Kyriba Technology Platform Customer Privacy Notice

Scope and Relation to Other Policies

This Technology Platform Customer Privacy Notice (the “Policy”) applies to our collection and use of the Personal Data and limited Sensitive Personal Data, if any, received by (as applicable) : Kyriba Corp. and its affiliates Kyriba SAS, Kyriba SEMEA SAS, Kyriba UK Ltd., Kyriba HK Limited, Kyriba (Chongqing) Software Development Ltd., Kyriba SEA PTE. Ltd., Kyriba Japan, Co., Ltd., Kyriba Software Technology (Shanghai) Limited, and Rim Tec Inc. (collectively “Kyriba” or “we” or “us” or “our”), in electronic and paper format, from Kyriba’s Customers only. We limit our use of the Personal Data collected through our service for the purpose of providing the treasury management, payment processing, and liquidity solution on a software as a service technology platform and associated support, maintenance, implementation and/or training services (“SaaS Services”) for which you as Customer have engaged Kyriba.

By using the SaaS Services, you are agreeing to this Policy.

This Policy does not apply to information that may be received via Kyriba’s website located at www.kyriba.com, which is governed by a separate privacy policy, located at: https://www.kyriba.com/privacy-policy.

Adherence by Kyriba to this Policy may be limited (a) to the extent required or permitted by law or legal process, such as to respond to or investigate a legal or ethical obligation or request or pursuant to court orders, subpoenas, interrogatories or similar directive carrying the force of law, including any matters related to national security or public interest; and (b) to the extent expressly permitted by an applicable law, rule or regulation.

If you are a resident of California, Japan, Canada, Mexico or Singapore, then you may have additional rights available to you. Please see the applicable section below that are specific to your jurisdiction.

Definitions

“Anonymized” means the stripping and masking of Personal Data, using obfuscation and non-reversible hashing cryptographic algorithms, such that the data in no way identifies or is connected to any person. “Anonymized” shall also mean making it impossible to identify individuals within data sets and is an irreversible process. When this anonymization is effective, the data is no longer considered as Personal Data.

“Customer(s)” means any individual or entity that legally purchases, installs, activates or subscribes to Kyriba’s products or services. Kyriba acts as a processor with respect to Personal Data collected through the technology platform, Kyriba Social, and Kyriba’s Support Portal. The Customer is the Data Controller.

“Personal Data” means any information that (i) relates to an identified or identifiable natural person. Personal Data does not include information that has been Anonymized.

“Sensitive Personal Data” means, as defined by Applicable Law, Personal Data specifying racial or ethnic origin or government Identification.

Personal Information We Collect, Use and Disclose

We generally do not collect nor seek to collect Personal Data from our Customers, but minimal Personal Data is required for the use of the SaaS Services. Where such Personal Data is collected, it is limited to information necessary to use the SaaS Services. When you use the SaaS Services, including Kyriba’s technology platform, Kyriba’s Support Portal and Kyriba Social, we use any Personal Data that you voluntarily submit through the SaaS Services in order to provide you with the ability to use the same. You may choose to submit through the SaaS Services a variety of Personal Data, including names, addresses, email addresses, phone numbers, birthdate, country of origin, financial account information, passport numbers and other government issued identification.

The SaaS Services does allow Customers to provide information via “custom fields,” so Customers may store Sensitive Personal Data within the platform. The uploading of Sensitive Personal Data Is not required for the use of the SaaS Services, but you may do so if you want to use the SaaS Services for certain purposes, including to process payments to individuals or to track financial transactions.

You represent and warrant that you will only provide information and use the SaaS Services acting in your capacity as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit or other legal entity, and that your communications and transactions with Kyriba occur solely within the context of Kyriba providing the SaaS Services to the company, partnership, sole proprietorship, nonprofit, or other legal entity that you represent.

In the event you upload any Personal Data into the SaaS Services, you as the Customer are solely responsible for the accuracy, quality, and legality of the Personal Data input into the SaaS Services. Further, you represent and warrant that you have the necessary authority, license, or consent to provide the Personal Data, and have a lawful basis that allows for Kyriba to process Personal Data submitted through the SaaS Services, Kyriba Support Portal or Kyriba Social.

