BX Data Processing Addendum (‘DPA’)

1. Definitions

The definitions used in this BX Data Processing Addendum have the following meaning:

"Affiliate" means any entity which directly or indirectly controls, is controlled by, or is under common control with Customer. "Control" for purposes of this definition, means direct or indirect ownership or control of more than fifty percent (50%) of the voting interests of Customer.

“Agreement” means the agreement for the purchase of BX Subscriptions and subscriptions to BX Add-Ons, or the purchase of Professional Services.

“Bottomline” means Bottomline R&D B.V.

“BX” means the inventory routing optimization application, delivered through a logistics cloud platform and the BX API. 

“BX Add-On(s)” means a service or services to which the Customer can subscribe in addition to the BX Subscription, such as the provision of a BX Integration. 

“BX API” the standard application programming interface between BX and an Integration, enabling the exchange of data between BX and Third-Party Systems.

“BX Data” means the output data generated in BX as a result of the use of the BX Service.

“BX DPA” means this BX Data Processing Addendum.

“BX Documentation“ means the online documentation (as updated from time to time) for the BX Service and BX Add-Ons, made available in BX.

BX Integration” means an Integration created by Bottomline.

“BX Premium Support” means Expert Users have access to Help Center Support as set out in the BX Premium Support Agreement (including Help Center Support at improved, predefined service levels and access to Help Center Support outside Working Hours if a Critical Service is no longer performed).

“BX Premium Support Agreement” means the agreement entitling the Customer to BX Premium Support. 

“BX Service” means the service offering BX and the BX API.

“BX Service Terms and Conditions” means the BX Service Terms and Conditions, available at [X], that apply to each Agreement.

“BX Standard Support” means Expert Users have access to Help Center Support during Working Hours and to the BX Knowledge Base.

“BX Subscription” means a subscription to the BX Service.

“Controller” means the party who determines the purposes and means of the Data Processing.

“Customer Data” means all electronic data or information entered in BX by Users, whether manually or in an automated way, using the BX API and an Integration.  

“Customer Personal Data” means the Customer Data that qualify as Personal Data.

“Data Processing” means any Processing, performed by Bottomline with regard to Customer Personal Data on behalf of a Controller in the performance of an Agreement. 

“Data Subjects” means the identified or identifiable natural person to which the Customer Personal Data relate.

“Expert User” means a User, appointed and authorized by Customer to provide First Line Support to other Users and to receive Help Center Support from Bottomline.

“First Line Support” means setting data and parameters in BX and answering Users’ tablet-related questions, and any other questions related to the use of and settings in BX and BX Add-Ons.

“GDPR” means Regulation (EU) 2016/679.

“Help Center Support” means Bottomline’s support team handling notifications of Incidents, answering questions and requests regarding and resolving issues in BX, either at a standard level (BX Standard Support) or premium level (BX Premium Support), excluding First Line Support. 

“Incident” means an interruption to the BX Service due to a malfunction in BX.

“Integration” means software, connected to the BX API, enabling the exchange of data between BX and Third-Party Systems.

“Knowledge Base” means Frequently Asked Questions (FAQ) and other information on the use of the BX Service made available by Bottomline in BX.

“Party/Parties” means Bottomline and/or the Customer.

“Personal Data” means the information relating to a Data Subject.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Customer Personal Data. 

“Processes, Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. 

”Processor” means a natural or legal person, public authority, agency or other body which Processes personal data on behalf of the Controller.

“Professional Services” means certain professional services, e.g. consultancy, onboarding support, training, or software development.

“Professional Services Fee” means the fee for the delivery of Professional Services.

“SCC’s” means the Standard Contractual Clauses, issued by the European Commission on 4 June 2021 (Processor to Controller).

“Sub Processor” means a processor engaged by Bottomline to carry out specific processing activities in relation to the Data Processing. 
"Third-Party Systems" means Customer’s or a third party’s IT systems, managed by Customer or a third party , from which Customer Data are retrieved to be processed in BX or to which BX Data are transferred from BX.
“Truck” means the vehicle combination which trips are planned using the BX Service.

“User Account” means the account created for and used by User to get access to the BX Service.

"User" means Customer’s, Affiliate’s or their business relations’ employee, representative, consultant, contractor or agent who is authorized by Customer to use the BX Service. 

“Working Days” means Mondays up to and including Fridays with the exception of official public holidays in the Netherlands. 

“Working Hours” means the hours between 9 AM and 5 PM CE(S)T on Working Days.

“Writing, Written” means sent, made up or confirmed in writing or electronically.

2. Scope and purpose

2.1 Scope and (joint) controller(s)

This BX DPA applies to the Data Processing. With regard to the Data Processing, Bottomline qualifies as the Processor. The Customer enters into this BX DPA on behalf of itself as the Controller and on behalf of any other (joint) Controller(s) . The Customer is liable for the performance of any obligations regarding the Data Processing that are (according to this the GDPR and/or any or any other applicable data protection laws), obligations of the Controller and guarantees that it has full authority to accept liability on behalf of any other (joint) Controller.

