This Payflow Gateway Services Agreement ("Agreement") applies to your (the "Merchant’s") use of the Payflow Gateway Services (the "Payflow Services"). In this Agreement, "you" and "your" refer to Merchant and your designated agents, including your administrative contact, and "we,” "us" and "our" refer to PayPal. You must read, agree with, and accept all of the terms and conditions contained in this Agreement. By using the Payflow Services, you acknowledge that you have agreed to this Agreement. We may amend this Agreement at any time by posting a revised version on our website. The revised version will be effective at the time we post it. In addition, if the revised version includes a Substantial Change, we will provide you with 30 Days' prior notice of Substantial Change by posting notice on the "Policy Updates" page of our website. You agree to review periodically our website to be aware of any revisions. By continuing to use the Payflow Services after any revision to this Agreement or any change in Payflow Services, you agree to abide by and be bound by any such revisions or changes.
The Payflow Services include Payflow Link or Payflow Pro and the “Add On Services” defined as Recurring Billing Service, the Fraud Protection Services, and the ACH Payment Service. In order to use the Payflow Services you or your PayPal authorized reseller must complete the online registration process (“Registration”) and set up an Internet merchant account with a Financial Institution to process payments. When you register for the Payflow Services, you may have PayPal payments automatically enabled. The e-mail address you designate when registering for the Payflow Services will be initially used to create your PayPal account, however, to access any PayPal payments you must finish completing your PayPal account and agree to the online PayPal user agreement, found on the applicable PayPal website. Use of the Add On Services may require additional documentation. You agree that you shall (i) use the Payflow Services in accordance with the applicable user guides and other documentation; and (ii) not use or permit others to use information obtained with the Payflow Services for any purpose other than in conjunction with the Payflow Services and in a manner described in this Agreement and in the documentation for the Payflow Services.
"ACH" shall mean Automated Clearing House.
"API" shall mean application programming interface.
"Financial Institution" shall mean banks or financial institutions having business relationships with one or more Financial Processors that have agreed to evaluate and provide merchant accounts and payment authorization services to merchants.
"Financial Processor" shall mean an entity with which PayPal has established a relationship that performs the back-end authorization and processing of Transactions between your Financial Institution and the cardholder's bank.
"Manager Web Site" means the online account management tools for merchants for the Payflow Services.
"Payflow Services" mean the payment gateways under the brand names Payflow Link or Payflow Pro that include, without limitation, real-time, secure data transmission and processing for multiple business-to-customer payment methods including, credit cards, and purchase cards and access to electronic checks allow Referred Merchants to process credit and debit cards, PayPal payments, Bill Me Later® payments, delayed shipment billing, electronic checks, and the Add On Services.
"Payflow Software" shall mean the object code version of the client Software Development Kit ("SDK"), HTML code, APIs, related documentation, and other client software or code, including updates, to enable PayPal to provide the Payflow Services to you. Unless otherwise specified, Payflow Software shall not include any source code.
"Substantial Change" means a change to the terms of this Agreement that reduces your rights or increases your responsibilities.
"Transaction" shall mean information related to the purchase of goods and services from you by a third party. Specifically a Transaction is an authorization, delayed capture, sale, void, voice authorization, inquiry, verification, reference transaction, non-reference credit, or credit data transmission between PayPal and its back end processors.
4.1 Services. Subject to the terms in this Agreement, PayPal agrees to provide (i) the Payflow Services for which you have enrolled and the PayPal authorized reseller has paid the applicable fees on your behalf, and (ii) access to standardized reports regarding your Transactions processed using the Payflow Services and certain reporting tools to assist you in accounting activities.
4.2 Information Conduit. You acknowledge that PayPal is not a financial or credit reporting institution. PayPal is responsible only for providing Data transmission to effect or direct certain payment authorizations for you and is not responsible for the results of any credit inquiry, the operation of web sites of Internet service providers (“ISP”), Financial Institutions, Financial Processors, the availability or performance of the Internet, or for any damages or costs you suffer or incur as a result of any instructions given, actions taken or omissions made by you, your Financial Processor(s), your Financial Institution, or any ISP. The Payflow Services present data and information collected from the you and data sources other than PayPal and PayPal makes no representations or warranties regarding the availability, accuracy, timeliness or completeness of such data and information or any output or results of the Payflow Services based in whole or in part on such data and information. You are solely responsible for the accuracy and completeness of all Data you supply.
