Data Protection Addendum

1. Resources to Provide Services. DailyPay shall provide all the facilities, personnel, equipment, communication lines, network equipment and components, bandwidth/connectivity, hardware, software and services necessary to provide the Service on a 24x7x365 basis, except for Scheduled Downtime and any unavailability caused by force majeure events (collectively, the “Service Resources”). As used herein, “Scheduled Downtime” means the downtime required by DailyPay for upgrading or maintaining the Service, provided that such downtime will occur no more frequently than once per week on Sundays between 4 a.m. and 6 a.m. ET and monthly on a Sunday between 12 a.m. and 6 a.m. ET, provided that DailyPay shall provide no less than 24 hours prior written notice of any changes in the downtime schedule. DailyPay shall provide the Service using a primary data center site (the “Primary Site”) as well as a secondary, back-up data center site (the “Back-Up Site”). The Primary Site and Back-Up Site shall (a) have redundant high speed connections to the Internet; and (b) have backup electrical systems, including an uninterruptible power supply and an electrical generator allowing for at least two months of generated power. Data from the Primary Site shall be replicated to the Back-Up Site every evening for disaster recovery purposes.

2. Maintenance and Support

(a) DailyPay shall provide Company, at no additional charge, with all support and maintenance necessary to ensure the Service is Available on a 24x7x365 basis (except for Scheduled Downtime and any unavailability caused by (i) force majeure events or (ii) third-party payment networks) and as more particularly set out in DailyPay’s Product Support Policy (the “Product Support Policy” and such support, the “Support”). In addition to the items set out in the Product Support Policy,

(b) DailyPay shall make available by telephone and email qualified technicians to respond to Company’s Support requests as set out in the Product Support Policy.

(c) DailyPay shall respond to and resolve Service issues as set out in the Product Support Policy.

3. Service Level Agreements.

(a) Uptime SLA. DailyPay agrees that the Service shall be Available (as defined below) to Company 99% of the time during each month (the “Uptime SLA”). As used herein, “Available” means Company is able to access and use the Service, and the Service is not experiencing an urgent priority level issue, as more particularly set out in the Product Support Policy.

(b) Termination Rights. If (i) the Uptime SLA is not met more than three times during any 12-month period, or (ii) the Service is Available less than 95% of the time during any month, then Company shall have the right to terminate the Agreement.

4. Data Security

(a) Representations and Warranties.

(i) DailyPay represents and warrants to Company that its collection, access, use, storage, processing, disposal and disclosure of Personal Data does and shall at all times comply with all applicable laws, including without limitation all privacy and data protection laws and regulations such as the California Consumer Privacy Act of 2018 (as may be amended from time to time, the “CCPA”) to the extent it applies to the Service. In each case, such laws, regulations and requirements shall govern DailyPay’s processing of Personal Data and apply to the Service (collectively, “Privacy Laws”). DailyPay further represents and warrants that nothing in applicable Privacy Laws prevents it from performing its obligations as described in this Agreement. DailyPay further represents and warrants that any DailyPay subprocessors that process Personal Data are subject to obligations to keep any such data confidential and maintain data security and privacy measures in accordance with industry best practices and applicable Privacy Laws.

(ii) DailyPay represents and warrants that as of the date hereof, it is compliant, and shall ensure at all times during the Term that it will remain compliant, with the Payment Card Industry Data Security Standard requirements (“PCI-DSS”), in each case, to the extent PCI-DSS applies to the Service. Furthermore, DailyPay represents and warrants that as of the date hereof, it maintains, and shall ensure that at all times during the Term it will continue to maintain, SOC 2 Type 2 and ISO 27001:2022 certifications and security controls consistent with such certifications.

