This Data Processing Agreement (“DPA”) is an agreement between you and the entity you represent (“Reseller” or “you”), on the one hand, and CyberSource Corporation and/or any other applicable affiliated CyberSource contracting entity(ies) (“CyberSource”), on the other hand. It forms part of any written or electronic agreement between you and CyberSource under which CyberSource Processes Personal Information on behalf of Reseller’s customers (each, an “Agreement”), except with respect to any Agreement under which you and CyberSource have entered data processing terms that address the subject matter hereof.

1    Processing of Customer Personal Information

1.1      Processor designation. The parties acknowledge and agree that CyberSource will Process Personal Information of Reseller customers to provide the Transaction Services, which Processing may include, by way of example and for illustrative purposes, the Processing detailed on Details of Processing Customer Personal Information (Exhibit 1). For the purposes of the Applicable Data Protection Laws and the provisions of this Agreement, the Reseller’s customers shall be considered as controllers (or equivalent term pursuant to Applicable Data Protection Laws), Reseller shall be considered a data processor, and CyberSource (as the “Sub-Processor” herein) shall be considered a sub-processor engaged by Reseller to carry out specific processing activities for Reseller’s customers.

1.2      Authorization to Process. Reseller instructs Sub-Processor to Process Customer Personal Information to provide such Transaction Services, and Sub-Processor is authorized to Process Customer Personal Information solely in connection with the following activities:

1.2.1      In accordance with the applicable Agreement(s), including, without limitation, any exhibits, schedules, and applicable price schedule(s), to provide the Transaction Services, and any Processing required under applicable law or regulations;

1.2.2      Based on the instructions of Reseller and in its use of the Transaction Services, Sub-Processor transfers Personal Information to acquiring banks, issuing banks, payment processors providing services on behalf of acquiring banks, credit/debit card companies, or service providers performing payer authentication services used by Reseller’s customers, such as Verified by Visa and Mastercard Identity Check (ID Check); and

1.2.3      As reasonably necessary to enable Sub-Processor to comply with any other directions or instructions provided by Reseller on behalf of Reseller’s customers.

1.3    Controller designation. The parties acknowledge and agree that CyberSource will Process Customer Personal Information in the context of the Fraud Services as detailed in the table appended to this DPA at paragraph 2, Exhibit 1. In respect of the Processing of such Customer Personal Information for the purpose of the Fraud Services, both Reseller’s customers and CyberSource shall act as controllers.

2          Compliance with Law. Reseller shall, in its use of the Transaction Services, Process Customer Personal Information in accordance with the requirements of Applicable Data Protection Laws. Sub-Processor shall, in its provision of the Transaction Services, Process Customer Personal Information of Reseller’s customers in accordance with the requirements of Applicable Data Protection Laws.

3          Reseller obligations. With respect to the Processing of Customer Personal Information by Sub-Processor under this Schedule and Agreement, Reseller shall ensure that its customers shall:

3.1      provide its End-User(s) with all privacy notices, information and any necessary choices under Applicable Data Protection Laws with respect to the use of Customer Personal Information in connection with the Transaction Services as set out in the Agreement and this DPA, including providing information to End-Users for fair, lawful and transparent Processing of Customer Personal Information when required and shall obtain any necessary consents to enable the parties to comply with Applicable Data Protection Law;

3.2      promptly inform Sub-Processor when Customer Personal Information must be corrected, updated, and/or deleted, where required by Applicable Data Protection Law; and

3.3      ensure that at the point of transferring Customer Personal Information to Sub-Processor, the Customer Personal Information is adequate, relevant and limited to what is necessary in relation to the Processing envisaged under the Agreement and this DPA.

3.4      Reseller shall comply (and ensure that its third party auditors comply) with Sub-Processor’s relevant security policies and appropriate confidentiality obligations as set out in the Agreement.

