Vendor Data Processing Addendum

This Vendor Data Processing Addendum including its appendices (the “Addendum”) is entered into between Toast, Inc. on behalf of itself and its affiliates (“Toast”) and Vendor (collectively, the “Parties”) and forms part of the agreement entered into between Toast and Vendor (collectively, the “Agreement”) in relation to Vendor’s Processing of Personal Information on behalf of Toast as part of the Services under the Agreement.
1. INTRODUCTION
1.1 Vendor provides Services to Toast under the Agreement that may involve the processing of Personal Information.  
1.2 Both Vendor and Toast agree to comply in good faith with the terms set out in this Addendum. 
1.3 In the event of a conflict or inconsistency between a term of this Addendum and the Agreement, the term of this Addendum shall control to the extent of the conflict or inconsistency.
2. DEFINITIONS
Unless otherwise set out below, each capitalized term in this Addendum shall have the meaning set out in the Agreement.
2.1 “Alternative Transfer Mechanism” means a mechanism other than the Standard Contractual Clauses that enables the lawful transfer of Personal Information from the European Economic Area (“EEA”), the United Kingdom (“UK”) or Switzerland to a third country in accordance with Applicable Data Protection Laws, including, but not limited to, programs both approved and operated by the U.S. Department of Commerce and approved by the European Commission or other applicable governmental authority or entity.
2.2 “Applicable Data Protection Laws” means all applicable federal, state, provincial, regional and local laws, directives, regulations, and rules imposed by any government, agency or authority in relation to the processing and security of Personal Information, including, but not limited to, the Australian Privacy Laws, NZ Privacy Laws, the European Union’s General Data Protection Regulation (Regulation 2016/679) pertaining to the protection of individuals within the European Economic Area (“EU GDPR”), the EU Directive on Privacy and Electronic Communications 2002/58/EC (“PECR”), the data protection law of the United Kingdom, including but not limited to the EU GDPR as incorporated into the law of the United Kingdom, the Data Protection Act 2018 and any additional legislation (“UK GDPR”), Switzerland’s Federal Data Protection Act of 19 June 1992, Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”), as well as any applicable provincial legislation, the CCPA, and other US Privacy Laws, as any of the foregoing may be amended, replaced or superseded.
2.3 “Australian Privacy Laws” means the Privacy Act 1988 (Cth) and any applicable state legislation governing Personal Information.
2.4 “CCPA” means, as applicable, the California Consumer Privacy Act of 2018, California Civil Code 1798.100 et seq. (2018), including as amended by the California Privacy Rights Act of 2020; and any subsequent replacements to the foregoing laws. All implementing regulations forming part of the laws above shall also be included in this definition. 
2.5 “Controller” means the entity that determines as a legal person alone or jointly with others the purposes and means of the Processing of Personal Information. For the purposes of this Agreement, “Controller” includes similarly defined terms under the Applicable Data Protection Laws, including, but not limited to, a “Business” or “Agency”. 
2.6 “GDPR” means, as applicable, the EU GDPR and the UK GDPR.
2.7 “Individual” has the same meaning as “individual”, “consumer” or “data subject” under the Applicable Data Protection Laws.
2.8 “Individual Rights Request” means the exercise of an individual’s right over their Personal Information (for example deletion, access or rectification) and shall be understood to have the same meaning as a “data subject rights request”, “a consumer right”, “a personal data rights request”, and similar terms as may be defined under Applicable Data Protection Laws.
2.9 “NZ Privacy Laws” means the Privacy Act 2020 (NZ), any applicable Codes of Practice or Regulations made pursuant to such Act, and any other laws or regulations governing the Processing of Personal Information in New Zealand.
2.10 “Personal Information” means any information relating to an identified or identifiable individual or household. Personal Information may include, but is not limited to, a name, address, contact details, unique identifiers, payment card information, biometric identifiers and information, preferences, history and profile data, IP addresses, and location-based information, but excludes aggregated or anonymized information in respect of which an individual is not identifiable. Personal Information shall include any information that constitutes “Personal Information”, “Sensitive Information” or “Personal Data” under the Applicable Data Protection Laws.
