BX Data Processing Addendum


This BX Data Processing Addendum applies to all agreements that entail Data Processing.

1. Definitions


The definitions used in this BX Data Processing Addendum have the following meaning:

"Affiliate" means any entity which directly or indirectly controls, is controlled by, or is under common control with a Party. "Control" for purposes of this definition, means direct or indirect ownership of more than fifty percent (50%) of the voting interests in the entity.

“Agreement” means the agreement for a BX Subscription and (optionally) BX Add-On Subscriptions and/or Professional Services, formalized through a BX Order.

“Bottomline” means Bottomline R&D B.V.

“Bottomline Integration” means an integration (software, connected to the BX API, enabling the exchange of data between BX and Third-Party Systems), created by Bottomline, and offered by Bottomline as a BX Add-On.

“BX” means the logistics cloud platform for inventory routing optimization, including mobile apps and BX APIs, as further described in the BX Feature List.

“BX Add-On(s)” means a service or services to which the Customer can subscribe in addition to the BX Subscription.

“BX Add-On Subscription” means a subscription to a BX Add-On.

“BX API” means the standard application programming interface between BX and a Bottomline Integration or Customer Integration, enabling the exchange of data between BX and Third-Party Systems.

“BX Data” means the output data, generated in BX as a result of the use of BX.

“BX DPA” means this BX Data Processing Addendum.

“BX Documentation” means the online documentation (as updated from time to time) for BX, the BX API and BX Add-Ons, made available in BX, including the BX Knowledge Base and BX Feature List.

“BX Feature List” means the list of applications and features of BX, the BX API and BX Add-Ons, available at bottomline.eu/bx-feature-list.

“BX Knowledge Base” means Frequently Asked Questions (FAQ) and other documentation on the use of BX made available by Bottomline in BX.

“BX Order” means the document containing a Subscriptions Order and/or Professional Services Order, stating the core provisions of the Agreement.

“BX Premium Support” means access to the BX Knowledge Base and to Help Center Support at (compared to BX Standard Support) improved, predefined service levels, during and, if a Critical Feature is no longer performed, outside Working Hours, as set forth in the BX Premium Support Terms, offered by Bottomline as a BX Add-On.

“BX Premium Support Terms” means the terms and conditions applying to BX Premium Support, available at bottomline.eu/bx-premium-support-terms.

“BX Service” means the service offering BX, Help Center Support and Maintenance.

“BX Service Terms and Conditions” means the BX Service Terms and Conditions, available at bottomline.eu/bx-service-terms-and-conditions that apply to each Agreement.

“BX Standard Support” means access to the BX Knowledge Base and to Help Center Support during Working Hours.

“BX Subscription” means a subscription to the BX Service.

“Controller” means the party who determines the purposes and means of the Data Processing.

“Customer” means the legal entity entering into the Agreement with Bottomline, as stated in the BX Order.

“Customer Data” means all electronic data or information entered in or sent to BX by Users, whether manually or in an automated (using the BX API and a Bottomline Integration or Customer Integration) way.

“Customer Integration” means an integration (software, connected to the BX API, enabling the exchange of data between BX and Third-Party Systems) created by Customer.

“Customer Personal Data” means the Customer Data that qualify as Personal Data.

“Data Processing” means any Processing, performed by Bottomline on behalf of a Controller with regard to Customer Personal Data in the performance of an Agreement.

“Data Subjects” means the identified or identifiable natural person to which the Customer Personal Data relate.

“Expert User” means a User, appointed, and authorized by Customer to provide First Line Support to other Users and to receive Help Center Support from Bottomline.

“First Line Support” means setting data and parameters in BX and answering Users’ tablet-related questions, and any other questions related to the use of and settings in BX and BX Add-Ons.

“GDPR” means Regulation (EU) 2016/679.

“Help Center Support” means Bottomline’s support team answering questions regarding and resolving issues in BX, either at a standard level (BX Standard Support) or premium level (BX Premium Support).

“Maintenance” means maintenance to (any components of) BX or a BX Add-On and/or to their underlying infrastructure, including the release of Updates and/or New Versions.

“New Version” means a successive version of BX, containing features and/or functionality that significantly change(s) or improve(s) the features and/or functionality of the then-current version.

“Party/Parties” means Bottomline and/or the Customer.

“Personal Data” means the information relating to a Data Subject.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Customer Personal Data.

“Processes, Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Processor” means a natural or legal person, public authority, agency or other body which Processes personal data on behalf of the Controller.

“Professional Services” means certain professional services, related to the BX Service, e.g. consultancy, onboarding support, training, or software development.

“Professional Services Fee” means the fee for the delivery of Professional Services.

“Professional Services Order” means the part of the BX Order pertaining to Professional Services.

“Services” means the BX Service and/or offering of BX Add-Ons and/or Professional Services, as agreed between the Parties.

“Subscriptions Order” means the part of the BX Order pertaining to BX Subscriptions and/or BX Add-On Subscriptions.

“SCC’s” means the Standard Contractual Clauses, issued by the European Commission on 4 June 2021 (Processor to Controller). 

“Sub Processor” means a processor engaged by Bottomline to carry out specific processing activities in relation to the Data Processing.

"Third-Party Systems" means Customer’s or a third party’s IT systems, managed by Customer or a third party, from which Customer Data are retrieved to be processed in BX or to which BX Data are transferred from BX.

“Truck” means the leading vehicle (identified by its license plate number) of any transport combination whose trips are planned using BX.

“Update” means a limited change to BX or a BX Add-On to prevent or remedy malfunctions or vulnerabilities or to improve functionality.

“User Account” means the account created for and used by a User to access BX.

"User" means Customer’s, Affiliate’s or their business relations’ employee, representative, consultant, contractor, or agent, authorized by Customer to use BX.

“Working Days” means Mondays up to and including Fridays with the exception of official public holidays in the Netherlands.

“Working Hours” means the hours between 9 AM and 5 PM CE(S)T on Working Days.

“Writing, Written” means sent, made up or confirmed in writing or electronically.

2. Scope and purpose

2.1 Scope and (joint) controller(s)

This BX DPA applies to the Data Processing. With regard to the Data Processing, Bottomline qualifies as the Processor. The Customer enters into this BX DPA on behalf of itself as the Controller and on behalf of any other (joint) Controller(s). The Customer is liable for the performance of any obligations regarding the Data Processing that are (according to this the GDPR and/or any other applicable data protection laws) obligations of the Controller, and guarantees that it has full authority to accept liability on behalf of any other (joint) Controller.

3. Term

3.1 Term and termination

This BX DPA shall commence on the start date of the BX Subscription entailing Data Processing and shall be in force for the duration of the BX Subscription entailing the Data Processing. This BX DPA cannot be terminated early.

3.2 Amendments

Bottomline has the right to amend this BX DPA unilaterally if such amendment is, in the sole discretion of Bottomline, necessary to comply with the GDPR or any other applicable data protection laws. If such amendment is made, Bottomline will notify the Customer in Writing no later than thirty (30) calendar days before the effective date of the amendment.

4. Data Processing

4.1 Details of the Data Processing

The nature and purpose of the Data Processing, the type of Customer Personal Data, the categories of Data Subjects, the Sub Processors, and the location of storage of the Customer Personal Data are as set out in Annex 1, which may be updated from time to time and made available in BX.

4.2 Instructions

Data Processing will be carried out in accordance with the specifications in this BX DPA and Annex 1 to this BX DPA, and, where applicable (e.g. when performing Help Center Support or Professional Services), the instructions of the Customer, which will be documented by the Customer in Writing. Customer confirms that any Expert User is authorized to give instructions, on its behalf, with regard to the Data Processing to Bottomline. Customer will refrain from giving any instructions that do not comply with the GDPR or any other applicable data protection laws. Bottomline may rely on the instructions given by the Customer and will not be liable for following any non-complying instructions.

4.3 Consequence of termination

Bottomline will not store the Customer Personal Data any longer than necessary for the Data Processing. On termination of the BX Subscription, Customer Personal Data may be retrieved by Customer or deleted by Bottomline in accordance with section 13.5 of the BX Service Terms and Conditions.