4.3 Security and Stability. You acknowledge that it is in the best interests of both parties that PayPal maintains a secure and stable environment; to that end, PayPal may change the method of access to the Payflow Services at any time. You also agree that, in the event of degradation or instability of the Payflow Services or an emergency, PayPal may temporarily suspend your access to the Payflow Services, any API, and/or any PayPal content under this Agreement in order to minimize threats to and protect the operational stability and security of the Payflow Services. Each party represents, warrants and covenants that it shall at all times comply with applicable Payment Card Industry Data Security Standards, (“PCI DSS”) as such may be amended from time to time, with respect to all card data received by it in connection with this Agreement. PayPal does not guarantee the security of the Payflow Services or Transaction data, and PayPal will not be responsible in the event of any infiltration of its security systems, if PayPal has used commercially reasonable efforts to prevent any such infiltration. Your customers’ card data is handled by PayPal if: (a) you use Payflow Link, or (b) you use Payflow Pro and you choose to activate the “transparent redirect” feature and integrate the feature pursuant to PayPal’s instructions. PayPal adheres to Payment Card Industry Data Security Standards (“PCI DSS”).
4.4 Technical Support for Payflow Services. You shall obtain your primary customer support from your PayPal authorized reseller and may contact PayPal for secondary technical support.
5.1 Fees. You agree to pay the PayPal authorized reseller the applicable fees for the Payflow Services. All fees are due immediately and are non-refundable, except as otherwise expressly noted herein.
5.2 Taxes. The fees are exclusive of tax. You are responsible for all taxes, duties, levies or tariffs or charges of any kind imposed by any federal, state, or local governmental entity on the fees for the Payflow Services, excluding taxes based on PayPal’s net income.
6.1 Term; Renewal. This Agreement will commence on the date you accept the terms of this Agreement (the "Effective Date") and continues until terminated as set out herein.
6.2 Termination. You may terminate the Payflow Services through your PayPal authorized reseller at any time by providing 30 days prior written notice to your PayPal authorized reseller. PayPal may terminate this Agreement, effective immediately, (i) in the event of insolvency, receivership or voluntary or involuntary bankruptcy, or an assignment for the benefit of your creditors, or in the event that a substantial part of your property is or becomes subject to any levy, seizure, assignment or sale for or by any creditor or governmental agency without being released or satisfied within thirty days thereafter; (ii) if you fail to comply with applicable laws or regulations; (iii) for any of the reasons listed in Section 6.3 below; or (iv) you fail to materially comply with this Agreement.
6.3 Suspension. PayPal may suspend your access to the Payflow Services effective immediately if: (i) certain third party licenses or access to third party components of the Payflow Services are terminated; (ii) if you cause or fail to fix a security breach relating to the Payflow Services; (iii) PayPal reasonably believes your breach compromises the security of the Payflow Services; (iv) PayPal reasonably believes fraudulent Transactions are being submitted on your account knowingly or negligently; (v) your Financial Processor or Financial Institution requires such suspension; (vi) you fail to pay any fees when due; or (vii) you fail to upgrade to the most current Payflow Software version, security updates and/or patches;
6.4 Effect of Termination. PayPal will cease providing the Payflow Services as of the expiration of the billing cycle in which the termination is effective. Upon termination, your rights to use the Payflow Services, and any other rights granted hereunder, shall immediately cease, and you shall destroy any copy of the PayPal Documentation or other materials licensed to you hereunder and referenced herein. Termination of this Agreement will not relieve either Party from any liability arising prior to the termination of this Agreement. If your PayPal authorized reseller ceases to be an authorized reseller, you may continue to access the Payflow Services as mutually agreed between Merchant and PayPal. To the extent permitted by applicable law, you agree that upon termination, we may delete all information relating to your use of the Service.
7.2 Compliance with Data Protection Schedule. You agree (as a “Merchant”) to comply with Schedule 1 below, which forms part of this Agreement. The terms of the Data Protection Schedule shall prevail over any conflicting terms in this Agreement relating to data protection and privacy.
8.1 Confidential Information Defined. A party’s “Confidential Information” is defined as any information of the disclosing party, which (i) if disclosed in a tangible form is marked using a legend such as “Confidential” or “Proprietary” or if not so marked, should be reasonably understood by the receiving party from the context of disclosure or from the information itself, to be confidential, or (ii) if disclosed orally or visually is declared to be confidential or, if not so declared, should be reasonably understood by the receiving party from the context of disclosure or from the information itself to be confidential. Confidential Information shall include, the terms of this Agreement; the integration requirements; information accessed via the Payflow APIs; information relating to the PayPal’s systems, technology, processes, and financial information; your user ID; information relating to your business, security and technology; and all user data and customer information (including user IDs and passwords) regardless of whether marked “Confidential.”