2.11 “Process” or “Processing” means any operation or set of operations performed on Personal Information or sets of Personal Information, whether or not by automated means, including, but not limited to, the collection, access, use, alteration, disclosure, or deletion of Personal Information.
2.12 “Processor” means the entity which processes Personal Information on behalf of a Controller.
2.13 “Sale” or “Sell” has the same meaning as such term is defined in the CCPA, any subsequent or similar legislation or other Applicable Data Protection Laws as enacted or amended from time to time.
2.14 “Security Incident” means any accidental or unlawful destruction, loss, alteration, theft, unauthorized disclosure of, or access to, Personal Information.
2.15 “Services” means services provided as part of the Agreement between Toast and the Vendor.
2.16 “Share” has the same meaning as such term is defined in the CCPA, any subsequent or similar legislation or other Applicable Data Protection Laws as enacted or amended from time to time.
2.17 “Standard Contractual Clauses” or “SCCs” means (i) in respect of EU Personal Information, the Standard Contractual Clauses implemented by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 for the transfer of personal data to third countries pursuant to the EU GDPR, as updated or replaced from time to time (“EU Standard Contractual Clauses”) and (ii) in respect of UK Personal Information, means the International Data Transfer Addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner’s Office (ICO) in accordance with the UK GDPR and the Data Protection Act 2018, as amended or replaced (“UK Addendum”). 
2.18 “Sub-processor” means any additional authorized Processor engaged by the original Processor that agrees to receive any Personal Information from the Controller as part of the Services.
2.19 “Third Party” means any Controller, Processor or Sub-processor engaged by a Party that agrees to receive Personal Information as part of the Services.
2.20 “US Privacy Laws” refers to state-specific privacy laws in the United States, including the CCPA, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act and other state-specific privacy laws as amended; and any subsequent replacements to the foregoing laws. All implementing regulations forming part of the laws above shall also be included in this definition. 
2.21 “Vendor” shall mean the third-party provider offering Services to Toast under the Agreement.
3. PROCESSING OF PERSONAL INFORMATION
3.1 Roles: The Parties agree that Toast shall act as a Controller and Vendor shall act as a Processor for the purposes of any Processing of Personal Information as part of providing the Services under the Agreement. 
3.2 Processing: Vendor shall only Process the Personal Information on the documented instructions of Toast and in order to provide the Services or where required by applicable law, in which case Vendor will inform Toast of the legal requirement unless Vendor is prohibited from doing so by law. Vendor shall not Process Personal Information for any secondary purposes unless pursuant to the instructions of Toast. 
3.3 Compliance with law: Vendor shall comply with the Applicable Data Protection Laws at all times in its Processing of Personal Information under the Agreement. 
3.4 Confidentiality: Anyone authorized to process Personal Information on behalf of Vendor shall either have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.5 Sub-processors: To the extent required to carry out the Services and fulfill its contractual obligations, Vendor shall be permitted to engage Sub-processors. Any Sub-processor relationship must be governed by a written agreement that imposes the specific or substantially similar obligations imposed on Vendor in relation to the Processing of Personal Information found under this Addendum. In all cases, Vendor shall remain responsible to Toast for the failure of any Sub-processors to perform their obligations under this Addendum as part of the Services. A list of Vendor’s current Sub-processors can be found in Annex 3. Where and to the extent required under the Applicable Data Protection Law, Vendor shall implement a process to provide notification to Toast (via privacy@toasttab.com) thirty (30) days prior to the implementation of any additional Sub-processors, and make good faith efforts to accommodate any reasonable objections Toast may have to such additional Sub-processors.
3.6 Personal Information subject to the GDPR and UK requirements: In addition to the other requirements set out in this Addendum, to the extent Vendor Processes Personal Information subject to the GDPR or the relevant United Kingdom legislation, Vendor shall comply with all requirements under Article 28 of the GDPR in relation to Vendor’s role as a Processor (or the relevant equivalent requirements for the United Kingdom).
