This website requires JavaScript.

GENERAL TERMS AND CONDITIONS OF USE OF SPENDESK SERVICES

Version applicable as from 01.05.2024 / v2024.05

Important note

These General Terms and Conditions currently apply only to a limited list of Spendesk Customers benefiting from the Payment Services provided by Adyen.

The terms and conditions applicable to other Customers are available here.

Spendesk offers a spend management platform for companies. The purpose of these General Terms and Conditions is to govern the Services provided by Spendesk to its Customers. The Services include Payment Services.

As part of the Payment Services provided by SFS SAS, Spendesk acts as a PSP agent in the name and on behalf of SFS SAS. As such, Spendesk is registered with the ACPR and listed in the French financial firms register (accessible here: https://www.regafi.fr/) under number 74593.

Annexes:

1. Definitions and interpretation

1.1. Definitions

In these General Terms and Conditions, capitalised terms not specifically defined in the body of the General Terms and Conditions have the meaning attributed to them below:

TermDefinition
Acceptance Pointmeans the payment page or payment terminal allowing a Customer to send a Card Payment Order to an Acceptor;
Acceptormeans the acceptor of a Card Payment Order having an Acceptance Point;
Accountmeans, depending on the context, a Euro SFS SAS Account, a USD Sutton Account and/or a GBP Adyen Account;
ACPRmeans the French supervisory authority, Autorité de contrôle prudentiel et de résolution located at 4, place de Budapest – 75436 Paris Cedex 09;
Adyenmeans Adyen N.V, a public company registered with the Dutch Chamber of Commerce under number 34259528, whose registered office is at Simon Carmiggeltstraat 6-50, 1011 DJ, Amsterdam - the Netherlands, licensed as a credit institution by the Netherlands Bank under number 34259528, acting, as the case may be, through its local affiliates and/or branches (including its branch in the United Kingdom authorised by the Financial Conduct Authority to provide Payment Services under number 779800);
Affiliatemeans, with respect to a Party, any company which holds that Party, or that is held by that Party (the term "hold" ("contrôle" in French) having the meaning given to it in article L. 233-3, I, 1° and 2° of the French Commercial Code);
AML-CFTmeans anti-money laundering and countering the financing of terrorism;
Beneficiarymeans any natural person or legal entity who is the intended recipient of funds that are the subject of a Payment Transaction;
Business Daymeans (i) for Spendesk, a calendar day, with the exception of Saturdays, Sundays, and public holidays in metropolitan France, (ii) for the Partners, a business day as defined respectively in the different Partners’ Documents;
Cardmeans, depending on the context, a Euro SFS SAS Card, a USD Sutton Card and/or a GBP Adyen Card;
CMFmeans the French Monetary and Financial Code (Code monétaire et financier);
Contractmeans the contractual framework governing the use of the Services, including (i) the current General Terms and Conditions, (ii) the Pricing Terms and (iii) the Partners' Documents;
Customermeans a legal entity acting on its own behalf in the context of its professional activity, having accepted the Contract and wishing to use the Services provided by Spendesk;
Dematerialisation Servicemeans the service described in article 5;
Dwollameans Dwolla, Inc., a company incorporated in the United States (Iowa), whose registered office is at 909 Locust Street, Suite 201, Des Moines, IA 50309 - United States, working with several financial institutions partners to provide Transfer services in the United States;
EEAmeans the European Economic Area;
Effective Datemeans the effective date of the Contract (i) agreed between the Parties in the Pricing Terms or (ii) failing that, corresponding to the date on which the Contract is signed by the Customer under the conditions of article 2.3;
Euro SFS SAS Accountmeans a payment account denominated in euros (EUR) and opened in the name of the Customer registered in an EEA Member State in the books of SFS SAS, and which is governed by the contractual documentation available in Annex 1;
Euro SFS SAS Cardmeans a physical or virtual debit card denominated in euros (EUR) which is made available to the Customer registered in an EEA Member State by SFS SAS, and which is governed by the contractual documentation available in Annex 1;
External Accountmeans a bank or payment account held by the Customer with a PSP other than the Partners;
Feesmeans the fees due by the Customer in return for the provision of the Services, as defined in the Pricing Terms;
Force Majeure Eventmeans a cause beyond the Parties’ control and/or which may be interpreted by a French court as a force majeure event. The Parties agree that a Force Majeure Event will include in particular the following events: adverse weather conditions, acts or omissions of a public authority, including changes to any regulations applicable to the Services, failures or constraints related to a means of telecommunications or a supplier, upheavals, insurrections and acts of a similar nature, declared or undeclared wars, strikes, sabotage, theft, vandalism, explosions, fires, lightning, natural disasters, or acts of third parties;
GBP Adyen Accountmeans an electronic money account denominated in pounds sterling (GBP) and opened in the name of the Customer registered in the United Kingdom in the books of Adyen, and which is governed by the contractual documentation available in Annex 1;
GBP Adyen Cardmeans a physical or virtual debit card denominated in pounds sterling (GBP) which is made available to the Customer registered in the United Kingdom by Adyen, and which is governed by the contractual documentation available in Annex 1;
General Terms and Conditionsmeans the current general terms and conditions of use of Spendesk Services, including their annexes and the US Specific Terms, but excluding the Partners' Documents;
Insurance Servicemeans the possibility for the Customer to subscribe to an insurance for Cards as described in Annex 4;
Main Usermeans a natural person duly authorised by the Customer to (i) enter into the Contract on behalf of the Customer and (ii) perform the functions provided for in the General Terms and Conditions, in particular those indicated in article 3;
Partiesmeans, within the framework of the General Terms and Conditions, together, (i) the Customer and (ii) Spendesk acting, as the case may be, either in its own name and on its own behalf, or as an agent of SFS SAS;
Partners' Documentsmeans, together, the contractual documentation relating to the Payment Services provided by the Partners, available in Annex 1;
Partnermeans, depending on the context, SFS SAS, Sutton Bank, Dwolla and/or Adyen;
Payermeans any natural person or legal entity giving or authorising a Payment Order;
Payment Ordermeans an instruction by a Payer or Beneficiary to its PSP requesting the execution of a Payment Transaction;
Payment Servicesmeans the payment services provided by SFS SAS, Sutton Bank, Dwolla and/or Adyen (including the issuance, management, and provision of electronic money by Adyen) as part of the provision of Euro SFS SAS Accounts, Euro SFS SAS Cards, USD Sutton Accounts, USD Sutton Cards, GBP Adyen Accounts, and GBP Adyen Cards;
Payment Transactionmeans an act of placing, transferring, or withdrawing funds from or to an Account, irrespective of any underlying obligations between the Payer and the Beneficiary;
Personal Datameans personal data within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;
Personalised Security Credentialsmeans the personalised data provided to a User by Spendesk or, as the case may be, chosen by a User, which must be used by that User in order to log in to access the Platform and/or perform an action on the Platform, including to request the execution of a Payment Transaction (including the PIN Code associated with a Card);
PIN Codemeans the four (4) digit code associated with a Card;
Platformmeans the SaaS solution provided by Spendesk which allows Customers to use the Services, and which includes in particular the website available at https://www.spendesk.com (and/or any other website of which the Customer may subsequently be informed) and/or any mobile application that Spendesk may make available to the Customer;
Pricing Termsmeans the following elements which together define the Fees due by the Customer under the Contract: (i) the pricing agreement agreed between the Parties for accessing the Platform and the Services, and (ii) the pricing terms set out in Annex 1 for the additional Fees due to Spendesk and/or the Partners in respect of the Payment Services;
PSPmeans a payment service provider;
Servicesmeans the access to the Platform and related services, including the Payment Services and the Dematerialisation Service but excluding the Insurance Service, which will be addressed only in Annex 4;
SFS SASmeans Spendesk Financial Services, a simplified joint-stock company registered with the Paris trade and companies Register under number 900 518 101, whose registered office is at 51 rue de Londres, 75008 Paris – France. SFS SAS is licensed as a payment institution by the ACPR under number 17518 and is subject to the ACPR's supervision;
Spendeskmeans (i) Spendesk SAS, a simplified joint-stock company registered with the Paris trade and companies Register under number 821 893 286, whose registered office is at 51 rue de Londres, 75008 Paris – France, if the Customer is registered in any country outside of the United States; or (ii) Spendesk Inc., a corporation registered in California under number C4307073, whose registered office is at c/o Jade Fiducial 490 Post Street, Suite 640, San Francisco, CA 94102, United States, if the Customer is registered in the United States. For the application of the provisions of these General Terms and Conditions relating to Payment Services provided by SFS SAS, any reference to Spendesk will be construed as a reference to Spendesk SAS acting as an agent of SFS SAS. For the application of the provisions of these General Terms and Conditions relating to the other Services, any reference to Spendesk will be construed as referring to Spendesk SAS or Spendesk Inc.;
Sutton Bankmeans Sutton Bank, a company registered in the United States (Ohio), whose registered office is at 1 South Main Street, PO Box 505, Attica, OH 44807 – United States, licensed as a state-chartered bank, not member of the Federal Reserve System (FRS), member of the Federal Deposit Insurance Corporation (FDIC) under number 5962;
Transfermeans a Payment Transaction whereby the PSP which holds the Payer's account transfers, on the instruction of the Payer, a sum of money from the Payer's account to another account opened in the name of the Beneficiary;
USD Sutton Accountmeans a payment account denominated in United States dollars (USD) and opened in the name of the Customer registered in the United States in the books of Sutton Bank, and which is governed by the contractual documentation available in Annex 1;
USD Sutton Cardmeans a physical or virtual debit card denominated in United States dollars (USD) which is made available to the Customer registered in the United States by Sutton Bank, and which is governed by the contractual documentation available in Annex 1;
US Specific Termsmeans the additional terms applicable only to Customers registered in the United States and available at this link: https://www.spendesk.com/en/legals/terms/us-specific-terms;
Usermeans, depending on the context, (i) the Main User and/or (ii) any other natural person acting in the name and on behalf of the Customer in the context of their professional activity and who is authorised to use the Services in the name and on behalf of the Customer, within the limits of the authorisations issued to them by the Main User.

