Data Processing Addendum
Revised October 11, 2023
This Data Processing Addendum ("DPA") is subject to and forms part of the Platform Agreement or other written or electronic terms of services or agreement for the provision of the Services (the "Agreement") between Brex and the company that has entered into the Agreement as the Brex Account holder and customer ("you"). This DPA applies to you when you use the Services and governs Brex's Processing of Personal Data.
Due to the nature of the Services provided by Brex, its regulatory obligations and the related Processing activities performed, Brex may Process Personal Data as a Processor and/or Controller in the performance of the Services. Therefore, Brex's responsibilities will depend on whether Brex is acting as a Controller or Processor under Data Protection Laws. The Brex Processing Description in Annex 1 summarizes those roles.
1. Definitions
Capitalized terms that are not defined in this DPA have the definitions provided in the Agreement:
"CCPA" means the California Consumer Privacy Act of 2018, Cal. Civ. Code Sections 1798.100-1798.199, including its regulations and the implemented amendments made by the California Privacy Rights Act of 2020.
"Controller" means the entity which, alone or jointly with others, determines the purposes and means of Processing Personal Data, which may include, as applicable, a “Business” as defined under Data Protection Laws.
"Data Protection Laws" means all applicable data privacy and data protection laws and regulations to which the Personal Data is subject. “Data Protection Laws” shall include, but not be limited to, the California Consumer Privacy Act of 2018 (“CCPA”) and the EU General Data Protection Regulation 2016/679 (“EU GDPR”).
"Data Subject" means an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or an online identifier.
"European Data Protection Laws" means: (i) the General Data Protection Regulation (Regulation 2016/679) (the "EU GDPR"); (ii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the "UK GDPR"); and (iii) the Swiss Federal Act on Data Protection (“Swiss FADP”).
“Instructions” means this DPA and any further written agreement or documentation under which you instruct us to perform specific Processing of Personal Data on your behalf as a Processor.
"Personal Data" means any information relating to an identified or identifiable natural person that is Processed in connection with the Services, and includes “personal data” and “personal information” as defined under applicable Data Protection Laws.
"Processing" (and its cognates) means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
"Processor" means the entity that Processes Personal Data on behalf of the Controller, which may include, as applicable, a “Service Provider” as defined under applicable Data Protection Laws.
"Restricted Transfer" means: (i) where the EU GDPR applies, a transfer of Personal Data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and (iii) where the Swiss FADP applies, a transfer of Personal Data from Switzerland to any other country which is not based on an adequacy decision recognized under Swiss data protection law.
"Security Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed by Brex.
"Standard Contractual Clauses" or "EU SCCs" means the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
"Sub-processor" means an entity that is Brex’s authorized vendor or third party service provider and that Brex engages to Process Personal Data in its capacity as a Processor in connection with the Services.
"UK Addendum" means the "International Data Transfer Addendum to the EU Commission Standard Contractual Clauses" issued by the UK Information Commissioner under s.119A(1) of the Data Protection Act 2018.
2. Scope of this DPA
This DPA applies only where and to the extent Brex Processes Personal Data in connection with the Services provided to you pursuant to the Agreement. Each party will separately comply with its obligations under Data Protection Laws when Processing Personal Data. Except as otherwise expressly required by Data Protection Laws, neither party shall be responsible for the other party's compliance with Data Protection Laws. If and to the extent language in this DPA conflicts with the Agreement, this DPA shall control.
3. Brex's obligations as a Controller
3.1 As a Controller, we will:
(a) comply with and perform our obligations under Data Protection Laws, including with regard to Data Subject rights, data security and confidentiality, and establishing an appropriate legal basis for the Processing of Personal Data in the performance of the Services; and
(b) publish a transparent and easily accessible public privacy notice that provides Data Subjects with all necessary information regarding our Processing of Personal Data in the performance of the Services.
4. Your obligations as a Controller
4.1 You will:
(a) only provide Instructions to Brex that are lawful;
(b) comply with Data Protection Laws in your use of the Services and the performance of any obligations you may have under the Agreement, including with regard to Data Subject rights, data security and confidentiality, and establishing an appropriate legal basis for the Processing of Personal Data;
(c) obtain any necessary consents, authorizations or permissions from Data Subjects required to lawfully share Personal Data with Brex for the purposes described in the Agreement, including this DPA; and
(d) provide Data Subjects with all necessary information (including by means of offering a transparent and easily accessible public privacy notice and ensuring that Data Subjects are aware of the Brex Privacy Policy) regarding, respectively, Brex's and your Processing of Personal Data for the purposes described in the Agreement, including this DPA.