8.2 Mutual Obligations. Each party shall hold the other party’s Confidential Information in confidence and shall not disclose such Confidential Information to third parties nor use the other party’s Confidential Information for any purpose other than as required to perform its obligations under this Agreement. Such restrictions shall not apply to Confidential Information that (i) is already known by the recipient, (ii) becomes publicly known through no act or fault of the recipient, (iii) is received by recipient from a third party without a restriction on disclosure or use, or (iv) is independently developed by recipient without reference to the Confidential Information or (v) where Confidential Information is required to be disclosed by a court, government agency, law enforcement agency, regulatory requirement, or similar disclosure requirement. The parties’ respective obligations to maintain the confidentiality of information disclosed hereunder shall survive the expiration or early termination of this Agreement or until such time as such information becomes public information through no fault of the receiving party. Upon termination or expiration of this Agreement, the receiving party shall immediately return to the disclosing party all manifestations of the Confidential Information or shall destroy all such Confidential Information as the disclosing party may designate; provided that such action may be delayed for so long as, and to the extent that, such Confidential Information relates to outstanding payment obligations or is subject to audit, reporting, or retention requirements under this Agreement or applicable law.
9.1 Intellectual Property. You acknowledge that PayPal and its licensors retain all intellectual property rights (including all patent, trademark, copyright, trade dress, trade secrets, database rights and all other intellectual property rights) and title in and to all of their Confidential Information; other proprietary information, products and services; and the ideas, concepts, techniques, inventions, processes, software or works of authorship developed, embodied in, or practiced in connection with the Payflow Services and provided by PayPal hereunder, including without limitation all modifications, enhancements, derivative works, configurations, translations, upgrades, and interfaces thereto (all of the foregoing “PayPal Intellectual Property”). PayPal Intellectual Property does not include your preexisting hardware, software, data, or networks. Except as otherwise expressly provided herein, nothing in this Agreement shall create any right of ownership or license in, and to the other Party’s intellectual property rights and each Party shall continue to independently own and maintain its intellectual property rights. There are no implied licenses under this Agreement and any rights not expressly granted to you under this Agreement are reserved by PayPal or its suppliers. You shall not reverse engineer, decompile, modify in any manner, or create derivative works from the Payflow Services, API License, (defined below) or any PayPal Intellectual Property.
9.2 License. PayPal hereby grants you a non-exclusive, non-transferable, revocable, non-sublicenseable, limited license to use PayPal’s Intellectual Property solely as required and necessary to use the Payflow Services in accordance with the terms and conditions of this Agreement and any user guides provided by PayPal to you (the “IP License” and with respect to the APIs, the “API License”).
9.3 Payflow APIs. PayPal shall make available to you its API integration and user guides and SDKs (collectively “PayPal Documentation”). You shall comply with the PayPal Documentation in connection with the integration and use of APIs. You shall keep all user ID, passwords and other access codes pertaining to the Payflow Services and API License confidential and secure from all unauthorized persons. You will immediately terminate the access rights of any user who ceases to act in an authorized capacity on your behalf for any reason, including because of a change in employment status or in the event of theft, loss or authorized disclosure or misuse of that user ID. You agree to notify PayPal immediately upon learning of any unauthorized use of your user name or password. You shall be solely responsible for (i) updating your passwords for access to the Payflow Services periodically, and (ii) creating passwords that are reasonably “strong” under the circumstances. The user ID is the property of PayPal and may be immediately revoked or terminated by PayPal if you share the same with any third party, or otherwise breach this API License. In connection with your use of Payflow’s API’s, you are prohibited from doing any of the following: (i) selling, transferring, sublicensing, or disclosing your user ID to any third party (other than third party service providers); (ii) selling, transferring, sublicensing, and/or assigning any interest in PayPal’s Confidential Information accessed by the APIs; (iii) collecting any customer’s personally identifiable information that is accessed through the APIs without that customer’s express permission; (iv) providing timeshare, service bureau, application service provider or similar services to any other third party; and (v) interfacing or connecting the Payflow Services, or the API License with any other computer software or system without the prior written approval of PayPal. PayPal shall have no responsibility or liability for the performance of the Payflow Services and Payflow Software, in the event that the Payflow Services or Payflow Software are not used in accordance with this Agreement or any instructions for use provided by PayPal.
