This Payflow Gateway Services Agreement ("Agreement") applies to your (the "Merchant’s") use of the Payflow Gateway Services (the "Payflow Services"). In this Agreement, "you" and "your" refer to Merchant and your designated agents, including your administrative contact, and "we," "us" and "our" refer to PayPal. You must read, agree with, and accept all of the terms and conditions contained in this Agreement. By using the Payflow Services, you acknowledge that you have agreed to this Agreement. We may revise this Agreement and any applicable policies from time to time. The revised version will be effective at the time we post it unless otherwise noted. If our changes reduce your rights or increase your responsibilities, we will post a notice on the Policy Updates page of our website and provide you with the same length of advance notice as set forth in the PayPal User Agreement. By continuing to use the Payflow Services after any changes to this Agreement, you agree to abide by and be bound by those changes. If you do not agree with any changes to this Agreement, you may close your account.
The Payflow Services include Payflow Link or Payflow Pro and the “Add On Services” defined as Recurring Billing Service, the Fraud Protection Services, and the ACH Payment Service. In order to use the Payflow Services you or your PayPal authorized reseller must complete the online registration process (“Registration”) and set up an Internet merchant account with a Financial Institution to process payments. When you register for the Payflow Services, you may have PayPal payments automatically enabled. The e-mail address you designate when registering for the Payflow Services will be initially used to create your PayPal account, however, to access any PayPal payments you must finish completing your PayPal account and agree to the online PayPal user agreement, found on the applicable PayPal website. Use of the Add On Services may require additional documentation. You agree that you shall (i) use the Payflow Services in accordance with the applicable user guides and other documentation; and (ii) not use or permit others to use information obtained with the Payflow Services for any purpose other than in conjunction with the Payflow Services and in a manner described in this Agreement and in the documentation for the Payflow Services.
"ACH" shall mean Automated Clearing House.
"API" shall mean application programming interface.
"Financial Institution" shall mean banks or financial institutions having business relationships with one or more Financial Processors that have agreed to evaluate and provide merchant accounts and payment authorization services to merchants.
"Financial Processor" shall mean an entity with which PayPal has established a relationship that performs the back-end authorization and processing of Transactions between your Financial Institution and the cardholder's bank.
"Manager Web Site" means the online account management tools for merchants for the Payflow Services.
"Payflow Services" mean the payment gateways under the brand names Payflow Link or Payflow Pro that include, without limitation, real-time, secure data transmission and processing for multiple business-to-customer payment methods including, credit cards, and purchase cards and access to electronic checks allow Referred Merchants to process credit and debit cards, PayPal payments, Bill Me Later® payments, delayed shipment billing, electronic checks, and the Add On Services.
"Payflow Software" shall mean the object code version of the client Software Development Kit ("SDK"), HTML code, APIs, related documentation, and other client software or code, including updates, to enable PayPal to provide the Payflow Services to you. Unless otherwise specified, Payflow Software shall not include any source code.
"Transaction" shall mean information related to the purchase of goods and services from you by a third party. Specifically a Transaction is an authorization, delayed capture, sale, void, voice authorization, inquiry, verification, reference transaction, non-reference credit, or credit data transmission between PayPal and its back end processors.
4.1 Services. Subject to the terms in this Agreement, PayPal agrees to provide (i) the Payflow Services for which you have enrolled and the PayPal authorized reseller has paid the applicable fees on your behalf, and (ii) access to standardized reports regarding your Transactions processed using the Payflow Services and certain reporting tools to assist you in accounting activities.
4.2 Information Conduit. You acknowledge that PayPal is not a financial or credit reporting institution. PayPal is responsible only for providing Data transmission to effect or direct certain payment authorizations for you and is not responsible for the results of any credit inquiry, the operation of web sites of Internet service providers (“ISP”), Financial Institutions, Financial Processors, the availability or performance of the Internet, or for any damages or costs you suffer or incur as a result of any instructions given, actions taken or omissions made by you, your Financial Processor(s), your Financial Institution, or any ISP. The Payflow Services present data and information collected from you and data sources other than PayPal and PayPal makes no representations or warranties regarding the availability, accuracy, timeliness or completeness of such data and information or any output or results of the Payflow Services based in whole or in part on such data and information. You are solely responsible for the accuracy and completeness of all Data you supply.