5. Brex as your Processor
5.1 To the extent that Brex is acting as a Processor of Personal Data for you:
(a) Processing Purposes. Brex will process the Personal Data described in Annex 1 on your behalf and strictly in accordance with your Instructions (the "Permitted Purpose"). In accordance with applicable Data Protection Laws, Brex will:
(i) not "sell" or "share" Personal Data, as such terms are defined in the CCPA;
(ii) not retain, use, or disclose Personal Data for any purpose other than for the specific purposes of performing the Services and to comply with applicable law, unless otherwise permitted by the Agreement (including this DPA) or Data Protection Law;
(iii) not attempt to re-identify any anonymized, aggregate, or de-identified Personal Data without your express written permission;
(iv) not retain, use, or disclose Personal Data outside of the direct business relationship between you and Brex;
(v) inform you if Brex reasonably believes that your Instructions violate or infringe Data Protection Laws, but without an obligation to actively monitor your compliance with Data Protection Laws; and
(vi) promptly inform you if we determine that we can no longer meet our obligations under applicable Data Protection Laws.
(b) Authorized Persons. Brex will ensure that any person that it authorizes to Process the Personal Data (including Brex's personnel, agents, and Sub-processors) (an "Authorized Person") shall be subject to a duty of confidentiality (whether contractual or statutory) and shall only Process the Personal Data for the purpose of delivering the Services under the Agreement in accordance with this DPA. Brex will ensure that access to the Personal Data is limited to those Authorized Persons that need to know it for purposes of performing the Services.
(c) Security Breach Response. Upon becoming aware of a Security Breach that is notifiable to you under applicable Data Protection Laws, Brex will notify you without undue delay and in any event within seventy-two (72) hours. In connection with any such Security Breach, Brex shall provide access to information reasonably required by you to fulfil your Security Breach reporting obligations under (and in accordance with the timescales required by) Data Protection Laws and will make personnel available to answer questions or otherwise assist you in determining the impact to the Services.
(d) Authorized Sub-processors. You specifically authorize Brex to engage its Sub-processors from the Brex Sub-processors list as set out in Trust-portal.brex.com/subprocessors. Brex will notify you of any changes Brex intends to make to the Brex Sub-processors list by Brex’s standard customer notification mechanism. You acknowledge that Brex’s Sub-processors are essential to provide the Services and that if you object to Brex’s use of a Sub-processor, then notwithstanding anything to the contrary in the Agreement (including this DPA), Brex will not be obligated to provide you the Services for which Brex uses that Sub-processor, and your only relief is to terminate those applicable Services.
(e) Sub-processor Obligations. Brex will enter into a written agreement with each Sub-processor that imposes on that Sub-processor, in substance, the same obligations as those imposed on Brex under this DPA, including implementing appropriate technical and organisational security measures. Brex will remain liable to you for the acts and omissions of its Sub-processor to the same extent Brex would be liable if performing the relevant Services directly under this DPA.
(f) Cooperation with Data Subject Requests. Brex shall, taking into account the nature of the Processing, provide all reasonable and timely assistance to you to enable you to respond to: (i) any request from a Data Subject to exercise any of its rights under Data Protection Laws (including its rights of access, correction, objection, erasure, and data portability, as applicable); and (ii) any other correspondence, enquiry, or complaint received from a Data Subject, regulator, or other third party in connection with the Processing of the Personal Data. In the event that any such request, correspondence, enquiry or complaint is made directly to Brex, we shall promptly inform you, providing full details of the same, and shall not, unless required to do so in order to comply with Data Protection Laws, respond directly to the Data Subject, except to direct the Data Subject to you.
(g) Cooperation with DPIAs. Upon your request and taking into account the nature of the applicable processing, Brex shall provide you with any assistance you may reasonably require in order to enable you to conduct a data protection impact assessment in accordance with Data Protection Law including, if necessary, to assist you to consult with your relevant data protection authority.
(h) Disclosure of Agreement. Customer acknowledges that Brex may disclose this DPA and any relevant privacy provisions in the Agreement to the US Department of Commerce, the Federal Trade Commission, European data protection authorities, or any other US or EU judicial or regulatory body upon their request.
(i) Deletion. Following termination or expiration of the Agreement, Brex will, upon your written request, delete all Personal Data from Brex's systems and, if requested, certify its completion in writing within 30 days of such request. Notwithstanding the foregoing, Brex may retain Personal Data (i) where required to comply with applicable law, including Data Protection Laws; or (ii) in accordance with its standard backup and archive policies, provided that Brex shall maintain the confidentiality of such Personal Data and not further Process it except for such purposes.