4    CyberSource obligations

4.1      Applicable Data Protection Law. To the extent necessary to enable Reseller’s customers to comply with their obligations under Applicable Data Protection Law, Sub-Processor further agrees to comply with any required provisions of the GDPR Schedule (other than when acting in accordance with Section 1.2 (Authorization to Process) of this DPA) and/or CCPA Schedule, each, to the extent applicable.

4.2      Data Subject Rights. Sub-Processor will, to the extent legally permitted, provide reasonable assistance to Reseller to respond to requests from End-Users to exercise their rights under Applicable Data Protection Law with respect to Customer Personal Information (e.g., rights to access or delete Customer Personal Information) in a manner that is consistent with the nature and functionality of the Transaction Services. Where Sub-Processor receives any such request, it shall notify Reseller without undue delay and Reseller shall ensure that its customers are responsible for handling such requests by an End User in accordance with Applicable Data Protection Law.

4.3      Engaging with Sub-Processors. Sub-Processor shall ensure that when engaging with another data processor including any Affiliates (a “Sub-Sub-Processor”) for the purposes of carrying out specific Processing activities related to Reseller’s customers, there is a written contract in place between Sub-Processor and the relevant Sub-Sub-Processor. Such written contracts, to the extent applicable to the nature of the Transaction Services provided by the relevant Sub-Sub-Processor, will provide at least the same level of protection for Customer Personal Information as set out in this DPA.

4.4      Staff. Sub-Processor shall ensure that persons authorized to Process Customer Personal Information have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.5      Security of Processing. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Sub-Processor shall implement technical and organizational measures to ensure a level of security appropriate to that risk. In assessing the appropriate level of security, Sub-Processor shall, in particular, take into account the risks that are presented by the Processing, in particular from unauthorized or unlawful Processing, accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Information transmitted, stored or otherwise Processed. Sub-Processor shall provide reasonable assistance to Reseller in ensuring Reseller meets its own compliance obligations with respect to these same security measures.

4.6   Security Breach

4.6.1      In the event of an actual Security Breach (defined below) affecting Customer Personal Information contained in Sub-Processor’s systems, Sub-Processor shall (i) investigate the circumstances, extent and causes of the Security Breach and report the results to Reseller and continue to keep Reseller informed on a regular basis of the progress of Sub-Processor’s investigation until the issue has been effectively resolved; and (ii) cooperate with Reseller in any legally required notification by Reseller’s customers of affected End-Users.

4.6.2      Sub-Processor shall notify Reseller without undue delay upon Sub-Processor or any Sub-Sub-Processor becoming aware of an actual Security Breach affecting Customer Personal Information, providing Reseller with sufficient information and reasonable assistance to allow Reseller’s customers to meet their obligations under Applicable Data Protection Law to (i) notify a Supervisory Authority (as defined under Applicable Data Protection Law) of the Security Breach; and (ii) communicate the Security Breach to the relevant Data Subjects.

4.6.3      Notice to Reseller in accordance with Section 4.6.2 of this Agreement shall be made by sending an email and/or text message to the email address and/or mobile phone number registered by Reseller in the Enterprise Business Center.

4.6.4      Except as required by applicable law or regulation, the notifying party will not make (or permit any third party to make) any statement concerning the Security Breach that directly or indirectly references the other party, unless the other party provides its explicit written authorization.

4.6.5      To the extent that a Security Breach was caused by Reseller, Reseller’s customers or End Users, Reseller shall be responsible for the costs arising from the Sub-Processor’s provision of assistance under this clause 4.6.

4.7      Deletion and Retention. Sub-Processor shall, at the choice of Reseller, delete or return all Customer Personal Information upon termination of the Agreement and delete existing copies unless storage is required by applicable law.

