QuickBooks Time and Payroll Services Data Processing Agreement

This Version is Effective September 14, 2023

This Data Processing Agreement (“DPA”) forms part of the agreement between Intuit and customer (“Customer”) for the purchase of QuickBooks Time (“QB Time”) Services and QuickBooks Payroll (the “Payroll Services”) (together with the QB Time Services, the “Services”) and related technical support to Customer (as amended from time to time) (the “Agreement”). This DPA reflects the parties’ agreement with respect to the terms governing Intuit’s processing and security of Customer Data. For any other data from or about Customer or its users, Intuit shall be a controller, and this DPA shall not apply.

How this DPA applies.

●  If (i) the Customer entity that is agreeing to this DPA is a party to the Agreement between Customer and Intuit, (ii) Intuit is acting as a Processor of Customer Data for Customer (except for those limited circumstances in which this DPA expressly applies to Intuit’s processing as a controller), and (iii) the Customer Data is of a type that is subject to an Applicable Data Protection Law, then this DPA applies and is an addendum to and forms part of the Agreement.

●  If the Customer entity agreeing to this DPA is not a party to the Agreement between Intuit and Customer, this DPA is not legally binding or valid.

●  This DPA shall not replace any additional or comparable rights relating to the processing of Customer Data in the Agreement.

●  In the event of any discrepancies between the terms of this DPA and the Agreement with respect to the processing of Customer Data, this DPA shall control.

1. Definitions and interpretation

 1.1. Definitions: In this DPA, the following terms shall have the following meanings:

“controller”, “processor”, “data subject”, “personal data (also referred to as Personal Information in the Agreement)” and “processing” (and “process”) shall have the meanings given in Applicable Data Protection Law.

“Applicable Data Protection Law” means all data protection and privacy laws applicable to the Processing of Personal Data and employee monitoring laws, including, where applicable and without limitation, European Union and United Kingdom data protection laws, the California Consumer Privacy Act of 2018, as amended (including the California Privacy Rights Act of 2020) (the “CCPA”), vehicle and device location tracking laws, wiretap laws or other laws relating to the monitoring of communications, employee electronic monitoring laws, and the data protection and privacy laws of Australia, the Electronic Communications Privacy Act of 1986; in each case as may be amended, repealed, replaced, or superseded from time to time.

“Account Data” means the Personal Data collected in connection with account-related data provided by you to Intuit during the purchase, sign up, billing, or support of your account, or any other data generated by you during your use of the Services. Account Data includes, without limitation, contact information for Administrators, product feedback and surveys, information collected in connection with our events, training sessions, webinars, sales and marketing purposes, and de-identified technical data used for support and product maintenance.

“Customer” means the customer entity that entered into the Agreement with Intuit for QB Time Service and/or the Payroll Services.

“Customer Data” means the Personal Data (also referred to as Personal Information in the Agreement) contained in: i) any data you upload or input into the Service, ii) data generated or collected in the course of your configuration or use of the Service, and iii) Usage Data. Customer Data does not include Business Relationship Data.

“Intuit” means Intuit, Ltd. or any other entity that directly or indirectly controls, is controlled by, or is under common control with Intuit, Ltd.

“Security Incident” means “Personal Data Breach” as defined under the GDPR.

“Standard Contractual Clauses” means the standard contractual clauses between controllers and processors adopted by the European Commission in its Implementing Decision (EU) 2021/91 of 4 June 2021.

“Subprocessor” means any third-party Processors engaged directly by Intuit to assist with Intuit’s processing of Customer Data.

"UK Addendum" means the International Data Transfer Addendum issued by Information Commissioner’s Office under S.119(A) of the UK Data Protection Act 2018, as updated or amended from time to time.

“Usage Data” means any data collected related to the end-user’s interaction with the Services.

