security risks presented by the processing.
6.3 Third-Party Certifications and Audits. Gorilla Expense has obtained certain third-party certifications and audits. Upon your written request at reasonable intervals (but no more than annually), and subject to the confidentiality obligations set forth in the Agreement, Gorilla Expense will make available to you (as long as you are not a competitor of Gorilla Expense) or to your independent, third-party auditor (as long as the auditor is not a competitor of Gorilla Expense) a copy of Gorilla Expense’s then most recent third-party audits or certifications, as applicable. You may contact Gorilla Expense at compliance@gorillaexpense.com to request an on-site audit of the procedures relevant to the protection of Customer Personal Data. You agree to reimburse Gorilla Expense for any time expended for any such on-site audit at Gorilla Expense’s then-current professional services rates, which we will make available to you upon request. Before the commencement of any such on-site audit, you and Gorilla Expense will mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which you will be responsible. All reimbursement rates will be reasonable, taking into account the resources expended by Gorilla Expense. You agree to promptly notify Gorilla Expense with information regarding any non-compliance discovered during an audit. Gorilla Expense’s adherence to either a code of conduct or to a certification mechanism approved by the applicable supervisory authority and recognized under Data Protection Laws may be used, at Gorilla Expense’s discretion, as an element by which Gorilla Expense may demonstrate compliance with the requirements set forth in this Section 6, provided that the requirements contained in Exhibit 2 of this DPA are also addressed by such code of conduct or certification mechanism.
6.4 Improvements to Security.
6.4.1 The parties acknowledge that security requirements are constantly evolving and that effective security requires frequent evaluation and regular improvements of outdated security measures. Gorilla Expense will therefore evaluate the measures as implemented in accordance with this Section 6 on an on-going basis to maintain compliance with the requirements set out in this Section 6. The parties will negotiate in good faith the cost, if any, to implement material changes required by specific updated security requirements set forth in Data Protection Laws.
6.4.2 Where an amendment to the Agreement is required to execute your instruction to Gorilla Expense to improve security measures as may be required by changes in Data Protection Laws from time to time, the parties agree to negotiate an amendment to the Agreement in good faith.
7. DATA INCIDENTS
Gorilla Expense will notify you (by email or other reasonable means) without undue delay after becoming aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data, transmitted, stored, or otherwise processed by Gorilla Expense or its Sub-processors of which Gorilla Expense becomes aware (each, a “Data Incident”). Gorilla Expense will make reasonable efforts to identify the cause of the Data Incident and take those steps as Gorilla Expense deems necessary and reasonable to remediate the cause of the Data Incident to the extent the remediation is within Gorilla Expense’s reasonable control. The obligations herein will not apply to incidents that are caused by you or your Users.
8. IMPACT ASSESSMENT AND PRIOR CONSULTATION
Upon your request, Gorilla Expense will provide you with reasonable cooperation and assistance needed to fulfil your obligation under the GDPR to carry out a data protection impact assessment related to your use of the Services, to the extent you do not otherwise have access to the relevant information, taking into account the nature of the processing and to the extent such information is available to Gorilla Expense. Gorilla Expense will provide reasonable assistance to you in cooperation or prior consultation with the applicable supervisory authority, to the extent required under the GDPR.
9. DELETION OR RETURN OF CUSTOMER PERSONAL DATA
No later than thirty (30) days following the date that Gorilla Expense ceases to process Customer Personal Data, or sooner upon your written request, Gorilla Expense will return Customer Personal Data to you and, to the extent allowed by applicable law, delete or destroy Customer Personal Data, in each case as required by the Data Protection Laws and to the extent within Gorilla Expense’s custody and control.