5      Miscellaneous. The terms of this DPA shall apply only to the extent required by Applicable Data Protection Law. To the extent not inconsistent herewith, the applicable provisions of the Agreement(s) (including without limitation, indemnifications, limitations of liability, enforcement, and interpretation) shall apply to this DPA. In the event of any conflict between this DPA and the terms of an applicable Agreement, the terms of this DPA shall control solely with respect to data processing terms where required by Applicable Data Protection Law, and, in all other respects, the terms of the applicable Agreement shall control. Notwithstanding any term or condition of the DPA, the DPA does not apply to any data or information that does not relate to one or more identifiable individuals, that has been aggregated or de-identified in accordance with Applicable Data Protection Law, or to the extent that Sub-Processor and Reseller have entered separate data processing terms that address the subject matter hereof.

6      Definitions. Unless otherwise defined in the Agreement (including this DPA), all terms in this DPA shall have the definitions given to them in Applicable Data Protection Law.

6.1      “Applicable Data Protection Law” means any law or regulation pertaining to data protection, privacy, and/or the Processing of Personal Information, to the extent applicable in respect of a party’s obligations under the Agreement and this DPA. For illustrative purposes only, Applicable Data Protection Laws include, without limitation, and to the extent applicable, the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”), the UK Data Protection Act 2018, the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. (“CCPA”), and any associated regulations or any other legislation or regulations that transpose or supersede the above;

6.2      “Customer Personal Information” means Personal Information originating from the Reseller’s customers or their End-Users and provided to or accessed by CyberSource pursuant to the Agreement;

6.3      “End-User(s)” means any person that purchases goods or services of Reseller’s customers, whose information is submitted by Reseller’s customers to CyberSource during the course of Reseller’s customers using the Transaction Services hereunder;

6.4      “Fraud Services” means CyberSource’s provision of its fraud prevention and risk management tool(s) as described in the table appended to this DPA at paragraph 2, Exhibit 1;

6.5      “Personal Information” means all data or information, in any form or format, that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer (“Data Subject”) or household or that is regulated as “personal data,” “personal information,” or otherwise under Applicable Data Protection Law. For the avoidance of doubt, this includes any information relating to an End-User as defined in the Agreement;

6.6      “Process” or “Processed” or “Processing” means any operation or set of operations which is performed upon Personal Information, whether or not by automatic means, such as access, collection, recording, organization, storage, adaptation or alteration, retrieval, disclosure or otherwise making available, duplication, transmission, combination, blocking, redaction, erasure or destruction; and

6.7      “Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information. A Security Breach includes a “personal data breach” (as defined in the GDPR), a “breach of security of a system” or similar term (as defined in any other applicable privacy laws) as well as any other event that compromises the security, confidentiality or integrity of Personal Information.

SCHEDULE A

CALIFORNIA CONSUMER PRIVACY ACT

This CCPA Schedule applies in addition to any terms set forth in the body of the DPA (and is incorporated therein) when the CCPA applies to Reseller’s use of Transaction Services on behalf of its customers. Capitalized terms not defined herein have the meaning assigned to them under the DPA. To the extent there are any conflicts between this CCPA Schedule and the DPA, this CCPA Schedule shall prevail.

1      CyberSource shall not:

1.1      sell Customer Personal Information; or

1.2      retain, use or disclose Customer Personal Information other than as set forth in the body of the DPA, except as required or permitted by Applicable Data Protection Law.

2      When providing or making available Personal Information to CyberSource, Reseller shall ensure that its customers shall only disclose or transmit that Personal Information which is necessary for CyberSource to perform its obligations under the applicable Agreement(s).

3      To the extent required by Applicable Data Protection Law, this CCPA Schedule constitutes its certification to the Processing restrictions herein.

SCHEDULE B

GENERAL DATA PROTECTION REGULATION

This GDPR Schedule applies in addition to any terms set forth in the body of the DPA (and is incorporated therein) when the GDPR applies to Reseller’s customers’ use of Transaction Services. Capitalized terms not defined herein have the meaning assigned to them under the DPA. To the extent there are any conflicts between this GDPR Schedule and the DPA, this GDPR Schedule shall prevail.