1.2. Interpretation

Unless otherwise stated in these General Terms and Conditions, (i) words of one gender imply the other gender, (ii) words in the singular also imply the plural and vice versa, and (iii) the expressions "these General Terms and Conditions", "herein" and their derivative forms or similar expressions refer to the General Terms and Conditions in their entirety.

Unless otherwise stated in these General Terms and Conditions, in case of contradiction between the General Terms and Conditions and the Partners' Documents, the latter will prevail over the General Terms and Conditions.

In the absence of use of the term "Business Day" as defined in article 1.1, the term "day" means a calendar day.

2. Subscription to the Services

2.1. Registration

If the Customer meets all the criteria indicated on the Platform at the time of registration, it can subscribe to the Services by following the steps indicated on the Platform.

The Customer may only be a legal entity acting for business purposes. The Services are intended exclusively for professional customers and are not intended for consumers.

In any event, the Customer's registration implies in particular (i) the acceptance of the entire Contract and (ii) the payment of the Fees.

Spendesk may, at its sole discretion, refuse to allow any person to register for the Services, without having to explain its refusal.

2.2. US Specific Terms

Customers registered in the United States must accept the US Specific Terms.

2.3. Acceptance of the Contract

The acceptance of the Contract by the Customer is evidenced, during the registration process detailed in article 2.1, by the electronic signature of the Contract by an authorised representative of the Customer.

By accepting the Contract, the Customer expressly acknowledges that it has carefully read the General Terms and Conditions, the Partners' Documents, and the Pricing Terms in force on the day of its acceptance, that it has understood them and that it accepts them in their entirety and without reservation.

The Customer undertakes to bring the Contract to the attention of any User and, to ensure compliance with the provisions of the Contract by any User.

The Customer accepts the transmission and signature of any document by electronic means and acknowledges their enforceability in the event of a dispute.

2.4. AML-CFT checks

In accordance with applicable regulations, the Partners are required to collect certain documents and information about the Customer (including its legal representatives and its Main User), as well as its beneficial owner(s), (i) before entering into a relationship with the Customer and providing Payment Services, and then (ii) during the course of the business relationship with the Customer.

In this context, the Customer undertakes to provide Spendesk, at any time during the relationship, with any document and/or any information necessary to enable the Partners to comply with their AML-CFT obligations (the "KYC Information"). Verification and certification measures of the documents communicated by the Customer may be requested or carried out, if necessary. The Customer undertakes to promptly provide all the information requested; failing to do so will result in the suspension of its access to the Services.

The Customer acknowledges that, in the event that it does not provide the requested documents and information, Spendesk will be unable to provide the Services and, if necessary, will be obliged to terminate the Contract.

In case of any change affecting the KYC Information, the Customer must inform Spendesk as soon as possible.

The Customer agrees that the KYC Information is kept by the Partners, as the case may be, for the duration and under the conditions provided for by the applicable regulations.

3. Access to the Services

In these General Terms and Conditions, the term "Customer" must be interpreted as referring to the Customer acting through a User (either the Main User or a User with the necessary powers and authorisations).

When the Main User is not the Customer or a legal representative of the Customer, it must be a natural person (employee or third party) specially authorised to act in the name and on behalf of the Customer (including to enter into the Contract on behalf of the Customer) through a power of attorney or delegation of powers granted by a legal representative of the Customer. The Customer undertakes to provide Spendesk, upon request, with proof of the Main User's powers.

Any act, decision, instruction, or request entered by a User on the Platform will be considered as an act, decision, instruction, or request of the Customer.

Access to the Services by Users requires their registration on the Platform. The Customer undertakes to have the Users register on the Platform and use the Services in compliance with the provisions of the Contract.

The Main User may carry out via the Platform any act to manage the Services (including the Payment Services), including:

(i) inviting others to become Users and empower them to perform certain actions on the Platform (including actions listed below);

(ii) requesting the issuance of Cards;

(iii) allocating a spending or withdrawal limit to each Card, within the maximum amounts authorised by Spendesk and the Partners;

(iv) requesting the execution of outgoing Transfers, including to an External Account; and/or

(v) crediting an Account.

The Main User may delegate powers to a User by assigning such User a profile on the Platform. When assigning powers to a User, the Main User may be required to select one of the predefined profiles offered by Spendesk, without being able to choose the combination of delegated powers/authorisations, or the terminology assigned to each profile ("Administrator", "Requester", "Controller", etc.).

4. Payment Services

The provisions included in the various contractual documents in Annex 1 apply alternatively according to (i) the Customer’s country of registration and (ii) the Payment Services requested during its registration.

The Payment Services are accessible only to Customers registered in an EEA Member State, in the United Kingdom or in the United States. Customers located outside of these territories will not be entitled to access any Payment Services through the Platform.

When using the Platform, the Customer gives Spendesk the right to transfer to the relevant Partner, in its name and on its behalf, its instructions relating to Accounts and Cards.

5. Dematerialisation Service

5.1. Operation of the Dematerialisation Service

Spendesk proceeds on behalf of the Customer to the dematerialisation of scans or photographs of invoices, estimates, expense reports and other similar documents (the "Content") uploaded by the Users on the Platform.

The Customer accepts and acknowledges that the dematerialisation of the Content uploaded by the User is carried out by Spendesk on behalf of the Customer.

The Content uploaded on the Platform is converted if necessary to PDF format. Each PDF file is then sealed and time-stamped via an electronic seal with a unique number provided by a third-party service provider. The seal complies with the eIDAS regulation providing proof of integrity of each Content, which is kept on a secure server (ISO 27001 certified) based in the European Union. Each Content is stored securely during the retention period mentioned in Spendesk's Personal Data privacy policy.

5.2. Download of dematerialised Content

The Customer, subject to acting as the Main User or another User with corresponding rights, may download and export at any time the raw version of the Content uploaded on the Platform by its Users (i.e., the unconverted, unsealed, and non-timestamped version of the document).

The Customer may also at any time, during the term of the Contract and until its effective termination date, ask Spendesk to download and transmit to it the Content that has been subject to the Dematerialisation Service described in article 5.1 (i.e., the version of the document converted (if necessary), sealed and timestamped via an electronic seal).

The download is not instantaneous insofar as the Content subject to the Dematerialisation Service is stored on servers dedicated to long-term storage that imply a recovery period of several hours.

Notwithstanding the above provisions, Spendesk may retain a copy of the Customer’s Content, in particular for statistical and/or probative purposes, within the limits and periods permitted by law.

5.3. Liability for Contents

The Customer is solely liable for the Content it uploads on the Platform.

The timestamping service compliant with the eIDAS regulation does not constitute an electronic signature procedure. As such, the Dematerialisation Service does not have the objective or effect of certifying the authenticity of an invoice (within the meaning of the provisions of article 96 F bis of annex 3 and/or article 289, VII, 1° or 2° of the French General Tax Code), but only to guarantee the integrity of dematerialised Content. Spendesk cannot be held liable in this respect.

6. Customer's undertakings and guarantees

6.1. Supply and update of information

The Customer undertakes to supply Spendesk with all the information and/or documents necessary for the proper execution of the Contract and the provision of the Services and, more generally, to actively cooperate with Spendesk for the proper performance hereof. If the Customer does not comply with this obligation, Spendesk reserves the right to suspend the Services until the required information or documents are obtained.

The Customer guarantees to Spendesk that all information and documents it supplies to Spendesk, including those supplied on the Platform and those concerning each User, are accurate, up-to-date, and truthful on the day they are communicated to Spendesk, and are not vitiated by any information of a false or misleading nature.

If the information and/or documents supplied become inaccurate or obsolete during the term of the Contract, the Customer undertakes to update them and/or to transmit an updated version of the relevant documents on the Platform as soon as possible.

More generally, it is up to the Customer to formally notify Spendesk of any change in the relevant information. Spendesk will under no circumstances be liable for any damage suffered by the Customer resulting from any inaccuracy or change of which Spendesk has not been notified.