Personal Data that Customers choose to post on Kyriba Social will be accessible to other Customers. When you post Personal Data, comment, vote, collaborate, upload, or share ideas or content on or through Kyriba Social, please think carefully about what you are sharing with other Customers and potentially the public. You are solely responsible for any information, including Personal Data, that you include in uploaded information, content or other ideas on Kyriba Social. You represent and warrant that any content submitted is your own content and, where you do not own the same, you have licenses to all underlying rights.

Your Choice

We disclose Personal Data to service providers only to the extent necessary for the provision of the SaaS Services.

Kyriba will offer you the opportunity to opt-out if Kyriba decides (i) to disclose Customer Personal Data to a non-agent third party, or (ii) to use such Customer Personal Data for a purpose other than the purpose for which it was originally collected or subsequently authorized by the Customer. You can exercise opt-out rights at any time by contacting us.

Onward Transfers (Transfers to Third Parties)

Kyriba will also provide notice, or obtain consent when required by applicable law, before Kyriba uses or discloses such Personal Data for a purpose other than that for which it was originally collected or discloses information to a non-agent third party, if Kyriba ever engages in such use or disclosure.

There are circumstances in which Kyriba collects Personal Data about EU, UK, or Swiss residents with whom Kyriba does not have a direct relationship because Kyriba obtained or maintains such Personal Data as vendor for its Customers. In those circumstances, you as the Customer are responsible for providing the relevant individuals with a choice as to whether their Personal Data may be (i) disclosed to and by Kyriba to certain third parties, or (ii) used for a purpose that is incompatible with the purpose for which the information originally was collected or subsequently authorized by such individual.

Kyriba may disclose Personal Data gathered from its Customers (i) if it is required to do so by law, regulation or legal process (such as a court order or subpoena), (ii) in response to requests by government agencies, such as law enforcement authorities, or (iii) when Kyriba believes disclosure is necessary or appropriate to prevent physical, financial or other harm, injury or loss or in connection with an investigation of suspected or actual illegal activity. Kyriba also reserves the right to transfer Personal Data in the event it sells or transfers all or a portion of its business or assets, or merges with another entity. Should such a sale, transfer or merger occur, Kyriba will use reasonable efforts to direct the transferee to use the Personal Data in a manner that is consistent with this Policy.

We disclose information (described herein) that we collect, in accordance with our legitimate interests and business purposes as stated in this Policy including as set forth in this section. We share information we collect with our affiliates, subsidiaries and service providers who perform activities on our behalf, such as hosting and technical support.

We do not disclose Personal Data about you to third parties for their independent use unless you expressly authorize Kyriba and direct Kyriba to do so.

Kyriba also discloses Personal Data when it is required or permitted to do so for any or all of the following reasons: (i) to comply with a subpoena, legal process, government request or any other legal obligation, (ii) to prevent, investigate, detect, or prosecute criminal offenses or attacks on the technical integrity of the technology platform or our network or systems, and/or (iii) to protect the rights, privacy, property, business, or safety of Kyriba, their partners and employees, the technology platform, or the public.

Kyriba may share Personal Data with Kyriba’s subsidiaries and affiliates to provide SaaS Services. Please also note that Kyriba may also share Personal Data with service providers we have retained to provide SaaS Services on our behalf. We require service providers to whom we disclose Personal Data and who are not subject to either the laws based on the European Union Data Protection Directive the UK General Data Protection Regulation, or the Swiss Federal Act on Data Protection, as applicable, to either (i) enter into the EU Standard Contractual Clauses, or (ii) be subject to another European Commission adequacy finding.

