This Advanced Credit and Debit Card Payments and Virtual Terminal
agreement (“ACP/VT Agreement”) is a contract between you
(the “Merchant”) and PayPal, Inc. (“PayPal”, “we”,
“us”, or “our”), and applies to your use of advanced credit and debit card payments
(“ACP”), and your use of Virtual Terminal (“VT”) when you’ve
integrated ACP (collectively, the “Products”). Each of the Products
includes the PayPal services listed in this ACP/VT Agreement and as described more fully on our website. You
must read, agree with and accept all of the terms and conditions contained in this ACP/VT Agreement. By
using any of the Products, you agree to comply with all of the terms and conditions in this ACP/VT
Agreement, so please read all of the terms and conditions carefully.
This ACP/VT Agreement applies in addition to the PayPal User Agreement and any other agreement you
have entered into with PayPal (collectively “PayPal Agreements”) to your
use of the PayPal services through the Products. If any inconsistency exists between the terms of the PayPal
User Agreement and this ACP/VT Agreement then, except for Express Checkout, the terms of this ACP/VT
Agreement shall control in connection with your use of the PayPal services through any Product. The terms of
the PayPal User Agreement shall control for any inconsistency for Express Checkout.
We may revise this ACP/VT Agreement and any applicable policies from time to time. The revised version will
be effective at the time we post it unless otherwise noted. If our changes reduce your rights or increase
your responsibilities, we will post a notice on the Policy
Updates page of our website and provide you with the same length of advance notice
as set forth in the PayPal User
Agreement. By continuing to use our services after any changes to this ACP/VT
Agreement, you agree to abide and be bound by those changes. If you do not agree with any changes to this
ACP/VT Agreement, you may terminate your use of the PayPal services through the Products before such changes
1. Credit Report Authorization.
You understand and agree that you are providing PayPal with your “written instructions” in
accordance with the Fair Credit Reporting Act, and you are authorizing and acknowledge that PayPal may
obtain your personal credit report from a credit bureau for the purpose of your use of these Products and
PayPal services. You further understand and agree that you are authorizing PayPal to obtain your credit
report on an ongoing basis for account review purposes.
2. Fees and Payment Terms.
a. Fees. The fees you pay for use of ACP and VT can be found on the Standard Transaction
Fees table and are the same as described for PayPal Payments Pro and Virtual
Terminal Fees; provided, however, there are no monthly fees for use of ACP or use of VT if you have
integrated with ACP. All fees are in United States (“U.S.”) Dollars unless otherwise stated. The fees associated with any
Express Checkout transaction submitted by you via any Product are set forth in the PayPal User Agreement. If
there are any applicable monthly fees for the Products they will be charged in advance. For fees charged per
transaction, the fee amount will be deducted from the transaction amount at the time of the
transaction. You are liable for all claims, expenses, fines, and liability PayPal incurs arising out
of your use of the Products. All fees are non-refundable.
b. Promotional Period. If you have signed up for the PayPal services pursuant to a
promotional period, you agree to pay any applicable monthly fee upon the expiration of a promotional period
offered by PayPal.
c. Failure to Use Express Checkout. If you fail to comply with the requirement to use
Express Checkout described in Section 8, you may be subject to up to a 1% fee increase to your then current
Transaction Fee rate. This fee may be included in your initial rate when you first sign up for the PayPal
services, or may be added at any time by PayPal with 30 days' prior written notice of the fee increase.
You agree to terminate your use of the PayPal services if you do not agree to this fee.
d. Risk Factors Fee. If PayPal determines that your PayPal account receives, or is likely to
receive, a disproportionately high number of customer complaints, Reversals, chargebacks, disputes, claims,
fees, fines, penalties or other liability (collectively “Risk Factors”), you may be subject to
up to a 5% fee increase above your then current Transaction Fee rate. This fee may be added to your initial
rate when you first sign up for the PayPal services, or may be added at any time by PayPal with 30 days'
prior notice of the fee increase. You agree to terminate your use of the PayPal services if you do not agree
to this Fee.