(b) Security Measures. Without limiting DailyPay’s obligations under the Agreement, DailyPay shall implement administrative, physical and technical safeguards to protect Personal Data that are no less rigorous than accepted industry practices, and shall ensure that all such safeguards, including the manner in which Personal Data is collected, accessed, used, stored, processed, disposed of and disclosed, comply with Privacy Laws, as well as the terms and conditions of the Agreement. At a minimum, DailyPay’s safeguards for the protection of Personal Data shall include: (i) limiting access of Personal Data to authorized persons; (ii) implementing network, device application, database and platform security; (iii) securing information transmission, storage and disposal; (iv) implementing authentication and access controls within media, applications, operating systems and equipment; (v) encrypting and pseudonymizing Personal Data stored on any DailyPay-supplied mobile media; (vi) encrypting and pseudonymizing Personal Data transmitted over public or wireless networks; (vii) logically segregating Personal Data from information of DailyPay or its other customers so that Personal Data is not commingled with any other customer’s information; (viii) validating security of software and websites through static and dynamic security testing processes; (ix) implementing appropriate personnel security and integrity procedures and practices; (x) providing appropriate privacy and information security training to DailyPay’s employees; (xi) ensuring all software developed by DailyPay is tested for security flaws and meets at a minimum OWASP top 10 security standards; (xii) ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (xiii) ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and (xiv) maintaining a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing Personal Data.

(c) Breach Notification. DailyPay shall notify Company of a Security Breach as soon as practicable, but no later than seventy-two (72) hours after DailyPay becomes aware of it. Where possible, the notice to Company shall describe the nature of the incident, the number of individuals impacted, the type of records impacted, and any other information that may be relevant. Following DailyPay’s notification to Company of a Security Breach, the parties shall coordinate with each other to investigate the Security Breach. DailyPay shall take all reasonable steps to investigate, mitigate, and remediate any Security Breach and prevent any further Security Breach at DailyPay’s expense in accordance with applicable laws. DailyPay shall provide Company with all such timely information and cooperation as Company may require so that it may fulfil its data breach reporting obligations under (and in accordance with the timescales required by) applicable Privacy Laws. The Parties agree to coordinate in good faith on developing the content of any related public statements. As used herein, “Security Breach” means any unauthorized access to or use, disclosure, alteration, or destruction of Personal Data known to DailyPay that materially compromises the privacy or security of Personal Data.

(d) Regulator Requests. DailyPay shall use commercially reasonable efforts to assist the Company in addressing any communications and abiding by any advice or orders from government authorities relating to the Personal Data within the timeframe specified by the government authorities.

(e) Assistance and Cooperation. If requested and upon reasonable prior written notice from Company, DailyPay shall provide commercially reasonable assistance to Company in completing any privacy impact assessments and/or data protection impact assessment, and any prior consultations with government authorities, that Company considers necessary to comply with applicable Privacy Law. Company shall be responsible for reasonable costs and expenses incurred by DailyPay related to any such assistance. Upon Company’s request, DailyPay shall provide Company all information reasonably necessary to demonstrate compliance with applicable Privacy Laws.

(f) Audit.

(i) Upon Company’s written request, DailyPay will provide Company with all information reasonably necessary to demonstrate DailyPay’s compliance with applicable Privacy Laws, including the measures DailyPay has taken to comply with its obligations under this Agreement. At its own cost, DailyPay will implement any further steps that are reasonably necessary to ensure compliance.

(ii) In addition, upon Company’s written request, DailyPay shall provide Company with the results of any audit performed by or on behalf of DailyPay that assesses the effectiveness of DailyPay’s information security program as relevant to the security and confidentiality of Personal Data shared during the Term of the Agreement.

(iii) Upon Company’s request, DailyPay agrees to provide to Company from DailyPay’s independent auditor, at DailyPay’s expense, a Type 2 SOC 2 report that includes a description of the “system” as well as a written assertion by management issued based on the criteria for a description of a service organization’s system in DC section 200, 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2 Report (AICPA, Description Criteria) in addition to or replacement of any other applicable auditing and attestation standard(s) approved by the AICPA that are in effect during the time period in which DailyPay’s independent auditor performs work related to the Type 2 SOC 2 report referred to herein (the “Report and Opinion”). DailyPay agrees to provide this Report and Opinion to Company for reasonable assurance that DailyPay’s service commitments and system requirements were achieved based on the trust services criteria relevant to Security, Availability, and Confidentiality (applicable trust services criteria) set forth in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Criteria).

(g) Return or Deletion of Personal Data. Upon termination of the Agreement, DailyPay shall upon Company’s request either return all Personal Data and copies of such data to Company or delete, and provide a certificate of destruction, (i) unless otherwise required to store such Personal Data (x) pursuant to applicable law or (y) DailyPay’s document retention policy or (ii) such Personal Data is necessary solely for the purpose of DailyPay recouping any amounts owed due to a negative remaining balance in any User’s or former User’s DailyPay Account. If required to store Personal Data pursuant to the preceding sentence, then DailyPay shall notify Company and continue to safeguard such data in accordance with this Agreement.