4.3 Security and Stability. You acknowledge that it is in the best interests of both parties that PayPal maintains a secure and stable environment; to that end, PayPal may change the method of access to the Payflow Services at any time. You also agree that, in the event of degradation or instability of the Payflow Services or an emergency, PayPal may temporarily suspend your access to the Payflow Services, any API, and/or any PayPal content under this Agreement in order to minimize threats to and protect the operational stability and security of the Payflow Services. Each party represents, warrants and covenants that it shall at all times comply with applicable Payment Card Industry Data Security Standards, (“PCI DSS”) as such may be amended from time to time, with respect to all card data received by it in connection with this Agreement. PayPal does not guarantee the security of the Payflow Services or Transaction data, and PayPal will not be responsible in the event of any infiltration of its security systems, if PayPal has used commercially reasonable efforts to prevent any such infiltration. Your customers’ card data is handled by PayPal if: (a) you use Payflow Link, or (b) you use Payflow Pro and you choose to activate the “transparent redirect” feature and integrate the feature pursuant to PayPal’s instructions. PayPal adheres to Payment Card Industry Data Security Standards (“PCI DSS”).
4.4 Technical Support for Payflow Services. You shall obtain your primary customer support from your PayPal authorized reseller and may contact PayPal for secondary technical support.
5.1 Fees. You agree to pay the PayPal authorized reseller the applicable fees for the Payflow Services. All fees are due immediately and are non-refundable, except as otherwise expressly noted herein.
5.2 Taxes. The fees are exclusive of tax. You are responsible for all taxes, duties, levies or tariffs or charges of any kind imposed by any federal, state, or local governmental entity on the fees for the Payflow Services, excluding taxes based on PayPal’s net income.
6.1 Term; Renewal. This Agreement will commence on the date you accept the terms of this Agreement (the "Effective Date") and continues until terminated as set out herein.
6.2 Termination. You may terminate the Payflow Services through your PayPal authorized reseller at any time by providing 30 days prior written notice to your PayPal authorized reseller. PayPal may terminate this Agreement, effective immediately, (i) in the event of insolvency, receivership or voluntary or involuntary bankruptcy, or an assignment for the benefit of your creditors, or in the event that a substantial part of your property is or becomes subject to any levy, seizure, assignment or sale for or by any creditor or governmental agency without being released or satisfied within thirty days thereafter; (ii) if you fail to comply with applicable laws or regulations; (iii) for any of the reasons listed in Section 6.3 below; or (iv) you fail to materially comply with this Agreement.
6.3 Suspension. PayPal may suspend your access to the Payflow Services effective immediately if: (i) certain third party licenses or access to third party components of the Payflow Services are terminated; (ii) if you cause or fail to fix a security breach relating to the Payflow Services; (iii) PayPal reasonably believes your breach compromises the security of the Payflow Services; (iv) PayPal reasonably believes fraudulent Transactions are being submitted on your account knowingly or negligently; (v) your Financial Processor or Financial Institution requires such suspension; (vi) you fail to pay any fees when due; or (vii) you fail to upgrade to the most current Payflow Software version, security updates and/or patches.
6.4 Effect of Termination. PayPal will cease providing the Payflow Services as of the expiration of the billing cycle in which the termination is effective. Upon termination, your rights to use the Payflow Services, and any other rights granted hereunder, shall immediately cease, and you shall destroy any copy of the PayPal Documentation or other materials licensed to you hereunder and referenced herein. Termination of this Agreement will not relieve either Party from any liability arising prior to the termination of this Agreement. If your PayPal authorized reseller ceases to be an authorized reseller, you may continue to access the Payflow Services as mutually agreed between Merchant and PayPal. To the extent permitted by applicable law, you agree that upon termination, we may delete all information relating to your use of the Service.