Access and Correction

Upon request, Kyriba will provide you with information about whether or not we hold any of your Personal Data. To the extent required by law, we provide you with (i) reasonable access to the Personal Data you provide to us, and (ii) the ability to review, correct, suspend the use of and delete such Personal Data. In some jurisdictions, you may also have the right to obtain information about the ways in which your Personal Data has been used or disclosed by us in the twelve months prior to your request. If you believe that any of the Personal Data that you have submitted through Kyriba’s technology platform is no longer accurate, or you wish to make any updates or changes, or request the suspension of the use or the deletion, you may do so by emailing us at [email protected]. Upon appropriate request we will update amend or delete your information, but we reserve the right to use any information previously obtained to verify your identity or take other actions that we believe are appropriate and lawful. In some jurisdictions, we may also have the right to charge a reasonable fee for processing your request. We will endeavor to comply with your request as soon as reasonably practicable.

We may decline to process requests that are unreasonably repetitive, require disproportionate technical effort, jeopardize the privacy of others, are impractical, or for which access is not otherwise required by local law. Please note we may need to retain certain information for record keeping purposes, and there may also be residual information that will remain within our archival databases and other records.

Security

The security of your Personal Data is important to us. We implement appropriate technical and organizational measures designed to protect the Personal Data submitted to us, both during transmission and once it is received.

Data Integrity

Kyriba takes reasonable steps designed to ensure that Customer Personal Data collected by Kyriba is (i) relevant for the purposes for which it is to be used, (ii) reliable for its intended use, and (iii) accurate, complete and current. We depend on our Customers to update or correct their Personal Data whenever necessary. Kyriba will use Personal Data only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual. Please note that in circumstances in which Kyriba maintains Personal Data about EU, UK, or Swiss residents on behalf of one of its Customers, we do not take any responsibility for the integrity of the Personal Data.

Enforcement & Oversight

Kyriba will conduct compliance audits, as needed, of its relevant privacy practices to verify adherence to this Policy. should any process or procedure be found not to be in accordance with this Policy, Kyriba will amend as needed.

When transferring data from the EU, UK, and Switzerland, Kyriba relies upon a variety of legal mechanisms, such as contracts with our customers and affiliates, Standard Contractual Clauses (including the UK addendum thereto), and the European Commission’s adequacy decisions about certain countries, as applicable.

In circumstances in which Kyriba maintains Personal Data about EU, UK or Swiss consumers with whom Kyriba does not have a direct relationship because we obtained or maintain such consumer’s Personal Data as an agent for our Customer(s), consumers are directed to submit any complaints concerning the processing of their Personal Data to the relevant Customer, in accordance with the Customer’s dispute resolution process. Kyriba will participate in this process as required and at the request of the Customer. If the issue cannot be resolved through the Customer’s internal dispute resolution mechanism, the consumer may submit the complaint to the relevant data protection authority in the EEA, UK or Switzerland.

Kyriba has established procedures for periodically verifying implementation of and compliance with the applicable data protection laws. Kyriba will investigate and attempt to resolve any complaints and disputes regarding use and disclosure of Personal Data by reference to the principles contained in this Policy.

Clients or Employees of Customers

Kyriba collects information under the direction of our Customers, and has no direct relationship with the individuals whose Personal Data we process. If you are a client or employee of one of our Customers and would no longer like to be contacted by one of our Customers that use our service, please contact the Customer that you interact with directly. We may transfer Personal Data (e.g., name, email, address, telephone, government-issued identification) to companies that help us provide our service. Transfers to subsequent third parties are covered by the service agreements with our Customers.

If you would like to gain access, seek correction, amendment or deletion of inaccurate information you should direct your query to Kyriba’s Customer (the data controller). If requested to remove data we will respond within a reasonable timeframe. We will retain the Personal Data we process on behalf of our Customers for as long as needed to provide services to our Customer. Kyriba will retain this Personal Data as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

How to Contact Us

If you have any questions or concerns about our Privacy Policy or data practices, or our compliance with applicable law please contact us by email at [email protected] or by writing to, as applicable:

Kyriba Corp.
4435 Eastgate Mall, Suite 200
San Diego, CA 92121

or

Kyriba SEMEA
247 Bureaux de la Colline
92210 Saint-Cloud CEDEX, France

Amendment

We may update this Policy to reflect changes to our information practices. If we make any material changes we will notify you by means of a notice on this website.