6.2. Compliance with regulations

The Customer undertakes, for itself and each of the Users, to (i) comply, in the context of its use of the Services, with the laws and regulations in force and not to infringe the rights of third parties or public order and (ii) only carry out activities that comply with applicable regulations.

The Customer will bear any fine, financial penalty or damages incurred by Spendesk resulting from an activity of the Customer that is illegal, unlawful, or contrary to common decency.

6.3. Use of the Platform and the Services

The Customer undertakes, for itself and for each of the Users:

(i) not to breach or attempt to breach, scan, or test the vulnerability of the security system and related systems of the Platform;

(ii) not to access or attempt to access any data that is not intended for the Customer;

(iii) to refrain from interfering with the normal operation of the Platform and from performing any action that could cause the interruption or degradation of one or more Service(s);

(iv) not to upload on the Platform, display, send by email or otherwise transmit any material containing software viruses or other computer codes, files or programs designed to interrupt, destroy, or limit the operation of the Platform;

(v) not to attempt to interfere with the Services provided to any other customer, user, host, or network, including but not limited to exposing the Services to a virus, creating server overload, flooding the server, or flooding the messaging services; and

(vi) not to use the Services in a manner that: (a) violates or infringes the rights of a third party, including those relating to a contract, intellectual property, privacy, or advertising; or (b) makes or facilitates the storage or transmission of defamatory, tortious, or otherwise illegal content, including, but not limited to, harassing, threatening or obscene content.

The Customer acknowledges having read the characteristics and constraints, in particular technical, of all Services. The Customer is solely responsible for its use of the Services.

The Customer is informed and accepts that the use of the Services requires an Internet connection, and that the quality of the Services depends directly on this connection, as well as on computer equipment and/or third-party software, for which the Customer is solely responsible.

6.4. Security and confidentiality obligations

The Customer is solely responsible for Users maintaining the confidentiality of their Personalised Security Credentials, as well as any other data or information necessary to access the Platform and/or use the Services.

Users must not disclose to third parties their Personalised Security Credentials, as well as any other data or information necessary to access the Platform and/or use the Services. The Customer undertakes that the Users comply with this obligation of confidentiality.

6.5. Use of the Services solely for the account of the Customer

The Customer undertakes to use the Platform and the Services only on its own behalf, and not to allow any third party to use them in its place or on its behalf, without bearing full liability. Users may only use the Platform and the Services in the name and on behalf of the Customer.

6.6. Testing of new features

Spendesk may occasionally make new features available to some Customers prior to their official release date to all Customers (the "Beta Tests"). These features are referred to by Spendesk as "beta", "test" or another similar name.

The Customer is free to register to participate in the Beta Tests at its sole discretion. All restrictions on the use of the Services and Customer's undertakings under the Contract will apply to access and use of the Beta Tests. Spendesk may disable, modify, or discontinue the Beta Tests at any time, at its sole discretion and without notice. By participating in the Beta Tests, the Customer acknowledges and agrees that:

(i) Beta Tests must only be used for evaluation and testing purposes;

(ii) Spendesk provides the Beta Tests as is and without any guarantee;

(iii) Spendesk cannot be liable for any damages arising from or in connection with the Beta Tests, including those arising from the Customer's use of or inability to use the Beta Tests; and

(iv) Any Feedback of the Customer relating to the Beta Tests will be subject to the provisions of article 11.

7. Spendesk's undertakings and guarantees

Spendesk undertakes to provide the Services with diligence and according to best practices, it being specified that it is bound by an obligation of means, to the exclusion of any obligation of result, which the Customer expressly acknowledges and accepts.

Spendesk does not guarantee to the Customer that the Services will be completely free from errors, faults, or defects, or that they will be continuously available. In addition, the Services are standard and are therefore not offered for the sole purpose of a given Customer, according to its own individual constraints, nor to specifically meet its needs and expectations.

Spendesk undertakes to:

(i) make its best efforts to ensure the security of the Platform;

(ii) inform the Customer of any reasonably foreseeable difficulty, in particular regarding the provision of the Services or the proper operation of the Platform; and

(iii) carry out regular checks to verify the proper operation and accessibility of the Platform.

Spendesk reserves the right to modify at any time the technical arrangements for access to the Services and/or the Platform depending, in particular, on the evolution of the technology, the regulations, or its offer of Services, it being understood that such a modification cannot have the effect of reducing the general level of security of the Platform. It is the Customer's responsibility to ensure that the IT or telecommunications tools or equipment at its disposal are adapted to these evolutions.

8. Financial conditions

8.1. Pricing Terms

The prices of the Services are indicated in the Pricing Terms. The Pricing Terms may be provided free of charge to the Customer, upon request, on a durable medium.

8.2. Provision of invoices

Invoices are provided to the Customer on the Platform.

If the Customer wishes to dispute an invoice, it must inform Spendesk within sixty (60) days after the date of the invoice. After this period, the invoice can no longer be disputed.

8.3. Fees payment terms

The Fees due by the Customer to Spendesk or to a Partner in return for the provision of the Services are debited directly from the Account.

If the Customer has several Accounts and its debt is not inherent to a particular Account, Spendesk may decide at its sole discretion to debit all or part of the Fees from one of the Customer's Accounts.

The Customer expressly authorises Spendesk to debit from the Customer's Account(s) the Fees payable under the Contract.

8.4. Late payment

In the event that the credit balance of an Account proves insufficient to allow the debiting of all Fees, the Customer undertakes to immediately credit the Account up to the amount due.

In the event of any late payment or non-payment, in whole or in part, of any invoiced Fees not subject to a good faith dispute, Spendesk may charge late interest fees equal to the interest rate applied by the European Central Bank to its most recent refinancing operation, increased by 10%. Spendesk may also charge an additional lump sum of forty euros (€40) as a compensation for collection costs.

Notwithstanding any of the foregoing and in addition, in the event of late payment, Spendesk may, at its sole discretion, suspend the Customer’s access to the Services (including all Payment Services) until full payment of the Fees due and/or terminate the Contract in whole or in part, in accordance with article 16.2, without any liability whatsoever and without prejudice to its right to claim all Fees due by the Customer to Spendesk or a Partner.

8.5. Fees payment frequency

Fees relating to the use of the Platform are invoiced and debited:

(i) monthly, if the Contract is for an indefinite term; or

(ii) according to the frequency provided for in the Pricing Terms, if the Contract is for a fixed term (as agreed between the Parties if applicable, under the conditions provided for in article 15).

The amount of the first invoice relating to the use of the Platform is debited by Spendesk one (1) month after the date of subscription to the Services by the Customer.

The Fees relating to the Payment Services provided for in Annex 1 are also debited directly by the Partners or by Spendesk on the date of the relevant Payment Transaction and in the manner provided for in the Partners' Documents.

9. Processing of complaints

Any complaint related to the provision of the Services must be addressed by the Customer to Spendesk customer service:

  • by email to the following address: support@spendesk.com;

  • by using the "chat" function available on the Platform; or

  • by post to the customer service address, at the registered office of Spendesk: 51 rue de Londres, 75008 Paris – France.

In the event of a complaint relating to the Payment Services, the time limits for processing complaints are specified in the Partners' Documents.

10. Amendment of the Contract

Spendesk reserves the right to amend, at any time, all or part of the Contract between Spendesk and the Customer. Any proposed amendment of the Contract will be sent by Spendesk to the Customer, on the Platform and/or by email, no later than two (2) months before the date proposed for its entry into force. The Customer will be deemed to have accepted the proposed amendments if it has not notified Spendesk, before the proposed effective date of these amendments, that it does not accept them. If the Customer refuses the amendments, it may terminate the Contract, without charge, before the proposed effective date of the amendments, under the conditions provided for in article 16. Spendesk may exceptionally reduce this prior notice period if the amendment of the Contract is necessary to comply with its legal and regulatory obligations or instructions from a competent supervisory authority.

As an exception to the above, under a fixed-term Contract, if the Customer refuses the amendments, the previous version of the Contract will continue to apply (excluding technical modification related to the evolution of the Platform or modification necessary under the applicable regulations, which will apply in any case), and the termination will be effective at the end of the current contractual term, as defined in the Pricing Terms.

The Partners' Documents may be amended at any time under the conditions and according to the time periods provided for in the Partners' Documents.

Spendesk cannot under any circumstances be held liable for any damage, in any capacity whatsoever, in connection with the amendment of the Contract, if the Customer refrains from terminating the Contract and continues to use the Services after the effective date of the amendments.

11. Intellectual property

The Parties expressly agree that no intellectual property rights are transferred to the Customer over any of the elements of the Services and the Platform made available to it under the Contract, including software, structures, infrastructures, source codes, databases, know-how, user interfaces, photos, brands, interactive elements or any content of any kind (texts, images, visuals, music, logos, brands, database, etc.) operated by Spendesk, and any technical documentation that may be provided by Spendesk to the Customer.

Subject to the payment of the Fees due to Spendesk and the provisions and limitations specified in the Contract, Spendesk grants the Customer a personal, non-exclusive, and non-transferable licence to use the Platform and the Services for its own purposes only. This right is granted for the term of the Contract.