10.1 Authority. Each party represents and warrants that (a) it has full power and authority to enter into and perform this Agreement; and (b) its execution and performance of this Agreement does not violate, conflict with, or result in a material default under any other contract or agreement to which it is a party, or by which it is bound.
10.2 Compliance with Laws. You represent and warrant that you shall comply with all applicable privacy, consumer and other laws and regulations with respect to (i) provision, use and disclosure of the Data; (ii) dealings with the users providing the Data; and (iii) use of the Payflow Services.
THE PAYFLOW SERVICES AND PAYFLOW SOFTWARE INCLUDING THE API LICENSE ARE PROVIDED HEREUNDER ON AN “AS IS” BASIS WITHOUT WARRANTY OF ANY KIND AND EXCEPT AS EXPRESSLY STATED HEREIN, PAYPAL DISCLAIMS ALL WARRANTIES AND CONDITIONS, EXPRESS, IMPLIED OR STATUTORY, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE WITH REGARDS TO THE PAYFLOW SERVICES AND PAYFLOW SOFTWARE. PAYPAL DOES NOT REPRESENT OR WARRANT THAT THE PAYFLOW SERVICES AND PAYFLOW SOFTWARE SHALL OPERATE SECURELY OR WITHOUT INTERRUPTION.
Merchant will defend, indemnify and hold harmless PayPal, its affiliates, and its officers, directors, employees, and agents from any loss, damage, liability, claim, demand or cost (including reasonable attorneys’ fees) (“Claim”) made or incurred by any third party due to or arising out of (i) your breach of this Agreement; (ii) (ii) the sale or use of any product or services sold by you; (iii) your use of the Payflow Services; or (iv) your negligence or misconduct
IN NO EVENT WILL PAYPAL'S LIABILITY ARISING OUT OF THIS AGREEMENT EXCEED THE FEES PAID TO PAYPAL BY MERCHANT OR BY PAYPAL’S AUTHORIZED RESELLER ON BEHALF OF MERCHANT HEREUNDER DURING THE 12 MONTH PERIOD IMMEDIATELY PRECEDING THE EVENT THAT GAVE RISE TO THE CLAIM FOR DAMAGES. IN NO EVENT WILL PAYPAL OR ITS LICENSORS HAVE ANY LIABILITY TO MERCHANT OR ANY OTHER PARTY FOR ANY LOST OPPORTUNITY OR PROFITS, COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR SPECIAL DAMAGES ARISING OUT OF THIS AGREEMENT, UNDER ANY CAUSE OF ACTION OR THEORY OF LIABILITY (INCLUDING NEGLIGENCE), AND WHETHER OR NOT PAYPAL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. THESE LIMITATIONS WILL APPLY NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY. The limitations set forth above shall be enforceable to the maximum extent allowed by applicable law.
14.1 Force Majeure. Neither Party shall be responsible for any failure to perform its obligations under this Agreement if such failure is caused by acts of God, war, strikes, revolutions, lack or failure of transportation facilities, laws or governmental regulations or other causes that are beyond the reasonable control of such Party. Obligations hereunder, however, shall in not be excused but shall be suspended only until the cessation of any cause of such failure.
14.2 Entire Agreement and Modification. This Agreement constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes any prior oral, written, or online agreements. The PayPal authorized reseller is not authorized to alter or amend the terms of this Agreement. Except as otherwise provided for herein, any waiver, modification, or amendment of any provision of this Agreement will be effective only if in writing and signed by the parties herein.
14.3 Severability. If any provision of this Agreement shall be held illegal or unenforceable, that provision shall be limited or eliminated to the minimum extent necessary so that this Agreement shall otherwise remain in full force and effect and enforceable.
14.4 Assignment; No Waiver. This Agreement binds and is for the benefit of the successors and permitted assigns of each Party. You may not assign this Agreement or any rights under it, in whole or in part, without PayPal’s prior written consent. Any attempt to assign this Agreement other than as permitted above will be null and void. Failure by either Party to enforce any provision of this Agreement will not be deemed a waiver of future enforcement of that or any other provision.
