- Consumers
- Customers & Developers
- Customer Terms
- Support Policy
- Service Levels
- Data Protection Addendum
- 1. Definitions
- 2. Processing of Personal Data
- 3. Use of Subprocessors
- 4. Security
- 5. Data Subject Rights
- 6. Impact Assessments and Consultations
- 7. Data Return or Deletion
- 8. Audits
- 9. Prohibited Countries, Cross-Border Transfers, and Region-Specific Terms
- 10. Order of Precedence
- 11. Governing Law
- 12. Purchases through Resellers
- Schedule 1 - Details of Processing of Customer Personal Data
- 1. Nature and Purpose of Processing
- 2. Processing Activities
- 3. Duration of Processing
- 4. Categories of Data Subjects
- 5. Categories of Personal Data
- 6. Sensitive Data or Special Categories of Data
- Schedule 2 - Cross Border Transfer Mechanisms
- Schedule 3 - Region-specific Terms
- Subprocessors
- Messaging Policy
- Legal Changelog
- Security
- Suppliers
- Third-Party Logo Disclaimer
Data Protection Addendum
Last Updated: August 9, 2023
This Data Protection Addendum (“DPA”) is part of the Agreement between Argyle and Customer covering Customer’s use of the Services (defined below). If there is a conflict between this DPA and Argyle’s Customer Terms, this DPA controls. Capitalized terms are defined in context, in Section 1 (Definitions), or in the Customer Terms.
1. Definitions
1.1 “Agreement” means the Agreement between Customer and Argyle incorporating this Addendum.
1.2 “Audit” and “Audit Parameters” are defined in Section 8.2.c.
1.3 “Audit Report” is defined in Section 8.2.a below.
1.4 “Applicable Data Protection Law” means all laws and regulations applicable to a party’s Processing of Personal Data under the Agreement including, to the extent applicable under the circumstances, (a) the Gramm-Leach Bliley Act and any binding regulations promulgated thereunder, including the “Privacy of Consumer Financial Information” Regulation (12 CFR Part 30) issued pursuant to Section 504, (b) the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and any binding regulations promulgated thereunder ("CCPA"), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, and other similar U.S. state laws, (c) the General Data Protection Regulation (Regulation (EU) 2016/679) ("EU GDPR" or "GDPR"), (d) the Swiss Federal Act on Data Protection ("FADP"), (e) the EU GDPR as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR") and (f) the UK Data Protection Act 2018; in each case, as updated, amended or replaced from time to time.
1.5 “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of Processing of Personal Data.
1.6 “Customer Account Data” means Personal Data that relates to or results from Customer’s use of the Services, including the names or contact information of End Users or otherwise of individuals authorized by Customer to access Customer’s account. Customer Account Data also includes any Personal Data Argyle may need to collect for the purpose of identity verification for the purpose of enabling End User access to the Platform. Customer Account Data is Customer Data (as defined in the Customer Terms).
1.7 “Customer Instructions” means: (a) Processing to provide the Services and otherwise exercise Argyle’s rights and perform Argyle’s obligations under the Agreement (including this DPA), which includes investigating security incidents and preventing spam, fraudulent activity, and detecting and preventing network exploits or abuse; and (b) as otherwise agreed in writing by the parties.
1.8 “Customer Personal Data” means Personal Data in Customer Data, including Customer Account Data, and Personal Data relating to Consumers uploaded by End Users to the Services.
1.9 “Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.10 “Personal Data” means any information relating to an identified or identifiable Data Subject.
1.11 “Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller, including a "service provider" as defined in the CCPA.
1.12 “Process(ing)” (and “Process(ed)”) means any operation or set of operations performed on data or on sets of data, including Personal Data and sets of Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
1.13 “Restricted Transfer” means: (a) where EU GDPR applies, a transfer of Customer Personal Data from the EEA to a country outside the EEA that is not subject to an adequacy determination, (b) where UK GDPR applies, a transfer of Customer Personal Data from the United Kingdom to any other country that is not subject to an adequacy determination or (c) where FADP applies, a transfer of Customer Personal Data from Switzerland to any other country that is not subject to an adequacy determination.
1.14 “Security Incident” means, as to a party and a set of data (e.g., Consumer Data, Customer Data), a breach of that party’s security that leads to a confirmed or reasonably suspected accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to that data.