The Customer is prohibited from carrying out:

  • any adaptation, modification, duplication, decompilation, disassembly, reverse engineering or reproduction of the Services and the Platform, regardless of their nature, any total or partial extraction (including the source code or other trade secrets) and, in general, any act that may violate the rights of Spendesk and/or its suppliers;

  • any reproduction, by any means and on any medium whatsoever, of the Platform;

  • any form of use of the Platform and associated documentation in any manner whatsoever for the purpose of designing, producing, distributing, or marketing similar, equivalent or substitute software;

  • any adaptation, modification, transformation, translation, arrangement of the Platform for any reason whatsoever, in particular for the creation of derivative or entirely new software, including to correct errors;

  • any direct or indirect transcription, or translation into other languages of the Platform;

  • any modification or circumvention of the protection code such as, in particular, Personalised Security Credentials; and/or

  • any deletion, partial or total modification of the existing notices relating to copyright, trademarks and, more generally, to intellectual property rights, attached to the Platform.

Spendesk encourages the Customer to provide suggestions, proposals, ideas, recommendations, or other feedback to improve the Services and the Platform (the "Feedback"). To the extent that the provided Feedback does not identify the Customer, its Affiliates or Users and does not include any confidential data specific to the Customer, the Customer grants Spendesk a royalty-free, fully-paid, sub-licensable, transferable, non-exclusive, irrevocable, worldwide licence to produce, use, sell, offer for sale, import and otherwise exploit the Feedback (including by integrating the Feedback into the Services) without restriction, for the duration of the intellectual property rights applicable to such Feedback.

12. Processing of Personal Data

12.1. Spendesk as the Customer's data processor

As part of the processing carried out for (i) the provision of the Platform, (ii) the provision of Payment Services to the Customer and Users and (iii) the provision of anonymised data on industry trends in business expenses according to predetermined criteria depending on the Customer's area of work, Spendesk acts as a data processor in accordance with the terms of Annex 3 (Data Processing Agreement).

12.2. Spendesk as data controller

In addition, Spendesk carries out the following processing operations in its capacity as a data controller:

  • commercial and contractual management with the Customer;

  • research and development concerning the Platform;

  • video and audio recording of calls for the purpose of improving the Services and training Spendesk personnel; and

  • supervision of Users' account on the Platform for the provision of technical support to the Customer, and for training purposes of Spendesk personnel authorised to process the Customer’s information.

For these purposes, Spendesk undertakes to comply with the obligations related to its capacity as a data controller, in accordance with the applicable regulations.

12.3. Spendesk and SFS SAS as joint data controllers

For the provision of Payment Services and in accordance with applicable regulations, Spendesk and SFS SAS also process Personal Data as joint data controllers. The respective roles of each of the joint data controllers are defined in a joint controllership agreement in accordance with the applicable regulations, which useful information for the Customer is provided in the information note available on Spendesk website.

13. Professional secrecy and confidentiality

13.1. Professional secrecy

In accordance with the regulations, Spendesk (as PSP agent) and SFS SAS (as PSP) as well as their officers and employees are bound by professional secrecy regarding their Customers' data.

However, professional secrecy may not be held against the competent supervisory authority or against the judicial authority acting in the context of criminal proceedings.

In addition, Spendesk and SFS SAS may disclose information covered by professional secrecy to third parties, either when permitted by law or, on a case-by-case basis, with the express authorisation of the Customer.

13.2. Confidentiality

In addition to Spendesk’s professional secrecy, each of the Parties undertakes to keep strictly confidential all documents and information of a legal, commercial, industrial, strategic, technical, or financial nature relating to the other Party of which it may become aware in the context of the Contract acceptance and performance, and not to disclose them without the prior written consent of the other Party.

This obligation does not extend to documents and information for which it can be demonstrated:

(i) that they were already known by the receiving Party;

(ii) that they were already public at the time of their disclosure, or have become public without breach of the Contract;

(iii) that they have been lawfully received from a third party; or

(iv) that their disclosure is required by the judicial authorities, pursuant to applicable laws and regulations, or with a view to establishing the rights of a Party under the Contract.

This obligation of confidentiality extends to all employees, contractors, interns, officers, and directors of the Parties, as well as their advisers and Affiliates, to whom confidential documents or information may only be transmitted if they are bound by the same obligation of confidentiality as that provided for herein.

This will continue to have effect for three (3) years following the end of the Contract, or any longer period provided for by the applicable law or regulation.

Each Party will, at its own expense, at the end of the Contract or at any other time, upon receipt of a written request from the other Party, (i) return or destroy all written confidential information provided to it directly or to its advisers and which is in the possession of that Party or in its custody and control, without retaining copies thereof; and (ii) provide a certificate signed by a legal representative confirming that, to its knowledge, and after conducting all appropriate investigations, the requirements of this article have been fully complied with.

However, the receiving Party may retain the confidential information to the extent that it is required to do so by applicable law or regulation, or if such confidential information has been created in accordance with automatic electronic archiving procedures. Any confidential information that is retained by the receiving Party in accordance with the above will continue to be subject to the confidentiality obligations of the Contract until such confidential information is returned or destroyed.

14. Right of withdrawal in case of solicitation

If the Customer has been solicited by Spendesk within the meaning of article L. 341-1 of the CMF, and subject to the exceptions provided for by the regulations, the Customer has, in accordance with article L. 341-16 of the CMF, a right of withdrawal that it can exercise within a maximum period of fourteen (14) full calendar days from the date of acceptance of the Contract, without having to justify reasons or incur any penalties.

The exercise of the right of withdrawal within the period referred to above entails the automatic termination of the Contract.

The Customer may exercise its right of withdrawal by using the form in Annex 2 of the General Terms and Conditions, or by any other notification of its choice. In the latter case, its statement must be unambiguous and clearly express the Customer's desire to withdraw.

If the Customer exercises its right of withdrawal, it is only required to pay the price corresponding to the use of the Services actually provided between the Effective Date of the Contract and that on which the right of withdrawal is exercised, excluding any penalty.

The Customer expressly consents to Spendesk providing the Services (including Payment Services) to the Customer before the end of the withdrawal period.

15. Effective Date and duration of the Contract

Unless otherwise stated in the Pricing Terms, the Contract takes effect for an indefinite period from its Effective Date until its termination under the conditions provided for in article 16.

By way of exception, the Parties can agree in the Pricing Terms specific to the Customer that the Contract is entered into for a fixed term, and from a specific Effective Date. The Contract is then tacitly renewed at its end, for new successive periods whose duration is defined in the Pricing Terms, unless one of the Parties refuses the renewal at the end of the initial term or the renewed term, by written notification with a prior notice period of one (1) month (or any other notice period specifically defined in the Pricing Terms, which will prevail where applicable).

16. Termination or term of the Contract

16.1. Termination at the Customer’s initiative

Notwithstanding any provision to the contrary contained in the Partners' Documents, and in the case of an indefinite term Contract, the Customer may terminate the Contract at any time by giving two (2) months' notice, notifying Spendesk in the manner provided for in article 9.

Only in the case of an indefinite term Contract signed with a new Customer, no fee will be charged to the Customer for the termination notice period if the request for termination is notified by the Customer within ninety (90) days following the Effective Date of the Contract.

16.2. Termination at Spendesk’s initiative

Notwithstanding any provision to the contrary contained in the Partners' Documents, and in the case of an indefinite term Contract, Spendesk may terminate the Contract at any time by giving two (2) months' notice by notifying the Customer by any written means, and in particular by email or by message on the Platform.

By way of exception, and regardless of the Contract duration, Spendesk reserves the right to stop providing the Services to the Customer and to terminate the Contract as of right and without notice:

(i) in the event of a serious breach by the Customer and/or a User of the obligations provided for in the Contract, including, but not limited to, in case of communication of false information, exercise by the Customer of an activity that is illegal or contrary to common decency, threats against Spendesk's employees or a failure to pay;

(ii) in the event of fraudulent or abusive use of the Services by the Customer and/or a User;

(iii) in the event of a change in the applicable regulations and/or the interpretation thereof by the competent authorities which would affect the ability of Spendesk, the Partners or their service providers to provide the Services; or

(iv) in the event of termination by the Partners of one of the Partners' Documents.

In the event of immediate termination of the Contract, Spendesk will inform the Customer by any written means, and in particular by email.

16.3. Early termination of a fixed-term Contract

This article applies only to the case of a fixed-term Contract.

A fixed-term Contract may be terminated prior to its term, without associated cost for the Party terminating the Contract, only under the following conditions:

(i) termination by Spendesk in the cases provided for in article 16.2; or

(ii) termination by either Party in case of a material breach or non-performance by the other Party of any of its obligations under the Contract, after written notice of the breach or non-performance by the non-defaulting Party, and in the absence of remedy by the defaulting Party within thirty (30) days of receipt of the written notice.

The Customer can notify the early termination of the Contract in the absence of fault from Spendesk, subject to the immediate payment by the Customer of a break-up fee amounting to the total monthly payments remaining due until the term of the Contract. The Customer authorises Spendesk to debit its Account for the Fees due in this respect, under the conditions provided for in article 8.3.

