TimeClock Plus
Data Processing Addendum

In consideration of the mutual promises and covenants contained herein and other good and valuable consideration, the sufficiency of which is hereby acknowledged, TCP and Client agree as follows:

  1. Definitions

    1.1 "Personal Data" means any information that can be used to identify, locate or contact an Employee or User.

    1.2 "Subprocessor" mean any third party processor engaged by TCP for the purposes of processing Personal Data.

    1.3 "Biometric Data", including biometric identifiers and biometric information, means a retina or iris scan, fingerprint, photograph, voiceprint, or scan of hand or face geometry, regardless of how it is captured, converted, stored, or shared, which is used to identify an individual.

  2. Client’s Responsibilities. Client agrees to act as the Data Controller, and appoint TCP as Data Processor, of information entered by its authorized Employees and Users into the software. Client agrees to impose similar data protection-related terms that will not be less protective than those imposed on TCP by the Agreement and the Global Data Privacy Policy found at www.timeclockplus.com/privacy. Client has specified in the Licensing Agreement the subject matter and duration of the processing; the nature and purpose of the processing; and the type of Personal Data to be processed by TCP.

    2.1 To the extent that Client collects, captures, or otherwise obtains biometric data relating to an employee, Client must first (i) inform the employee in writing that Client is collecting, capturing, or otherwise obtaining the employee’s biometric data, and that Client is providing such biometric data to TCP; (ii) inform the employee in writing of the specific purpose and length of time for which the employee’s biometric data is being collected, stored, and used; and (iii) receive a written or electronic release by the employee authorizing Client to collect, store, and use the employee’s biometric data for the specific purposes disclosed by Client, and for Client to provide such biometric data to TCP.

  3. Subprocessors. TCP has appointed third party data Subprocessors for the purposes of providing hosting and security services. These Subprocessors may process Personal Data in accordance with the terms of this agreement and the Global Data Privacy Policy. The Subprocessor agreements impose similar data protection-related processing terms on the third party Subprocessor that are not less protective than those imposed on TCP in the Licensing Agreement and the TCP Privacy Code for Client Data Processing Services. TCP has publish an overview of the categories of Subprocessors involved in the performance of the relevant Services which can be found at www.timeclockplus.com/privacy.

  4. Data Protection. TCP has adopted the provisions contained in the Global Data Privacy Policy for the processing of Client Employee Personal Data in accordance with the EU’s General Data Protection Regulations ("GDPR"), Illinois Biometric Privacy Act ("BIPA") and other applicable data protection laws. Each party certifies that it will comply with all applicable laws or regulations related to acceptance, transmission, and/or storage of Personal Data in accordance with the applicable laws.

    4.1 Instructions. TCP will process certain categories and types of Personal Data only upon Client’s instructions and in accordance with applicable data protection laws (e.g. GDPR, BIPA). Client is responsible for ensuring that all Users who provide instructions are authorized to do so and agrees that TCP will only perform processing activities that are necessary and relevant to provide the Services.

    4.2 Requests. Client will have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which is was obtained. Client agrees to adopt a balanced and reasonable policy for managing Subject Access Requests (SARs) and 3rd party disclosures which safeguard the rights of all data subjects and respects the original purpose of the data collection. Client, as Data Controller, will be responsible for receiving, investigating, documenting, and responding to all User and Employee requests for inspection or erasure of Personal Data.

    4.3 Assistance. Should Client receive a request from a data subject for the exercise of the data subject’s rights under applicable data protection laws, and the correct and legitimate reply to such a request necessitates TCP’s assistance, TCP shall assist the Client by providing the necessary information and documentation. TCP shall be given reasonable time to assist the Client with such requests in accordance with the applicable law.

    4.4 Confidentiality. TCP shall treat all Personal Data as strictly confidential information that may not be copied, transferred, or otherwise processed without the instruction of the Client. Transfer of Personal Data to another data controller or data processor (e.g. HRIS or Payroll application) is at the sole discretion of the Client and shall comply with applicable data protection laws.

    Further information about TCP’s use of data and data retention policies can be found in the Global Data Privacy Policy at: www.timeclockplus.com/privacy.

  5. Breaches of Security. TCP shall implement reasonable and appropriate security procedures consistent with prevailing industry standards and applicable data protection laws to protect Client Data from unauthorized access by physical and electronic intrusion. TCP will promptly report to Client any unauthorized access to Client Data upon discovery and in accordance with applicable data breach notification laws. TCP will use diligent efforts to promptly remedy any breach of security that permitted such unauthorized access. In the event notification to persons included in such Client Data is required, TCP and TCP’s third party breach notification contractor will control all breach notifications.

All other terms and conditions of the Licensing Agreement shall remain in full force and effect. In the event terms of this Amendment conflict with terms of the Licensing Agreement, the terms of this Agreement shall govern.