This Policy was last updated and posted on 4th July, 2023.

Additional Information for California Residents

Under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively “CCPA”), California residents have the right to receive certain disclosures regarding our information practices related to “Personal Information,” as defined under the CCPA. To the extent you are a resident of California, and we collect Personal Information subject to CCPA, the following applies.

What Personal Information We Collect

The following identifies the categories of Personal Information we collect (and have collected in the prior 12 months), as enumerated by the CCPA.

• Identifiers, such as your name, address, country, email address, and phone number.

• Internet or Other Electric Network Activity Information, such as device operating system, browser type, and IP address. For more information, please see our Cookie Policy available on our website.

• Financial Information, such as bank account information and financial institution name.

• Sensitive Personal Information, such as account login, passport numbers, and other government issued identification, may be provided by you to us. The uploading of any identification is not required for the use of our platform. Our processing of Sensitive Personal Information is limited to what is reasonable and proportionate to provide our SaaS Service.

For more information about the Personal Information we collect and how we use or disclose it please refer to the sections above.

How Long We Retain Personal Information

We store your Personal Information for as long as needed, or permitted, based on the reason why we obtained it (consistent with applicable law). When deciding how long to keep your Personal Information, we consider whether we are subject to any legal obligations (e.g., any laws that require us to keep records for a certain period of time before we can delete them) or whether we have taken any legal positions that require data retention (e.g., issued any legal holds or otherwise need to preserve data).

Rather than delete your Personal Information, we may also deidentify it in accordance with the CCPA, by removing identifying details. If we deidentify any Personal Information, we will not attempt to reidentify it.

Your California Privacy Rights

If you are a California resident, you may have the following rights under the CCPA with respect to your Personal Information.

• Right to Know/Access. You have the right to request (subject to certain exemptions):
  • The categories of Personal Information we collected about you;
  • The sources from which we have collected that Personal Information;
  • Our business or commercial purpose for collecting, selling, or sharing that Personal Information;
  • The categories of third parties to whom we have disclosed that Personal Information; and
  • A copy of the specific pieces of Personal Information we have collected.
• Right to Correct. You have the right to request that we correct inaccuracies in your Personal Information.
• Right to Delete. Subject to certain exceptions, you have the right to request deletion of Personal Information that we have collected from you. Please note, Kyriba is not obligated to delete Personal Information that is necessary to provide services that you request or required to comply with applicable laws.
• Right to Opt-Out. Under the CCPA, California residents may have the right to opt-out of the “sale,” or “sharing,” of Personal Information. California CCPA defines a “sale” as disclosing or making available to a third-party Personal Information in exchange for monetary or other valuable consideration, and “sharing” broadly includes disclosing or making available Personal Information to a third party for purposes of cross-context behavioral advertising. We do not disclose personal information to third parties in exchange for monetary compensation. We do not “sell” or “share” (as defined by the CCPA).
• Right to Limit Use and Disclosure. Subject to certain conditions and exceptions, you may have the right to limit the use and disclosure of “sensitive personal information,” as defined under the CPRA. However, we do not engage in activities triggering this right.
• Right to Non-Discrimination. We will not discriminate against you for exercising any of the rights described in this section.

How To Exercise Your Privacy Rights

To exercise any of these rights, California residents may submit a request call our toll free number at 844-845-7161, or email us at [email protected].

In the request, please include “California Privacy Rights Request” in the first line of the description and specify which right you are seeking to exercise. Kyriba will need to confirm your identity before fulfilling the request, so please provide us with your name, street address, city, state, and ZIP code. We may require additional information from you to help us verify your identity and process your request. If we are unable to verify your identity after a good faith attempt, we may deny the request and, if so, will explain the basis for the denial.

You may designate someone as an authorized agent to submit requests and act on your behalf. To do so, you must provide us with written permission to allow the authorized agent to act on your behalf. We may also ask you directly to verify that you have authorized your authorized agent to act on your behalf.

