Data Processing Addendum
Last revised: July 22, 2021
This Data Processing Addendum (“Addendum”) forms part of the Master Services Agreement (the “Agreement”) between the Merchant listed on the Order Form (“Merchant”) and Bolt Financial, Inc. (“Bolt”).
- Subject Matter. This Addendum reflects the parties’ commitment to abide by Data Protection Laws concerning the Processing of Merchant Personal Data in connection with Bolt’s execution of the Agreement. This Addendum will become legally binding upon the effective date of the Agreement or upon the date that the parties sign this Addendum if it is completed after the effective date of the Agreement. If and to the extent language in this Addendum conflicts with the Agreement, this Addendum shall control.
- Definitions.
For the purposes of this Addendum, the following terms and those defined within the body of this Addendum apply.
a) “Merchant Personal Data” means Personal Data Processed by Bolt on behalf of Merchant in providing the Services.
b) “Data Protection Laws” means all applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which the Merchant Personal Data are subject. “Data Protection Laws” shall include, but not be limited to, the California Consumer Privacy Act of 2018 (“CCPA”) and the EU General Data Protection Regulation 2016/679 (“GDPR”).
c) “Personal Data” means any Merchant data relating to an identified or identifiable natural person (“data subject”) and/or any Merchant data assigned to the term “personal data” or “personal information” under applicable Data Protection Laws.
d) “Process” or “Processing” means any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
e) “Security Incident(s)” means the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Merchant Personal Data attributable to Bolt.
f) “Services” means the Services offered and contemplated by Bolt in the Agreement.
g) “Subprocessor(s)” means Bolt’s authorized vendors and third party service providers that Process Merchant Personal Data.
- Data Use and Processing.
a) Documented Instructions. Bolt shall Process Merchant Personal Data to provide the Services in accordance with the Agreement, this Addendum, any applicable Statement of Work, and any instructions agreed upon by the parties. Bolt will, unless legally prohibited from doing so, inform Merchant in writing if it reasonably believes that there is a conflict between Merchant’s instructions and applicable law or otherwise seeks to Process Merchant Personal Data in a manner that is inconsistent with Merchant’s instructions.
b) Subprocessor Requirements. To the extent necessary to fulfill Bolt’s contractual obligations under the Agreement, Merchant hereby authorizes Bolt to engage Subprocessors. Bolt agrees to (i) enter into a written agreement with Subprocessors that imposes on such Subprocessors data protection requirements for Merchant Personal Data that are consistent with this Addendum; and (ii) remain responsible to Merchant for Bolt’s Subprocessors’ failure to perform their obligations with respect to the Processing of Merchant Personal Data to the extent required by applicable Data Protection Laws.
c) Confidentiality. Any person authorized to Process Merchant Personal Data must contractually agree to maintain the confidentiality of such information or be under an appropriate statutory obligation of confidentiality, and must Process the Merchant Personal Data only for the purpose of delivering the Services under the Agreement to Merchant in accordance with this Addendum. Bolt shall ensure that Bolt’s access to Merchant Personal Data is limited to those personnel with a need to know for purposes of performing the Services.
d) Personal Data Inquiries and Requests. Where required by Data Protection Laws, Bolt agrees to provide reasonable assistance and comply with reasonable instructions from Merchant related to any requests, complaints or other communications from individuals, data subjects, and/or regulatory or judicial bodies relating to the processing of Merchant Personal Data under the Agreement, including requests from individuals or data subjects seeking to exercise their rights in Merchant Personal Data granted to them under Data Protection Laws.
e) Data Protection Impact Assessment and Prior Consultation. Where required by Data Protection Laws, Bolt agrees to provide reasonable assistance at Merchant’s expense to Merchant where, in Merchant’s judgement, the type of Processing performed by Bolt requires a data protection impact assessment and/or prior consultation with the relevant data protection authorities.
f) Demonstrable Compliance. Bolt agrees to provide information reasonably necessary to demonstrate compliance with this Addendum upon Merchant’s reasonable request.
- Cross-Border Transfers of Personal Data.
a) Cross-Border Transfers of Personal Data. Merchant authorizes Bolt to transfer Merchant Personal Data across international borders, including from the European Economic Area to the United States, and shall assist Merchant in assessing the parties’ respective obligations to comply with Data Protection Laws.
b) Standard Contractual Clauses. Where required, Vendor and Bolt will use the European Commission Decision 2021/914 (EU) Standard Contractual Clauses for Controllers to Processors and Processors to Processors (“Standard Contractual Clauses” or “SCC”) attached to support the transfer of Personal Data originating in the European Economic Area, Switzerland, and/or the United Kingdom, the terms of which are herein incorporated by reference. The parties agree that the audits described in Clause 8.9 of the Model Clauses shall be carried out in accordance with Section 7 of this Addendum. Each party’s signature to the Agreement or this Addendum shall be considered a signature to the Model Clauses to the extent that the Model Clauses apply hereunder. If required by the laws or regulatory procedures of any jurisdiction, the parties shall execute or re-execute the Model Clauses as separate documents.
c) Disclosure of Agreement. Merchant acknowledges that Bolt may disclose this Addendum and any relevant privacy provisions in the Agreement(s) to the US Department of Commerce, the Federal Trade Commission, European data protection authority, or any other US or EU judicial or regulatory body upon their request.