5. Confidentiality and security

5.1 Confidentiality

Bottomline shall (i) protect the Customer Personal Data against unauthorized access, using at least the same degree of care that it uses to protect the confidentiality of its own Personal Data; and (ii) limit access to Customer Personal Data to those of its employees, contractors and agents who need such access for purposes consistent with the Agreement and who have signed Written confidentiality agreements.

5.2 Permitted disclosure

Bottomline may disclose Customer Personal Data if it is compelled by law to do so, provided Bottomline gives Customer prior notice of such compelled disclosure (to the extent legally permitted) and shall provide, at Customer’s cost, reasonable assistance if Customer wishes to contest the disclosure. Bottomline may also disclose Customer Personal Data if such disclosure is expressly permitted in Writing by Customer. Notwithstanding any provision to the contrary in this Agreement, Bottomline may access Customer Personal Data to provide the Services or prevent or address service or technical problems.

5.3 Security

Bottomline has taken the organizational, physical, and technical security measures for protection of the availability, confidentiality and integrity of the Customer Personal Data as set forth in the BX Documentation or notified by Bottomline to Customer on its Written request. Bottomline does not warrant that such security measures will always be effective or meet any specific requirements. By using the BX Service, Customer confirms that it has assessed these security measures and acknowledges that these security measures meet its requirements.

6. Information and audit rights

6.1 Information

Bottomline will provide the Customer on its Written request and within commercially reasonable limitations with documentation demonstrating compliance with the obligation stated in section 6.2 and other obligations under this BX DPA.

6.2 Audit

Should the information referred to in section 6.1 prove reasonably insufficient to demonstrate compliance with this BX DPA or demonstrate a breach by Bottomline of this BX DPA or violation of the GDPR or any other applicable personal data protection laws, the Customer has the right to perform, in accordance with this section 6, an audit on the Data Processing (“Audit”), subject to its compliance with section 6.3 and 6.4.

6.3 Requirements

The Audit shall:

  1. take place not more than once per twenty-four (24) calendar months and not earlier than the first anniversary of the Agreement, except where the documents referred to in section 6.2 give rise to a reasonable suspicion of a material breach by Bottomline of this BX DPA, the GDPR or any other applicable data protection laws;
  2. be performed by an independent, certified IT auditor only;
  3. be conducted with respect for Bottomline’s and its customers’ interests, minimizing the impact on Bottomline’s operations and its services to other customers and without access to other customers’ data.

6.4 Prior notification

If the Customer wishes to perform an Audit it will notify Bottomline in Writing at least forty-five (45) calendar days in advance, providing Bottomline with as many details of the Audit as possible, including the suspected breach or violation the Customer wants to investigate, the scope, method, object and duration of the Audit and the Auditor appointed.

6.5 Costs

The Customer will bear the costs of the Audit, except where the Audit indisputably shows that Bottomline has materially breached this BX DPA or violated the GDPR or any other applicable data protection laws, in which case Bottomline will compensate Customer for a reasonable part of such costs.

6.6 Results

Customer will keep the results of the Audit confidential and not share the results with any third party, except to the extent necessary to exercise its rights under this BX DPA.

7. Sub Processors

Customer agrees to the engagement of the Sub Processor(s) listed in Annex 1 to this BX DPA. Bottomline will notify the Customer in advance of any changes to the Sub Processor(s) as stated in section 3.2. If the Customer does not agree to the change, its sole remedy will be the termination of the Agreement.

8. Personal Data transfers

Bottomline will transfer the Customer Personal Data or any part thereof to a third country or to an international organization within the meaning of Article 44 of the GDPR only if necessary for the provision of the Services, on the express Written instruction or approval by Customer, or if Bottomline is required to do so by an order of competent authorities, in which case Bottomline will inform the Customer of such order (to the extent it is permitted to). If Bottomline transfers the Customer Personal Data to a third country or international organization, the Parties agree on the applicability of the SCC’s. If the SCC’s apply, this BX DPA explicitly applies in addition to the SCC’s except in case of a conflict between the provisions of this BX DPA and of the SCC’s, in which case the provision(s) of the SCC’s will prevail.