3.7 CCPA Service Provider obligations, Sales and Sharing: For the purposes of the CCPA, the Parties acknowledge and agree that Vendor shall act as a “Service Provider,” as such term is defined in the CCPA. In addition to the obligations set forth in this Addendum and to the extent the CCPA applies, Vendor shall not: (a) combine Personal Information it receives in connection with the Services with Personal Information it may receive from other sources; (b) Sell or Share Personal Information, as such terms are defined in the CCPA; (c) retain, use, or disclose Personal Information for any purpose other than to provide the Services, and as otherwise permitted by applicable law (including but not limited to the Applicable Data Protection Laws); (d) retain, use or disclose Personal Information outside of the direct business relationship between the Parties or outside the provision of the Services; or (e) engage any additional party to participate in the processing of Personal Information without notification to Toast. The Parties acknowledge that the transfer of Personal Information is in furtherance of a business purpose as described in the Agreement. Vendor shall delete and permanently destroy Personal Information (i) upon written request by Toast within 10 days of receipt of such request, and (ii) within 30 days of the end of the term of the Agreement.
3.8 Personal Information subject to Australian Privacy Law: In addition to the other requirements set out in this Addendum, to the extent Vendor Processes Personal Information subject to the Australian Privacy Laws, Vendor shall (1) comply with all requirements under the Australian Privacy Laws as if the Vendor was subject to such Australian Privacy Laws (and all references in this Addendum to compliance with Applicable Data Protection Laws will be interpreted accordingly); (2) regardless of any other provision of this Addendum, solely Process the Personal Information for the purposes of provision of the Services to Toast; (3) delete and permanently destroy Personal Information (i) upon written request by Toast within 10 days of receipt of such request, and (ii) within 30 days of the end of the term of the Agreement; and (4) promptly notify Toast of any complaints the Vendor receives in relation to its Processing of Personal Information and comply with Toast’s reasonable directions in relation to the same.
3.9 Personal Information subject to NZ Privacy Law: In addition to the other requirements set out in this Addendum, to the extent Vendor Processes Personal Information subject to NZ Privacy Laws, Vendor shall (1) comply with all requirements under the NZ Privacy Laws as if the Vendor was subject to such NZ Privacy Laws (and all references in this Addendum to compliance with Applicable Data Protection Laws will be interpreted accordingly); (2) regardless of any other provision of this Addendum, solely Process the Personal Information as agent for, and on behalf of Toast, for the purposes of provision of the Services; (3) delete and permanently destroy Personal Information (i) upon written request by Toast within 10 days of receipt of such request, and (ii) within 30 days of the end of the term of the Agreement; (4) not transfer the Personal Information outside of New Zealand unless in accordance with clause 6; and (5) promptly notify Toast of any complaints the Vendor receives in relation to its Processing of Personal Information and comply with Toast’s reasonable directions in relation to the same.
4. SECURITY MEASURES
4.1 Security measures: Taking into account the state of the art, costs of implementation, the nature, scope, context and purpose of the Processing, Vendor shall maintain a written information security program embodying all appropriate technical, organizational and administrative security measures required to protect the privacy and security of any Personal Information Processed as part of the Services (including against loss, access, use, modification or disclosure that is not authorised, and other misuse). In all cases, Vendor shall be required to implement any and all security measures imposed under the Applicable Data Protection Laws. 
4.2 Access to Toast systems or networks: To the extent Vendor accesses any of Toast’s systems or networks as part of providing the Services, Vendor shall comply with all instructions, policies and requirements of Toast in relation to such access (as may be communicated from time to time).
5. SECURITY INCIDENTS
5.1 Written Security Incident response program: Vendor shall maintain a written incident response program for the management of Security Incidents. 
5.2 Notification of a Security Incident: In the event Vendor discovers, is notified of, or reasonably suspects a Security Incident, Vendor will immediately notify Toast. In all cases, the timing of such notification shall not exceed forty-eight (48) hours or such other shorter time limit imposed under the Applicable Data Protection Laws.  Vendor’s notice to Toast of a Security Incident must contain the following: (i) facts of the Security Incident, including date of discovery, date range of unauthorized activity, and remediation and mitigation activities; (ii) a description of the categories and approximate number of individuals, as well as the categories and approximate number of records containing Personal Information affected by the Security Incident; (iii) the name and contact details of any information security or privacy lead appointed by Vendor, and if Vendor has not appointed any such individual, the name and contact details of the individual(s) in charge of Vendor’s response to the Security Incident; and (iv) Vendor’s assessment, developed through reasonable diligence, of the likely consequences of the Security Incident with respect to the affected Personal Information and affected individuals. 