- Information Security Program.
a) Security Measures. Bolt will implement and maintain an information security program, practices and procedures (collectively, “Information Security Program”) that: (i) is consistent with industry standard practices taking into consideration the sensitivity of the relevant Merchant Personal Data, and the nature and scope of the Services to be provided; and (ii) includes reasonable administrative, technical and physical safeguards designed to protect Merchant Personal Data. At a minimum, the Information Security Program shall include:
i) Information Security Policy. Bolt shall maintain a written Information Security Program applicable to all authorized personnel. Bolt shall keep its Information Security Program current and up to date in order to continually improve the security of the Information Security Program, but in no event will Bolt render the Information Security Program less comprehensive, secure, or robust.
ii) Training. Bolt will provide and require annual role-based information security training.
iii) Access Control. Bolt will maintain an access control policy, procedures, and controls consistent with industry standard practices. Bolt will limit access to Merchant Personal Data to those employees and Subprocessors with a need-to-know and who require such access to perform the Services.
iv) Logical Separation. Bolt will ensure Merchant Personal Data is logically separated from other Bolt client data.
v) Encryption. Bolt will utilize industry standard encryption technologies with respect to all storage and transmission of Merchant Personal Data. Merchant Personal Data shall be encrypted at all times in transit and at rest, and any Merchant Personal Data stored as part of Bolt’s designated backup and recovery process shall also be in encrypted form, using a commercially supported encryption solution.
vi) Incident Response Plan. Bolt will maintain an incident response plan that addresses Security Incident handling. Upon request, Bolt will provide Merchant with a copy of its incident response plan.
vii) Backups of Merchant Personal Data. Bolt will maintain an industry standard backup system and backup of Merchant Personal Data to facilitate timely recovery in the event of a service interruption.
viii) Disaster Recovery and Business Continuity Plan. Bolt will maintain a written Disaster Recovery and Business Continuity Plan for Merchant Personal Data consistent with industry standard practices. Bolt shall keep its Disaster Recovery and Business Continuity Plan current and up to date in order to continually improve the effectiveness of the Disaster Recovery and Business Continuity Plan, but in no event will Bolt render the Disaster Recovery and Business Continuity Plan less comprehensive, secure, or robust.
ix) Ongoing Inspections. Bolt shall, consistent with best industry practices, continuously monitor and inspect all Bolt’s systems to identify security vulnerabilities.
- Security Incidents.
a) Notice. Upon becoming aware of a Security Incident, Bolt agrees to provide written notice without undue delay and within the time frame required under Data Protection Laws to Merchant’s Designated POC. Where possible, such notice will include all available details required under Data Protection Laws for Merchant to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident.
- Audits.
a) Merchant Audit. Where Data Protection Laws afford Merchant an audit right, Merchant may carry out an audit of Bolt’s policies, procedures, and records with respect to the Processing of Merchant Personal Data. Any audit must be: (i) conducted during Bolt’s regular business hours; (ii) with sixty (60) days’ advance notice to Bolt; (iii) carried out in a manner that prevents unnecessary disruption to Bolt’s operations; and (iv) subject to reasonable confidentiality procedures. In addition, any audit shall be limited to once per year, unless an audit is carried out at the direction of a government authority having proper jurisdiction.
- Data Deletion.
a) Data Deletion. Bolt will make Merchant Personal Data available for retrieval by Merchant via the Merchant self-service dashboard for a period of ninety (90) days following termination of the Agreement. After this ninety (90) day period, Bolt will delete all Merchant Personal Data (excluding any back-up or archival copies, which shall be deleted in accordance with Bolt’s data retention schedule), unless Bolt is required to retain copies under applicable laws, in which case Bolt will isolate that Merchant Personal Data from any further Processing except to the extent required by applicable laws.
- Miscellaneous.
a) Notices. All notices to Bolt and/or Merchant shall be sent to the Designated POC listed in Section 11 of this Addendum.
b) Conflicts. In the event of any conflict or inconsistency between this Addendum and any data privacy provisions set out in any Agreement(s), the parties agree that the terms of this Addendum shall prevail.
c) Governing Law. This Addendum will be governed by and construed in accordance with governing law and jurisdiction provisions set forth in the Agreement, unless otherwise required by applicable privacy laws.
d) Modifications and Enforceability. This Addendum may not be modified except by a subsequent written instrument signed by both parties. If any part of this Addendum is held unenforceable, the validity of all remaining parts will not be affected.
- Processing Details.
a) Subject Matter. The subject matter of the Processing is the Services pursuant to the Agreement.
b) Duration. The Processing will continue until the expiration or termination of the Agreement.
c) Categories of Data Subjects. Data subjects whose Merchant Personal Data will be Processed pursuant to the Agreement.
d) Nature and Purpose of the Processing. The purpose of the Processing of Merchant Personal Data by Bolt is the performance of the Services.
e) Types of Merchant Personal Data. Merchant Personal Data that is Processed pursuant to the Agreement.
- Contact Information.
a) Merchant and Bolt agree to designate a point of contact for urgent privacy and security issues (a “Designated POC”) in the Agreement.