7.2 Compliance with Data Protection Schedule. You (as a “Merchant”) and we agree to comply with Schedule 1 below, which forms part of this Agreement. The terms of the Data Protection Schedule shall prevail over any conflicting terms in this Agreement relating to data protection and privacy.
7.3 Data Portability. Upon any termination or expiration of this Agreement, PayPal agrees, upon your written request, to provide your new acquiring bank or payment service provider (“Data Recipient”) with any available credit card information including personal data relating to your Customers (“Card Information”). In order to do so, you must provide PayPal with all requested information including proof that the Data Recipient is in compliance with the Association PCI-DSS Requirements and is level 1 PCI compliant. PayPal agrees to transfer the Card Information to the Data Recipient so long as the following applies: (a) you provide PayPal with proof that the Data Recipient is in compliance with the Association PCI-DSS Requirements (Level 1 PCI compliant) by providing PayPal a certificate or report on compliance with the Association PCI-DSS Requirements from a qualified provider and any other information reasonably requested by PayPal; (b) the transfer of such Card Information is compliant with the latest version of the Association PCI-DSS Requirements; and (c) the transfer of such Card Information is allowed under the applicable Association Rules, and any applicable laws, rules or regulations (including data protection laws).
8.1 Confidential Information Defined. A party’s “Confidential Information” is defined as any information of the disclosing party, which (i) if disclosed in a tangible form is marked using a legend such as “Confidential” or “Proprietary” or if not so marked, should be reasonably understood by the receiving party from the context of disclosure or from the information itself, to be confidential, or (ii) if disclosed orally or visually is declared to be confidential or, if not so declared, should be reasonably understood by the receiving party from the context of disclosure or from the information itself to be confidential. Confidential Information shall include, the terms of this Agreement; the integration requirements; information accessed via the Payflow APIs; information relating to the PayPal’s systems, technology, processes, and financial information; your user ID; information relating to your business, security and technology; and all user data and customer information (including user IDs and passwords) regardless of whether marked “Confidential.”
8.2 Mutual Obligations. Each party shall hold the other party’s Confidential Information in confidence and shall not disclose such Confidential Information to third parties nor use the other party’s Confidential Information for any purpose other than as required to perform its obligations under this Agreement. Such restrictions shall not apply to Confidential Information that (i) is already known by the recipient, (ii) becomes publicly known through no act or fault of the recipient, (iii) is received by recipient from a third party without a restriction on disclosure or use, or (iv) is independently developed by recipient without reference to the Confidential Information or (v) where Confidential Information is required to be disclosed by a court, government agency, law enforcement agency, regulatory requirement, or similar disclosure requirement. The parties’ respective obligations to maintain the confidentiality of information disclosed hereunder shall survive the expiration or early termination of this Agreement or until such time as such information becomes public information through no fault of the receiving party. Upon termination or expiration of this Agreement, the receiving party shall immediately return to the disclosing party all manifestations of the Confidential Information or shall destroy all such Confidential Information as the disclosing party may designate; provided that such action may be delayed for so long as, and to the extent that, such Confidential Information relates to outstanding payment obligations or is subject to audit, reporting, or retention requirements under this Agreement or applicable law.
9.1 Intellectual Property. You acknowledge that PayPal and its licensors retain all intellectual property rights (including all patent, trademark, copyright, trade dress, trade secrets, database rights and all other intellectual property rights) and title in and to all of their Confidential Information; other proprietary information, products and services; and the ideas, concepts, techniques, inventions, processes, software or works of authorship developed, embodied in, or practiced in connection with the Payflow Services and provided by PayPal hereunder, including without limitation all modifications, enhancements, derivative works, configurations, translations, upgrades, and interfaces thereto (all of the foregoing “PayPal Intellectual Property”). PayPal Intellectual Property does not include your preexisting hardware, software, data, or networks. Except as otherwise expressly provided herein, nothing in this Agreement shall create any right of ownership or license in, and to the other Party’s intellectual property rights and each Party shall continue to independently own and maintain its intellectual property rights. There are no implied licenses under this Agreement and any rights not expressly granted to you under this Agreement are reserved by PayPal or its suppliers. You shall not reverse engineer, decompile, modify in any manner, or create derivative works from the Payflow Services, API License, (defined below) or any PayPal Intellectual Property.