In case of notice of early termination of the Contract by Spendesk for fault of the Customer under the terms of this article, the Customer will be immediately liable for all the monthly payments remaining due until the term of the Contract. The Customer authorises Spendesk to debit its Account for the Fees due in this respect, under the conditions provided for in article 8.3.

In case of notice of early termination of the Contract (a) by the Customer for Spendesk's fault under the terms of this article or (b) by Spendesk pursuant to article 16.2 (iii) or 16.2 (iv), Spendesk will promptly provide a refund proportional to the remaining contractual period of any Fees prepaid by the Customer for the Services.

16.4. Effects of termination or term

The non-renewal or termination of the Contract by the Customer or by Spendesk will result in the termination of all Services provided under the Contract, including termination of all Payment Services described in the Partners' Documents, in accordance with the termination conditions set forth therein.

Likewise, the termination by the Customer or by the Partners of all Payment Services will entail termination of the Contract on the effective termination date of the last Payment Service provided to the Customer.

The end of the Services, regardless of the cause, will automatically and as of right result in the deactivation of all Users' access to the Platform. It is the Customer’s responsibility, prior to this deactivation, to retrieve the documents, elements, data, and information that it has stored on the Platform as part of its use of the Services.

17. Third-party claims

17.1. Indemnification by Spendesk

Spendesk undertakes to indemnify, defend, and hold harmless the Customer and its officers, directors, employees, Affiliates and Users against any claim, action or proceeding of third parties, insofar as it is caused by the Services breaching the intellectual property rights of a third party.

Notwithstanding the terms contained in this article and article 17.4, Spendesk will not be liable for third-party claims if the alleged infringement is based on or arises from (a) the combination or use of the Services with software or other materials not provided or approved for use by Spendesk, (b) the modification of the Services by any person other than Spendesk or its employees, or (c) the use of the Services non-compliant with the documentation provided or the Contract.

17.2. Indemnification by the Customer

The Customer undertakes to indemnify, defend, and hold harmless Spendesk and its officers, directors, employees and Affiliates against any claim, action or proceeding of third parties, insofar as it is caused by a breach by the Customer of its obligations under the Contract. The Customer undertakes to indemnify Spendesk for any damage that the latter may suffer, and to pay it all fees, charges and/or penalties that it may incur as a result.

17.3. Indemnification procedure

Any Party entitled to indemnification under this article (the "Indemnified Party") will comply with the following conditions in order to benefit from said indemnification:

(i) a prompt written notice by the Indemnified Party to the indemnifying Party (the "Indemnifying Party") of any third-party claim for which indemnification may be requested under this article (provided, however, that any failure or delay in providing such notice will not relieve the Indemnifying Party of its obligations, except to the extent that the failure or delay prejudices the defence of the Indemnifying Party);

(ii) a transfer to the Indemnifying Party of full control of the defence and settlement of the claim; and

(iii) a reasonable cooperation of the Indemnified Party, at the expense of the Indemnifying Party, to facilitate such defence or settlement.

Notwithstanding the above, the Indemnifying Party will not consent to the recording of a judgment or enter into any compromise or settlement agreement with respect to any third-party claim for which it defends the Indemnified Party under this article without the prior written consent of said Indemnified Party, unless such judgment, compromise, or settlement agreement:

(i) provides for the payment by the Indemnifying Party of money as sole remedy for the third party making a claim;

(ii) results in the Indemnified Party's full and general release from all liability arising from, relating to, or in connection with, the third-party claim; and

(iii) does not imply any finding or admission of a breach of law, regulation, or the rights of a third party by the Indemnified Party, and has no effect on other claims.

17.4. Other remedies of the Customer in the event of a claim from third parties

If the Services are, or, according to Spendesk, are likely to be, the subject of a third-party claim for infringement preventing the Customer's use of the Services, Spendesk may, at its sole discretion: (i) obtain for the Customer the right to continue to use the Services, (ii) replace or modify the relevant Services so that they are no longer in breach while providing substantially equivalent features, or (iii) if such solutions are not achievable on commercially reasonable terms, as determined by Spendesk, terminate the licence to use the relevant part of the Services, and promptly provide a pro rata refund of any Fees prepaid by Customer for the relevant part of the Services.

Without limiting Spendesk's obligation to indemnify the Customer in accordance with the provisions of article 17.1, the remedies provided for in this article will be the Customer's exclusive remedies with respect to third-party claims for any actual or alleged infringement by Spendesk of any third-party intellectual property right.

18. Liability

18.1. Liability limited to direct damages

Each Party’s liability under the Contract is limited to the direct damages suffered by the other Party, excluding any indirect damages.

18.2. Liability of the Customer

The Customer, acknowledging having read the characteristics and constraints, in particular technical, of all Services, is solely liable for the use of the Services by the Users.

The Customer is solely liable for the acts performed by the Users in connection with the use of the Services, including in the event of non-compliance with regulations, fraud, negligence, or abusive use of the Services. Spendesk cannot be held liable to the Customer or any third party for any fraudulent or abusive use of the Services by one or more User(s).

18.3. Liability of Spendesk

Spendesk cannot be held liable in the event of:

(i) misappropriation of Personalised Security Credentials and, more generally, any information of a sensitive nature for the Customer of which, for example, a third party might make a fraudulent use, if this misappropriation results from an action or omission of the Customer;

(ii) litigation related to the underlying relationship existing between (a) the Customer and (b) as the case may be, the Payer, the Beneficiary and/or the Acceptor, in particular in the event of breach by the Customer of its obligations towards the persons referred to in (b); or

(iii) damage suffered by the Customer resulting from an act or omission of a third party, including in the event of suspension of the Services or termination of the Contract at the request of a supervisory authority such as the ACPR.

In addition, the liability of Spendesk is limited, for all damages, to the amount of the Fees paid by the Customer during the twelve (12) calendar months preceding the event giving rise to the liability of Spendesk; it being specified that this limitation of liability does not apply (a) in the event of gross negligence or fraudulent misconduct by Spendesk and (b) in the context of the indemnification procedure provided for in article 17.1.

18.4. Force majeure

The Parties will not be liable for any damage, delay, non-performance, or partial performance of their respective obligations under the Contract resulting from a Force Majeure Event.

The obligations of the Party affected by the Force Majeure Event will be suspended without incurring any liability whatsoever.

If a Force Majeure Event prevents either Party from performing an essential obligation under the Contract for a period of more than five (5) consecutive Business Days, the Parties will consult with a view to reaching a satisfactory solution. In the absence of agreement on such a solution within fifteen (15) Business Days following the expiry of the period of five (5) Business Days, either Party may terminate the Contract without compensation for the other Party in accordance with the provisions of article 16.

18.5. Liability of the Partners

The liability of the Partners as part of the provision of the Payment Services is provided for in the Partners’ Documents.

18.6. Third-Party Services

The Customer may choose at its discretion to integrate the Services provided by Spendesk with third-party products and services (the "Third-Party Services"). Any acquisition by the Customer of Third-Party Services is solely between the Customer and the relevant Third-Party Service provider, and Spendesk does not guarantee, support, or assume any liability or other obligation with respect to such Third-Party Services unless expressly provided otherwise in the Contract.

In the event that the Customer elects to integrate or interoperate Third-Party Services with the Services provided by Spendesk in a manner that requires Spendesk or the Platform to exchange the Customer’s data with such Third-Party Services or Third-Party Service provider, the Customer will: (a) grant Spendesk permission to allow the Third-Party Services and Third-Party Service provider to access the Customer’s data and information relating to the Customer’s use of the Services in an appropriate and necessary manner to enable the interoperability of such Third-Party Services with the Services provided by Spendesk; (b) acknowledge that any exchange of data between the Customer and any Third-Party Services is solely between the Customer and the Third-Party Service provider and is subject to the Third-Party Service provider's terms and conditions governing the use and provision of such Third-Party Services; and (c) release Spendesk from any liability for any disclosure, modification or deletion of the Customer’s data resulting from access to such data by the Third-Party Services and the Third-Party Service provider.

19. Assignment

The Customer may not assign or transfer all or part of its rights or obligations under the Contract to a third party, in any manner whatsoever.

Notwithstanding any contrary provision contained in the Partners' Documents, the Customer expressly authorises Spendesk and/or the Partners to assign to a third party all or part of their obligations under the Contract, subject to informing the Customer in advance.

20. Miscellaneous

20.1. Severability

If one or more provision(s) of the Contract are considered invalid or declared as such pursuant to a law, a regulation or following a final decision of a competent court, the other provisions will remain in full force and effect.

20.2. No waiver

Neither Party will be treated as having waived any rights by not exercising (or delaying the exercise of) any rights under the Contract.

20.3. Electronic communication

The Parties acknowledge that emails have the same probative force as written documents on paper. Consequently, emails and messages received electronically, including via the Platform, must be kept by the Parties under conditions that prevent any alteration of their form or content so as to constitute reliable copies.

20.4. Notifications

All notifications made by email in the context of executing the Contract will be sent:

  • with respect to the Customer: to the address of the Main User or the User concerned, as registered on the Platform; and

  • with respect to Spendesk: to the address support@spendesk.com.