e. Processing Requirements. You agree to submit only transactions for processing which
represent a bona fide, permissible transaction free of liens, claims, and encumbrances other than ordinary
sales taxes; as outlined in this ACP/VT Agreement and in the Card Company Rules, or which accurately
describe the product or services being sold or the charitable donations being made. You authorize
PayPal to submit transactions to and receive settlement from American Express and to disclose transaction
and merchant information to American Express to perform analytics and create reports, and for any other
lawful business purposes, including commercial marketing communications purposes and important transactional
or relationship communications. You also agree to ensure data quality and that any Data is processed
promptly, accurately and completely, and complies with the Card Companies’ technical
specifications. You agree not to process transactions or receive payments on behalf of any other party
or redirect payments to any other party. You agree not to bill or collect from any cardholder for any
purchase or payment on the card unless you have the right to do so under the Card Company Rules.
3. Data Security; Data Protection; Data Portability.
a. General. You are fully responsible for the security of data on your website or otherwise in
your possession or control. You agree to comply with all applicable laws and rules in connection with your
collection, security and dissemination of any personal, financial, Card, or transaction information (defined
as “Data”) on your website. You must report any Data breach or
incident to PayPal and the Card Companies immediately after discovery of the incident.
b. Merchant PCI Compliance. You agree that at all times you shall be compliant with the Payment
Card Industry Data Security Standards (PCI DSS), the Payment Application Data Security Standards (PA DSS),
and any Card Company data security requirements, as applicable. You agree to promptly provide us with
documentation evidencing your compliance with PCI DSS, PA DSS, or other Card Company data security
requirements, if requested by us. You also agree that you will use only PCI compliant service providers in
connection with the storage, or transmission of Card Data defined as a cardholder’s account number,
expiration date, and CVV2. You must not store CVV2 data at any time.
If you are accessing the Products through a platform service partner, you acknowledge that your platform
service partner may offer solutions that help you comply with certain of these Merchant PCI compliance
standards. While the platform service partner may help you comply or perform certain obligations on your
behalf, you remain liable for compliance with these Merchant PCI Compliance standards.
c. PayPal PCI Compliance. PayPal agrees that it shall comply with the applicable PCI DSS
requirements, as such may be amended from time to time, with respect to all cardholder data received by it
in connection with this ACP/VT Agreement. PayPal acknowledges that it is responsible for the security
of cardholder data it possesses or otherwise stores, processes or transmits on behalf of the Merchant, or to
the extent that they could impact the security of the Merchant's cardholder data environment.
d. Data Usage. Unless you receive the express consent of your customer, you may not retain,
track, monitor, store or otherwise use Data beyond the scope of the specific transaction. Further, unless
you get the express written consent of PayPal and each Acquiring Bank and/or the Card Companies, as
applicable, you agree that you will not use nor disclose the Card Data for any purpose other than to support
payment for your goods and services. Card Data must be completely removed from your systems, and any other
place where you store Card Data, within 24 hours after you receive an authorization decision unless you have
received the express consent of your customer to retain the Card Data for the sole purpose of processing
recurring payments. To the extent that Card Data resides on your systems and other storage locations, it
should do so only for the express purpose of processing your transactions. All Data and other information
provided to you by PayPal in relationship to the PayPal services and all Card Data will remain the property
of PayPal, its Acquiring Bank or the Card Companies, as appropriate.
If you are using ACP and VT for payments received through a partner platform service provider, you may not be
receiving Card Data, but may receive other confidential information about another PayPal customer in order
to fulfill the transaction and you will continue to be bound by the terms of our User Agreement.
e. Password Security. You agree to restrict use and access to your password and log-on ID to your
employees and agents as may be reasonably necessary, and will ensure that each such employee or agent
complies with the terms of this ACP/VT Agreement. You will not give, transfer, assign, sell, resell or
otherwise dispose of the information and materials provided to you to utilize the PayPal services. You are
solely responsible for maintaining adequate security and control of any and all IDs, passwords, or any other
codes that are issued to you by PayPal, each Acquiring Bank or the Card Companies.