 1.2. Capitalized terms used but not defined in this DPA shall have the meanings given in the Agreement.

2. Data Protection 

2.1. Relationship of the parties: Customer (in its role as controller) appoints Intuit as a processor to process the Customer Data when Intuit is acting directly on Customer’s behalf. Intuit shall be the controller of Account Data and Customer Data when Intuit uses the Personal Information for Intuit’s own purposes, including for improvements in its products and presenting opportunities with Intuit to end users. When acting as a controller, Account Data and Customer Data will be handled in accordance with our Global Data Privacy Statement: https://www.intuit.com/privacy/statement/. Each party shall comply with the obligations that apply to it under Applicable Data Protection Law. 

2.2. Purpose limitation: When acting as processor, Intuit shall process the Customer Data as a processor only as necessary to perform its obligations under the Agreement and strictly in accordance with the documented instructions of Customer (the “Permitted Purpose”), except where otherwise required by any Applicable Data Protection Law applicable to Customer. When acting as controller, e.g., for product improvement or to market offers to employee end-users of the Services, Intuit will individually determine the purpose and means of processing Customer Data and Account Data.

2.3. International transfers: Intuit shall not transfer the QB Time Customer Data (nor allow the Customer Data to be transferred) outside of the European Economic Area (“EEA”) unless (a) it has first obtained Customer’s prior written consent; or (b) either (i) such transfer of Customer Data is to a jurisdiction that is recognized as an adequate jurisdiction (as defined by the European Commission) outside of the EEA; or (ii) if Intuit desires to transfer (or allow to be transferred) the Customer Data to a non-adequate jurisdiction outside of the European Economic Area or United Kingdom, the parties hereby enter into and execute the Standard Contractual Clauses as described in Attachment 1 hereto, by deeming that the Standard Contractual Clauses are incorporated into this DPA. If there is a conflict or inconsistency between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail. For clarity, no Payroll Services Customer Data will be transferred out of the United States.

2.4. Confidentiality of processing: Intuit shall ensure that any person that it authorizes to process the Customer Data (including Intuit’s staff, agents and subcontractors) (an “Authorized Person”) shall be subject to a strict duty of confidentiality (whether a duty under internal policy, contractual duty or a statutory duty), and shall not permit any person to process the Customer Data who is not under such a duty of confidentiality. Intuit shall ensure that all Authorized Persons process the Customer Data only as necessary for the Permitted Purpose.

2.5. Security: Intuit shall implement appropriate technical and organizational measures to protect the Customer Data from a Security Incident. Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. 

For more information about our technical and organizational measures to protect the Data from a Security Incident please see: https://security.intuit.com/

2.6. Subprocessing: Customer consents to Intuit engaging third-party subprocessors to process the Customer Data provided that:

Intuit provides notice of the addition or removal of any subprocessor (including details of the processing it performs or will perform), which may be given by posting details of such addition or removal which can be found in your QB Time account under “Profile”.

Intuit imposes data protection terms on any subprocessor it appoints that are consistent with the terms of this DPA; and

Intuit remains fully liable for any breach of this Clause that is caused by an act, error or omission of its subprocessor that is acting on our behalf under this DPA. Intuit shall maintain and provide updated copies of this list which can be found in your QB Time account under “My Profile”. 

If Customer refuses to consent to Intuit’s appointment of a third-party subprocessor relating to the protection of the Customer Data, Customer may elect to suspend or terminate the Agreement, including this DPA, subject to all fees and payment due for services rendered.

2.7. Cooperation and data subjects’ rights:

2.7.1. During the Term, Intuit shall, in a manner consistent with the functionality of the Services and taking into account the nature of the processing, provide reasonable assistance to enable Customer to respond to: (a) any request from a data subject to exercise any of its rights under Applicable Data Protection Law, such as the GDPR (including its rights of access, deletion, restriction, correction, objection, erasure and data portability, as applicable); and (b) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data as required under Applicable Data Protection Law.