20.5. Languages of the Contract

The Customer acknowledges and agrees that:

  • the language used in its pre-contractual and contractual relationship with Spendesk may be either English or French, or both, depending on the Partners' Documents applicable to the Services; and

  • to the extent permitted by law, (i) the French version of the General Terms and Conditions is deemed authentic for Customers registered in France and (ii) the English version of the General Terms and Conditions is deemed authentic for Customers registered outside of France; any other available translation of the General Terms and Conditions exists for information purposes only.

The Customer is informed that it can obtain at any time and free of charge from Spendesk a copy of the Contract on a durable medium.

20.6. Prior agreements

This Contract supersedes any prior oral or written agreement, and any other communications between the Customer and Spendesk relating to the subject matter of this Contract, including any confidentiality or non-disclosure agreements.

20.7. Commercial reference

The Parties are not authorised, except for any obligation imposed by applicable law or regulation, to publish or release any announcement, statement, press release or other publicity or marketing material relating to this Contract, or use the other Party's trademarks or logos without the other Party's prior written consent.

As an exception to the foregoing, Spendesk may include the Customer's name and logo as a commercial reference, including during events, in its commercial documents and on its website, in any form whatsoever, during the term of the Contract and beyond, for a period of six (6) months.

Spendesk agrees to cease such use of the Customer's name and logo as soon as possible upon receipt of a request from the Customer to logos@spendesk.com.

21. Applicable law and competent jurisdictions

21.1. Applicable law

The General Terms and Conditions are subject to French law.

The Partners' Documents are subject to the law specified in the Partners' Documents.

21.2. Competent jurisdictions

Any dispute relating in particular to the validity, interpretation, or execution of the General Terms and Conditions will be subject to the exclusive jurisdiction of the Commercial Court of Paris.

Any dispute relating in particular to the validity, interpretation, or execution of the Partners' Documents will be subject to the jurisdiction of the court(s) indicated in the Partners' Documents.

Annex 1

Contractual documentation applicable to Payment Services

Contractual documentation applicable to Payment Services provided by SFS SAS:

Euro SFS SAS Accounts and Euro SFS SAS Cards

EEA Customers 🇪🇺

SFS SAS Payment Services framework contract: Link

Fee information document for SFS SAS Payment Services: Link

Contractual documentation applicable to Payment Services provided by Adyen:

GBP Adyen Accounts and GBP Adyen Cards

United Kingdom Customers 🇬🇧

Adyen business account agreement: Link

Adyen card user agreement : Link

Adyen privacy policy: Link

Professional client confirmation request (PCCR): Link

Fee information document for Adyen Payment Services (Fees paid to Spendesk): Link

Contractual documentation applicable to Payment Services provided by Sutton Bank and Dwolla:

USD Sutton Accounts and USD Sutton Cards (and Dwolla services for outgoing Transfers)

United States Customers 🇺🇸

General terms and conditions USD Sutton Accounts and USD Sutton Cards: Link

Sutton Bank privacy policy: Link

Dwolla account terms of Service: Link

Dwolla privacy policy: Link

Annex 2

Withdrawal form in case of banking or financial solicitation

FORM RELATING TO THE WITHDRAWAL PERIOD PROVIDED FOR IN ARTICLE L. 341-16 OF THE CMF

Form to be returned no later than fourteen (14) calendar days after the date of entering into the Contract (as defined below), by registered letter with acknowledgement of receipt, to:

Spendesk SAS

51 rue de Londres

75008 Paris

Contract name: general terms and conditions of use of Spendesk services (the "Contract").

In accordance with article L. 341-16 of the French Monetary and Financial Code, the right of withdrawal may be exercised within fourteen (14) calendar days from entering into the Contract, or from the receipt of the contractual conditions, if the latter date falls later.

This withdrawal will only be valid if it is sent, by registered letter with acknowledgement of receipt, legibly and duly completed, before the expiry of the period of 14 calendar days provided for in article L. 341-16 of the French Monetary and Financial Code.

I, the undersigned ________________________________, [duly authorised to represent the company __________________________________] (hereinafter the "Professional Customer"), declare that I exercise the Professional Customer's right of withdrawal, and waive the entire Contract entered into on ________________ with Spendesk SAS for the provision (in particular) of payment services.

Signing location: ______________

Date: ______________

Signature of the Customer ______________

Annex 3

Data Processing Agreement

This Data Processing Agreement (the "Agreement") forms part of the general terms and conditions of use of Spendesk Services (the "General Terms and Conditions") entered into between the Customer (the "Data Controller") and Spendesk (the"Data Processor"), as respectively defined in the General Terms and Conditions (together, the "Parties").

Spendesk provides Services to the Customer, which imply the Processing of Personal Data. As such, the Parties wish to implement this Agreement, in accordance with the Data Protection Legislation, and in particular article 28 of the GDPR, to define their respective rights and obligations.

1. Definitions

In this Agreement, capitalised terms not specifically defined in the body of the Agreement have the meaning attributed to them (a) below, (b) failing that, in the body of the General Terms and Conditions or (c) failing that, in the GDPR:

TermDefinition
Authorised Recipientmeans an officer, director, employee, partner payment service provider or adviser of the Data Processor who has a legitimate need to receive and review the Personal Data for the purposes of the Data Processor's exercise of its rights and/or performance of its obligations under this Agreement, and/or any authorised sub-processor used by the Data Processor as part of the provision of the Services;
Contractmeans the contractual framework governing the use of the Services, as defined in the body of the General Terms and Conditions;
Data Protection Legislationmeans the laws and regulations applicable to the Processing of Personal Data including (but not limited to): (i) The GDPR and the legislation implemented by each EEA Member State in relation to the GDPR; (ii) Any specific legislation that may impact the Processing carried out under this Agreement (including legislation applicable in the United Kingdom, such as the Data Protection Act 2018, if the Customer is registered in that country); (iii) Any recommendation or directive issued by a Supervisory Authority;
GDPRmeans Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;
Permitted Purposesmeans the Processing of Personal Data implemented within the context of the Contract and described in Annex A;
Personal Datameans personal data within the meaning of the GDPR;
Servicesmeans the services provided by the Data Processor under the Contract;
Third Countrymeans any country which is not an EEA Member State.

2. Designation and role of the Parties

As part of the Processing carried out for (i) the provision of the Platform to the Users and (ii) the collection of Personal Data for the provision of Payment Services to the Customer and the Users:

2.1. The Customer acts as a Data Controller; and

2.2. Spendesk acts as a Data Processor.

3. Obligations of the Data Processor

The Data Processor:

3.1. Will process Personal Data only to the extent, and in the manner, necessary for the Permitted Purposes, and in accordance with the Data Controller's written instructions (including the instructions set out in this Contract and in the body of the General Terms and Conditions), with the following consequences:

(i) The Data Processor will not process Personal Data for any other purpose, unless the Processing is required by laws applicable to the Data Processor, in which case the Data Processor will, to the extent permitted by applicable laws, promptly notify the Data Controller of such legal requirement when the Data Processor becomes aware of it, and in any event prior to the Processing of such Personal Data;

(ii) The Data Controller is solely responsible for the Personal Data that it communicates to the Data Processor, and must refund the Data Processor for any costs and expenses incurred resulting from an individual instruction that goes beyond (a) what is defined by the Data Protection Legislation and/or (b) the Processing activities provided for in the Contract or in this Agreement;

(iii) If the Data Processor considers that an instruction from the Data Controller constitutes an infringement of the Data Protection Legislation, it must inform the Data Controller without delay; in addition, the Data Processor has the right to suspend the execution of the instruction until it is confirmed by the Data Controller;

3.2. Will comply, and ensure that any Authorised Recipient complies, with the Data Protection Legislation and, where applicable, with the policies and directives of the Data Controller previously communicated to the Data Processor;

3.3. Will comply, and ensure that all systems, Services, and products provided by the Data Processor to the Data Controller comply, with all laws, decrees, regulations, orders, standards, and other similar instruments (including the Data Protection Legislation) applicable in connection with the Processing of Personal Data;

3.4. Will cooperate and comply with the instructions or decisions of any Supervisory Authority, and in each case within a period allowing the Data Controller to comply with any deadline imposed by the Supervisory Authority. In the event that such a requirement or the deadlines imposed by a Supervisory Authority would place an unreasonable burden on the Data Processor, the Parties will cooperate to approach the Supervisory Authority in order to modify these requirements and/or adjust some deadlines.