f. Audit. If PayPal believes that a security breach or compromise of Data has occurred,
PayPal may require you to have a third-party auditor that is approved by PayPal conduct a security audit of
your systems and facilities and issue a report to be provided to PayPal, the Acquiring Banks and the Card
Companies. In the event that you fail to initiate an audit within 10 business days of PayPal's request,
PayPal may conduct or obtain such an audit at your expense. In addition, the Card Companies may
conduct an audit at any time, for the purpose of determining compliance with the Card Company Rules.
g. Compliance with Data Protection Schedule. You (as a “Merchant”) and we agree to comply with
Schedule 1 below, which forms part of this ACP/VT Agreement. The terms of the Data Protection Schedule
prevail over any conflicting terms in this ACP/VT Agreement relating to data protection and privacy.
Data Portability. Upon any termination or expiration of this ACP/VT Agreement, PayPal agrees, upon your
written request, to provide your new acquiring bank or payment service provider (“Data Recipient”) with any
available credit card information including personal data relating to your Customers (“Card Information”). In
order to do so, you must provide PayPal with all requested information including proof that the Data Recipient
is in compliance with the Association PCI-DSS Requirements and is level 1 PCI compliant. PayPal agrees to
transfer the Card Information to the Data Recipient so long as the following applies: (a) you provide PayPal
with proof that the Data Recipient is in compliance with the Association PCI-DSS Requirements (Level 1 PCI
compliant) by providing PayPal a certificate or report on compliance with the Association PCI-DSS Requirements
from a qualified provider and any other information reasonably requested by PayPal; (b) the transfer of such
Card Information is compliant with the latest version of the Association PCI-DSS Requirements; and (c) the
transfer of such Card Information is allowed under the applicable Association Rules, and any applicable laws,
rules or regulations (including data protection laws).
4. Additional Terms for American Express Card Acceptance.
a. American Express may use the information obtained in your application at the time of setup to screen
and/or monitor you in connection with Card marketing and administrative purposes.
b. You may be converted from this ACP/VT Agreement to a direct card acceptance agreement with American
Express if you reach certain monthly sales volumes. Upon conversion, (i) you will be bound by
American Express' then-current Card Acceptance Agreement; and (ii) American Express will set your
pricing and other fees for American Express Card acceptance.
c. By accepting these terms, you agree to receive commercial marketing communications from American Express.
You may opt out by contacting PayPal at (888) 221-1161.
d. American Express shall be a third-party beneficiary of this ACP/VT Agreement for purposes of American
Express Card acceptance. As a third-party beneficiary, American Express shall have the right to
enforce directly against you the terms of this ACP/VT Agreement as related to American Express Card
acceptance. You acknowledge and agree that American Express shall have no responsibility or liability
with regard to PayPal’s obligations to you under this ACP/VT Agreement.
5. Dynamic Currency Conversion.
You may not perform dynamic currency conversion. This means that you may not list an item in one currency and
then accept payment in a different currency. If you are accepting payments in more than one currency, you
must separately list the price of each product or service in each currency.
6. Brand Parity.
By using the Products, PayPal permits you to directly accept Cards. With regard to your Card acceptance, you
agree to the following:
a. Where you accept Cards on your website, you will display each Card's logo with equal size and
prominence, and you shall not display a preference for, nor discriminate against, one Card over another,
including your refund policies for purchases.
b. You agree to comply with the logo usage standards located at: https://www.paypal.com/cgi-bin/webscr?cmd=xpt/general/OnlineLogoCenter-outside.
c. You authorize PayPal to provide information regarding your business and individual Card transactions to
third-parties for the purpose of facilitating the acceptance and settlement of your Card transactions and in
connection with items, including chargebacks, refunds, disputes, adjustments, and other inquiries.
7. Card Not Present.
You acknowledge that PayPal routes and processes transactions, as appropriate, through the Products via the relevant Card Companies as remote (card not present) payments. If you accept a Card that is physically presented to you at the point of sale you acknowledge that the scope of your protection from chargebacks will be limited to the protection that is available for remote payments.