Additional Information and Rights for Individuals in Canada

Data Transfers to Third Parties

We may share Personal Data with third parties for processing, as described above. Those third parties may be located outside of your jurisdiction. Applicable ‎‎laws in ‎the applicable jurisdictions might permit foreign governments, courts, law enforcement or ‎‎regulatory ‎agencies to ‎access the Personal Data in those jurisdictions.‎ In these cases, Kyriba will comply with local ‎law requirements relating to the conditions for disclosure of Personal Data outside of your ‎jurisdiction.
‎
We may also disclose your Personal Data without your consent if authorized or required by law.‎

Your Data Rights

You have the following rights under Canadian laws:

• Right to Access Personal Data: Subject to applicable exceptions, you have the right to request that Kyriba provide you with (a) access to your Personal Data that Kyriba has under its control; and (b) information about the ‎ways in which that Personal Data is being ‎used and a description of ‎the individuals and organizations to ‎whom that Personal Data has been ‎disclosed‎.
• Right to Correct Personal Data: Kyriba will make reasonable efforts to ensure that your Personal Data is accurate, complete ‎‎and ‎up-to-date for the purposes for which it is to be used. In most cases, we will rely on you to ensure that ‎‎Personal Data is ‎correct, accurate and complete.‎ You can question the accuracy and completeness of your Personal Data and request in writing ‎that it ‎be ‎amended as appropriate. If you reasonably demonstrate that Personal Data is inaccurate or incomplete, we will update the Personal Data as required. If a challenge regarding the accuracy of Personal Data is not resolved to your ‎satisfaction, ‎‎we will make a note to the Personal Data that the correction was ‎requested but not ‎‎made.‎
• Right to Withdraw Consent: Applicable law may permit Kyriba to collect and Process your Personal Data without consent. To the extent that Kyriba relies on your consent to collect or Process your Personal Data, you have the right to withdraw your consent at any time. In this case, your withdrawal may have an impact on Kyriba’s ‎ability to provide the SaaS Services.‎

Questions or Complaints

Kyriba has designated Erin Doyle Toburen, Sr. Legal Counsel, and the Kyriba Privacy Office as the persons responsible for the protection of personal information matters within the Province of Quebec, who may be contacted at [email protected].

If you have any questions, please contact us at [email protected]. ‎

Additional Information and Rights for Individuals in Japan

This Section provides additional information for Japanese residents pursuant to the Act on the Protection of Personal Information (“APPI”). As used in this Section, “Personal Data” means any information relating to a living individual containing name, date of birth or other descriptions whereby a specific individual can be identified including those which can be readily collated with other information and thereby identify a specific individual and those containing an individual identification code as defined under Article 2.1 of the APPI.

You may provide us with your consent and process your Sensitive Personal Data in accordance with this Policy and the APPI.

Data Transfers Outside of Japan

Where Personal Data is transferred out of Japan to other countries and territories, Kyriba has put in place appropriate measures to ensure that such data transfers are made in accordance with the APPI.

You may request us to disclose the following:

• measures to ensure the data recipients located outside of Japan take sufficient data security measures (the “Measures”) and the details of the Measures;
• measures and frequency that we audit the data recipients’ implementation of the Measures;
• name of the recipient country and rules of the country that could hinder the implementation of the Measures; and
• other obstacles that could hinder the implementation of the Measures and measures that Kyriba has conducted to solve such obstacles, if any.

Data Transfers to Third Parties

Your Personal Data may be jointly used by the companies within the Kyriba group for the purposes stipulated in this Policy. Kyriba Japan Co., Ltd., JR Ebisu Bldg. 11F, 1-5-5 Ebisu Minami, Shibuya-ku, Tokyo 150-0022 will be responsible for management of the jointly used Personal Data.

In the case where we transfer your Personal Data to third parties other than companies within the Kyriba group and data processors such as service providers, we may request you to consent to such data transfer if required under the APPI.