2.7.2. If Intuit receives any requests from a data subject related to Customer Personal Data (acting as a processor), Intuit shall advise the data subject to provide such request directly to the Customer and Customer shall be responsible for responding to such request. Intuit shall provide commercially reasonable assistance as Customer may reasonably request to help Customer fulfill its obligations under Data Protection Laws to respond to data subject requests. 

2.8. Data Protection Impact Assessment and Consultation with Supervisory Authorities: Upon Customer’s written request and to the extent that Customer does not otherwise have access to the relevant information and the information is reasonably available to Intuit, Intuit shall provide Customer with reasonable assistance (at Customer’s cost) needed to fulfill the Customer’s obligations under the GDPR to carry out a data protection impact assessment related to Customer’s use of the Service. To the extent necessary, Intuit shall provide reasonable assistance to the Customer in the consultation with its relevant data protection authority.

2.9. Security incidents:

2.9.1. If Intuit becomes aware of an actual Security Incident that involves Customer Data that Intuit is acting as a Processor of on Customer’s behalf, Intuit will: (a) notify Customer of the Security Incident without undue delay; (b) take appropriate steps to identify the cause of the Security Incident and minimize harm and secure the Customer Data, to the extent remediation is within Intuit’s reasonable control; and (c) provide Customer with information, subject to our privacy and data security policies, confidentiality and legal requirements, as may be reasonably necessary to assist Customer with its notification and reporting responsibilities. Intuit will not assess the contents of the Customer Data to identify any specific reporting or other legal obligations that are applicable to the Customer. Any and all regulatory and/or data subject reporting obligations related to the Security Incident are the responsibility of the Customer. Each party shall comply with applicable law with respect to any Security Incident involving Personal Information that the party processes as a Controller.

2.9.2. Intuit’s notification of or response to a Security Incident under this DPA will not be construed as an acknowledgement by Intuit of any liability or fault with respect to the Security Incident.

2.9.3. Notification(s) of any Security Incident(s) by Intuit shall be delivered to the notification email or address provided in the Agreement or, at Intuit’s discretion, by phone or in-person meeting. Customer is solely responsible for ensuring that the notification contact details (e.g., phone and email) are valid and accurate.

2.9.4. If Intuit becomes aware of an actual Security Incident that involves Customer Data for which Intuit is acting as Controller, Intuit will follow requirements set forth in the Applicable Data Protection Laws.

2.10. Deletion or return of Data: At Customer’s election, Intuit shall return or destroy all Customer Data in its possession or control (including in the possession of any Subprocessor) in accordance with Intuit’s data retention and destruction procedures and timeframes unless otherwise agreed with Customer. This requirement shall not apply: (a) to the extent that Intuit is required by any Applicable Data Protection Law to retain some or all of the Data, in which event Intuit shall isolate and protect Customer Data from any further processing except to the extent required by such law; or (b) to any data stored on back-ups; such data will be destroyed in accordance with our standard destruction policies for back-up data due to the cost and technical difficulty of deleting back-ups.

2.11. Audit: Intuit shall respond to any written audit questions related to Intuit’s security practices that are submitted to it by Customer, provided that Customer shall not exercise this right more than once per year.

2.12. Biometric Data. Certain parts of the Service may make use of biometric personal information (“Biometric Data”), such as facial recognition technology on photographs collected through the Service. Biometric Data can be subject to additional laws and regulations. Accordingly, in connection with the collection, retention, and use of Biometric Data, you agree that:

2.12.1. You are the Controller of any Biometric Data collected through the Service and we act only as a Processor with respect to any Biometric Data. You agree to provide appropriate notice and obtain all consents and rights necessary for us to Process the Biometric Data on your behalf. You recognize and agree that there are various laws that specifically govern the collection, use, and retention of Biometric Data, and understand that it is your responsibility to comply with all applicable laws. From time to time, we may provide reasonable assistance to you with certain obligations, when applicable, such as assisting you in responding to data subject requests and in providing relevant consent and disclosure language. Concerning assistance with consent and disclosure language, you agree that any such assistance does not constitute legal advice, is for informational purposes only, and that it is your ultimate responsibility to ensure compliance with all applicable law.