10. DATA TRANSFERS
10.1 EU Standard Contractual Clauses. You acknowledge that Gorilla Expense is located in the United States and, in order to provide the Services, Gorilla Expense shall transfer and retain Customer Personal Data in the United States. To the extent such Customer Personal Data originates in the European Economic Area (EEA), the parties undertake to apply the provisions of the EU Standard Contractual Clauses to the transfer and Processing of such Customer Personal Data. If the EU Standard Contractual Clauses are applicable between the parties pursuant to this Section 10.1 of this DPA, their provisions will be deemed incorporated by reference into this DPA. To the extent required by the applicable data protection regulations, the parties shall enter into and execute the EU Standard Contractual Clauses as a separate document. If the parties apply and incorporate the EU Standard Contractual Clauses pursuant to this Section 10.1 of this DPA, then the following shall apply:
10.1.1 Module Two. The EU Standard Contractual Clauses shall be governed by the Module Two clauses (Transfer controller to processor) in all applicable instances, and you shall be the data exporter and Gorilla Expense shall be the data importer.
10.1.2 Docking Clause. Each party acknowledges and agrees that Clause 7 (Optional – Docking Clause) of the EU Standard Contractual Clauses shall apply.
10.1.3 Subprocessing Clause. For purposes of Clause 9(a) (Use of sub-processors) of the EU Standard Contractual Clauses, the parties agree that Option 2 (General Authorization) shall apply to the parties, and shall be enforced in accordance with Section 5 and Exhibit 3 of this DPA.
10.1.4 Redress Clause. For purposes of Clause 11 (Redress) of the EU Standard Contractual Clauses, the parties agree that the optional wording shall not be incorporated therein and therefore shall not be applicable to the parties.
10.1.5 Liability Clause. For purposes of Clause 12 (Liability) of the EU Standard Contractual Clauses, any claims brought under the EU Standard Contractual Clauses shall be subject to the terms and conditions of the Agreement, provided however, in no event shall either party limit its liability with respect to any data subject rights under the EU Standard Contractual Clauses.
10.1.6 Governing Law. For purposes of Clause 17 (Governing Law) of the EU Standard Contractual Clauses, Option 1 will apply and will be governed by Irish law.
10.1.7 Forum and Jurisdiction Clause. For purposes of Clause 18 (Choice of Forum and Jurisdiction) of the EU Standard Contractual Clauses, disputes arising under the EU Standard Contractual Clauses shall be resolved before the Courts of Dublin, Ireland.
10.1.8 Transfer Details (Annex I). Annex I of the EU Standard Contractual Clauses shall be deemed completed with the information set forth in Exhibit 1 to this DPA.
10.1.9 Security Controls (Annex II). Annex II of the EU Standard Contractual Clauses shall be deemed completed with the information set forth in Exhibit 2 to this DPA.
10.1.10 Subprocessing List (Annex III). Annex III of the EU Standard Contractual Clauses shall be deemed completed with the information set forth in Exhibit 3 to this DPA and replacement Sub-processors shall be agreed upon in accordance with Section 5 of this DPA. Gorilla Expense shall not transfer Customer Personal Data received under the EU Standard Contractual Clauses (nor permit such Customer Personal Data to be transferred) to a Sub-processor outside the EEA, unless (i) the Sub-processor is established in a country which the European Commission has granted an adequacy status, or (ii) Gorilla Expense takes such measures as necessary to ensure the transfer is in compliance with Data Protection Law, and such measures may include (without limitation) the Sub-processor obtaining Binding Corporate Rules authorization in accordance with Data Protection Law, or the execution by a Sub-processor and Gorilla Expense of the EU Standard Contractual Clauses, Module 3 (Processor to Processor).
10.2 UK Standard Contractual Clauses. You acknowledge that Gorilla Expense is located in the United States and, in order to provide the Services, Gorilla Expense shall transfer and retain Customer Personal Data in the United States. To the extent Customer Personal Data originates in the UK, the parties undertake to apply the provisions of the UK Standard Contractual Clauses to the transfer and Processing of such Customer Personal Data and hereby incorporate the UK Standard Contractual Clauses (Controller to Processor) by reference into this DPA. In case the parties can no longer rely on the UK Standard Contractual Clauses as an appropriate data transfer mechanism, the parties will conclude an alternative data transfer mechanism to replace the UK Standard Contractual Clauses, at the choice of You, without undue delay. If the parties apply and incorporate the UK Standard Contractual Clauses pursuant to this Section 10.2 of this DPA, then the following shall apply:
10.2.1 Governing Law. In Clause 9 of the UK Standard Contractual Clauses, the parties agree that the UK Standard Contractual Clauses shall be governed by the law of the country of the UK in which the data exporter is established, namely, England and Wales.
10.2.2 Commercial Clauses. For purposes of the “Additional commercial clauses” of the UK Standard Contractual Clauses, the optional “Indemnification” clause is deemed incorporated therein and shall apply to the parties.
10.2.3 Transfer Details. Annexes 1 and 2 of the UK Standard Contractual Clauses shall be deemed completed with the information set out in Section 10.1 of this DPA and Exhibits 1 through 3.
10.2.4 Public Access Provisions. Each party hereby acknowledges and agrees that Section III (Local Laws and Obligations in case of access by public authorities) of the EU Standard Contractual Clauses is hereby incorporated by reference into these UK Standard Contractual Clauses.
10.2.5 Onward Transfers. Gorilla Expense shall not transfer Customer Personal Data received under the UK Standard Contractual Clauses (nor permit such Customer Personal Data to be transferred) to a Sub-processor outside the UK, unless (i) the Sub-processor is established in a country which the UK authorities have granted an adequacy status, or (ii) Gorilla Expense takes such measures as necessary to ensure the transfer is in compliance with Data Protection Law and such measures may include (without limitation) the Sub-processor obtaining Binding Corporate Rules authorization in accordance with Data Protection Law, or the execution by a Sub-processor and Gorilla Expense of the Standard Contractual Clauses adopted or approved by the UK Secretary of State or the UK Information Commissioner (and approved by the UK Parliament).
10.3 Switzerland Transfers. You acknowledge that Gorilla Expense is located in the United States and, in order to provide the Services, Gorilla Expense shall transfer and retain Customer Personal Data in the United States. To the extent such Customer Personal Data originates in Switzerland and Gorilla Expense is not established in a country which Switzerland or, as applicable, the European Commission has granted an adequacy status, and Gorilla Expense has not obtained Binding Corporate Rules authorization in accordance with Data Protection Law, the parties undertake to apply the provisions of the EU Standard Contractual Clauses, as set forth in Section 10.1 of this DPA, to the transfer and Processing of such Customer Personal Data. If the EU Standard Contractual Clauses are applicable between the parties pursuant to this Section 10.3, their provisions will be deemed incorporated by reference into this DPA. If the parties apply and incorporate the EU Standard Contractual Clauses (as set forth in Section 10.1 of this DPA) pursuant to this Section 10.3, then the following shall apply, where required by the Swiss Federal Act on Data Protection (FADP):
10.3.1 References to the GDPR in the EU Standard Contractual Clauses are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not the GDPR.
10.3.2 The term “member state” in the EU Standard Contractual Clauses shall not be interpreted in such a manner as to exclude Data Subjects in Switzerland from enforcing their rights in Switzerland in accordance with Clause 18(c) of the EU Standard Contractual Clauses, provided Switzerland is their habitual residence.
10.3.3 For purposes of Annex I(C) of the EU Standard Contractual Clauses, (i) where the data transfer is subject exclusively to the Swiss FADP (and not the GDPR), the supervisory authority is the Swiss Federal Data Protection and Information Commissioner; and (ii) where the transfer is subject to both the FADP and the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by the Swiss FADP, and the supervisory authority set forth in Exhibit 1 of this DPA insofar as the transfer is governed by the GDPR.
10.4 Other Transfers. You acknowledge that Gorilla Expense is located in the United States and, in order to provide the Services, Gorilla Expense shall transfer and retain Customer Personal Data in the United States. To the extent such Customer Personal Data originates outside of the EEA, Switzerland, or the UK, and the parties seek to transfer and Process such Customer Personal Data across national borders, the parties shall also undertake to apply, as appropriate, the provisions of the EU Standard Contractual Clauses or UK Standard Contractual Clauses to such transfer and Processing, provided that the EU Standard Contractual Clauses or UK Standard Contractual Clauses are legally required and sufficient to meet the requirements of the applicable Data Protection Law for the transfer and Processing of Personal Data across national borders.
10.5 Surveillance Disclaimers. If the parties apply and incorporate the EU Standard Contractual Clauses pursuant to Sections 10.1 or 10.3 of this DPA or the UK Standard Contractual Clauses pursuant to Section 10.2 of this DPA, then Gorilla Expense hereby represents and warrants the following to be true, accurate, and complete: (i) for the purposes of 50 United States Code (U.S.C.) § 1881(4), or any other similar provision in the jurisdictions where Gorilla Expense is located, Gorilla Expense is classified as an “electronic communication service provider” and is directly subject to 50 U.S.C. § 1881a (“FISA § 702”) or a provision with a similar effect in your country of residence, (ii) Gorilla Expense has never been the subject of a FISA § 702 warrant, or any other similar provision in the jurisdictions where Gorilla Expense is located, with regard to a request for disclosure of any Customer Personal Data that it Processes, (iii) Gorilla Expense has never cooperated with public authorities conducting surveillance of communications pursuant to Executive Order (EO) 12333, as amended, or any other similar provision in the jurisdictions where Gorilla Expense is located, with regard to Customer Personal Data in Gorilla Expense’s custody or control, and (iv) Gorilla Expense has established internal procedures and processes for responding to FISA § 702 warrants, for cooperating with national security agencies under EO 12333, and for complying with any provision similar to either of the foregoing in the jurisdictions where Gorilla Expense is located.
10.6 Changes to the Law. If and to the extent this DPA or the EU Standard Contractual Clauses or the UK Standard Contractual Clauses are no longer recognized by the European Commission or other local privacy authorities as an adequate mechanism for the transfer of Customer Personal Data from the EEA, Switzerland, the United Kingdom or other country, as applicable, to the United States, then the parties shall abide by another adequate transfer mechanism, provided however that if, after commercially reasonable efforts, Gorilla Expense is unable to comply with another adequate transfer mechanism, You or Gorilla Expense may, upon prior advance written notice to the other party, terminate the Agreement and obtain a refund from Gorilla Expense of pre-paid fees prorated for the remainder of the unused Services as Your exclusive remedy.
11. AUTHORIZED AFFILIATES
11.1 Contractual Relationship. The parties acknowledge and agree that, by executing the Agreement, you are entering into this DPA on behalf of yourself and, as applicable, in the name and on behalf of your Authorized Affiliates, thereby establishing a separate DPA between Gorilla Expense and each such Authorized Affiliate subject to the provisions of the Agreement and this Section 11 and Section 12. Each Authorized Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For the avoidance of doubt, an Authorized Affiliate is not and does not become a party to the Agreement and is only a party to the DPA. All access to and use of the Services by Authorized Affiliates must comply with the terms and conditions of the Agreement, and any violation of the terms and conditions of the Agreement by an Authorized Affiliate will be deemed a violation by you.
11.2 Communication. The entity that is the contracting party to the Agreement will remain responsible for coordinating all communication with Gorilla Expense under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.
11.3 Rights of Authorized Affiliates. Where an Authorized Affiliate becomes a party to the DPA with Gorilla Expense, it will to the extent required under applicable Data Protection Laws, be entitled to exercise its rights and seek remedies under this DPA, subject to the following:
11.3.1 Except where applicable Data Protection Laws require the Authorized Affiliate to exercise a right or seek any remedy under this DPA against Gorilla Expense directly by itself, the parties agree that (i) solely the entity that is the contracting party to the Agreement will exercise any such right or seek any such remedy on behalf of the Authorized Affiliate, and (ii) the entity that is the contracting party to the Agreement will exercise any such rights under this DPA not separately for each Authorized Affiliate individually but in a combined manner for all of its Authorized Affiliates together (as set forth, for example, in Section 11.3.2 below).
11.3.2 The parties agree that the entity that is the contracting party to the Agreement will, when carrying out an onsite audit of the procedures relevant to the protection of Customer Personal Data, take all reasonable measures to limit any impact on Gorilla Expense and its sub-Processors by combining, to the extent reasonably possible, several audit requests carried out on behalf of different Authorized Affiliates in one single audit.
12. LIMITATION OF LIABILITY
Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Authorized Affiliates and Gorilla Expense, whether in contract, tort, or under any other theory of liability, is subject to the “Limitations of Liability” section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.
For the avoidance of doubt, Gorilla Expense’s and its Affiliates’ total liability for all claims made by you arising out of or related to the Agreement and each DPA will apply in the aggregate for all claims under both the Agreement and all DPAs established under this DPA, including by you and all Authorized Affiliates, and, in particular, will not be understood to apply individually and severally to the entity that is a contractual party to any such DPA.
13. ORDER OF PRECEDENCE; INTERPRETATION
If there is any conflict or inconsistency between the terms of this DPA and the remainder of the Agreement, the terms of this DPA will govern. Subject to the amendments of the Agreement set forth in this DPA, the Agreement remains in full force and effect. Also, for the avoidance of doubt, each reference to the DPA in this DPA means this DPA including its Exhibits and Annexes.
14. CHANGES TO THIS DPA
14.1 Changes to this DPA. From time to time, Gorilla Expense may change any URL referenced in this DPA and the content at any such URL. Gorilla Expense may change this DPA if the change: (a) is expressly permitted by this DPA; (b) reflects a change in the name or form of a legal entity; (c) is required to comply with applicable law or regulation, or a court order or guidance issued by a governmental regulator or agency; or (d) does not: (i) result in a degradation of the overall security of the Services; (ii) expand the scope of, or remove any restrictions on, Gorilla Expense’s processing of Customer Personal Data; or (iii) otherwise have a material adverse impact on your rights under this DPA, as reasonably determined by Gorilla Expense.
14.2 Notification of Changes. If Gorilla Expense intends to change this DPA under Section 14.1(c) or (d), Gorilla Expense will inform you at least 30 days (or such shorter period as may be required to comply with applicable law or regulation, or a court order or guidance issued by a governmental regulator or agency) before the change will take effect by either: (a) sending an email to your notification email address; or (b) alerting you via the user interface for the Services. If you object to any such change, you may terminate the Agreement by giving written notice to Gorilla Expense within 90 days of being informed by Gorilla Expense of the change.
15. GOVERNING LAW AND JURISDICTION
The substantive laws of the State of Georgia govern this DPA as though it was entered into and is to be entirely performed within the State of Georgia, without regard to conflict of law principles. The parties expressly disclaim the applicability of, and waive any rights based upon, the Uniform Computer Information Transactions Act or the United Nations Convention on Contracts for the International Sale of Goods. However, this DPA will not prejudice or limit a party’s right to enforce any award or decree under the laws of any jurisdiction where property or assets of the other party may be located. For all litigation arising out of or related to this DPA, the parties irrevocably and unconditionally submit to the exclusive jurisdiction and venue (and waive any claim of forum non conveniens and any objections as to laying of venue) of (A) the United States District Court for the Northern District of Georgia, or (B) if such court lacks subject matter jurisdiction, the appropriate state court of the State of Georgia, Fulton County. Each party irrevocably waives any right to object that the court does not have jurisdiction over the substance of claims or disputes or a party. You consent to the service of process in connection with any claim or dispute by registered or certified mail, postage prepaid, to you, to the contact details you have provided to the Services in connection with your Gorilla Expense account. To the fullest extent permitted by law, each party hereby expressly waives (on behalf of itself and on behalf of any person or entity claiming through that party) any right to a trial by jury in any action, suit, proceeding, or counterclaim of any kind arising out of or in any manner connected with this DPA.
List of Attachments
Exhibit 1 (Data Processing Activities)
Exhibit 2 (Security Controls)
Exhibit 3 (Approved Sub-processors)
EXHIBIT 1
DATA PROCESSING ACTIVITIES
A. List of parties:
| | Data Exporter | Data Importer |
|---|---|---|
| Name | You (identified in the Agreement) | Gorilla Expense |
| Address | Identified in the statement of work or order executed between the parties. | 3870 Peachtree Ind. Blvd, S-340 #167, Duluth, GA, 30096, USA |
| Contact person’s name, position and contact details | Identified in the statement of work or order executed between the parties. | Identified in the statement of work or order executed between the parties. |
| Activities relevant to the data transferred under this DPA | See Section B (Description of Transfer) | See Section B (Description of Transfer) |
| Signature and date | Upon signature and execution of a statement of work or order between the parties. | Upon signature and execution of a statement of work or order between the parties. |
| Role (controller / processor) | The Data Controller | The Data Processor |
B. Description of Transfer: Unless otherwise set forth in a statement of work, order form, or similar documentation, the description of the Customer Personal Data transferred is as follows:
(i) Categories of Data Subjects: Your employees and independent contractors.