5.3 Costs and remediation obligations: To the extent any Security Incident is attributable to the actions of Vendor or its Sub-processors, Vendor shall be responsible for all costs associated with the Security Incident, including but not limited to: (i) the cost of providing notice to affected individuals; (ii) the cost of providing notice to government agencies, credit bureaus, and/or other required entities; (iii) the cost of providing affected individuals with credit monitoring services for a specific period not to exceed twelve (12) months or the minimum time period provided by the Applicable Data Protection Laws, whichever is longer; (iv) call center support for such affected individuals; (v) the cost of any other measures required under the Applicable Data Protection Laws; and (vi) other losses, liabilities, or expenses for which Vendor would be liable. In all cases, as to the Personal Information Processed under this Agreement that is impacted by a Security Incident, Vendor shall cooperate and work with Toast as part of the remediation efforts and, absent a legal obligation to do so, shall not issue any statements or disclose any information in relation to the Security Incident without Toast’s written consent.
6. DATA TRANSFERS
6.1 Transfers generally: Vendor shall be permitted to transfer Personal Information under this Agreement provided that such transfers comply with the Applicable Data Protection Laws and this Addendum, including Section 3.5.
6.2 EEA, Switzerland and United Kingdom transfers: In the event Vendor Processes the Personal Information of individuals residing in the EEA, Switzerland or the United Kingdom as part of the Services, Vendor shall only be permitted to transfer such Personal Information outside those jurisdictions if such transfers are compliant with the Applicable Data Protection Laws.  
6.3 Use of Standard Contractual Clauses: As applicable and to the extent any transfer under Section 6.2 is made to a country not deemed adequate by the European Commission or other governmental bodies, or is not transferred pursuant to an Alternative Transfer Mechanism, the Parties agree that the relevant set of Standard Contractual Clauses shall be applicable, with the transferring Party acting as the “data exporter” and the receiving Party acting as the “data importer.” In such instances, and where completed by the Parties (as applicable), the Parties agree that the transfers are governed by the Standard Contractual Clauses (including the UK Addendum) which are hereby incorporated by reference with the following selections:
For the purposes of the EEA and Switzerland:

| Section Reference | Concept | Selection by the Parties |
|---|---|---|
| Module | In operation | Module Two. |
| Section I, Clause 7 | Docking | The option under clause 7 shall not apply. |
| Section II, Clause 9 | Sub-processors | Option 2 (General Written Authorisation) under clause 9 shall apply. See clause 3.5 of this Addendum. |
| Section IV, Clause 17 | Governing law | Transfers under the EU SCCs will be governed by the laws of Ireland. The Swiss Federal Act on Data Protection (FADP) insofar as the transfers are governed by the FADP. |
| Section IV, Clause 18(b) | Choice of forum and jurisdiction | The Courts of Ireland shall have exclusive jurisdiction to resolve any dispute or lawsuit arising out of or in connection with the EU SCCs. |
| Annex I.A | List of Parties | See Annex 1 Section A of this Addendum. |
| Annex I.B | Description of Transfer | See Annex 1 Section B of this Addendum. |
| Annex I.C | Competent Supervisory Authority | Irish Data Protection Commissioner. Federal Data Protection and Information Commissioner insofar as the transfers are governed by the FADP. |
| Annex II | Technical and Organisational Measures | See Annex 2 of this Addendum. |
| Annex III | Sub-processors | See Annex 3 of this Addendum. |
| Additional adaptations insofar as the FADP governs the transfers | | The term ‘member state’ must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of residence (Switzerland) in accordance with Clause 18(c) of the SCCs. References to “GDPR” are to be understood as references to the FADP. The SCCs shall apply to data pertaining to legal entities until the entry into force of the revised FADP. |



For the purposes of the UK, the parties agree that the EU Standard Contractual Clauses will apply but will be modified and interpreted in accordance with the UK Addendum and agree as follows:

