Data Processing Terms

These Data Processing Terms govern the processing by Speramus, Inc. (“Crew”) of your employees’ personal data with respect to your employees who reside in a Data Protection Legislation (as defined in Section 1 of these Data Processing Terms) relevant jurisdiction. Effective upon your use of any of the Services (as defined in the General Terms), you accept and agree to be bound by these Data Processing Terms with respect to your employees residing in a Data Protection Legislation relevant jurisdiction. If you are using the Services on behalf of a business, you agree that you are accepting these Data Processing Terms and have authority to enter into these Data Processing Terms, on behalf of that business.

For purposes of these Data Processing Terms, “data controller”, “data processor”, “processing” and “appropriate technical and organisational measures” shall be interpreted in accordance with the applicable Data Protection Legislation of a relevant jurisdiction. All other defined terms have the same meaning as those found in the General Terms, unless otherwise defined herein.

Application of Data Protection Legislation and Your Authorizations

1. Crew’s Role

Square Europe, Square International, and their affiliates, including Crew, are subject to European Directive 2002/58/EC (the “e-Privacy Directive”) and the General Data Protection Regulation (EU) 2016/679 (“GDPR”, and together with the e-Privacy Directive and any legislation and/or regulation implementing or made pursuant to, or which amends, replaces, re-enacts or consolidates GDPR and/or the e-Privacy Directive, and all other applicable laws relating to processing of personal data and privacy that may exist in any relevant jurisdiction, including, where applicable, the guidance and codes of practice issued by supervisory authorities, “Data Protection Legislation”), because, in the course of providing you Services, they access information (“Personal Data”) relating to identified or identifiable natural persons residing in a Data Protection Legislation relevant jurisdiction (“Data Subjects”). For purposes of these Data Processing Terms, an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

When Crew accesses the Personal Data of your Data Subjects in the course of providing you Services, Crew and its affiliates are data processors under the applicable Data Protection Legislation of relevant jurisdiction.

2. Description of Crew’s Processing in the Context of the Services

Subject-matter of processing. Crew will process your Data Subjects’ Personal Data in order to allow Crew to provide the Services and as described in the General Terms and Additional Terms, including the Privacy Policy.

Nature and purpose of processing. Crew will process your Data Subjects’ Personal Data in order to carry out the Services.

The Personal Data we may process relates to the following categories of Data:

• Personal Information of your Employees that You Invite to Use the Crew Platform.

Types of Personal Data. The Personal Data we process comprises the categories of data described in our Privacy Notice.

Term of Crew’s processing. Crew will process your Data Subjects’ Personal Data during the term of the General Terms.

3. Your Authorizations

You accept and agree that Crew and its affiliates are processors when Crew accesses Personal Data pertaining to your Data Subjects in the course of providing the Services.

You authorize Crew to use sub-processors, provided that:

• Crew provides the names of all sub-processors to you on request;
• Crew signs a written agreement with each sub-processor that imposes obligations on that sub-processor that are no less stringent than those required of Crew under the Data Protection Legislation or these Data Processing Terms;
• Crew is not be relieved of any of its obligations under these Data Processing Terms by engaging sub-processors; and
• where Crew intends to add or replace a sub-processor, it will provide you the opportunity to object to such changes.

You appoint Crew as your agent to sign Standard Contractual Clauses for the transfer of Personal Data to data processors established in third countries adopted by the European Commission decision of 5 February 2010, published under document number C(2010) 593 2010/87/EU (the “Standard Contractual Clauses”) between you and sub-processors established in third countries that process personal data on your behalf. For a copy of Crew’s Standard Contractual Clauses, please contact privacy@squareup.com.

The obligations contained in this Section 3 will not be applicable when Crew acts as a data controller.

Personal Data Processing

4. Crew’s Obligations as a Processor

When Crew processes Personal Data in the course of providing the Services, Crew will:

1. Process Personal Data only in accordance with your authorizations set forth in these Data Processing Terms and as strictly necessary to perform the Services. If Crew is required to process the Personal Data for any other purpose by Applicable Law, Crew will inform the Data Subject of this requirement first, unless such Applicable Law prohibits doing so on important grounds of public interest; or
2. Assist you, taking into account the nature of the processing:
   1. by taking appropriate technical and organizational measures and, in so far as is possible, in fulfilling your obligations to respond to requests from Data Subjects exercising their rights;
   2. in ensuring compliance with the obligations pursuant to Articles 32 to 36 of GDPR, taking into account the information available to Crew; and
   3. by making available to you all information which you reasonably request to allow you to demonstrate that the obligations set out in Article 28 of GDPR relating to the appointment of processors have been met.
3. Implement and maintain appropriate technical and organizational measures to protect the Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of the Personal Data and having regard to the nature of the Personal Data which is to be protected;
4. Except as provided in these Data Processing Terms, the General Terms or any other Additional Terms, not give access to or transfer any Personal Data to any third party without your prior written consent;
5. Ensure that personnel required to access the Personal Data are subject to a binding duty of confidentiality in respect of such Personal Data;
6. Ensure that none of Crew's personnel publish, disclose, or divulge any of the Personal Data to any third party unless you direct Crew to do so in writing;
7. At the end of the Services, upon your request, securely destroy or return such Personal Data to you, and delete existing copies unless Applicable Laws require storage of such Personal Data; and
8. Allow you or an independent auditor appointed by you to conduct audits or inspections during the term of these Data Processing Terms. The purposes of an audit pursuant to this paragraph include verifying that Crew is processing Personal Data in accordance with Crew's obligations under these Data Processing Terms.

The obligations contained in this Section 4 will not be applicable when Crew acts as a data controller.

Security Breaches

5. Crew’s Response to Suspected and Actual Security Breaches

In the event of any suspected destruction, loss, alteration, or disclosure of, or access to the Personal Data that the Data Processor processes or is responsible for processing in the course of providing the Services, whether accidental, unauthorized or unlawful (each such event, a “Security Breach”), Crew will take action to investigate the suspected Security Breach and to identify, prevent, and mitigate the effects of the suspected Security Breach and to remedy the Security Breach. Crew will notify you of any Security Breach without undue delay.

Miscellaneous

6. Conflicts

In the event of any conflict or inconsistency between the provisions of these Data Processing Terms, the General Terms, or any other Additional Terms, these Data Processing Terms shall prevail in relation to the subject matter of the Data Protection Legislation.