8. Required Use of Express Checkout, PayPal Credit
a. If you use ACP you must use Express Checkout in the following manner:
1. You must include a PayPal Express Checkout button either: (i) before
you request the shipping/billing address and other financial information from your customers or (ii) on the
same page that you collect such information if you only use one page for your checkout process.
2. You must offer PayPal as a payment option together with the other
payment options you offer. The PayPal acceptance mark must be displayed with equal prominence to the logos
for your other payment options. You shall not discriminate against PayPal, nor discourage its use, as a
payment option over any other payment option offered by you.
3. You must provide your customers with the option of not storing their
personal information, including their email address, shipping/billing address, and financial information.
b. If you use ACP you must offer PayPal Credit as a payment option on your hosted checkout page as
automatically enabled by PayPal. Any offers associated with PayPal Credit that you present outside of the
hosted checkout page must be displayed in the manner prescribed and instructed by PayPal and approved by
PayPal prior to posting.
9. Fraud Protection
a. General. PayPal’s Fraud Protection may be made available to you as a fraudulent
transaction management tool to help you screen potentially fraudulent transactions based on the settings you
may adopt. The tool allows you to set filter rules, i.e., to instruct PayPal which
transactions we will decline on your behalf based on abstract criteria.
We may provide suggestions or recommendations regarding what filters and settings to use that may be
appropriate for your business. These suggestions take into account your profile and past transaction
If you are provided access to Fraud Protection, then it is your responsibility to set the filter rules.
Please note: If you set these filter rules too restrictively, you might lose sales volume. We advise you to
monitor your filter rules and settings on an ongoing basis.
b. No Warranty or Limitation of Liability. We do not represent or warrant that Fraud Protection
is error-free or that it will identify all potentially fraudulent transaction activity. PayPal shall
not be liable for your losses (such as loss of profits) or damages. The sections of the PayPal User
Agreement on “Indemnification and Limitation of Liability” and “Disclaimer of Warranty and
Release” apply to your use of Fraud Protection.
c. Data Protection. You may only use Fraud Protection for the purpose of your management of fraud
risk and for no other purpose. You acknowledge that Fraud Protection does not provide Consumer
Reports under the Fair Credit Reporting Act, and you will not use it, or let any other person use
it, for the determination of eligibility for personal, family or household credit, loan,
employment, or other purpose that would make the results from Fraud Protection be deemed Consumer Reports
under the Fair Credit Reporting Act. You may not share use of Fraud Protection
with any other person, nor may you disclose to any person the categories provided in Fraud Protection or the
results generated from your use of Fraud Protection.
d. These terms supplement the PayPal User
Agreement that governs your use of PayPal’s services in general.
PayPal reserves the right to suspend, change or cancel PayPal’s Fraud Protection at any time as it may
determine in its sole discretion. PayPal reserves the right to add additional terms and conditions for
continued use of Fraud Protection.
10. No Warranty.
THE PRODUCTS AND THE PAYPAL SERVICES AND ALL ACCOMPANYING DOCUMENTATION ARE PROVIDED TO YOU ON AN “AS
IS” BASIS WITHOUT ANY WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION ANY
WARRANTIES OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. PAYPAL MAKES NO
WARRANTY THAT THE PAYPAL SERVICES WILL BE CONTINUOUS OR ERROR-FREE. PayPal does not guarantee, represent or
warrant that the PayPal services and related features that enable you to detect or minimize fraudulent
transactions will discover or prevent all non-valid or fraudulent transactions. PayPal is not responsible
for any non-valid or fraudulent transactions that are processed.
11. Reserves and other Protective Actions.
If, in our sole discretion, we believe there may be a high level of risk associated with you, your PayPal
account, your business model, or your transactions we may take certain actions in connection with your
Account and/or your use of the PayPal services.
a. Reserves. PayPal, in its sole discretion, may place a Reserve on funds held in your PayPal
account when PayPal believes there may be a high level of risk associated with your Account. If PayPal
places a Reserve on funds in your PayPal account, they will be shown as “pending” in your PayPal
Balance. If your PayPal account is subject to a Reserve, PayPal will provide you with notice specifying the
terms of the reserve. The terms may require that a certain percentage of the amounts received into your
PayPal account are held for a certain period of time, or that a certain amount of money is held in reserve.