1   Sub-Processor Obligations

1.1    Processing of Customer Personal Information. Sub-Processor shall Process Customer Personal Information only on documented reasonable instructions from Reseller (including instructions with respect to transfers of Customer Personal Information to a third country, if applicable) unless required to do so by Applicable Data Protection Law. In such circumstances, Sub-Processor shall inform Reseller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. Sub-Processor shall immediately inform Reseller if, in Sub-Processor’s opinion, Reseller’s instructions would be in breach of Applicable Data Protection Law. Reseller agrees that Sub-Processor shall be under no obligation to take actions designed to form any such opinion.

1.2   Use of Sub-Sub-Processor

1.2.1      Sub-Processor shall not engage any Sub-Sub-Processor without the specific or general written authorization from Reseller.

1.2.2      In the case of a general authorization, Sub-Processor shall inform Reseller of any intended changes concerning the addition or replacement of other Sub-Sub-Processors to give Reseller the reasonable opportunity to object to such changes. In the event Reseller objects to Sub-Processor’s change or addition of Sub-Sub-Processor, Reseller shall promptly notify Sub-Processor of its objections in writing within 10 business days after receipt of Sub-Processor’s notice of such change or addition.

1.2.3      Sub-Processor may, at its option, undertake reasonable efforts to make available to Reseller a change in the Transaction Services or recommend a commercially reasonable change to Reseller’s configuration or use of the Transaction Services to avoid Processing of Customer Personal Information by the objected-to new Sub-Sub-Processor. If Sub-Processor is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Reseller may terminate the Agreement with respect to only those aspects of the Transaction Services which cannot be provided by Sub-Processor without the use of the objected-to new Sub-Sub-Processor by providing written notice to Sub-Processor. If the Transaction Services as a whole cannot be performed without the objected-to new Sub-Sub-Processor, Reseller may terminate the entire Agreement.

1.2.4      Sub-Processor agrees not to impose a penalty for any termination under Section 1.2.3 of this GDPR Schedule on Reseller. Sub-Processor reserves the right to maintain its Sub-Sub-Processor list through means such as publication of its Sub-Sub-Processor list online. In accordance with Section 1.2.1 of this GDPR Schedule, Reseller provides authorization for Sub-Processor to engage with the Sub-Sub-Processors listed on the EBC, or upon Reseller’s request.

2    Data Protection Impact Assessments and Prior Consultation with Regulator

2.1      Sub-Processor shall provide reasonable assistance to Reseller with any legally required (a) data protection impact assessments; and (b) prior consultations initiated by Reseller with its regulator in connection with such data protection impact assessments. Such assistance shall be strictly limited to the Processing of Customer Personal Information by Sub-Processor on behalf of Reseller’s customers under the Agreement taking into account the nature of the Processing and information available to Sub-Processor.

3      Demonstrating Compliance with this DPA

3.1      Sub-Processor shall make available to Reseller all information necessary to demonstrate compliance with its obligations under this DPA and allow for (and contribute to) audits, including inspections conducted by Reseller or another auditor under the instruction of the Reseller for the same purposes of demonstrating compliance with obligations set out in this DPA.

3.2      Reseller’s right under Section 3.1 of this GDPR Schedule is subject to the following:

3.2.1      if Sub-Processor can demonstrate compliance with its obligations set out in this DPA by adhering to an approved code of conduct, by obtaining an approved certification or by providing Reseller with an audit report issued by an independent third party auditor (provided that Customer will comply with appropriate confidentiality obligations as set out in the Agreement and shall not use such audit report for any other purpose), Reseller agrees that it will not conduct an audit or inspection under Section 3.1 above;

3.2.2      in acknowledgement of the time, expense and disruption to business associated with performing audits and inspections involving interviews and onsite visits, Reseller agrees to only conduct such audits and inspections on condition that Reseller can demonstrate such audit or inspection is necessary beyond the information made available by Sub-Processor under Section 3.1 above. Such audits and inspections shall be at reasonable intervals (but not more than once per year) upon not less than 60 days' notice and at a date mutually agreed by the Parties, provided that the audit will (i) not disrupt Sub-Processor's business; (ii) be conducted during business hours and at the Reseller’s expense; (iii) not interfere with the interests of Sub-Processor’s other customers; and (iv) not exceed a period of two successive business days.