9.2 License. PayPal hereby grants you a non-exclusive, non-transferable, revocable, non-sublicenseable, limited license to use PayPal’s Intellectual Property solely as required and necessary to use the Payflow Services in accordance with the terms and conditions of this Agreement and any user guides provided by PayPal to you (the “IP License” and with respect to the APIs, the “API License”).
9.3 Payflow APIs. PayPal shall make available to you its API integration and user guides and SDKs (collectively “PayPal Documentation”). You shall comply with the PayPal Documentation in connection with the integration and use of APIs. You shall keep all user ID, passwords and other access codes pertaining to the Payflow Services and API License confidential and secure from all unauthorized persons. You will immediately terminate the access rights of any user who ceases to act in an authorized capacity on your behalf for any reason, including because of a change in employment status or in the event of theft, loss or authorized disclosure or misuse of that user ID. You agree to notify PayPal immediately upon learning of any unauthorized use of your user name or password. You shall be solely responsible for (i) updating your passwords for access to the Payflow Services periodically, and (ii) creating passwords that are reasonably “strong” under the circumstances. The user ID is the property of PayPal and may be immediately revoked or terminated by PayPal if you share the same with any third party, or otherwise breach this API License. In connection with your use of Payflow’s APIs, you are prohibited from doing any of the following: (i) selling, transferring, sublicensing, or disclosing your user ID to any third party (other than third party service providers); (ii) selling, transferring, sublicensing, and/or assigning any interest in PayPal’s Confidential Information accessed by the APIs; (iii) collecting any customer’s personally identifiable information that is accessed through the APIs without that customer’s express permission; (iv) providing timeshare, service bureau, application service provider or similar services to any other third party; and (v) interfacing or connecting the Payflow Services, or the API License with any other computer software or system without the prior written approval of PayPal.
PayPal shall have no responsibility or liability for the performance of the Payflow Services and Payflow Software, in the event that the Payflow Services or Payflow Software are not used in accordance with this Agreement or any instructions for use provided by PayPal.
10.1 Authority. Each party represents and warrants that (a) it has full power and authority to enter into and perform this Agreement; and (b) its execution and performance of this Agreement does not violate, conflict with, or result in a material default under any other contract or agreement to which it is a party, or by which it is bound.
10.2 Compliance with Laws. You represent and warrant that you shall comply with all applicable privacy, consumer and other laws and regulations with respect to (i) provision, use and disclosure of the Data; (ii) dealings with the users providing the Data; and (iii) use of the Payflow Services.
THE PAYFLOW SERVICES AND PAYFLOW SOFTWARE INCLUDING THE API LICENSE ARE PROVIDED HEREUNDER ON AN “AS IS” BASIS WITHOUT WARRANTY OF ANY KIND AND EXCEPT AS EXPRESSLY STATED HEREIN, PAYPAL DISCLAIMS ALL WARRANTIES AND CONDITIONS, EXPRESS, IMPLIED OR STATUTORY, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE WITH REGARDS TO THE PAYFLOW SERVICES AND PAYFLOW SOFTWARE. PAYPAL DOES NOT REPRESENT OR WARRANT THAT THE PAYFLOW SERVICES AND PAYFLOW SOFTWARE SHALL OPERATE SECURELY OR WITHOUT INTERRUPTION.
Merchant will defend, indemnify and hold harmless PayPal, its affiliates, and its officers, directors, employees, and agents from any loss, damage, liability, claim, demand or cost (including reasonable attorneys’ fees) (“Claim”) made or incurred by any third party due to or arising out of (i) your breach of this Agreement; (ii) the sale or use of any product or services sold by you; (iii) your use of the Payflow Services; or (iv) your negligence or misconduct.
