ACH Services Addendum

This ACH Services Addendum (this “Addendum”) applies to services offered by PayPal, Inc. (“PayPal”) that allow you to originate Automated Clearing House (“ACH”) credit and debit entries to a bank account (the “ACH Services”). This Addendum forms part of the applicable agreement between PayPal and you, a third-party platform or marketplace (the "Platform") or a merchant who owns a PayPal business account and enters into this agreement, that governs PayPal’s provision of ACH Services to you (the “Agreement”) and is incorporated by reference therein. In the event there is any conflict between the terms of this Addendum and the Agreement, the terms of this Addendum will control. Capitalized terms used but not defined in this Addendum have the meaning set out in the Agreement.

This Addendum is effective as of the later of (i) the effective date specified in the Agreement or (ii) the effective date stated in the notice posted or provided to you in connection with this Addendum. We may amend this Addendum from time to time. The revised version will be effective at the time we post it on our website, unless otherwise noted. If our changes reduce your rights or increase your responsibilities, we will post a notice on the "Policy Updates" page of our website within the timeframe required by the Agreement. If you do not agree with any change to this Addendum, you may discontinue your use of the ACH Services.

1. PayPal may offer to you the ability to validate bank account information (including, but not limited to, account number, routing number, and/or account holder name) in connection with the ACH Services (“Account Validation”). In that case, PayPal may share personal, financial, and/or transaction data (“Data”) related to your customers (and, in the case of Platforms, customers of its sellers or billers) with PayPal’s third-party service providers which may include data consortium providers (“Data Consortium Providers”) and open banking vendors (“Open Banking Providers” and, together with Data Consortium Providers, "Account Validation Providers”), and such providers may collect certain customer Data from third-party information sources where customers hold bank accounts (“Data Sources”) and share it with PayPal. You agree to use the Account Validation methods offered by PayPal in compliance with this Addendum, the Agreement, the Nacha Rules, applicable laws and regulations.
1. 1. If you select an Account Validation method offered through a Data Consortium Provider that is subject to the Fair Credit Reporting Act ("FCRA") or analogous applicable law, you instruct PayPal to act as agent for the purpose of obtaining any requested consumer report on your behalf and performing the requested validation. You agree to: (a) obtain the express written consent of the consumer before requesting any consumer report; (b) retain evidence of such consumer consent; and (c) if the information in a consumer report serves as a basis for declining a transaction or account validation request, provide notice of adverse action to the consumer.
1. 2. If you select an Account Validation method offered through Open Banking Providers, you must not use any Data obtained from it for any purpose that would reasonably be expected to implicate the FCRA.
2. To the extent that you obtain access to Data or to any system or technology in connection with the Account Validation methods offered by PayPal, you must, except to the extent prohibited by applicable legal, regulatory or law enforcement requirements:
   1. Follow a written privacy policy describing how you use, collect, store, handle and share Data. Your customers (and, in the case of Platforms, customers of its sellers or billers) must be able to access your privacy policy and you must clearly and conspicuously reference or display such policy (including, at a minimum, via a link on your website and within your mobile application, if applicable);
   2. when applicable, obtain customer consent for you to use, collect, store, handle and share customer Data in accordance with your privacy policy;
   3. obtain customer consent to Account Validation Providers’ terms and conditions presented to customer;
   4. if any customer submits a request to delete its Data, promptly: (i) delete using an industry standard method that ensures the deletion is permanent and information unrecoverable (“Securely Delete”), subject to any legal or regulatory requirements to maintain copies, and (ii) notify PayPal;
   5. develop, maintain and implement a comprehensive written information security program that includes, without limitation: (a) technical, physical, and administrative/organizational safeguards designed to ensure the security, integrity and confidentiality of Data and protect it against any anticipated threats, hazards or Security Issue (as defined below); and (b) regular testing or otherwise monitoring of the effectiveness of your information safeguards;
   6. use commercially reasonable efforts to prevent a Security Issue and Securely Delete all Data that may be at risk from a Security Issue upon PayPal’s request;
   7. promptly inform PayPal if any competent authority, regulator or public authority requests disclosure of, or information about, the Data that is processed in connection with any Account Validation methods and cooperate with PayPal as reasonably necessary to comply with any direction or ruling made by such authorities;
   8. obtain PayPal’s approval prior to the publication or communication of any filings, communications, notices, press releases or reports related to any Security Issue that expressly mentions PayPal or Account Validation Providers; and
   9. only use, store, host, or process Data within the United States of America, however, you may allow read-only access to such data subject to confidentiality and security requirements.

   For purposes if this Addendum, “Security Issue” means any: (i) unauthorized or unlawful access, transmission, corruption, deletion, or use of any Data; (ii) unauthorized access to systems storing, processing, or providing access to the same; (iii) your material failure to comply with its information security requirements under this Addendum; or (iv) any reasonably suspected case of, or flaw in, your policies, procedures, or systems reasonably likely to give rise to an incident as described above.