1.15 “Sensitive Data” means (a) social security number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) credit or debit card number (other than the truncated (last four digits) of a credit or debit card), financial information, banking account numbers or passwords; (c) employment, financial, genetic, biometric or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, or information about sexual life or sexual orientation; (e) account passwords, mother’s maiden name, or date of birth; (f) criminal history; or (g) any other information or combinations of information that falls within the definition of “special categories of data” under GDPR (as defined below) or any other applicable law or regulation relating to privacy and data protection.
1.16 “Services” means the products and services provided by Argyle or its Affiliates, as applicable, that are (a) used by Customer, including, without limitation, products and services that are on a trial basis or otherwise free of charge or (b) ordered by Customer under a Service Order or Statement of Work.
1.17 “Subprocessor” means any third party authorized by a party to Process any Personal Data on its behalf when that party is acting as a Controller or Processor under the Agreement.
2. Processing of Personal Data
2.1 Consumer Data.
a. The parties acknowledge and agree:
(i) Argyle, acting as the applicable Consumer’s data transfer agent under the Argyle Terms (and not as Customer’s Processor, Subprocessor, contractor, or otherwise as Customer’s or any other party’s agent), may regularly deliver and transfer Consumer Data (as defined in the Customer Terms) to Customer via the Services (“Transferred Consumer Data”) for the Agreed Purpose (as defined in the Customer Terms); and
(ii) Customer will only Process Transferred Consumer Data for the Agreed Purpose.
b. Each party in relation to Transferred Consumer Data:
(i) is a Controller in connection with its Processing of Transferred Consumer Data, will process that Transferred Consumer Data as a separate and independent Controller, and will comply with all the obligations imposed on a controller under Applicable Data Protection Law with respect to such activities.
(ii) is individually and separately responsible for complying with the obligations that apply to it under Applicable Data Protection Law in relation to its Processing (including, as to Argyle, the transfer and other Processing of Transferred Consumer Data as contemplated in the Argyle Terms, and, as to Customer, the receipt and other Processing of Transferred Consumer Data for the Agreed Purpose).
For clarity, the parties Process Transferred Consumer Data as Controllers-in-common, and not jointly as joint Controllers.
c. Without limiting the generality of Section 2.1.b: (i) Argyle will ensure that it has all necessary notices and consents in place to (1) enable lawful transfer of the Consumer Data to Customer and (2) otherwise lawfully Process Consumer Data as contemplated in the Argyle Terms; and (ii) Customer will ensure that it has all necessary notices and consents in place to (1) enable lawful receipt of the Transferred Consumer Data from Argyle and (2) otherwise lawfully Process Transferred Consumer Data for the Agreed Purpose.
2.2 Customer Personal Data.
a. Customer appoints Argyle as Processor to Process Customer Personal Data only (i) in accordance with Customer Instructions or (ii) to comply with Argyle’s obligations under applicable Laws, subject to any notice requirements under Applicable Data Protection Law. a Argyle does not: (a) sell or share (as defined in the CCPA) Customer Personal Data; (b) Process Personal Data outside the direct business relationship between the parties or for any purpose other than to provide the Services in accordance with the Agreement, unless required or permitted by applicable laws; or (c) combine Customer Personal Data with personal data that Argyle collects or receives from another person, other than to provide the Services in accordance with the Agreement or if required by applicable laws.
b. Details regarding the Processing of Customer Personal Data by Argyle are set forth in Schedule 1 (Subject Matter and Details of Processing).
c. Argyle will inform Customer if it becomes aware, or reasonably believes, that the Customer Instructions violate any applicable law or regulation, including Applicable Data Protection Law, but Argyle has no obligation to actively monitor Customer’s compliance with Applicable Data Protection Law.
d. The parties acknowledge and agree that the disclosure of Customer Personal Data by the Customer to Argyle does not form part of any monetary or other valuable consideration exchanged between the parties.
e. Customer has the right, upon notice, to take reasonable and appropriate steps to stop and remediate Argyle’s unauthorized use of Customer Personal Data.
2.3 Compliance with Laws.
a. Each party will comply with Applicable Data Protection Law in their respective Processing of Consumer Data and, as to Argyle, Customer Personal Data.
b. Customer will ensure that the Customer Instructions comply with Applicable Data Protection Law and that Argyle’s Processing of Customer Personal Data, when done in accordance with the Customer Instructions, will not cause Argyle to violate any applicable Law, including Applicable Data Protection Law.