9. Assistance

9.1 Assistance by Bottomline

Bottomline agrees to provide – within commercially reasonable limitations and as Professional Services – assistance to the Customer:

(a) in responding to requests made by the Data Subjects for exercising their rights laid down in Chapter III of the GDPR;
(b) in executing a Data Protection Impact Assessment within the meaning of Article 35 of the GDPR;
(c) in answering any requests in relation to an investigation by a data protection supervisory authority.

9.2 Costs

For the work performed by Bottomline in assisting the Customer as described in section 9.1, Customer will pay to Bottomline the Professional Services Fee.

10. Personal Data Breach

10.1 Personal Data Breach notification

Bottomline shall notify the Customer without undue delay in Writing after becoming aware of a Personal Data Breach, providing the information stated in Article 32 GDPR. Personal Data Breach notifications will be made to the Expert User. If the Customer becomes aware of a Personal Data Breach it shall notify Bottomline using Help Center Support without undue delay.

10.2 Obligations following a Personal Data Breach

If the Personal Data Breach is caused by a breach of Bottomline’s security, Bottomline will, after becoming aware of the Personal Data Breach, take appropriate measures to mitigate any possible adverse effects of the Personal Data Breach to Customer and the Data Subjects and remedy the cause of the Personal Data Breach to prevent future similar Personal Data Breaches from occurring. Customer will notify the Personal Data Breach to the competent authorities and (if applicable) Data Subjects in accordance with the GDPR, provided that Bottomline reserves the right to make a notification to the Data Subjects if such measure is (in the sole opinion of Bottomline) a mitigating measure as referred to in the preceding sentence.

11. Liability

11.1 Limitations

The provisions on the Parties’ (limitation of) liability as stated in the BX Service Terms and Conditions shall apply to any damages arising under this BX DPA.

11.2 Indemnification

The Customer will indemnify Bottomline and hold Bottomline harmless for any and all damages claimed by a third party from Bottomline arising from a breach by Customer of this BX DPA or violation of the GDPR or any other applicable data protection laws.

12. Miscellaneous

12.1 No waiver

No failure or delay by either Party in exercising any right under this BX DPA shall constitute a waiver of that right.

12.2 Entire Agreement

This document “BX Data Processing Addendum” constitutes the entire agreement between the Parties in relation to the Data Processing and supersedes all previous drafts, agreements, arrangements, and understandings between them, whether written or oral, relating to the Data Processing.

12.3 Severability

If any provision of this BX DPA is held by a court of competent jurisdiction to be contrary to law, the provision shall be modified and interpreted so as best to accomplish the objectives of the original provision to the fullest extent permitted by law, and the remaining provisions of this BX DPA shall remain in effect.

12.4 Notices

Notices regarding this BX DPA will be served in accordance with the procedure for serving notices in section 15 of the BX Service Terms and Conditions.

12.5 Governing law

This BX DPA is construed in accordance with and governed by Dutch law, without regard to its conflict of law rules.

12.6 Dispute resolution

Any disputes, actions, claims, or causes of action arising out of or in connection with this BX DPA shall be subject to the exclusive jurisdiction of the competent court in ‘s-Hertogenbosch, the Netherlands.

12.7 Headings

The headings of sections and paragraphs in this BX DPA are included solely for convenience of reference and shall not control the meaning or interpretation of any of the provisions of this BX DPA.

Annex 1 BX DPA: Details of the Data Processing


The nature and purpose of the Data Processing, the type of Customer Personal Data, the categories of Data Subjects, the Sub Processors, and the location of storage of the Customer Personal Data are as set out in the following table, as updated from time to time.

Nature and purpose of the Data Processing

Storage, transfer, consultation, and other Processing operations that are part of the BX Service.

Categories of Customer Personal Data

Names, job titles, business contact details (email addresses, phone numbers) of Users, communication between Users, User Account data, information on use (e.g. time stamps) by Users and location and trip data (Users/truck drivers).

Categories of Data Subjects

Users and other Data Subjects (e.g. truck drivers that are not Users).

Sub Processors

Google Cloud EMEA Limited, Velasco, Clanwilliam Place, Dublin 2, Ireland

Location of Data Processing

EEA