3.3      With regard to Section 3.1 of the GDPR Schedule, Sub-Processor shall immediately inform Reseller if, in Sub-Processor’s opinion, Reseller’s instructions would be in breach of Applicable Data Protection Law. Reseller agrees that Sub-Processor shall be under no obligation to take actions designed to form any such opinion.

4    Cross-Border Transfers

4.1      Sub-Processor shall comply with Reseller’s documented instructions concerning the transfer of Customer Personal Information to a third country.

4.2      The Sub-Processor shall only transfer any Customer Personal Information outside the European Economic Area (“EEA”), the UK or Switzerland in compliance with the Applicable Data Protection Law.

4.3      Reseller agrees and acknowledges that Sub-Processor transfers and stores certain Customer Personal Information (relating to individuals located in the EEA) in the United States.

4.4      Reseller agrees:

4.4.1  To enter into Standard Contractual Clauses (as set out in Commission Decision C(2010)593 dated 5 February 2010 made under Directive 95/46/EC of the European Parliament and of the Council as amended or superseded from time to time) (the “C2P Standard Contractual Clauses”) with its customers to legitimize any transfer of Customer Personal Information outside of the European Economic Area from Reseller’s customers to Sub-Processor and any of its affiliated entities in the United States or other third countries. CyberSource will comply with the same obligations that are imposed on Reseller under the Standard Contractual Clauses to the extent that such obligations are applicable to CyberSource acting as a Sub-Processor.

4.4.2  Solely when CyberSource is acting as a controller for the purposes of the Fraud Services, to procure that Reseller’s customers enter into controller to controller Standard Contractual Clauses (adopted by Commission Decision 2004/915/EC dated 27 December 2004 made under Directive 95/46/EC of the European Parliament and of the Council as amended or superseded from time to time) (the “C2C Standard Contractual Clauses”) with CyberSource to legitimize any transfer of Customer Personal Information outside of the European Economic Area from Reseller’s customers to CyberSource and any of its affiliated entities in the United States or other third countries.

4.5    Reseller shall ensure that it obtains written agreement from its customers on the data transfer terms set out in Sections 4.3 and 4.4 above.

5       Fraud Services

5.1    In relation to the Fraud Services, the parties shall, without undue delay, notify each other of any:

5.1.1  Data Subject Rights requests made by a Data Subject; and

5.1.2  correspondence from a Supervisory Authority where and to the extent permitted by law.

5.2    Reseller shall ensure that its contracts with Reseller’s customers acknowledge that in relation to the Fraud Services:

5.2.1  Reseller’s customer shall be the designated point of contact for the Data Subject with respect to Data Subject Rights requests;

5.2.2  Reseller’s customer shall notify Reseller without undue delay of any:

a)  Data Subject Rights request made by a Data Subject;

b)  Correspondence from a Supervisory Authority, where and to the extent permitted by law.

5.3    CyberSource shall reasonably cooperate with and assist Reseller’s customers in the execution and fulfilment of its obligations under Applicable Data Protection Laws in relation to Data Subject Rights requests related to the Fraud Services.

EXHIBIT 1

DETAILS OF PROCESSING CUSTOMER PERSONAL INFORMATION

1. Details of Processing of Customer Personal Information in respect of the Services

The table below includes certain details of the Processing of Customer Personal Information in respect of the Services as required by Article 28(3) GDPR. Each of the service descriptions below applies to the extent that Reseller uses such service under the Agreement.