3. Use of Subprocessors
3.1 By Argyle.
a. Customer generally authorizes Argyle to engage Subprocessors to Process Consumer Data and Customer Data (including Customer Personal Data). Customer further agrees that Argyle may engage its Affiliates as Subprocessors.
b. Argyle will: (i) enter into a written agreement with each Subprocessor imposing data Processing and protection obligations substantially the same as those set out in this DPA and (ii) remain liable to Customer for compliance with obligations of this Addendum for any acts or omissions of its Subprocessors that cause Argyle to (1) breach any of its obligations under this Addendum or (2) otherwise violate Applicable Data Protection Law.
c. Argyle maintains an up-to-date list of its Subprocessors, including their functions and locations here (“Subprocessor List”). Argyle may update the Subprocessor List from time to time. At least 30 days before any new Subprocessor Processes any Transferred Consumer Data or Customer Data, Argyle will add that Subprocessor to the Subprocessor List. Customer may subscribe to receive notification of updates to the Subprocessor List via the CMNS (as defined in the Support Policy).
d. If, within 30 days after notice of a new Subprocessor as contemplated in Section 3.1.c, Customer notifies Argyle in writing that Customer objects to Argyle's appointment of such new Subprocessor based on reasonable data protection concerns, the parties will discuss those concerns in good faith. If Customer and Argyle cannot reach a resolution within thirty (30) days from the date of Argyle’s receipt of Customer’s written objection, Customer may, as its sole and exclusive remedy, terminate the Service Order for the affected Services for convenience, and Argyle will refund any prepaid, unused fees for the terminated portion of the Order Term. If Customer does not raise an objection as set forth in this Section 3.1.d, Customer will have been deemed to authorize the new Subprocessor.
3.2 By Customer
a. The parties acknowledge and agree that Customer may use Subprocessors to Process Consumer Data (e.g., Third-Party Platforms as contemplated in Section 1.4.b of the Customer Terms) and otherwise engage in onward transfer of Consumer Data to third parties that may not be Customer’s Subprocessors (“Onward Transferees”), in each case only in accordance with Customer’s Product/Service Terms and Applicable Data Protection Law.
b. Customer will: (i) enter into a written Agreement with each Subprocessor imposing data Processing and protection obligations substantially the same as those set out in this Addendum; and (ii) remain liable to Argyle for compliance with the obligations of this Addendum for any acts and omissions of its Subprocessors and Onward Transferees that cause Customer to breach any of its obligations under the Agreement or otherwise violate Applicable Data Protection Law.
4. Security
4.1 Security Measures.
a. Each party will implement and maintain reasonable and appropriate technical and organizational measures, procedures and practices, as appropriate to the nature of Personal Data Processed by that party under the Agreement and, as to Argyle, Customer Data, that are designed to protect the security, confidentiality, integrity and availability of Consumer Data and, as to Argyle, Customer Data, and protect against Security Incidents (“Security Measures”). Each party will regularly monitor its compliance with its Security Measures.
b. Customer is responsible for reviewing the information made available by Argyle relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Applicable Data Protection Laws.
4.2 Security Incident Obligations.
a. Argyle will provide notification of a Security Incident affecting Transferred Consumer Data or Customer Data in the following manner:
(i) Argyle will, to the extent permitted by Applicable Data Protection Law, notify Customer without undue delay, but in no event later than seventy-two (72) hours, after Argyle’s discovery of a Security Incident impacting Customer Data or Transferred Consumer Data. As to Security Incidents impacting Consumer Data that is not Transferred Consumer Data, Argyle will, to the extent permitted by Law, provide Customer with the same notification as it generally provides its other customers.
(ii) Argyle will make reasonable efforts to identify the cause of the Security Incident, mitigate the effects and remediate the cause to the extent within Argyle’s reasonable control.
(iii) On Customer’s request and taking into account the nature of the applicable Processing, Argyle will assist Customer by providing, when available, information reasonably necessary for Customer to meet its Security Incident notification obligations under Data Protection Laws.