PayPal may change the terms of the Reserve at any time by providing you with notice of the new terms.
b. Additional Actions. We may take other actions we determine are necessary to protect against
the risk associated with your PayPal account including requesting additional collateral from you such as a
letter of credit or a personal guarantee. PayPal may contact your customers, on your behalf, in the event
that PayPal is investigating potential fraud.
c. Information. In order to determine the risk associated with your PayPal account, PayPal may
request at any time, and you agree to provide, any information about your business, operations or financial
condition. We reserve the right to reassess your eligibility for any Product if your business is materially
different from the information you provided in your application.
a. By Merchant. You may terminate your use of the PayPal services at any time. Merchant may
terminate its acceptance of American Express at any time upon notice.
b. By PayPal. PayPal may terminate your use of the PayPal services if:
1. You fail to comply with the terms of, or are unable to pay or perform your
obligations under, this ACP/VT Agreement or any of the PayPal Agreements that apply to the PayPal services;
2. We decide, in our discretion, that you become ineligible for the PayPal
services because there is a high level of risk associated with your PayPal account or for any other reason,
or upon request by any Acquiring Bank or any of the Card Companies.
3. You violate any Card Company Rule as they may be amended by the Card Companies
from time to time.
c. Effect of Termination. If your use of any Product is terminated, your use of the PayPal
services associated with that Product will immediately end. You agree to complete all pending Card
transactions, immediately remove all logos for Cards, and stop accepting new transactions through the
Product. If your use of any Product is terminated, you will not be refunded the remainder of any applicable
Monthly Fees that you have paid for such Product.
13. PayPal is Your Agent for Receiving Payment.
You represent and warrant to PayPal that each transaction that you process through the ACP or VT services is
solely in payment for your provision of bona fide goods and/or services to your customers (each, a
“Payor”). You hereby designate PayPal, and PayPal hereby agrees to serve, as your limited agent
for the sole purpose of receiving such payments on your behalf from your Payors. You agree that upon PayPal
receiving payment from a Payor: (a) you shall be deemed to have received payment from such Payor, (b) such
Payor’s obligation to you in connection with such payment shall be satisfied in full, (c) any claim
you have for such payment against such Payor shall be extinguished and (d) you are obligated to deliver the
applicable goods and/or services to the Payor, in each case regardless of whether or when PayPal remits such
payment to you. PayPal will remit to you in accordance with this ACP/VT Agreement or apply as an offset to
any obligation you may have to PayPal, any such payments it receives on your behalf. Any receipt provided to
the Payor shall be binding on you and shall satisfy all applicable regulatory requirements. This paragraph
states the entirety of PayPal’s duties as your agent for receipt of payment, and no other duties shall
be implied by PayPal’s undertaking to act in that capacity.
a. Law and Forum for Disputes. Except as otherwise agreed by the parties or as described in the
PayPal User Agreement, you agree that any claim or dispute you may have against PayPal must be resolved by a
court located in either Santa Clara County, California, or Omaha, Nebraska. You agree to submit to the
personal jurisdiction of the courts located within Santa Clara County, California, or Omaha, Nebraska for
the purpose of litigating all such claims or disputes. This ACP/VT Agreement shall be governed in all
respects by the laws of the State of California, without regard to conflict of law provisions.
b. Indemnification. You agree to defend, indemnify and hold PayPal, its parent, officers,
directors and employees harmless from any claim or demand (including attorneys’ fees) made or incurred
by any third-party due to or arising (i) out of your breach of this ACP/VT Agreement; (ii) your use of the
Products or the PayPal services accessed through the Products; (iii) your fraudulent transaction or data
c. No Waiver. Our failure to act with respect to a breach by you or others does not waive
our right to act with respect to subsequent or similar breaches.