Your Privacy Rights

You may have additional rights regarding your Personal Data under the APPI. These rights are described below:

• Right to access. You may access your Personal Data and record of transfer we are keeping about you, if applicable.
• Right to correct, add and delete incorrect or incomplete Personal Data. If the Personal Data we have pertaining to you are incorrect or incomplete, you are entitled to have the Personal Data corrected, added, or deleted.
• Right to erase and cease of processing. You have the right to request deletion of or cessation of processing of your Personal Data if your Personal Data has been used beyond the scope necessary to achieve the purpose for which they were collected, processed or obtained by deceit or in violation of the APPI, if our use of your Personal Data triggers illegal acts, are no longer necessary in relation to the purposes for which they were collected, compromised or otherwise processed in a manner which could harm the rights or legitimate interest of you. We may be permitted by applicable laws to retain some of your Personal Data to satisfy our business needs.
• Right to cease of transferring to third parties. You have the right to request cessation of transferring of your personal data if your Personal Data is transferred to a third party in violation of the APPI or the transfer could harm your rights or legitimate interest.

If you have any complaints regarding our processing of your Personal Data, questions on this Policy, our use of your Personal Data or our data protection measures implemented, and/or want to confirm the measures to exercise your privacy rights above, please contact us at [email protected].

Additional Information and Rights for Individuals in Mexico

This Section provides additional information for Mexico residents. Kyriba Corp., residing in San Diego, California, is the data controller (the “Data Controller”) of the processing and protection of your Personal Data, as defined by Mexican Federal Law for the Protection of Personal Data in Possession of Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares) (the “Mexican Privacy Law”).

Means to revoke consent for the processing of your Personal Data

You can revoke the consent that, where appropriate, you have given us for the processing of your Personal Data. However, it is important that you bear in mind that not in all cases we will be able to respond to your request or terminate the use immediately, since it is possible that due to some legal obligation, we will need to continue processing your Personal Data. Likewise, you should consider that, for certain purposes, the revocation of your consent will imply the termination of your relationship with us.

The Data Controller has implemented a mechanism by which you can limit the use or disclosure of your Personal Data or revoke your consent for the processing of the same, by requesting via email to [email protected].

ARCO Rights

You have the right to: (i) access your Personal Data; (ii) rectify them, if t\hey are inaccurate or incomplete; (iii) cancel them; and (iv) oppose the use of the same for specific purposes (together, the “ARCO Rights”).

In case you wish to exercise any of the ARCO Rights, please send an email to [email protected], which must contain, at least, the following information:

1. Full name and email or address, to communicate the response to your request.
2. The documents that prove your identity, or where appropriate, that of your legal representative.
3. A clear description of the Personal Data with respect to which you seek to exercise any of the ARCO Rights.
4. Any other element or document that facilitates the location of the Personal Data.
   If required, the Data Controller may request additional information.
   The response to your request will be communicated to you within 20 (twenty) business days and, if it is appropriate, it will be implemented within a maximum period of 15 (fifteen) business days.

Disagreement or Complaint to the INAI

If you consider that your right to the protection of Personal Data has been harmed by any conduct or omission on the part of the Data Controller, or you presume any violation of the provisions provided in the Law, its Regulations and other applicable regulations, you may file your disagreement or Complaint before the National Institute of Transparency, Access to Information and Protection of Personal Data (INAI). For more information, we suggest you visit its official website: www.inai.org.mx.

Additional Information and Rights of Individuals in Singapore

You may have the following rights under Singapore’s laws:

• Right to Access Personal Data. Subject to applicable exceptions, you have the right to request that we provide you with (a) Personal Data about you that is in our possession or under our control; and (b) information about the ways in which such Personal Data has or may have been used or disclosed by us within a year before the date of the request.
• Right to Correct Personal Data. Subject to applicable exceptions, you have the right to request that we correct an error or omission in Personal Data about you that is in our possession or under our control.

• Right to Withdraw Consent. Where you have provided your consent to the collection, use, disclosure and/or Processing of your personal information, you may have the legal right to withdraw your consent under certain circumstances. To withdraw your consent, contact the Kyriba Privacy Office via email at: [email protected]. Depending on the type of consent withdrawn, we may not be in a position to continue providing our SaaS Services.

If you would like to exercise your rights as set out above, contact the Kyriba Privacy Office via email at: [email protected].