3. You shall not (a) attempt to gain unauthorized access to the Account Validation methods offered by PayPal or related systems or networks; (b) access and/or engage in any use of the Account Validation methods in a manner that abuses or materially disrupts PayPal’s or Account Validation Providers’ networks, security systems, and/or websites; (c) interfere with or disrupt the integrity or performance of Account Validation methods or third-party data contained therein; (d) access or use the Account Validation methods for fraudulent or unlawful purposes or otherwise in violation of the Nacha Rules or court orders; (e) access or use the Account Validation for purposes of competitive analysis, the development, provision or use of a competing software service or product; (f) retain, save or otherwise maintain any user credentials or other information that could be used to access customer’s Data (except for customers saving their own user credentials); (g) use any “screen scraping” process(es) to obtain customer Data directly or indirectly from any of the Data Sources from which PayPal or Account Validation Providers obtain customer Data on behalf of customer through the use of registration data (and not APIs or data feeds provided by or on behalf of PayPal or Account Validation Providers as part of the Account Validation); (h) in connection with cross-border transfer, export or re-export the Account Validation methods and/or any related system or technology; (i) use or disclose Data for any purpose that is not expressly permitted under this Addendum or by an explicit consent given by the customer (if applicable); and (j) sell, resell, license, transfer, or otherwise disclose Data to any other party, unless required by the Nacha Rules and or applicable laws or regulations.
4. If you become aware of any actual or threatened Security Issue or violation of its obligations under this Addendum, you must: (i) notify PayPal of any such actual or threatened Security Issue or violation and the corrective action taken or to be taken, within 48 hours of its discovery; and (ii) remediate or implement a plan to remediate the issue and mitigate its effects (including, where applicable, by discontinuing and preventing any unauthorized access to the Account Validation method) within the period determined by PayPal and communicated to you in writing. PayPal may report any Security Issue, investigations and/or remediation efforts to Account Validation Providers.
5. PayPal may immediately suspend your access to PayPal’s Account Validation and related Data, systems and/or technology, in whole or in part if PayPal reasonably believes that you violated any of your obligations under this Addendum or becomes aware of a Security Issue. In such cases, PayPal will use commercially reasonable efforts to give prior notice of any suspension but may immediately suspend access without prior notice if appropriate under the circumstances to protect customers, PayPal or Account Validation Providers from harm. PayPal may notify an Account Validation Provider of any condition permitting suspension (and related circumstances) if the condition relates to Data obtained from such Account Validation Provider (including the nature of such condition, whether access has been suspended, and the status of your efforts to cure the condition).
6. NEITHER PAYPAL NOR ANY ACCOUNT VALIDATION PROVIDER MAKE ANY WARRANTIES TO YOU OF ANY KIND (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE). PAYPAL, ACCOUNT VALIDATION PROVIDERS AND RELATED PARTIES WILL HAVE NO LIABILITY WHATSOEVER TO YOU RELATING TO (i) ACCESSING OR USING DATA; (ii) FOR ANY EXPENSES, LOSSES, OR DAMAGES RELATING TO YOUR ACCESS OR USE OF DATA, FOR ANY LOST PROFITS OR OTHER SPECIAL, CONSEQUENTIAL, INCIDENTAL OR INDIRECT DAMAGES. THE LIMITATIONS IN THIS SECTION WILL APPLY TO THE FULLEST EXTENT PERMITTED UNDER APPLICABLE LAW NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY AND REGARDLESS OF THE FORM OF ACTION UNDER WHICH RECOVERY FOR ANY LOSS, DAMAGE, OR EXPENSE IS SOUGHT (INCLUDING NEGLIGENCE).
7. During the term of this Addendum, and for six (6) years thereafter (or a longer period if required under applicable law or regulation), you must keep documentation/records related to your use of the Account Validation methods and provide PayPal with access to such documentation/records upon request. PayPal may, by itself or through a third-party, audit your policies, procedures, books and records, data, systems, and activities to verify your compliance with this Addendum, including, but not limited to, the examination of your policies and/or procedures: (i) for ensuring the security and integrity of your systems for accessing, storing, and using Data; and (ii) in connection with FCRA related requirements, where applicable. You represent and warrant that the documents, information, responses, and materials that you provide to PayPal are true and accurate in all material respects. You agree that PayPal may provide such information to Account Validation Providers and/or Data Sources.
8. If you are a Platform, you must, prior to providing any Data or access to any Account Validation system or technology to your customers (e.g. sellers or billers on your platform), enter into a written agreement with each of them which contains terms that are substantially similar with the terms of this Addendum.
9. If any inconsistency exists between this Addendum and any applicable law or regulation (including rules implementing Section 1033 of the Consumer Financial Protection Act of 2010), then the terms of the applicable law and/or regulation shall control.