14.5 Governing Law and Jury Trial Waiver. This Agreement shall be governed by and construed in accordance with the laws of the State of California, U.S.A., except for its conflicts of laws principles. The Parties consent to the exclusive jurisdiction of, and venue in, the state and federal courts in Santa Clara County, California. PAYPAL AND MERCHANT IRREVOCABLY WAIVE ANY AND ALL RIGHTS THEY MAY HAVE TO A TRIAL BY JURY IN ANY JUDICIAL PROCEEDING INVOLVING ANY CLAIM RELATING TO OR ARISING UNDER THIS AGREEMENT.
14.6 Survival. Sections, which by their nature survive, shall survive any termination or expiration of this Agreement in accordance with their terms.
14.7 Export Restrictions. You agree that you shall not import, export, or re-export directly or indirectly, any commodity, including your products incorporating or using any PayPal products in violation of the laws and regulations of any applicable jurisdiction.
14.8 Notices. Except as otherwise expressly stated in this Agreement, all notices to PayPal shall be in writing and delivered, via courier or certified or registered mail, to General Counsel, 2211 North First Street, San Jose, CA 95131 or any other address provided by PayPal. All notices to you shall be delivered to your e-mail address as provided by you in your account information. Unless you choose to opt-out of receiving marketing notices, you authorize PayPal to notify you as our customer, via commercial e-mails, telephone calls and other means of communication, of information that we deem is of potential interest to you, including without limitation communications describing upgrades, new products and services or other information pertaining to the Payflow Services or other PayPal offerings relating to Internet security. Notwithstanding the above, you shall not have the right to opt-out of service or support notices relating to the Payflow Services, including without limitation, notices of service modifications, security, performance issues, or technical difficulties.
14.9 Headings. The section headings appearing in the Agreement are inserted only as a matter of convenience and in no way define, limit, construe or describe the scope or extent of such section or in any way affect such section.
14.10 Relationship of the Parties. The Parties are independent contractors and will have no power or authority to assume or create any obligation or responsibility on behalf of each other. This Agreement will not be construed to create or imply any partnership, agency, or joint venture.
14.11 Non-Disparagement; Publicity. During the term of the Agreement, neither party will disparage the other party or the other party's trademarks, web sites, products or services, or display any such items in a derogatory or negative manner on any web site or in any public forum or press release. All media releases, public announcements or public disclosures (including, but not limited to, promotional or marketing material) by either Party relating to this Agreement are prohibited without the prior written consent of both Parties.
14.12 Expenses. Except as otherwise specified herein or as otherwise mutually agreed upon by the Parties, each Party will bear its own costs of performing under this Agreement.
14.13 Government Use. If you are a branch or agency of the United States Government, the following provision applies. The software and any related documentation are comprised of "commercial computer software" and "commercial computer software documentation" as such terms are used in 48 C.F.R. 12.212 (SEPT 1995) and are provided to the Government (i) for acquisition by or on behalf of civilian agencies, consistent with the policy set forth in 48 C.F.R. 12.212; or (ii) for acquisition by or on behalf of units of the Department of Defense, consistent with the policies set forth in 48 C.F.R. 227.7202-1 (JUN 1995) and 227.7202-3 (JUN 1995).
If at any time you process directly with American Express, you acknowledge and agree to comply with the terms of this Section as applicable.
In no event shall PayPal be liable for Transaction processing and other services performed by American Express.
If at any time you purchase the Recurring Billing Services, you agree to comply with the following terms and conditions.
FRAUD PROTECTION SERVICES.
DATA PROTECTION SCHEDULE
This Data Proection Schedule applies only to the extent that PayPal acts as a processor or Sub-processor to Merchant.
Capitalized terms used but not defined in this Schedule shall have the meaning set out in the Agreement.
1 DEFINITIONS AND INTERPRETATION
1.1 The following terms have the following meanings when used in this Schedule:
"Card Information" is defined in Section 2.15 of this Schedule.
"Customer" means a European Union customer of Merchant who uses the PayPal services and for the purposes of this Schedule, is a data subject.
"Customer Data" means the personal data that the Customer provides to Merchant and Merchant passes on to PayPal through the use by the Merchant of the PayPal services.
"data controller" (or simply "controller") and "data processor" (or simply "processor") and "data subject" have the meanings given to those terms under the Data Protection Laws.
"Data Protection Laws" means General Data Protection Regulation (EU) 2016/679 (GDPR) and any associated regulations or instruments and any other data protection laws, regulations, regulatory requirements and codes of conduct of EU Member States applicable to PayPal's provision of the PayPal services.