CPRA ADDENDUM

Company and DailyPay (“Vendor”) have one or more written contracts, pursuant to which Vendor provides services on behalf of Company (collectively, the “Services”) that involve or may involve the processing of Personal Information of the Company.

The California Privacy Rights Act of 2020, Civil Code Sections 1798.100 et seq. together with any amendments, rules, regulations, and decisions (the “CPRA”) imposes specific obligations on the Company as a Business and Vendor as a Service Provider with regard to the processing of Personal Information of Consumers.

This CPRA Service Provider Agreement Addendum (the “CPRA Addendum”) sets forth the data privacy requirements imposed by the CPRA and is incorporated by reference into the Agreement. In the event of a conflict between the terms of this CPRA Addendum and any part of the Agreement, the terms of the CPRA Addendum will apply.

1. Definitions

For purposes of this CPRA Addendum, the following terms are defined as follows:

(a) “Business purpose” means the use of Personal Information for the Company’s operational purposes, or other notified purposes, or for the Service Provider’s operational purposes, that is reasonably necessary and proportionate to achieve the purpose for which the Personal Information was collected or processed or for another purpose that is compatible with the context in which the personal information was collected. Business purposes include:

(i) auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards;

(ii) ensuring security and integrity to the extent the use of the Consumer’s personal information is reasonably necessary and proportionate for these purposes;

(iii) debugging to identify and repair errors that impair existing intended functionality;

(iv) short-term, transient use, including, but not limited to, nonpersonalized advertising shown as part of a Consumer’s current interaction with the Company, provided that the Consumer’s personal information is not disclosed to another third party and is not used to build a profile about the Consumer or otherwise alter the Consumer’s experience outside the current interaction with the Company;

(v) performing services on behalf of the Company, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business;

(vi) providing advertising and marketing services, except for cross-context behavioral advertising;

(vii) undertaking internal research for technological development and demonstration; and

(viii) undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the Company.

(b) “Commercial purpose” means to advance a person’s or entity’s commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction.

(c) “Consumer” means a natural person who is a California resident as defined under the CPRA including, but not limited to, job applicants, employees and their emergency contacts and beneficiaries, independent contractors, directors, officers, and medical staff.

(d) “Contractor” means a person or entity to whom the Company makes available a Consumer’s Personal Information for a business purpose, pursuant to a written agreement with the business, provided that the agreement complies with the CPRA.

(e) “Cross-context behavioral advertising” means the targeting of advertising to a Consumer based on the Consumer’s personal information obtained from the Consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the Consumer intentionally interacts.

(f) “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Consumer or household received by Vendor in connection with the Services including, but not limited to, the examples of Personal Information identified in the CPRA.

(g) “Personal Information Breach” means any breach of security leading to the unauthorized access and exfiltration, theft, or disclosure of nonencrypted or nonredacted Personal Information resulting from the failure to implement and maintain reasonable security procedures and practices as set forth in the CPRA.

(h) “Reasonable Security Procedures and Practices” means security measures appropriate to the nature of the Personal Information that are implemented and maintained to prevent the unauthorized access and exfiltration, theft, or disclosure of nonencrypted or nonredacted Personal Information and which comply with the applicable Center for Internet Security (“CIS”) Controls.

(i) “Sell” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Consumer’s Personal Information by the Vendor to a third party for monetary or other valuable consideration.

(j) “Sensitive Personal Information” means and includes:

(i) Personal information that reveals a Consumer’s:

(1) social security, driver’s license, state identification card, or passport number;
(2) account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;
(3) precise geolocation;
(4) racial or ethnic origin;
(5) religious or philosophical beliefs;
(6) union membership; or
(7) genetic data.

(ii) The contents of a Consumer’s mail, email, and text messages unless the business is the intended recipient of the communication.

(iii) The processing of biometric information for the purpose of uniquely identifying a Consumer;

(iv) Personal information collected and analyzed concerning a Consumer’s health, sex life, or sexual orientation.

(k) “Service Provider” means an entity that collects, processes, or maintains information on behalf of the Company and to which the Company discloses a Consumer’s Personal Information for a business purpose pursuant to a written agreement as set forth in the CPRA.

(l) “Share” means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Consumer’s Personal Information by the Company to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.