d. Compliance with Laws. You agree to comply with all applicable laws, rules, or
regulations, including the Card Company Rules.
e. Complete Agreement. This ACP/VT Agreement, along with the PayPal User Agreement and any
applicable policies and agreements on the Legal Agreements page on the PayPal website, sets
forth the entire understanding between you and PayPal with respect to your use of the Products and the
PayPal services accessed through the Products. If any provision of this ACP/VT Agreement is held to be
invalid or unenforceable, such provision shall be struck and the remaining provisions shall be enforced. In
addition, your acceptance of Card transactions via a Product is also subject to a Commercial Entity
Agreement you have with each of the Acquiring Banks.
“Acquiring Bank” means each of the financial institutions PayPal partners
with to process your Card payments, including your Direct Payments and VT Payments, and each of your Card
funded Express Checkout payments, and with whom you entered into a Commercial Entity Agreement.
“American Express” means American Express Travel Related Services Company,
Inc. and its affiliates.
“API” means PayPal’s
proprietary application programming interfaces used to interface with the PayPal systems in order to use
certain PayPal services.
“Card Companies” means a company or group of financial institutions that promulgate rules to govern Card Transactions via bankcard and payment networks including, but not limited to, MasterCard, Visa, Discover, American Express, Star, Nyce, Pulse, and Accel.
“Card Company Rules” means the rules and regulations governing acceptance
of Cards. Rules are available for Visa, MasterCard, American
Express, and Discover online (and for Star, Nyce, Pulse, and Accel upon request), each as updated from time to time.
“Cards” means payment cards branded with the logos of Visa, MasterCard, American Express, Discover, Star, Nyce, Pulse, and Accel.
“CVV2 Data” means the three or four digit number printed to the right of
the Card number in the signature panel on the back of the Card. On American Express Cards, it is printed on
the front of the Card above the Card number.
“Data” has the meaning provided in Section 3(a).
“Direct Payment” means a payment processed by PayPal through the Direct
Payment API that is funded directly by a Card and not through a PayPal account.
“Express Checkout” means the PayPal service where PayPal is a payment
option on a merchant’s website at checkout, with payments being processed by PayPal through the
Express Checkout API and funded directly from a User’s PayPal account.
“Fixed Fee” means the portion of the Transaction Fees that is a fixed
monetary amount and not a percentage of the payment amount.
“Fraud Protection” means the optional service associated with ACP, that
allows you to access additional risk management features to help protect you from fraud and chargebacks, as
described in more detail on the PayPal website.
“Monthly Sales Volume” means the total payment volume processed by you
through any Product using any payment method.
“PayPal Agreements” has the meaning provided in the second
paragraph of this ACP/VT Agreement.
“PayPal Credit” means the open-end, consumer credit account issued by
Synchrony Bank. It is available to U.S. consumers who are of legal age in their state of residence and is
subject to credit approval.
“PayPal User Agreement” means the online agreement you entered into with PayPal
when you opened your PayPal account, as it may have been amended from time to time. The PayPal User
Agreement currently in effect can be accessed via the Legal Agreements link in the footer of nearly every
page on the PayPal website.
“Products” has the meaning provided in the first paragraph of this ACP/VT
“ACP/VT Agreement” has the meaning provided in the first paragraph of this
“Recurring Payments” means the optional feature associated with ACP and VT
that, with the consent of your customer, enables you to set up payments that recur at specified intervals
and frequencies, as described in more detail on the PayPal website.
“Transaction Fees” means the fees provided in Section 2(b) of this ACP/VT
Agreement. Note, if you use certain optional PayPal services, certain additional fees may apply to your
transactions on a per transaction basis, as outlined in Section 2(c); however, these are not included in
“Virtual Terminal” or “VT” means the PayPal service that
enables you to receive a Card payment by manually entering Card Data given to you by a customer.
“VT Payment” means a payment processed by PayPal through the Virtual
Terminal flows that is funded directly by a Card and not through a PayPal account.
DATA PROTECTION SCHEDULE
This Data Protection Schedule applies only to the extent that PayPal acts as a Service Provider to you.