IN NO EVENT WILL PAYPAL'S LIABILITY ARISING OUT OF THIS AGREEMENT EXCEED THE FEES PAID TO PAYPAL BY MERCHANT OR BY PAYPAL’S AUTHORIZED RESELLER ON BEHALF OF MERCHANT HEREUNDER DURING THE 12 MONTH PERIOD IMMEDIATELY PRECEDING THE EVENT THAT GAVE RISE TO THE CLAIM FOR DAMAGES. IN NO EVENT WILL PAYPAL OR ITS LICENSORS HAVE ANY LIABILITY TO MERCHANT OR ANY OTHER PARTY FOR ANY LOST OPPORTUNITY OR PROFITS, COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR SPECIAL DAMAGES ARISING OUT OF THIS AGREEMENT, UNDER ANY CAUSE OF ACTION OR THEORY OF LIABILITY (INCLUDING NEGLIGENCE), AND WHETHER OR NOT PAYPAL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. THESE LIMITATIONS WILL APPLY NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY. The limitations set forth above shall be enforceable to the maximum extent allowed by applicable law.
14.1 Force Majeure. Neither Party shall be responsible for any failure to perform its obligations under this Agreement if such failure is caused by acts of God, war, strikes, revolutions, lack or failure of transportation facilities, laws or governmental regulations or other causes that are beyond the reasonable control of such Party. Obligations hereunder, however, shall not be excused but shall be suspended only until the cessation of any cause of such failure.
14.2 Entire Agreement and Modification. This Agreement constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes any prior oral, written, or online agreements. The PayPal authorized reseller is not authorized to alter or amend the terms of this Agreement. Except as otherwise provided for herein, any waiver, modification, or amendment of any provision of this Agreement will be effective only if in writing and signed by the parties herein.
14.3 Severability. If any provision of this Agreement shall be held illegal or unenforceable, that provision shall be limited or eliminated to the minimum extent necessary so that this Agreement shall otherwise remain in full force and effect and enforceable.
14.4 Assignment; No Waiver. This Agreement binds and is for the benefit of the successors and permitted assigns of each Party. You may not assign this Agreement or any rights under it, in whole or in part, without PayPal’s prior written consent. Any attempt to assign this Agreement other than as permitted above will be null and void. Failure by either Party to enforce any provision of this Agreement will not be deemed a waiver of future enforcement of that or any other provision.
14.5 Governing Law and Jury Trial Waiver. This Agreement shall be governed by and construed in accordance with the laws of the State of California, U.S.A., except for its conflicts of laws principles. The Parties consent to the exclusive jurisdiction of, and venue in, the state and federal courts in Santa Clara County, California. PAYPAL AND MERCHANT IRREVOCABLY WAIVE ANY AND ALL RIGHTS THEY MAY HAVE TO A TRIAL BY JURY IN ANY JUDICIAL PROCEEDING INVOLVING ANY CLAIM RELATING TO OR ARISING UNDER THIS AGREEMENT.
14.6 Survival. Sections, which by their nature survive, shall survive any termination or expiration of this Agreement in accordance with their terms.
14.7 Export Restrictions. You agree that you shall not import, export, or re-export directly or indirectly, any commodity, including your products incorporating or using any PayPal products in violation of the laws and regulations of any applicable jurisdiction.
14.8 Notices. Except as otherwise expressly stated in this Agreement, all notices to PayPal shall be in writing and delivered, via courier or certified or registered mail, to General Counsel, 2211 North First Street, San Jose, CA 95131 or any other address provided by PayPal. All notices to you shall be delivered to your e-mail address as provided by you in your account information. Unless you choose to opt-out of receiving marketing notices, you authorize PayPal to notify you as our customer, via commercial e-mails, telephone calls and other means of communication, of information that we deem is of potential interest to you, including without limitation communications describing upgrades, new products and services or other information pertaining to the Payflow Services or other PayPal offerings relating to Internet security. Notwithstanding the above, you shall not have the right to opt-out of service or support notices relating to the Payflow Services, including without limitation, notices of service modifications, security, performance issues, or technical difficulties.
14.9 Headings. The section headings appearing in the Agreement are inserted only as a matter of convenience and in no way define, limit, construe or describe the scope or extent of such section or in any way affect such section.
