FinQore's Data Processing Agreement
Customer and SaaSWorks Inc. - DBA FinQore (“FinQore”) hereby agree to the following Data Processing Agreement (the “DPA”) to their Customer Terms of Service (the “Agreement”), dated as of July 1, 2024 (“Effective Date”).
1. Designation of the Parties.
The parties agree that, for all data received from or on behalf of the Customer, or otherwise obtained in connection with the performance of FinQ’ obligations under this DPA or the Agreement that relates to an identified or identifiable individual, including all sensitive financial information about or belonging to individuals, including any information that can be used to identify or contact a specific individual, such as first and last name, email address, telephone number, social security number, financial account information, credit card number, or otherwise relates to or is capable of identifying a natural person (“Personal Data”), the Customer shall be the controller or business and FinQore shall be the processor or service provider, as these terms are defined under applicable privacy law. Each party shall comply with all relevant privacy laws and its relevant obligations under this DPA.
2. Use of Personal Data.
Personal Data will be accessed, used, maintained, collected, modified, merged, shared, disclosed or otherwise processed by FinQore only as is necessary for FinQore to perform its obligations under this DPA and the Agreement, or as otherwise required by the Customer in writing. When processing Personal Data on behalf of the Customer, FinQore shall ensure that any person acting on its behalf or under its authority processes the Personal Data only in accordance with the Customer’s written instructions, including as set out in the applicable Agreement and/or statement of work (“Processing Instructions”). The Customer shall not provide any Processing Instructions that may infringe any applicable law.
3. Privacy and Security Policy.
FinQore shall implement and maintain, at its cost and expense, commercially reasonable technical, organizational, and physical measures in relation to the processing of Personal Data by FinQore. FinQore shall ensure that its agents and representatives processing Personal Data on behalf of the Customer keep Personal Data confidential.
4. Agents and Subcontractors.
The Customer authorizes FinQore to engage another processor to perform specific processing activities involving Personal Data on behalf of the Customer. In doing so, FinQore shall enter into a binding written contract with the sub-processor (“Processor Contract”) which imposes substantially the same material data protection obligations contained in this DPA on the sub-processor.
5. Cooperation.
FinQore shall provide reasonable assistance, information, and cooperation to the Customer to ensure compliance with the Customer’s obligations under relevant laws with
respect to: (i) data security; (ii) data breach notification; (iii) responding to requests relating to Personal Data and/or the Customer’s data privacy or security practices from regulators or individuals; and (iv) conducting privacy impact assessments. FinQore shall reasonably cooperate with the Customer in the Customer's efforts to monitor FinQore’s compliance with this DPA.
6. Cross Border Data Transfers.
The Customer understands and acknowledges that FinQore may process Personal Data in the United States. It is the obligation of the Customer to notify FinQore if any Personal Data relates to residents of the European Union, or any other jurisdiction with specific cross-border data transfer restrictions. Where such restrictions exist, the parties shall enter into Standard Contractual Clauses, or a similar mechanism, in order to legitimize such a transfer. Where FinQore otherwise transfers Personal Data outside of its country of origin, FinQore shall ensure that such transfer (and any onward transfer): (i) is pursuant to a written contract including provisions relating to security and confidentiality of any Personal Data; (ii) is made pursuant to a legally enforceable mechanism for such cross-border data transfers of Personal Data under relevant laws; (iii) is made in compliance with this DPA; and (iv) otherwise complies with relevant privacy laws.
7. Breaches.
In the event of any access or acquisition of Personal Data by an unauthorized third party, FinQore shall notify the Customer of the data breach without undue delay. FinQore warrants that if there has been a breach of Personal Data, all responsive steps will be documented and will reasonably cooperate with the Customer in the Customer's handling of the matter, FinQore including without limitation any investigation, reporting or other obligations required by applicable law or regulation, including responding to regulatory inquiries or investigations, and will reasonably work with the Customer to otherwise respond to and mitigate any damages caused by the breach.
8. Information Management.
FinQore shall, at the Customer’s written request, either securely delete or return any Personal Data to the Customer as soon as processing by FinQore of any Personal Data is no longer required for FinQore’s performance of its obligations under the Agreement and this DPA. As soon as reasonably possible upon completion of the Services under the Agreement, FinQore shall securely delete all existing copies of Personal Data, unless storage of any data is required by applicable law, and if so, FinQore shall notify the Customer of this in writing.
9. Indemnification.
The Customer agrees that it shall reimburse, indemnify, and hold FinQore harmless for all costs incurred in responding to and/or mitigating damages relating to a third- party claim brought against FinQore regarding the Customer’s processing of Personal Data where such processing is consistent with this DPA and the Processing Instructions.