Capitalized terms used but not defined in this Schedule shall have the meaning set out in the Agreement.
1 DEFINITIONS AND INTERPRETATION; SCHEDULE COMPOSITION
1.1 Definitions and Interpretation. The following terms have the following meanings when used in this Schedule:
“Customer” means your customers who use the PayPal services in the United States and, for the purposes of this Schedule, are data subjects.
“Customer Data” means the Personal Data that the Customer provides to you and you pass on to PayPal through the use by you of the PayPal services.
“Data Protection Laws” means any data protection laws, regulations, and regulatory requirements applicable to PayPal’s provisions of the PayPal services, including without limitation, the California Consumer Privacy Act of 2018 (CCPA), including any implementing regulations issued by the California Attorney General.
“Personal Data” means any information relating to an identified or identifiable natural person (a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
"process", "processes", and "processed" means any operation or set of operations performed upon Personal Data, including collection, recording, retention, sharing, organization, storage, access, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, making available, alignment, combination, blocking, deleting, erasure, or destruction.
“Security Incident” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data on systems managed by or otherwise controlled by PayPal.
“Service Provider” shall have the meaning set forth in the CCPA.
1.2 Schedule Composition. This Schedule 1 is comprised of (i) sections 1 to 2, being the main body of the schedule and (ii) Attachment 1.
2 PROCESSING OF PERSONAL DATA IN CONNECTION WITH THE SERVICES
2.1 PayPal as a Service Provider.
2.1.1 PayPal is your Service Provider with respect to Customer Data, including the Personal Data of Customers and other natural persons, households, and entities only for the purposes specified in the Agreement. You agree to provide to PayPal only the Customer Data that is necessary for PayPal to provide the payment processing services. The parties acknowledge and agree that PayPal is permitted to use, reproduce and process Customer Data and payment transaction data for the following limited purposes:
- as reasonably necessary to provide and improve the payment processing services to you and your customers, including fraud protection tools;
- to monitor, prevent, and detect fraudulent payment transactions, and to prevent harm to you, PayPal, and to third parties;
- to comply with legal or regulatory obligations applicable to the Processing and retention of payment data to which PayPal is subject, including applicable anti-money laundering and identity verification obligations;
- to analyze, develop and improve PayPal’s products and services;
- internal usage, including but not limited to, data analytics and metrics;
- to compile and disclose Customer Data and payment transaction data in the aggregate where your individual or user Personal Data is not identifiable, including calculating your averages by region or industry;
- complying with applicable legal requirements and assisting law enforcement agencies by responding to requests for the disclosure of information in accordance with laws; and
- any other purpose that PayPal notifies you and in accordance with Data Protection Laws.
2.1.2 PayPal shall comply with the requirements of the Data Protection Laws with respect to the use of Personal Data under this Agreement and shall not knowingly do anything or knowingly permit anything to be done with respect to the Personal Data which might lead to a breach by you of the Data Protection Laws.
2.1.3 With regard to any Customer Data to be processed by PayPal in connection with this Agreement, you will be solely responsible for determining the purposes for which and the manner in which Customer Data are, or are to be, processed.
2.1.4 The Parties acknowledge and agree that valuable consideration, monetary or otherwise, is being provided for the payment processing services being rendered by PayPal and not in exchange for you providing Personal Data in connection with the payment processing services.
2.1.5 Unless otherwise required or authorized by law and subject to any applicable exceptions, limitations, exemptions, and/or exclusions set forth in the CCPA or applicable Data Protection Laws, PayPal is prohibited from collecting, retaining, using, selling or disclosing Personal Information except as necessary for the purpose of performing the payment processing services specified in the Agreement between the parties.