2.12.2. You agree to adopt a retention and destruction schedule applicable to Biometric Data and will make such schedule available to users of the Service.

2.12.3. You will use Biometric Data through the Service for identity verification and authentication purposes only. Any other use shall constitute a breach of this Agreement.

2.12.4. You will inform us if you wish to delete or otherwise change or remove any user’s Biometric Data from the Service, whether because the purpose for collection has been satisfied or for any other reason. You agree it is your responsibility to determine when any user’s Biometric Information is no longer required and/or may not be retained under Applicable Data Protection Law and to notify us accordingly.


3.1. As used in this Section, the terms “Sell,” “Share,” “Business Purpose,” and “Commercial Purpose” shall have the meanings given in the CCPA. Intuit will not: (a) Sell or Share any Personal Information; (b) retain, use, or disclose any Personal Information (i) for any purpose other than for the Business Purposes specified in the Agreement, namely employee and benefits management, including for any other Commercial Purpose, or (ii) outside of the parties’ direct business relationship; or (c) combine Personal Information received from, or on behalf of, Customer with Personal Information received from or on behalf of any third party, or collected from Intuit’s own interaction with data subjects, except for any uses permitted for “service providers” under the CCPA.

3.2. The parties acknowledge that the Personal Information disclosed by Customer to Intuit, in Intuit’s role as a Processor, is provided to Intuit only for the limited and specified purposes set forth in the Agreement. Intuit will comply with applicable obligations under the CCPA and provide the same level of privacy protection to the Personal Information as is required by the CCPA. Customer has the right to take reasonable and appropriate steps, as agreed upon by the parties, to help ensure that Intuit uses the Personal Information transferred in a manner consistent with Customer’s obligations under the CCPA.  

3.3. Notification. Either party will notify the other party if it makes a determination that the party can no longer meet its obligations under the CCPA. If Intuit notifies Customer of unauthorized use of Personal Information, including under the foregoing sentence, Customer will have the right to take reasonable and appropriate steps, as mutually agreed upon by the parties, to stop and remediate such unauthorized use. 

4. Miscellaneous

4.1. This version of the DPA will go into effect on September 14, 2023.

4.2. This DPA, including the terms of the underlying Agreement, is the entire agreement between you and Intuit and replaces all prior understandings, communications and agreements, oral or written, regarding its subject matter. If any court of law, having jurisdiction, rules that any part of this DPA is invalid, that section will be removed without affecting the remainder of the DPA. The remaining terms will be valid and enforceable.


  1. Application of Modules. If Intuit is acting as a controller with respect to Personal Information, “Module One: Transfer controller to controller” of the Standard Contractual Clauses shall apply. If Intuit is acting as a Processor with respect to Personal Information, “Module Two: Transfer controller to processor” of the Standard Contractual Clauses shall apply. 
  2. Sections I-V. The parties agree to the following selections in Sections I-IV of the Standard Contractual Clauses: (a) the parties select Option 2 in Clause 9(a) and the specified time period shall be the notification time period set forth in the DPA; (b) the optional language in Clause 11(a) is omitted; (c) the parties select Option 1 in Clause 17 and the governing law of the Republic of Ireland will apply; and (d) in Clause 18(b), the parties select the courts of the Republic of Ireland.
  3. Annexes. The name, address, contact details, activities relevant to the transfer, and role of the parties set forth in the Agreement and the DPA shall be used to complete Annex I.A. of the Standard Contractual Clauses. The information set forth in the DPA shall be used to complete Annex I.B. of the Standard Contractual Clauses. The competent supervisory authority in Annex I.C. of the Standard Contractual Clauses shall be the Irish Data Protection Commissioner. The technical and organizational measures in Annex II of the Standard Contractual Clauses shall be the measures set forth in the DPA.