4. Cooperation and assistance

The Data Processor undertakes:

4.1. To the extent legally permitted, and to the extent that the Data Controller does not have access to such Personal Data as part of its use of the Services, to promptly modify, transfer, change and/or delete any Personal Data held on behalf of the Data Controller in accordance with any written instruction of the Data Controller. The Data Controller will assume all additional costs resulting from such actions that go beyond (a) what is defined by the Data Protection Legislation and/or (b) the Processing activities provided for in the Contract or in this Agreement, following approval of the quotation;

4.2. To notify the Data Controller without undue delay:

(i) If the Data Processor considers that an instruction from the Data Controller relating to the Processing of Personal Data infringes Data Protection Legislation;

(ii) Of any breach of the Data Protection Legislation by the Data Processor or any of its sub-processors;

(iii) If the Data Processor or any of its sub-processors suffers a Personal Data Breach;

(iv) Of the results of investigations related to the breaches referred to in article 4.2 (ii) or to the Personal Data Breaches referred to in article 4.2 (iii);

(v) If the Data Processor or any of its sub-processors receives any complaint, notice or communication from a Supervisory Authority or governmental authority that relates directly to a requirement relating to the above Processing of Personal Data;

and, with respect to article 4.2 (iii), to comply with the provisions of article 4.3, and with respect to articles 4.2 (i) to (v), to provide the Data Controller with full cooperation, information and assistance in connection with any such complaint, notice or communication or any Personal Data Breach, and not to make any public statement or announcement to any third party, including (without limitation) any governmental authority or Supervisory Authority, without first having, where reasonably possible and unless prohibited by applicable laws, consulted with the Data Controller concerning the content of such public statements or announcements;

4.3. With respect to article 4.2 (iii), to:

(i) Take all reasonable steps necessary to remedy or protect the Data Processor's systems against the Personal Data Breach;

(ii) Implement measures to restore any lost, corrupted, or unusable Personal Data;

(iii) Provide reports to the Data Controller that are sufficient to enable it to notify the Personal Data Breach to the relevant Supervisory Authorities and, if necessary, to the Data Subjects in accordance with Data Protection Legislation;

(iv) Take measures to mitigate the adverse effects arising from the Personal Data Breach as directed by the Data Controller, or in any event as a prudent operator would; and

(v) Take steps to prevent a similar Personal Data Breach in the future.

4.4. To assist the Data Controller in ensuring compliance with the obligations provided for in articles 32 to 36 (included) of the GDPR, taking into account the nature of the Processing carried out by the Data Processor and the information available to the Data Processor. This assistance includes, to the appropriate and necessary extent, the provision of information and assistance to the Data Controller in carrying out impact assessments on the protection of Personal Data in connection with the Processing carried out by the Data Processor as part of the Services.

5. Obligations of the Data Controller

The Customer, as Data Controller, is solely liable for compliance with all obligations attached to this status arising from the Data Protection Legislation, and in particular:

5.1. To ensure the lawfulness, the accuracy of Data Subjects’ Personal Data, and to have the authorisation from Users to the Processing of their Personal Data by the Data Processor as part of the Services provided;

5.2. Information provided to Users regarding the Processing of their Personal Data by the Data Processor under the conditions described in this Agreement, and how Users may exercise their rights with the Data Processor;

5.3. Information provided to the Main User, legal representatives and beneficial owners concerning the Processing and transfer of their Personal Data by the Data Processor to partner payment service providers, required to carry out the Processing related to AML-CFT procedures in accordance with their legal and regulatory obligations, in the manner described in the article "AML-CFT checks" of the General Terms and Conditions;

5.4. To inform the Data Processor without delay if a User no longer acts in the name and on behalf of or with the authorisation of the Data Controller.

6. Technical and organisational measures - Security

The Data Processor undertakes to implement appropriate technical and organisational measures compliant with the Data Protection Legislation.

The Data Processor undertakes:

(i) To ensure that it has appropriate technical and organisational measures in place against the destruction, loss, alteration (accidental or unlawful), unauthorised disclosure or access to the Personal Data it processes;

(ii) To ensure that the Authorised Recipients comply with all reasonable requests of the Data Controller with regard to the security and the Processing of Personal Data.

The Data Processor must carry out an annual review of its technical and organisational measures and update them regularly to reflect:

(i) Major technological developments and best standard practices;

(ii) Any change or proposed change to the Data Processor's procedures, sites and systems, Services and/or associated operating modes;

(iii) Any new threat identified or modified with regard to the Data Processor's procedures, sites, and systems.

7. Authorised Recipients and confidentiality

The Data Processor undertakes to:

7.1. Restrict access to Personal Data to Authorised Recipients who need to obtain access for Permitted Purposes;

7.2. Ensure that all Authorised Recipients are made aware of the data protection;

7.3. Impose on Authorised Recipients legally binding confidentiality and security obligations equivalent to those contained in this Agreement.

8. Records of Processing

The Data Processor undertakes to the Data Controller to keep a record of any Processing of Personal Data carried out on behalf of the Data Controller, including the record of Processing activities required in accordance with article 30 (2) of the GDPR.

9. Rights of Data Subjects

The Data Processor will:

9.1. Notify the Data Controller promptly, and in any event no later than fifteen (15) days, of any request from a Data Subject wishing to exercise their rights under the Data Protection Legislation;

9.2. Provide the Data Controller with reasonable cooperation and assistance to enable the Data Controller to respond to requests from Data Subjects who wish to exercise their rights under the Data Protection Legislation (whether such requests are received by the Data Processor or the Data Controller), to the extent that this is legally permitted, and to the extent that the Data Controller does not have access to such Personal Data as part of its use of the Services; and

9.3. Not disclose or communicate any Personal Data in response to a Data Subject or not respond to any other request for disclosure of Personal Data without first consulting and obtaining the written consent of the Data Controller.

10. Collection of Personal Data

If the Data Processor is required to collect Personal Data on behalf of the Data Controller requiring the consent of the Data Subjects, the Data Processor will collect the Personal Data in the format agreed in writing with the Data Controller, and will provide the Data Subjects at the time of collection with a privacy policy (including, if necessary, a consent form) according to the format authorised by the Data Controller and depending on the type of collection (direct or indirect).

11. Sub-processors

The Data Controller authorises the Data Processor to subcontract part of the Processing to its current sub-processors as mentioned in the sub-processors list available on the Data Processor’s website. This list includes the identities of each current sub-processor, the categories of Personal Data they process, their country location, and information about their compliance with Data Protection Legislation.

The Data Processor can update the sub-processors list and will inform the Data Controller of the recruitment of a new sub-processor.

The Data Controller may oppose the use of a new sub-processor by the Data Processor by promptly notifying the Data Processor in the form provided for in the General Terms and Conditions. In the event that the Data Controller objects to the appointment of a new sub-processor, the Data Controller may terminate the applicable Contract by sending the Data Processor a written notification in the form provided for in the General Terms and Conditions.

Any sub-processing of Personal Data will not release the Data Processor from its duties, responsibilities and obligations to the Data Controller under this Agreement, and the Data Processor will remain fully liable for the acts and omissions of its sub-processors.

12. Transfers to Third Countries

Any transfer of Personal Data to a Third Country or an international organisation by the Data Processor in the context of the Services will only be carried out on the basis of documented instructions from the Data Controller, or in order to fulfil a specific requirement of the law or regulation to which the Data Processor is subject, and will be carried out in accordance with Chapter V of the GDPR.

The Data Controller agrees that, where the Data Processor recruits a sub-processor in accordance with article 11 to carry out specific Processing activities (on behalf of the Data Controller), and such Processing activities involve a transfer of Personal Data within the meaning of Chapter V of the GDPR, the Data Processor and the sub-processor will comply with Chapter V of the GDPR by using the appropriate transfer mechanisms (in particular the standard contractual clauses published by the European Commission (the "Standard Contractual Clauses")).

In the event that the Data Processor is under an obligation to transfer Personal Data, under applicable law, to a Third Country or an international organisation, the Data Processor must inform the Data Controller without delay, and in any event before the performance of said mandatory transfer, unless applicable law prohibits such information for grounds of public interest.

13. Liability

Each Party is and will remain liable for any breach of Data Protection Legislation and will indemnify the other Party against the possible consequences of such breach.

The Data Processor’s liability will be limited to (i) its own Processing activities under this Agreement, and (ii) only the damages and maximum amounts specified in the General Terms and Conditions.

14. Entry into force and termination

This Agreement will take effect on the Effective Date defined in the General Terms and Conditions and will remain in force until the Data Processor ceases to Process the Personal Data on behalf of the Data Controller.

15. Consequences of Termination

Upon expiry or termination of the Contract (for any reason whatsoever), the Data Processor must cease the Processing on behalf of the Data Controller and, depending on the applicable retention periods set out in Annex A, and upon written request of the Data Controller, promptly return all Personal Data to it via a secured means (regardless of its form, and whether the Personal Data is electronic or physical).

16. Information and audit

The Data Processor will make available to the Data Controller all information necessary to demonstrate compliance with the obligations provided for in this Agreement and to allow audits to be carried out.

The Data Controller may carry out, at its own expense, any check it deems useful to verify compliance with the Data Processor’s obligations, under the conditions of the Data Processor's external audit policy.

The Data Processor will allow and contribute to the audits that the Data Controller or an auditor of its choice, subject to an obligation of confidentiality, will conduct for the purpose of reviewing the Data Processor's compliance with the obligations set out in this Agreement, subject to at least sixty (60) Business Days' written notice.

The Data Controller may request, carry out or have an audit carried out once every twelve (12) months. The Data Processor may object to the choice of an independent auditor made by the Data Controller within ten (10) days of notification by the Data Controller.