(j) Audit Rights. You acknowledge that Brex is regularly audited against SSAE 18 SOC 2 standards by independent third party auditors. Upon written request and at reasonable intervals, Brex shall supply a summary copy of its most recent audit report(s) ("Audit Reports") to you, which shall be subject to the confidentiality provisions of the Agreement. To the extent that the Audit Reports do not provide sufficient information to allow you to assess Brex's compliance with this DPA or Data Protection Laws, Brex shall also respond to any written audit questions reasonably submitted by you, provided that you shall not exercise this right more than once per year. Customer acknowledges the rights granted under this section satisfy any audit rights provided under applicable Data Protection Laws.
(k) Legality of Instructions. Brex is not responsible for determining if your Instructions are compliant with applicable law, however Brex shall inform you if, in its opinion, your Instructions infringe Data Protection Law and Brex shall not be required to comply with such Instruction. Taking into account the nature of the Processing, you agree that it is unlikely that Brex would become aware that any Personal Data Processed by Brex as a Processor is inaccurate or outdated. To the extent Brex becomes aware of such inaccurate or outdated data, Brex will inform you.
6. Security
Brex will implement and maintain appropriate technical and organisational measures designed to protect the Personal Data from a Security Breach and to preserve the security, confidentiality, and integrity of Personal Data Processed by Brex under the Agreement, as further described in the Brex Security Measures in Annex 2. Brex may update such Security Measures from time to time, provided such updates do not degrade the level of protection given to the Personal Data.
7. Data transfers
7.1 Brex may transfer Personal Data on a global basis as necessary to provide the Services. Wherever Brex transfers Personal Data, Brex will ensure that such transfers are made in compliance with Data Protection Laws.
7.2 When the transfer of Personal Data from you to us is a Restricted Transfer and Data Protection Laws require that appropriate safeguards are put in place, such transfer shall be subject to the Standard Contractual Clauses, which are incorporated into and form an integral part of this DPA as follows:
(a) in relation to Personal Data that is protected by the EU GDPR, the EU SCCs will apply as follows:
(i) where Brex is a Controller, Module One will apply;
(ii) where Brex is a Processor, Module Two will apply;
(iii) in Clause 7, the optional docking clause will apply;
(iv) where Brex is a Processor, in Clause 9, Option 2 will apply and the time period for prior notice of Sub-processor changes shall be as set out in Section 5.1(d) of this DPA;
(v) in Clause 11, the optional language will not apply;
(vi) in Clause 17, Option 1 will apply and the EU SCCs will be governed by Irish law;
(vii) in Clause 18(b), disputes will be resolved before the courts of Ireland;
(viii) Annex I of the EU SCCs will be deemed completed with the information set out in Annex 1; and
(ix) Annex II of the EU SCCs will be deemed completed with the information set out in Annex 2;
(b) in relation to Personal Data that is protected by the UK GDPR, the UK Addendum will apply as follows:
(i) the EU SCCs, as completed as set out above in Section 7.2(a) of this DPA, will also apply to transfers of such Personal Data; and
(ii) Tables 1 to 3 of the UK Addendum shall be deemed completed with relevant information from the EU SCCs, completed as set out above, the option "neither party" shall be deemed checked in Table 4, and the start date of the UK Addendum shall be the date of this DPA;
(c) in relation to Personal Data that is protected by the Swiss FADP, the EU SCCs in the form described in Section 7.2(a) of the DPA will apply as adapted and supplemented as follows:
(i) any reference to “Member State” will not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland);
(ii) any references to “personal data” extend to Personal Data of legal entities if and to the extent such personal data pertaining to legal entities is within the scope of the Swiss FADP; and
(iii) to the extent the transfer of Personal Data is governed by the FADP, the Swiss Federal Data Protection and Information Commissioner will act as the competent supervisory authority; to the extent the transfer of Personal Data is governed by the GDPR, the supervisory authority determined in accordance with Clause 13 of the EU SCCs will act as the competent supervisory authority; any references to the "competent supervisory authority" will be interpreted accordingly.
8. General
8.1 If there is any conflict or ambiguity between:
(a) the provisions of this DPA and the provisions of your Agreement regarding Personal Data Processing, the provisions of this DPA will prevail; and
(b) the provisions of this DPA and any provision contained in the Standard Contractual Clauses, the provisions of the Standard Contractual Clauses will prevail.
8.2 This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Laws or the Standard Contractual Clauses.