14.10 Relationship of the Parties. The Parties are independent contractors and will have no power or authority to assume or create any obligation or responsibility on behalf of each other. This Agreement will not be construed to create or imply any partnership, agency, or joint venture.
14.11 Non-Disparagement; Publicity. During the term of the Agreement, neither party will disparage the other party or the other party's trademarks, web sites, products or services, or display any such items in a derogatory or negative manner on any web site or in any public forum or press release. All media releases, public announcements or public disclosures (including, but not limited to, promotional or marketing material) by either Party relating to this Agreement are prohibited without the prior written consent of both Parties.
14.12 Expenses. Except as otherwise specified herein or as otherwise mutually agreed upon by the Parties, each Party will bear its own costs of performing under this Agreement.
14.13 Government Use. If you are a branch or agency of the United States Government, the following provision applies. The software and any related documentation are comprised of "commercial computer software" and "commercial computer software documentation" as such terms are used in 48 C.F.R. 12.212 (SEPT 1995) and are provided to the Government (i) for acquisition by or on behalf of civilian agencies, consistent with the policy set forth in 48 C.F.R. 12.212; or (ii) for acquisition by or on behalf of units of the Department of Defense, consistent with the policies set forth in 48 C.F.R. 227.7202-1 (JUN 1995) and 227.7202-3 (JUN 1995).
If at any time you process directly with American Express, you acknowledge and agree to comply with the terms of this Section as applicable.
In no event shall PayPal be liable for Transaction processing and other services performed by American Express.
RECURRING BILLING SERVICE.
If at any time you purchase the Recurring Billing Services, you agree to comply with the following terms and conditions.
FRAUD PROTECTION SERVICES.
DATA PROTECTION SCHEDULE
This Data Protection Schedule applies only to the extent that PayPal acts as a Service Provider to you.
Capitalized terms used but not defined in this Schedule shall have the meaning set out in the Agreement.
1 DEFINITIONS AND INTERPRETATION; SCHEDULE COMPOSITION
1.1 Definitions and Interpretation. The following terms have the following meanings when used in this Schedule:
"Customer" means your customers who use the PayPal services in the United States and for the purposes of this Schedule, are data subjects.
"Customer Data" means the Personal Data that the Customer provides to you and you pass on to PayPal through the use by you of the PayPal services.
"Data Protection Laws" means any data protection laws, regulations, and regulatory requirements applicable to PayPal’s provisions of the PayPal services, including without limitation, the California Consumer Privacy Act of 2018 (CCPA), including any implementing regulations issued by the California Attorney General.
"Personal Data" means any information relating to an identified or identifiable natural person (a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
"process", "processes", and "processed" means any operation or set of operations performed upon Personal Data, including collection, recording, retention, sharing, organization, storage, access, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, making available, alignment, combination, blocking, deleting, erasure, or destruction.
"Security Incident" means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data on systems managed by or otherwise controlled by PayPal.
“Service Provider” shall have the meaning set forth in the CCPA.
1.2 Schedule Composition. This Schedule 1 is comprised of (i) sections 1 to 2, being the main body of the schedule; and (ii) Attachment 1.
2 PROCESSING OF PERSONAL DATA IN CONNECTION WITH THE SERVICES
2.1 PayPal as a Service Provider.
2.1.1 PayPal is your Service Provider with respect to Customer Data, including the Personal Data of Customers and other natural persons, households, and entities only for the purposes specified in the Agreement. You agree to provide to PayPal only the Customer Data that is necessary for PayPal to provide the payment processing services. The parties acknowledge and agree that PayPal is permitted to use, reproduce and process Customer Data and payment transaction data for the following limited purposes:
2.1.2 PayPal shall comply with the requirements of the Data Protection Laws with respect to the use of Personal Data under this Agreement and shall not knowingly do anything or knowingly permit anything to be done with respect to the Personal Data which might lead to a breach by you of the Data Protection Laws.
2.1.3 With regard to any Customer Data to be processed by PayPal in connection with this Agreement, you will be solely responsible for determining the purposes for which and the manner in which Customer Data are, or are to be, processed.