| Table or Section Reference | Concept | Selection by the Parties |
|---|---|---|
| Table 1 | Parties | See Annex 1 Section A of this Addendum. |
| Table 2 | Selected SCCs, Modules and Selected Clauses | Modules One and Two of the EU Standard Contractual Clauses entered into on the date of the Agreement. |
| Table 3 | Appendix Information | Annex I.A shall be populated with the information in Annex 1 Section A of this Addendum. Annex I.B shall be populated with the information in Annex 1 Section B of this Addendum. Annex II shall be populated with Annex 2 of this Addendum. Annex III shall be populated with Annex 3 of this Addendum (only for Module Two). |
| Table 4 | End of UK Addendum when the Approved Addendum changes | Neither party may end this UK Addendum per Section 19 of the UK Addendum, except as set forth in this Addendum. |
| Section I, Clause 7 | Docking | The option under clause 7 shall not apply. |
| Section II, Clause 9 | Sub-processors | Option 2 (General Written Authorisation) under clause 9 shall apply. See clause 3.2(iii) of this Addendum. |
| Section II, Clause 11 | Redress | The option under clause 11 shall not apply. |
| Section IV, Clause 17 | Governing law | The laws of England and Wales insofar as the transfers are governed by UK Data Protection Law. |
| Section IV, Clause 18(b) | Choice of forum and jurisdiction | The Courts of England and Wales shall have exclusive jurisdiction to resolve any dispute or lawsuit arising out of or in connection with the UK Addendum. |
| Part 2 | Mandatory Clauses | Mandatory clauses of the UK Addendum as issued by the Information Commissioner’s Office and laid before the United Kingdom Parliament in accordance with section 119A of the Data Protection Act 2018 on February 2, 2022, as revised under section 18 of those Mandatory Clauses. |
Any conflict between the terms of the Standard Contractual Clauses and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.  
6.4 In the event of any changes to the UK Addendum after signature of this Addendum, the Parties agree to cooperate in good faith and repopulate any replacement UK Addendum.  
6.5 If the SCCs are implemented, adopted or recognized as a legitimate data transfer mechanism in countries other than the EEA countries, then the Parties shall apply the SCCs Modules One and Two to the transfer of Personal Information originating from such country(-ies).
6.6 Alternative Transfer Mechanisms: If Vendor is relying on an Alternative Transfer Mechanism as a legal ground for the transfer of Personal Information under the Agreement, Vendor shall be responsible for ensuring that the Alternative Transfer Mechanism provides the same level of protection for Personal Information imposed on Vendor under this Addendum. 
6.7 New Zealand Transfers: To the extent Vendor Processes Personal Information relating to individuals in New Zealand, Vendor may transfer such Personal Information outside New Zealand only where Vendor ensures that such transfers are subject to appropriate technical, organisational and contractual safeguards that provide a level of protection for the Personal Information that is comparable to that required under NZ Privacy Laws.
7. PAYMENT CARD INFORMATION
7.1 To the extent Vendor Processes any Personal Information that qualifies as “Cardholder Data” or any other regulated payment card information pursuant to the Payment Card Industry Data Security Standards (“PCI DSS”), Vendor will comply with all applicable laws (including any Applicable Data Protection Laws) and the relevant PCI DSS standards and requirements as part of the Processing under this Addendum. This may include maintaining appropriate certifications and a PCI DSS Attestation of Compliance.
8. AUDITS, INVESTIGATIONS AND ASSISTANCE
8.1 Audits: In order to verify compliance with this Addendum or as otherwise required under the Applicable Data Protection Laws, Toast may (by itself or through an independent third party) conduct an audit of Vendor’s facilities, policies, processes and records relating to Vendor’s Processing of Personal Information under this Addendum. Such audits shall be limited to once per year unless (i) the Applicable Data Protection Laws allow for or require otherwise; (ii) such audit is carried out at the direction of a government, supervisory authority or other regulatory authority that impacts the Vendor; or (iii) Toast has actual knowledge or a reasonable suspicion that Vendor is not in compliance with its obligations under this Addendum.
8.2 Demonstrable compliance: Notwithstanding the audit right above, Vendor shall make available to Toast all information necessary to demonstrate compliance with the obligations under the Applicable Data Protection Laws and its obligations under this Addendum.
8.3 Investigations: Vendor will promptly notify Toast if Vendor becomes the subject of, or reasonably believes it may become the subject of, any claim, investigation, audit, lawsuit or enforcement proceeding arising from or relating to Vendor’s Processing of Personal Information under this Agreement. In the event a court, supervisory authority or other regulatory authority seeks to compel the disclosure of information relating to Vendor’s Processing of Personal Information under this Agreement, unless required under the applicable law to disclose such information, Vendor shall notify Toast before disclosing such information and where appropriate, seek to challenge the request for disclosure.  
8.4 Assistance: Vendor will provide reasonable assistance and cooperation (including within specific timeframes) to Toast in furtherance of Toast’s compliance with the Applicable Data Protection Laws and its obligations under this Addendum.  This includes but shall not be limited to support and cooperation associated with (i) privacy impact assessments; (ii) Individual Rights Requests and fulfillment; (iii) claims or investigations pursuant to Section 8.3 above; (iv) data transfer compliance; and (v) other circumstances necessitated by changes to the Applicable Data Protection Laws or the circumstances of the Parties. 
9. TERMINATION
9.1 Termination: In addition to any termination rights under the Agreement, Toast shall be permitted to terminate the Agreement in the event that Toast determines or has a reasonable basis to believe that Vendor is not in compliance with its obligations under this Addendum.
9.2 Retention and deletion:  Following the termination of the Agreement, Vendor will, at Toast’s option, delete or return all Personal Information being Processed as part of the Services, except where Vendor is required to retain it pursuant to the applicable law (including the Applicable Data Protection Laws). In all cases, any Personal Information retained shall only be Processed as necessary to comply with the Applicable Data Protection Laws and for no other purposes.
10. MISCELLANEOUS
10.1 Survival: Vendor’s obligations under this Addendum will survive the termination of the Agreement to the extent Vendor continues to Process Personal Information covered by the Agreement. 
10.2 Severability: If any court or competent authority decides that any term of this Addendum is held to be invalid, unlawful, or unenforceable to any extent, such term shall, to that extent only, be severed from the remaining terms, which shall continue to be valid to the fullest extent permitted by law.
10.3 Waiver: Toast’s failure to enforce any provision of this Addendum shall not constitute a waiver of that or any other provision and will not relieve the Vendor from the obligation to comply with such provision.
10.4 Assignment: Vendor is not permitted to assign, transfer, charge, sub-contract, or deal in any other manner with all or any of the rights or obligations under this Addendum without the prior express written consent of Toast.
IN WITNESS WHEREOF, this Addendum has been executed by duly authorized signatories of Vendor and Toast and becomes a binding part of the Agreement with effect from the Effective Date below. 
Vendor:
Vendor Name __________________________________
Authorized Signature ____________________________
Print Name ____________________________________
Title __________________________________________
Date __________________________________________
Toast, Inc. 
Authorized Signature _____________________________
Print Name _____________________________________
Title __________________________________________
Effective Date ___________________________________
ANNEX 1
A. LIST OF PARTIES 
1. Toast / Data Exporter
Name: Toast, Inc.
Address: 333 Summer Street, Boston, MA 02210
Contact person: Assistant General Counsel, Privacy; privacy@toasttab.com
Activities related to data transfer under the Clauses: As set forth in this Addendum and the Agreement.
Role (controller/processor): Standard Contractual Clauses Module Two: Toast is the data controller.
2. Vendor / Data Importer
Name: As set forth in the Agreement.
Address: As set forth in the Agreement.
Contact person: As set forth in the Agreement.
Activities related to data transfer under the Clauses: As set forth in this Addendum and the Agreement.
Role (controller/processor): Standard Contractual Clauses Module One: Vendor is the data processor.
B. DESCRIPTION OF TRANSFER & PROCESSING 
[VENDOR TO COMPLETE]
Module Two - Toast is the controller; Vendor is the processor 
Categories of Data Subjects 
Categories of Personal Information
Sensitive data processed 
Transfer frequency 
Nature of processing
Purpose of processing
Retention period