"Data Recipient" is defined in Section 2.15 of this Schedule.
"PayPal Group" means PayPal and all companies in which PayPal or its successor directly or indirectly from time to time owns or controls.
"personal data" has the meaning given to it in the Data Protection Laws.
"processing" has the meaning given to it in the Data Protection Laws and "process", "processes" and "processed" will be interpreted accordingly.
"Sub-processor" means any processor engaged by PayPal and/or its affiliates in the processing of personal data.
1.2 Schedule. This comprises (i) sections 1 to 2, being the main body of the schedule; (ii) Attachment 1; (iii) Attachment 2; and (iv) Attachment 3 (with its appendixes).
2 PROCESSING OF PERSONAL DATA IN CONNECTION WITH THE SERVICES
2.1 Merchant data controller. With regard to any Customer Data to be processed by PayPal in connection with this Agreement, Merchant will be a controller and PayPal will be a processor in respect of such processing. Merchant will be solely responsible for determining the purposes for which and the manner in which Customer Data are, or are to be, processed.
2.2 Merchant written instructions. PayPal shall only process Customer Data on behalf of and in accordance with Merchant’s written instructions. The Parties agree that this Schedule is Merchant's complete and final written instruction to PayPal in relation to Customer Data. Additional instructions outside the scope of this Schedule (if any) require prior written agreement between PayPal and Merchant, including agreement of any additional fees payable by Merchant to PayPal for carrying out such additional instructions. Merchant shall ensure that its instructions comply with all applicable laws, including Data Protection Laws, and that the processing of Customer Data in accordance with Merchant's instructions will not cause PayPal to be in breach of Data Protection Laws. The provisions of this Section are subject to the provisions of Section 2.14 on Security. Merchant hereby instructs PayPal to process Customer Data for the following purposes:
2.2.1 as reasonably necessary to provide the PayPal services to Merchant and its Customer;
2.2.2 after anonymizing the Customer Data, to use that anonymized Customer Data, directly or indirectly, which is no longer identifiable personal data, for any purpose whatsoever.
2.3 PayPal cooperation. In relation to Customer Data processed by PayPal under this Agreement, PayPal shall co-operate with Merchant to the extent reasonably necessary to enable Merchant to adequately discharge its responsibility as a controller under Data Protection Laws, including without limitation as Merchant requires in relation to:
2.3.1. assisting Merchant in the preparation of data protection impact assessments to the extent required of Merchant under Data Protection Laws; and
2.3.2 responding to binding requests from data protection authorities for the disclosure of Customer Data as required by applicable laws.
2.4 Scope and Details of Customer Data processed by PayPal. The objective of processing Customer Data by PayPal is the performance of the PayPal services pursuant to the Agreement. PayPal shall process the Customer Data in accordance with the specified duration, purpose, type and categories of data subjects as set out in Attachment 2 (Data Processing of Customer Data).
2.5 Compliance with Laws. The Parties will at all times comply with Data Protection Laws.
2.6 Correction, Blocking and Deletion. To the extent Merchant, in its use of the PayPal services, does not have the ability to correct, amend, block or delete Customer Data, as required by Data Protection Laws, PayPal shall comply with any commercially reasonable request by Merchant to facilitate such actions to the extent PayPal is legally permitted to do so. To the extent legally permitted, Merchant shall be responsible for any costs arising from PayPal’s provision of such assistance.
2.7 Data Subject Requests. PayPal shall, to the extent legally permitted, promptly notify Merchant if it receives a request from a Customer for access to, correction, amendment or deletion of that Customer’s personal data. Merchant shall be responsible for responding to all such requests. If legally permitted, PayPal shall provide Merchant with commercially reasonable cooperation and assistance regarding such Customer's request and Merchant shall be responsible for any costs arising from PayPal’s assistance.
2.8 Training. PayPal undertakes to provide training as necessary from time to time to the PayPal personnel with respect to PayPal's obligations in this Schedule to ensure that the PayPal personnel are aware of and comply with such obligations.
2.9 Limitation of Access. PayPal shall ensure that access by PayPal's personnel to Customer Data is limited to those personnel performing PayPal services in accordance with the Agreement.