3. Term

3.1 Term and termination

This BX DPA shall commence on the start date of the BX Subscription entailing Data Processing and shall be in force for the duration of the BX Subscription entailing the Data Processing. This BX DPA cannot be terminated early.

3.2 Amendments

Bottomline has the right to amend this BX DPA unilaterally if such amendment is, to the sole discretion of Bottomline, necessary to comply with the GDPR or any other applicable data protection laws. If such amendment is made, Bottomline will notify the Customer in Writing no later than thirty (30) calendar days before the effective date of the amendment.

4. Data Processing

4.1 Details of the Data Processing

The nature and purpose of the Data Processing, the type of Customer Personal Data, the categories of Data Subjects, the Sub Processors and the location of storage of the Customer Personal Data are as set out in Annex 1, which may be updated from time to time and made available in BX.

4.2 4.2 Instructions

The Data Processing will be carried out in accordance with the specifications in this BX DPA and Annex 1 to this BX DPA, the BX Privacy Statement and, where applicable (e.g. when performing Help Center Support or Professional Services) the instructions of the Customer, which will be documented by the Customer in Writing. Customer confirms that any Expert User is authorized to give instructions with regard to the Data Processing to Bottomline on its behalf. Customer will refrain from giving any instructions that do not comply with the GDPR or any other applicable data protection laws. Bottomline may rely on the instructions, given by the Customer and will not be liable for following any non-complying instructions.

4.3 Consequence of termination

Bottomline will not store the Customer Personal Data any longer than necessary for the Data Processing. On termination of the BX Subscription, Customer Personal Data may be retrieved by Customer or are deleted in accordance with section 13.5 of the BX Service Terms and Conditions.  

5. Confidentiality and security

5.1 Confidentiality

Bottomline shall (i) protect the Customer Personal Data against unauthorized access, using at least the same degree of care that it uses to protect the confidentiality of its own Personal Data; and (ii) limit access to Customer Personal Data to those of its employees, contractors and agents who need such access for purposes consistent with the Agreement and who have signed Written confidentiality agreements.

5.2 Permitted disclosure

Bottomline may disclose Customer Personal Data if it is compelled by law to do so, provided Bottomline gives Customer prior notice of such compelled disclosure (to the extent legally permitted) and shall provide, at Customer’s cost, reasonable assistance if Customer wishes to contest the disclosure. Bottomline may also disclose Customer Personal Data if such disclosure is expressly permitted in Writing by Customer. Notwithstanding any provision to the contrary in this Agreement, Bottomline may access Customer Personal Data to provide the BX Service or prevent or address service or technical problems.

5.3 Security

Bottomline has taken the organizational, physical, and technical security measures for protection of the availability, confidentiality and integrity of the Customer Personal Data as set forth in the BX Documentation or notified by Bottomline to Customer on its Written request. Bottomline does not warrant that such security measures will always be effective or meet any specific requirements. By using the BX Service, Customer confirms that it has assessed these security measures and acknowledges that these security measures meet its requirements. 

6. Information and audit rights

6.1 Information

Bottomline will provide the Customer on its Written request and within commercially reasonable limitations with documentation demonstrating compliance with the obligation stated in section 6.2 and other obligations under this BX DPA.

6.2 Audit

Should the information referred to in section 6.1 prove reasonably insufficient to demonstrate compliance with this BX DPA or demonstrate a breach by Bottomline of this BX DPA or violation of the GDPR or any other applicable personal data protection laws, the Customer has the right to perform, in accordance with this section 6, an audit on the Data Processing (“Audit”), subject to its compliance with section 6.3 and 6.4.

6.3 Requirements

The Audit shall:6.3 Requirements

The Audit shall:

1. take place not more than once per twenty-four (24) calendar months and not earlier than the first anniversary of the Agreement, except 
   where the documents referred to in section 6.2 give rise to reasonably suspect a material breach by Bottomline of this BX DPA, the GDPR or 
   any other applicable data protection laws;
2. be performed by an independent, certified IT auditor only;
3. be conducted with respect for Bottomline’s and its customers’ interests, minimizing the impact on Bottomline’s operations and its services
   to other customers and without access to other customers’ data.

6.4 Prior notification

If the Customer wishes to perform an Audit it will notify Bottomline in Writing at least 45 calendar days in advance, providing Bottomline with as many details of the Audit as possible, including the suspected breach or violation the Customer wants to investigate, the scope, method, object and duration of the Audit and the Auditor appointed.

6.5 Costs

The Customer will bear the costs of the Audit, except where the Audit indisputably shows that Bottomline has materially breached this BX DPA or violated the GDPR or any other applicable data protection laws, in which case Bottomline will compensate Customer for a reasonable part of such costs. 