2. Service Provider Relationship. The Company and Vendor agree that Vendor is acting as a Service Provider to provide Services to Company for the business purposes set forth in the Agreement. The Company may direct Vendor to collect Personal Information directly from a Consumer on the Company’s behalf. In such event, Vendor shall be deemed a Service Provider under this CPRA Addendum and the CPRA.

3. Obligations of Vendor

(a) Vendor shall comply with all applicable sections of the CPRA including providing the same level of privacy protection as required by the Company including implementing reasonable security procedures and practices appropriate to the nature of the personal information received from, or on behalf of, the business to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with the CPRA, the California data breach notification law, and other applicable laws.

(b) Vendor shall notify the Company immediately upon becoming aware of a Personal Information Breach involving the Personal Information.

(c) Vendor shall grant the Company the right to take reasonable and appropriate steps to ensure that Vendor uses the Personal Information that it received from, or on behalf of, the Company in a manner consistent with the Company’s obligations under the CPRA. Reasonable and appropriate steps may include ongoing manual reviews and automated scans of Vendor’s system and regular assessments, audits, or other technical and operational testing at least once every twelve (12) months.

(d) Vendor shall assist the Company in responding to any Consumer request involving Personal Information held by Vendor. If Vendor receives a request to know, to delete, or to correct from a Consumer regarding the Personal Information, Vendor shall:

(i) notify the Company; or

(ii) act on behalf of the Company in accordance with statutory requirements for responding to the request.

The Company will inform Vendor of any Consumer request made pursuant to the CPRA that it must comply with and provide the information necessary to Vendor so that Vendor can comply with the request.

(e) Vendor, as a Service Provider, agrees that it will not retain, use, disclose, sell or share the Personal Information obtained in the course of providing services to the Company (i) outside the direct business relationship between the service provider, (ii) for commercial purposes, or (iii) for any other reason except:

(i) To process or maintain personal information on behalf of the Company that provided the personal information or directly authorized Vendor to collect the Personal Information;

(ii) For the specific business purposes and services set forth in, and in compliance with the written agreement for Services;

(iii) To retain and employ another Service Provider or Contractor as a subcontractor, where the subcontractor meets the requirements for a Service Provider or Contractor under the CPRA and these regulations;

(iv) For internal use by Vendor to build or improve the quality of its services, provided that Vendor does not use the personal information to perform services on behalf of another person, including building or modifying household or Consumer profiles to use in providing services to another business, or correcting or augmenting data acquired from another source;

(v) To detect data security incidents or protect against malicious, deceptive, fraudulent or illegal activity;

(vi) To comply with federal, state, or local laws;

(vii) To comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities;

(viii) To cooperate with law enforcement agencies concerning conduct or activity that the Company and Vendor reasonably and in good faith believe may violate federal, state, or local law;

(ix) To exercise or defend legal claims;

(x) To collect, use, retain, sell, or disclose Consumer information that is deidentified or in the aggregate Consumer information; or

(xi) To collect or sell a Consumer’s Personal Information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this section, commercial conduct takes place wholly outside of California if the Company collected that Personal Information while the Consumer was outside of California, no part of the sale of the Consumer’s Personal Information occurred in California, and no Personal Information collected while the Consumer was in California is sold. This paragraph shall not permit a Vendor to store, including on a device, Personal Information about a Consumer when the Consumer is in California for the purpose of later accessing that Personal Information when the Consumer and stored personal information is outside of California.

Vendor hereby certifies that it understands the restrictions set forth in (e) above.

(f) Vendor shall not engage in cross-contextual behavioral advertising by combining the personal information of Consumers who have opted-out of the sale/sharing that the Vendor receives from the Company with Personal Information that Vendor receives from, or on behalf of, another person or from its own interaction with Consumers.

(g) If Vendor subcontracts with another person or entity in providing services to the Company, Vendor shall have an agreement with the subcontractor that complies with the CPRA.

(h) Vendor shall notify the Company no later than three (3) business days after it makes a determination that it can no longer meet its obligations under the CPRA.

4. Deletion. Upon Company’s written request, and subject to and in accordance with all applicable laws, Vendor, as a Service Provider, agrees to promptly delete any and all Personal Information.

5. Termination. The Company shall have the right to terminate the Agreement and/or CPRA Addendum in the event that Vendor is or becomes non-compliant with this CPRA Addendum or the CPRA regarding the Personal Information.