2.10 Sub-processors. Merchant specifically authorizes the engagement of members of the PayPal Group as Sub-processors in connection with the provision of the PayPal services. In addition, Merchant generally authorizes the engagement of any other third parties as Sub-processors in connection with the provision of the PayPal services. When engaging any Sub-processor, PayPal will execute a written contract with the Sub-processor, which contains terms for the protection of Customer Data which are no less protective than the terms set out in this Schedule PayPal shall make available to Merchant a current list of Sub-processors for the respective PayPal services with the identities of those Sub-processors.
2.12 Security. PayPal shall, as a minimum, implement and maintain appropriate technical and organizational measures as described in Attachment 1 to this Schedule to keep Customer Data secure and protect it against unauthorized or unlawful processing and accidental loss, destruction or damage in relation to the provision of the PayPal services. Since PayPal provides the PayPal services to all Merchants uniformly via a hosted, web-based application, all appropriate and then-current technical and organizational measures apply to PayPal’s entire customer base hosted out of the same data center and subscribed to the same service. Merchant understands and agrees that the technical and organizational measures are subject to technical progress and development. In that regard, PayPal is expressly permitted to implement adequate alternative measures as long as the security level of the measures is maintained in relation to the provision of the PayPal services.
2.13 Security Incident Notification. If PayPal becomes aware of a Security Incident in connection with the processing of Customer Data, PayPal will, in accordance with Data Protection Laws: (a) notify Merchant of the Security Incident promptly and without undue delay; (b) promptly take reasonable steps to minimize harm and secure Customer Data; (c) describe, to the extent possible, reasonable details of the Security Incident, including steps taken to mitigate the potential risks; and (d) deliver its notification to Merchant's administrators by any means PayPal selects, including via email. Merchant is solely responsible for maintaining accurate contact information and ensuring that any contact information is current and valid.
2.14 Deletion. Upon termination or expiry of the Agreement, PayPal will delete or return to Merchant all Customer Data processed on behalf of the Merchant, and PayPal shall delete existing copies of such Customer Data except where necessary to retain such Customer Data strictly for the purposes of compliance with applicable law.
2.15 Data Portability. Upon any termination or expiry of this Agreement, PayPal agrees, upon written request from Merchant, to provide Merchant’s new acquiring bank or payment service provider (“Data Recipient”) with any available credit card information including personal data relating to Merchant’s Customers (“Card Information”). In order to do so, Merchant must provide PayPal with all requested information including proof that the Data Recipient is in compliance with the Association PCI-DSS Requirements and is level 1 PCI compliant. PayPal agrees to transfer the Card Information to the Data Recipient so long as the following applies: (a) Merchant provides PayPal with proof that the Data Recipient is in compliance with the Association PCI-DSS Requirements (Level 1 PCI compliant) by providing PayPal a certificate or report on compliance with the Association PCI-DSS Requirements from a qualified provider and any other information reasonably requested by PayPal; (b) the transfer of such Card Information is compliant with the latest version of the Association PCI-DSS Requirements; and (c) the transfer of such Card Information is allowed under the applicable Association Rules, and any applicable laws, rules or regulations (including Data Protection Laws).
Technical and Organizational Measures
The following technical and organizational measures will be implemented:
Data Processing of Customer Data
Categories of data subjects
Customer Data – The personal data that the Customer provides to Merchant and Merchant passes on to PayPal through the use by the Customer of the PayPal services.
Subject-matter of the processing
The payment processing services offered by PayPal which provides Merchant with the ability to accept credit cards, debit cards, and other payment methods on a website or mobile application from Customers.
Nature and purpose of the processing
PayPal processes Customer Data that is sent by the Merchant to PayPal for purposes of obtaining verification or authorization of the Customer’s payment method as payment to the Merchant for the sale goods or services.
Type of personal data
Customer Data – Merchant shall inform PayPal of the type of Customer Data PayPal is required to process under this Agreement. Should there be any changes to the type of Customer Data PayPal is required to process then Merchant shall notify PayPal immediately. PayPal processes the following Customer Data, as may be provided by the Merchant to PayPal from time to time:
|Payflow Link||Payflow Pro|
|Date of birth||X||X|
|Government ID number||X||X|
|Bank account number and bank routing number||X||X|
|Financial account number||X||X|
|Card or payment instrument type||X||X|
|Card Primary Account Number (PAN) or Device-specific Primary Account||X||X|
|Card Verification Value (CVV)||X||X|
|Card expiration date||X||X|
|Business tax ID||X||X|
Special categories of data (if relevant)
The transfer of special categories of data is not anticipated.
Duration of Processing
The term of the Agreement.