The audit may relate only to the Data Processor's obligations under this Agreement and cannot, in particular, relate to:

(i) Data or information from other customers or prospects of the Data Processor;

(ii) Any internal data belonging to the Data Processor that is not directly and strictly relevant to the authorised audit objectives;

(iii) Any information the disclosure of which could affect the security of the Data Processor's systems and data (i.e., create a risk to the confidentiality of the information); and

(iv) The source code of the computer programs used for the provision of the Services.

The auditor may neither copy a document, file, data, or information, in whole or in part, nor take photos, scan, or make an audio, video or computer program without first informing the Data Processor.

The audit will take place on Business Days during working hours, and will be conducted in such a way as not to disrupt the activities of the Data Processor and the provision of the Services by the Data Processor to the benefit of its other customers. The audit duration may not exceed three (3) Business Days of involvement of the Data Processor's personnel, which may be spread over one (1) calendar month.

The Data Controller will bear the full costs of the audit, and the Data Processor will be entitled to invoice the Data Controller for any additional costs and expenses relating to the audit. The audit will be carried out jointly, and a copy of the audit report must be provided to the Data Processor.

17. Entire Agreement

This Agreement constitutes the entirety of the commitments entered into by the Parties with respect to its subject matter, and the terms of the Agreement will prevail over all other agreements.

Each Party acknowledges and agrees that by entering into this Agreement, it waives, and will have no recourse with respect to, any statement, representation, guarantee or understanding of any person (whether or not a Party to this Agreement) other than as expressly set forth in this Agreement.

18. Interpretation

In case of a conflict between the provisions of this Agreement and those of the body of the General Terms and Conditions, the provisions of this Agreement will prevail.

19. Applicable law and jurisdiction

This Agreement will be governed by and construed in accordance with French law, and any dispute arising out of or in connection with this Agreement will be subject to the exclusive jurisdiction of the courts of Paris (France), to which each of the Parties irrevocably submits.

20. Miscellaneous

Each Party must occasionally (both during the term of this Agreement and after its termination) carry out all acts and sign all documents as may be reasonably necessary to give effect to the provisions of this Agreement.

Annex A. Description of the Personal Data Processing

 

1. Data governance of the Data Processor

Data protection officer (DPO): François-Xavier Boulin (privacy@spendesk.com)

2. Details of the Personal Data Processing

2.1 Categories of Data Subjects:

(i) The Users designated by the Customer;

(ii) The Customer's legal representatives and beneficial owners;

(iii) The Main User designated by the Customer.

2.2 Purposes of the Personal Data Processing:

(i) Provision of a SaaS Platform for the management of payments, invoices and authorisation flows of Users' business expenses;

(ii) Provision of Payment Services to the Customer and Users, including:

  • opening an Account in the name of the Customer

  • issuance of Cards for each User at the request of the Customer

  • management of Payment Transactions (including by Card and Transfers)

  • management of requests and complaints from the Customer or one or more User(s)

(iii) Provision of anonymised data on industry trends in business expenses according to predetermined criteria depending on the Customer's area of work. 

2.3 Type of Personal Data and nature of the Processing:

(i) KYC Information relating to the Customer’s legal representatives and beneficial owners, to the Main User and to Users

Legal representativesBeneficial ownersMain UserUsers
First Name✔️✔️✔️✔️
Surname✔️✔️✔️✔️
Date of birth✔️✔️✔️✔️
Place and country of birth✔️✔️✔️✔️
Nationality✔️✔️✔️✔️
Postal address✔️✔️✔️Only for Users of UK Customers
Financial transaction data✔️✔️✔️✔️
Professional email address✔️
Identity document and any other proof necessary for the validation of the Customer's compliance for entering into a business relationship✔️✔️✔️
Nature of the relationship with the Customer✔️

Nature of the Processing: collecting of Personal Data as part of the opening of the Customer’s Account and collecting of information as part of the checks imposed by AML-CFT regulations on Spendesk's partner payment service provider(s).

(ii) Information relating to the Users (first name, surname, professional email address and phone number, postal address (only for the delivery of the Card), photo (with the User’s consent))

Nature of the Processing: to guarantee the sending of information relating to the status, collecting of information as part of the sending of the Card, the security code, and instructions as part of the authorisation process for Payment Transactions; creation of an account on the Spendesk Platform; management of requests and legal complaints; use of the Platform and the Services subscribed to by the Customer.

(iii) User login data (username, password, IP address)

Nature of the Processing: to ensure the connection of Users for identification purposes and access to the Spendesk Platform.

(iv) User professional position details

Nature of the Processing: to define the scope of the rights and authorisations of the User, and to limit the functions or access to the Spendesk Platform.

(v) User payment information (only IBAN or other bank account number)

Nature of the Processing: to ensure the payment (refund) of the User's professional expenses.

(vi) Invoices and receipts for professional expenses

Nature of the Processing: analysis and retention of invoices and receipts in order to preserve evidence and accounting information relating to payments and refunds.

2.4 Retention period:

(i) Data relating to the User(s): duration of the contractual relationship with the Customer and twenty-four (24) months from the deletion of the User (subject to another retention period defined in a specific regulation).

(ii) Data relating to the Main User, legal representatives, and beneficial owners of the Customer: duration of the contractual relationship with the Customer (subject to another retention period defined in a specific regulation).

(iii) Invoices and receipts for Users’ professional expenses: ten (10) years from the end of the calendar year in which they were received.

Annex 4

Card Insurance Service (option only available for Customers registered in France or Luxembourg)

As an option, the Customer has the possibility to provide all Card Users with group insurance taken out by Spendesk with a partner insurer.

1. Insurance Information

An information sheet on the various coverages, compensation ceilings and pricing terms is available here: https://www.spendesk.com/fr/product/insurance/.

The standardised insurance product information document is available here: https://spx-production.s3-eu-west-1.amazonaws.com/tos/2021_03_23-Fiche_IPID_Spendesk_03-03-2022.pdf.

If the Customer considers the product adapted to its needs and relevant to its activity and that of the Card Users, with Spendesk being available to assist the Customer in its choice, it is invited to read carefully the information notice of the group insurance contract no 4 091 933 available here: https://spx-production.s3-eu-west-1.amazonaws.com/tos/2021_03_10-notice_dinformation_des_assurances_spendesk.pdf.

This notice, for which Spendesk waives all responsibility, precisely defines the conditions of coverages, the applicable exclusions, the duration of cover and the formalities in the event of a claim. Adherence to the insurance policy requires the Customer to accept without reservation all the terms of the information notice. The Customer also undertakes to bring the information notice to the attention of all Card Users.

2. Management of claims

An insurance claim and its follow-up will be processed directly and exclusively with the partner insurer according to the instructions available here: https://helpcenter.spendesk.com/fr/articles/4967565-comment-faire-pour-contacter-l-assurance-ou-l-assistance, which the Customer will communicate to Card Users. Spendesk undertakes to assist Customers and Card Users to enable them to assert their rights effectively with the partner insurer.

3. Modifications of the insurance policy and insurance pricing terms

Spendesk draws the Customer's attention to the possibility that, after adherence, the partner insurer may make changes to its rights and obligations, as well as to those of the Card Users. Spendesk disclaims all liability in connection with the contractual and pricing changes, which are the sole decision of the partner insurer.

Any changes will be sent by Spendesk to the Customer, on the Platform and/or by email, no later than three (3) months before the date proposed for their entry into force. The Customer will be deemed to have accepted the proposed changes if it has not notified Spendesk of its refusal before the effective date indicated. The Customer will inform the Card Users of the changes made. If the Customer refuses the changes, it can withdraw from its insurance contract, without charge, by notification sent to Spendesk before the effective date of the changes, in the manner provided for in article 9 of the General Terms and Conditions. Its adherence will end upon the expiry of a period of two (2) months from the date of notification. The Customer will inform the Card Users of the termination of the insurance.

4. Termination of the insurance

Group insurance can be terminated by Spendesk or the partner insurer. No later than two (2) months before the proposed termination date, Spendesk will inform the Customer of this on the Platform and/or by email. The Customer will inform the Card Users. Termination is enforceable against the Customer and Card Users.

The Customer may terminate the insurance cover, after informing the Card Users by giving two (2) months' notice, notifying Spendesk in the manner provided for in article 9 of the General Terms and Conditions. The termination of the insurance by the Customer implies termination of the insurance cover for all Cards provided under the Contract.

Spendesk recalls that the insurance cover, inseparably linked to the Card, cannot continue after expiry or withdrawal of the Card. Non-payment for insurance services will also terminate the adherence.

5. Personal Data

By taking out insurance, the Customer expressly authorises Spendesk to transmit to the partner insurer all the information necessary for the subscription to said insurance, including Personal Data relating to the Card Users. The partner insurer will process this Personal Data as a data controller in accordance with the conditions and purposes defined in the information notice of the group insurance contract, referred to in article 1 of this Annex. The Customer is informed that the partner insurer, in its capacity as data controller, may, at the subscription stage and during the term of the insurance policy, request any additional information from it as well as from the relevant Users, including, where applicable, Personal Data.