Service: Payment gateway service
  Nature and purpose of the processing: Gateway services for bank transfers, direct debits, credit/debit card authorisation, settlement, authentication and credit, including processing, provision of customer support.
  Types of personal information: Cardholder and banking information, including, without limitation, card numbers, bank account numbers, name, address, phone number, e-mail address. Further detail is included in the applicable Services Documentation.
  Categories of data subjects to whom the personal information relates: End-Users as defined under the Agreement (including credit card holders, bank transfer users, direct debit users, all end users whose cardholder or bank account data is submitted to Processor for processing).

Service: Tokenization
  Nature and purpose of the processing: Tokenization is a Data Security technology which helps customers facilitate a safe transfer and storage of sensitive information. CyberSource Tokenization service replaces sensitive payment data with a unique identifier or token. This simplifies customer operations and removes sensitive data from their environment. The actual payment data is securely stored in Visa data centers within the customer’s token vault.
  Types of personal information: If the Customer enrolls for the Tokenization service, they can choose which Customer data to store. CyberSource can support data such as account numbers, name, billing address, shipping address, phone number, e-mail address, etc. Further detail is included in the applicable Services Documentation.

Service: Authentication service
  Nature and purpose of the processing: Personal Information is used to mitigate fraud on the Customer’s and Consumers’ behalf, based on the instructions of the Customer. Processor transfers (on the instructions of the Controller) Customer Personal Information to acquiring banks, issuing banks, payment processors providing services on behalf of acquiring banks, credit/debit card companies, or service providers performing Authentication service used by Reseller and/or its Customers, such as Verified by Visa and Mastercard Identity Check (ID Check).
  Types of personal information: If the Customer opts to use the Authentication service, it may use Cardholder and banking information, including, without limitation, card numbers, bank account numbers, name, address, phone number, e-mail address as a part of processing the authentication request with the issuer. Further detail is included in the applicable Services Documentation.

Service: Payer Authentication
  Nature and purpose of the processing: Payer Authentication provides Customer with risk management and authentication services. Customer Personal Information is used to mitigate fraud on the Customer’s and End-User’s behalf, based on the instructions of Customer.
  Types of personal information: If Customer opts to use Payer Authentication, it may use End-Users’ banking information as a part of Processing the authentication request with the issuer. Further detail is included in the applicable Services Documentation.

Service: Order Screening
  Nature and purpose of the processing: Order Screening provides customers with risk management and order review services. Customer Personal Information is used to (i) mitigate fraud on the Customer’s and End-User’s behalf, based on the instructions of Customer; and (ii) support the creation and enhancement of security and fraud prevention products, services and tools, such as fraud models.
  Types of personal information: Cardholder and banking information, including, without limitation, card numbers, bank account numbers, name, address, phone number, e-mail address, as well as cardholder’s device that is used to complete Customer’s transactions (such as device fingerprint). Further detail is included in the applicable Services Documentation.

Service: Performance Monitoring
  Nature and purpose of the processing: Performance Monitoring is a service that provides a Customer with an expert risk analyst for consultative purposes in the fraud management space, specifically related to using Decision Manager. A risk analyst supporting a Performance Monitoring engagement leverages the data available in the Decision Manager service. This data is used to analyze for fraud trends and give advice on how to best configure Decision Manager. Further detail is included in the applicable Services Documentation.

2. Fraud Services

Types of Customer Personal Information to be Processed as part of the Fraud Services

Cardholder and banking information, including, without limitation, card numbers, bank account numbers, name, address, phone number, e-mail address, as well as cardholder’s device that is used to complete Customer’s transactions (such as device fingerprint).

Customer Personal Information is used to (i) mitigate fraud on the Customer’s and End-User’s behalf and (ii) support the creation and enhancement of security and fraud prevention tools and models for use by Customer and any other customer of CyberSource. These models ensure that scoring in Fraud Services is kept up-to-date. Further detail is included in the applicable Services Documentation.