(iv) Customer acknowledges that Argyle’s notification of a Security Incident is not an acknowledgment by Argyle of its fault or liability.
b. Each party is solely responsible for complying with Security Incident notification laws applicable to that party and fulfilling any obligations to give notices to government authorities, affected individuals or others relating to any Security Incidents when that party is Processing Personal Data as a Controller. Without limiting the generality of the foregoing, as to Security Incidents affecting Transferred Consumer Data, Argyle will, to the extent permitted by Applicable Data Protection Law and as is reasonably practicable, communicate and coordinate with Customer in good faith towards minimizing potential adverse impacts on Customer and its clients and customers as may result from Argyle’s compliance with Security Incident notification laws and otherwise fulfilling obligations with respect to government authorities, affected individuals, or others.
c. Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Customer Data or Consumer Data, including unsuccessful login attempts, pings, port scans, denial of service attacks or other network attacks on firewalls or networked systems.
5. Data Subject Rights
5.1 On Customer's request and taking into account the nature of the applicable Processing, Argyle will assist Customer by appropriate technical and organizational measures, insofar as possible, in complying with Customer's obligations under Data Protection Laws to respond to requests from individuals to exercise their rights under Data Protection Laws, provided that Customer cannot reasonably fulfill such requests independently (including through use of the Services).
5.2 If a party receives a request from a Data Subject in relation to the Data Subject’s Personal Data, that party will use reasonable efforts to determine whether that request is in connection with its Processing as a Controller, or the other party’s Processing as a Controller. If that receiving party determines the request is in connection with the other party’s Processing as a Controller, that receiving party will promptly notify the other party and advise the Data Subject to submit the request to the other party (but not otherwise communicate with the Data Subject regarding the request except as may be required by Data Protection Laws, or to the extent the request also relates to that party’s processing as a Controller), and the other party will be responsible for responding to any such request.
6. Impact Assessments and Consultations
Argyle will provide reasonable cooperation to Customer in connection with any data protection impact assessment (at Customer’s expense if such reasonable cooperation will require Argyle to assign significant resources to that effort) or consultations with regulatory authorities that may be required in accordance with Applicable Data Protection Law.
7. Data Return or Deletion
7.1 During the Order Term, Customer may, through the applicable features of the Services, access, return to itself or delete Customer Personal Data.
7.1 After termination or expiration of the Agreement, Argyle will, in accordance with its obligations under the Agreement, delete Customer Personal Data from Argyle’s systems. Deletion will be in accordance with industry-standard secure deletion practices, and Argyle will issue a certificate of deletion on Customer’s request.
7.3 Notwithstanding the foregoing, Argyle may retain Customer Personal Data: (i) as required by Applicable Data Protection Law or (ii) in accordance with its standard backup or record retention policies, provided that, in either case, Argyle will (x) maintain the confidentiality of, and otherwise comply with the applicable provisions of this DPA with respect to, retained Customer Personal Data and (y) not further Process retained Customer Personal Data except for such purpose(s) and duration specified in those Applicable Data Protection Laws.
8. Audits
8.1 Records Generally. Each party will keep records of its Processing in compliance with Applicable Data Protection Law and, on the other party’s request, make available to that other party any records reasonably necessary to demonstrate compliance with that party’s obligations hereunder.
8.2 Audit Program.
a. Argyle uses external auditors to verify the adequacy of its Security Measures with respect to its Processing of Consumer Data and Customer Data. Those audits are performed at least once annually at Argyle’s expense by independent third-party security professionals at Argyle’s selection and result in the generation of confidential audit report(s) (each an “Audit Report”).
b. On Customer’s written request at reasonable intervals, and subject to reasonable confidentiality controls, Argyle will make available to Customer summary copies of its most recent Audit Report(s). Customer may share a copy of those Audit Reports with relevant government authorities as required upon their request, provided that Customer will use reasonable efforts seek confidential treatment of those reports by those government authorities. Customer agrees that any audit rights granted by Applicable Data Protection Law will be satisfied by these Audit Reports and the procedures of Section 8.2.c (below).
c. To the extent that Argyle’s provision of an Audit Report or other information does not provide sufficient information to enable (i) Customer to verify Argyle’s compliance with this DPA, (ii) Customer’s compliance with Applicable Data Protection Law, or (iii) Customer to respond to governmental authority audit or information request to which Customer is subject to under applicable Law, Customer may, at Customer’s expense, conduct an audit of reasonable scope and duration pursuant to a mutually agreed on audit plan (each an “Audit”) with Argyle that is consistent with the Audit Parameters. Each Audit must conform with the following parameters (“Audit Parameters”): (i) is conducted by an independent third party that enters into a confidentiality agreement with Argyle, (ii) is limited in scope to matters reasonably required for Customer to assess Argyle’s compliance with this DPA and the parties’ compliance with Applicable Data Protection Laws, (iii) occur at a mutually agreed date and time and only during Argyle’s regular business hours, (iv) occur no more than once annually (unless required under Applicable Data Protection Laws or in connection with a Security Incident), (v) cover only facilities controlled by Argyle, (vi) restricts findings to Transferred Consumer Data and Customer Data only and (vii) treat any results as confidential information to the fullest extent permitted by Applicable Data Protection Law.