6.6 Results

Customer will keep the results of the Audit confidential and not share the results with any third party, except to the extent necessary to exercise its rights under this BX DPA. 

7. Sub Processors

Customer agrees to the engagement of the Sub Processor(s) listed in Annex 1 to this BX DPA. Bottomline will notify the Customer in advance of any changes to the Sub Processor(s) as stated in section 3.2.. If the Customer does not agree to the change its sole remedy will be the termination of the Agreement.

8. Personal Data transfers

Bottomline will transfer the Customer Personal Data or any part thereof to a third country or to an international organization within the meaning of Article 44 of the GDPR only on the express Written instruction or approval by Customer, or if Bottomline is required to do so by an order of competent authorities, in which case Bottomline will inform the Customer of such order (to the extent it is permitted to). If the Customer instructs Bottomline to transfer the Customer Personal Data to such third country or international organization the Parties agree on the applicability of the SCC’s. If the SCC’s apply, this BX DPA explicitly applies in addition to the SCC’s except in case of a conflict between the provisions of this BX DPA and of the SCC’s, in which case the provision(s) of the SCC’s will prevail.

9. Assistance

9.1 Assistance by Bottomline

Bottomline agrees to provide – within commercially reasonable limitations and as Professional Services - assistance to the Customer:

(a)     in responding to requests made by the Data Subjects for exercising their rights laid down in Chapter III of the GDPR;
(b)     in executing a Data Protection Impact Assessment within the meaning of Article 35 of the GDPR;
(c)     in answering any requests in relation to an investigation by a data protection supervisory authority.

9.2 Costs

For the work performed by Bottomline in assisting the Customer as described in section 9.1 Customer will pay to Bottomline the Professional Services Fee.

10. Personal Data Breach

10.1 Personal Data Breach notification

Bottomline shall notify the Customer without undue delay in Writing after becoming aware of a Personal Data Breach, providing the information stated in Article 32 GDPR. Personal Data Breach notifications will be made to the Expert User. If the Customer becomes aware of a Personal Data Breach it shall notify Bottomline using Help Center Support without undue delay. 

10.2 Obligations following a Personal Data Breach

If the Personal Data Breach is caused by a breach of Bottomline’s security, Bottomline will, after becoming aware of the Personal Data Breach, take appropriate measures to mitigate any possible adverse effects of the Personal Data Breach to Customer and the Data Subjects and remedy the cause of the Personal Data Breach to prevent future similar Personal Data Breaches from occurring. Customer will notify the Personal Data Breach to the competent authorities and (if applicable) Data Subjects in accordance with the GDPR, provided that Bottomline reserves the right to make a notification to the Data Subjects if such measure is (in the sole opinion of Bottomline) a mitigating measure as referred to in the preceding sentence. 

11. Liability

11.1 Limitations

The provisions on the Parties’ (limitation of) liability as stated in the BX Service Terms and Conditions shall apply to any damages arising under this BX DPA.

11.2 Indemnification

The Customer will indemnify Bottomline and hold Bottomline harmless for any and all damages claimed by a third party from Bottomline arising from a breach by Customer of this BX DPA or violation of the GDPR or any other applicable data protection laws.

12. Miscellaneous

12.1 No waiver

No failure or delay by either Party in exercising any right under this BX DPA shall constitute a waiver of that right.

12.2 Entire Agreement

This document “BX Data Processing Addendum” constitutes the entire agreement between the Parties in relation to the Data Processing and supersedes all previous drafts, agreements, arrangements, and understandings between them, whether written or oral, relating to the Data Processing.

12.3 Severability

If any provision of this BX DPA is held by a court of competent jurisdiction to be contrary to law, the provision shall be modified and interpreted so as best to accomplish the objectives of the original provision to the fullest extent permitted by law, and the remaining provisions of this BX DPA shall remain in effect.

12.4 Notices

Notices regarding this BX DPA will be served in accordance with the procedure for serving notices in section 15 of the BX Service Terms and Conditions.

12.5 Governing law

This BX DPA is construed in accordance with and governed by Dutch law, without regard to its conflict of law rules.

12.6 Dispute resolution

The Customer will indemnify Bottomline and hold Bottomline harmless for any and all damages claimed by a third party from Bottomline arising from a breach by Customer of this BX DPA or violation of the GDPR or any other applicable data protection laws.

12.7 Headings

The headings of sections and paragraphs in this BX DPA are included solely for convenience of reference and shall not control the meaning or interpretation of any of the provisions of this BX DPA.

Annex 1   BX DPA: Details of the Data Processing

The nature and purpose of the Data Processing, the type of Customer Personal Data, the categories of Data Subjects, the Sub Processors and the location of storage of the Customer Personal Data are as set out in the following table, as updated from time to time.