(ii) Categories of Customer Personal Data: Contact information (e.g., name, phone number, address, e-mail address); business information (e.g., your company name, size and location); employment information (e.g., employee identification number and cost center); other personal profile information (e.g., travel preferences or out-of-office settings); travel- and expense-related information (e.g., copies of receipts and itineraries); corporate card information; mobile device information (e.g., information accessed by the device’s camera or contained in the device’s photo gallery); other information provided by a User (e.g., via free text boxes or a chat functionality).
(iii) Sensitive Categories of Customer Personal Data: N/A.
(iv) The frequency of transfer: Continuous and as often as You use the Services.
(v) Nature of Processing: For Gorilla Expense to provide the Services to You and Users, and to facilitate access and use of the same, including data storage and other processing necessary to provide, maintain and update the Services; to provide customer and technical support to You; and, to make disclosures in accordance with the Agreement, the DPA or as compelled by law.
(vi) Purpose of the data transfer and further processing: For Gorilla Expense to provide You and Users access to, and use of, the Services.
(vii) The period for which Customer Personal Data will be retained: For the duration of the Agreement and for the termination and transition period thereafter, as set forth in the Agreement.
(viii) Sub-processor transfers: The relevant information as set forth in Section 5 and Exhibit 3 of this DPA.
C. Competent Supervisory Authority: For purposes of Annex I.C (Competent Supervisory Authority) of the EU Standard Contractual Clauses, the parties agree where You are the data exporter, the supervisory authority shall be the competent supervisory authority that has supervision over You in accordance with Clause 13 of the EU Standard Contractual Clauses.
EXHIBIT 2
SECURITY CONTROLS
Gorilla Expense shall apply, at all times, the following security measures to safeguard Customer Personal Data:
- Measures taken to prevent any unauthorized person from accessing the facilities used for data processing (e.g., secured access, badges);
- Measures taken to prevent data media from being read, copied, amended or moved by any unauthorized persons (e.g., data kept in locked premises);
- Measures taken to prevent the unauthorized introduction of any data into the information system, as well as any unauthorized knowledge, amendment or deletion of the recorded data (e.g., restricted access to the IT infrastructure);
- Measures taken to prevent data processing systems from being used by unauthorized persons via data transmission facilities (e.g., firewalls);
- Measures taken to guarantee that authorized persons, when using an automated data processing system, may access only data that are within their competence (e.g., individual user accounts);
- Measures taken to guarantee the checking and recording of the identity of third parties to whom the data can be transmitted by transmission facilities (e.g., VPN, encryption of data);
- Measures taken to guarantee that the identity of the persons having had access to the information system and the data introduced into the system can be checked and recorded ex post facto at any time and by any authorized person;
- Measures taken to prevent data from being read, copied, amended or deleted in an unauthorized manner when data are disclosed and data media transported (e.g., by encryption or pseudonymization); and,
- Measures taken to safeguard data by creating backup copies (e.g., encrypted data backups).
EXHIBIT 3
APPROVED SUB-PROCESSORS
| Sub-processor | Region of Processing | Service Provided (Processing Activity) | Corporate Address |
|---|---|---|---|
| Microsoft | International | Cloud application and data hosting service | USA |
| | International | Enterprise email service, maps/location service | USA |
| FreshDesk | USA | Support desk management software service | USA |
| Mailchimp | USA | Marketing communications | USA |
| Zoho | USA | Customer relationship management (CRM) | USA |
| Itemize | International | OCR scanning software service | USA |
| Plaid | International | Bank transactions import software service | USA |
| Open Exchange Rates | International | Currency exchange rates software service | USA |
| Twilio SendGrid | International | Application notification service | USA |