9. Prohibited Countries, Cross-Border Transfers, and Region-Specific Terms
9.1 Prohibited Countries. Each party shall ensure that it does not (and it’s Subprocessors do not) Process Consumer Data or the other party’s Confidential Information (including, as to Argyle, Customer Data) from Prohibited Countries. “Prohibited Countries” means: a) any country with a “know your country” score less than 50 according to knowyourcountry.com/ratings-table; b) any country in which doing business would violate U.S. sanctions, such as Office of Foreign Assets Control (OFAC) sanctions; or c) Russia, Pakistan, North Korea, China, or Iran. For clarity, this Section 9.1 is in addition to, and not in lieu of, any additional geographical restrictions as may be set forth in the applicable Service Order or, as to Reseller Order, otherwise agreed to by Argyle.
9.2 Cross-Border Data Transfers.
a. Subject to Section 9.1. Argyle (and its Affiliates) may Process and transfer Consumer Data and Customer Data globally as necessary to provide the Services.
b. If Argyle engages in a Restricted Transfer, it will comply with Schedule 2 (Cross-Border Transfer Mechanisms).
9.3 Region Specific Terms. To the extent that Argyle Processes Consumer Data or Customer Personal Data protected by Data Protection Laws in one of the regions listed in Schedule 3 (Region-Specific Terms), then the terms specified therein with respect to the applicable jurisdiction(s) will apply in addition to the terms of this DPA.
10. Order of Precedence
In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) any Standard Contractual Clauses or other measures to which the parties have agreed in Schedule 2 (Cross-Border Transfer Mechanisms) or Schedule 3 (Region-Specific Terms), (2) this DPA and (3) the Agreement. To the fullest extent permitted by Data Protection Laws, any claims brought in connection with this DPA (including its Schedules) will be subject to the terms and conditions, including, but not limited to, the exclusions and limitations, set forth in the Agreement.
11. Governing Law
This DPA is governed by the governing law of the Agreement unless otherwise required by Data Protection Laws.
12. Purchases through Resellers
Where Customer receives the Services through a Reseller, Argyle will not be deemed in breach of its obligations under this DPA related to notification and communication to the extent Argyle’s failure to comply with those obligations results from Argyle’s lack of appropriate contact information for Customer and Argyle made a good-faith effort to obtain that information from the Reseller.
Schedule 1 - Details of Processing of Customer Personal Data
1. Nature and Purpose of Processing
Argyle will process Customer Personal Data as necessary to provide the Services under the Agreement. Argyle does not sell Customer Personal Data and does not share Customer Personal Data with third parties for compensation or for those third parties’ own business interests.
2. Processing Activities
Customer Personal Data will be subject to the following basic processing activities: the provision of the Services, including (a) the Platform, which provides payroll connectivity and data portability services to Consumers, and enables Customer to take delivery of that data, as contemplated in the Agreement, (b) Support, and (c) Professional Services.
3. Duration of Processing
Argyle will process Customer Personal Data as long as required (a) to provide the Services to Customer; (b) for Argyle’s legitimate business needs; or (c) by applicable law or regulation.
4. Categories of Data Subjects
Customer Personal Data may include Personal Data from the following categories of Data Subjects: (a) End Users; (b) Consumers; and (c) other individuals whose Personal Data Customer's End Users upload into the Services.
5. Categories of Personal Data
Argyle Processes Personal Data contained in Customer Personal Data.
6. Sensitive Data or Special Categories of Data
Sensitive Data may, from time to time, be processed via the Services where Customer or its End Users choose to include Sensitive Data within the communications that are transmitted using the Services. Customer is responsible for ensuring that suitable safeguards are in place prior to transmitting or processing, or prior to permitting Customer’s End Users to transmit or otherwise Process, such Sensitive Data via the Services.
Schedule 2 - Cross Border Transfer Mechanisms
N/A
Schedule 3 - Region-specific Terms
N/A