2.2 Customer Requests. PayPal shall, to the extent legally permitted, promptly notify you in the event PayPal receives a request from a Customer for access to, or correction, amendment, or deletion of, that Customer’s Personal Data. PayPal shall not respond to any such Customer request without your prior written consent except to confirm that the request relates to you and you hereby consent to such communication with your Customer by PayPal. PayPal shall provide you with commercially reasonable cooperation and assistance in relation to the handling of a Customer’s request for access to that Customer’s Personal Data, provided that such cooperation and assistance is legally permitted and to the extent you do not have access to such Customer Data through your use of the payment processing services. PayPal and you acknowledge and agree that PayPal is authorized under applicable law to retain and process such Customer Data pursuant to applicable law, including, without limitation, any applicable exceptions, limitations, exemptions, and/or exclusions set forth in the CCPA (including without limitation, those exceptions, limitations, exemptions and/or exclusions set forth in California Civil Code § 1798.145).
2.3 PayPal Personnel. PayPal shall ensure that its personnel engaged in the processing of Customer Data are informed of the confidential nature of the Customer Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Such confidentiality obligations shall survive the termination of the applicable personnel’s engagement. PayPal undertakes to provide its personnel with training as necessary from time to time with respect to PayPal's obligations in this Addendum so that PayPal personnel are aware of, and comply with, such obligations. Access by PayPal's personnel to Customer Data is limited to those personnel performing payment processing services in accordance with the Agreement.
2.4 Technical and Organizational Measures. PayPal shall, as a minimum, implement and maintain appropriate technical and organizational measures as described in Attachment 1 to this Addendum to keep Customer Data secure and to protect it against unauthorized or unlawful processing and accidental loss, destruction or damage in relation to the provision of the payment processing services. You understand and agree that the technical and organizational measures are subject to technical progress and development. In that regard, PayPal is expressly permitted to implement adequate alternative measures as long as the security level of the measures is maintained in relation to the provision of the payment processing services. In the event of any detrimental change, PayPal shall provide a notification together with any necessary documentation to you by email or publication on a website easily accessible by you.
2.5 Security Incidents. If PayPal becomes aware of a Security Incident in connection with the processing of Customer Data and if there is a reasonable likelihood of material harm to a material part of the PayPal systems relating to the payment processing services provided to you, PayPal will, in accordance with Data Protection Laws: (a) notify you of the Security Incident promptly and without undue delay; and (b) promptly take reasonable steps to minimize harm and secure Customer Data.
2.5.1 Details of Security Incident. Notifications made under this Section will describe, to the extent possible, reasonable details of the Security Incident, including steps taken to mitigate the potential risks.
2.5.2 Communication. PayPal will deliver its notification of any Security Incident to one or more of your administrators via email. You are solely responsible for maintaining accurate contact information and ensuring that any contact information is current and valid.
2.6 Deletion. Upon termination or expiration of the Agreement, PayPal will delete or return to you all Customer Data processed on behalf of you, and PayPal shall delete existing copies of such Customer Data except where authorized by Data Protection Laws or necessary to retain such Customer Data strictly for the purposes of compliance with applicable law.
2.7 Certification. The Parties will at all times comply with applicable Data Protection Laws. PayPal hereby certifies that it understands and agrees to the terms of this Data Protection Schedule in this Agreement.
2.8 Merchant Notices. You undertake to provide all notices and obtain all consents necessary for PayPal’s use of Personal Data set out above.
Technical and Organizational Measures
The following technical and organizational measures will be implemented:
- Measures taken to prevent any unauthorized person from accessing the facilities used for data processing;
- Measures taken to prevent data media from being read, copied, amended or moved by any unauthorized persons;
- Measures taken to prevent the unauthorized introduction of any data into the information system, as well as any unauthorized knowledge, amendment or deletion of the recorded data;
- Measures taken to prevent data processing systems from being used by unauthorized persons using data transmission facilities;
- Measures taken to guarantee that authorized persons when using an automated data processing system may access only data that are within their competence;
- Measures taken to guarantee the checking and recording of the identity of third parties to whom the data can be transmitted by transmission facilities;
- Measures taken to guarantee that the identity of the persons having had access to the information system and the data introduced into the system can be checked and recorded ex post facto at any time and by any authorized person;
- Measures taken to prevent data from being read, copied, amended or deleted in an unauthorized manner when data are disclosed and data media transported;
- Measures taken to safeguard data by creating backup copies.