2.1.4 The Parties acknowledge and agree that valuable consideration, monetary or otherwise, is being provided for the payment processing services being rendered by PayPal and not in exchange for you providing Personal Data in connection with the payment processing services.
2.1.5 Unless otherwise required or authorized by law and subject to any applicable exceptions, limitations, exemptions, and/or exclusions set forth in the CCPA or applicable Data Protection Laws, PayPal is prohibited from collecting, retaining, using, selling or disclosing Personal Information except as necessary for the purpose of performing the payment processing services specified in the Agreement between the parties.
2.2 Customer Requests. PayPal shall, to the extent legally permitted, promptly notify you in the event PayPal receives a request from a Customer for access to, or correction, amendment, or deletion of, that Customer’s Personal Data. PayPal shall not respond to any such Customer request without your prior written consent except to confirm that the request relates to you and you hereby consent to such communication with your Customer by PayPal. PayPal shall provide you with commercially reasonable cooperation and assistance in relation to the handling of a Customer’s request for access to that Customer’s Personal Data, provided that such cooperation and assistance is legally permitted and to the extent you do not have access to such Customer Data through your use of the payment processing services. PayPal and you acknowledge and agree that PayPal is authorized under applicable law to retain and process such Customer Data pursuant to applicable law, including, without limitation, any applicable exceptions, limitations, exemptions, and/or exclusions set forth in the CCPA (including without limitation, those exceptions, limitations, exemptions and/or exclusions set forth in California Civil Code § 1798.145).
2.3 PayPal Personnel. PayPal shall ensure that its personnel engaged in the processing of Customer Data are informed of the confidential nature of the Customer Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Such confidentiality obligations shall survive the termination of the applicable personnel’s engagement. PayPal undertakes to provide its personnel with training as necessary from time to time with respect to PayPal's obligations in this Addendum so that PayPal personnel are aware of, and comply with, such obligations. Access by PayPal's personnel to Customer Data is limited to those personnel performing payment processing services in accordance with the Agreement.
2.4 Technical and Organizational Measures. PayPal shall, as a minimum, implement and maintain appropriate technical and organizational measures as described in Attachment 1 to this Addendum to keep Customer Data secure and to protect it against unauthorized or unlawful processing and accidental loss, destruction or damage in relation to the provision of the payment processing services. You understand and agree that the technical and organizational measures are subject to technical progress and development. In that regard, PayPal is expressly permitted to implement adequate alternative measures as long as the security level of the measures is maintained in relation to the provision of the payment processing services. In the event of any detrimental change, PayPal shall provide a notification together with any necessary documentation to you by email or publication on a website easily accessible by you.
2.5 Security Incidents. If PayPal becomes aware of a Security Incident in connection with the processing of Customer Data and if there is a reasonable likelihood of material harm to a material part of the PayPal systems relating to the payment processing services provided to you, PayPal will, in accordance with Data Protection Laws: (a) notify you of the Security Incident promptly and without undue delay; and (b) promptly take reasonable steps to minimize harm and secure Customer Data.
2.5.1 Details of Security Incident. Notifications made under this Section will describe, to the extent possible, reasonable details of the Security Incident, including steps taken to mitigate the potential risks.
2.5.2 Communication. PayPal will deliver its notification of any Security Incident to one or more of your administrators by any means via email. You are solely responsible for maintaining accurate contact information and ensuring that any contact information is current and valid.
2.6 Deletion. Upon termination or expiration of the Agreement, PayPal will delete or return to you all Customer Data processed on behalf of you, and PayPal shall delete existing copies of such Customer Data except where authorized by Data Protection Laws or necessary to retain such Customer Data strictly for the purposes of compliance with applicable law.
2.7 Certification. The Parties will at all times comply with applicable Data Protection Laws. PayPal hereby certifies that it understands and agrees to the terms of this Data Protection Schedule in this Agreement.
2.8 Merchant Notices. You undertake to provide all notices and obtain all consents necessary for PayPal’s use of Personal Data set out above.
Technical and Organizational Measures
The following technical and organizational measures will be implemented: