Effective Date: The Payment Services Agreement is effective on 15 December 2018 for Merchants who signed up before 12 November 2018 or immediately for all new Merchants who signed up on or after 12 November 2018.
This Braintree Payment Services Agreement, and the agreements, policies, and documents incorporated herein, (this “Agreement”), is entered into by and between PayPal, Inc., a Delaware corporation whose address is 2211 North First Street, San Jose, CA 95131 (“Braintree,” “PayPal,” “we,” or “our”) and the entity or individual who enters into this Agreement (“Merchant” or “you”). This Agreement sets out the terms and conditions under which you may utilize the Braintree Payment Services.
This Agreement becomes a legally binding contract and is effective as of the earliest date you do any of the following (the “Effective Date”):
Please be advised that this Agreement contains provisions, including an Agreement to Arbitrate, that govern how claims you and Braintree have against each other are resolved, which will, with limited exception, require the parties to submit claims they may have against one another to binding and final arbitration. Under the Agreement to Arbitrate, the parties will (1) only be permitted to pursue claims against each other on an individual basis, not as a plaintiff or class member in any class or representative action or proceeding and (2) only be permitted to seek relief (including monetary, injunctive, and declaratory relief) on an individual basis.
In exchange for us providing you with the Braintree Payment Services, you agree to pay us the fees, including applicable transaction, multi-currency and Chargeback fees, as listed in the fee schedule, available at https://www.braintreepayments.com/braintree-pricing, and incorporated herein by this reference. We reserve the right to revise our fees at any time, subject to a thirty (30) day notice period to you prior to the new fees taking effect. Interest shall accrue at the lower rate of 1.5% per month, or the maximum amount permitted by law, on all overdue amounts. In the event that you have a good faith dispute as to the amounts due, you agree to pay the undisputed amounts. Interest shall not accrue on any disputed amounts so long as you pay such amounts within thirty (30) calendar days after resolution of the dispute.
Subject to the terms of this Agreement, Braintree will send to your Bank Account all amounts due to you from your Transactions, minus any fees, Reversals, Invalidated Payments, Chargebacks, Refunds or other amounts that you owe to Braintree under this Agreement. If the Payout is not sufficient to cover the amounts due, you agree that we may debit your Bank Account for the applicable amounts, and/or set-off the applicable amounts against future Payouts. Upon Braintree’s request, you agree to provide Braintree with all necessary bank account routing and related information and grant Braintree permission to debit amounts due from your Bank Account.
Merchant shall pay, indemnify, and hold Braintree harmless from (i) any sales, use, excise, import or export, value-added, or similar tax or duty, and any other tax or duty not based on Braintree’s income, and (ii) all government permit fees, customs fees and similar fees which Braintree may incur with respect to this Agreement. Such taxes, fees and duties paid by Merchant shall not be considered a part of, a deduction from, or an offset against, payments due to Braintree hereunder.
In connection with your use of the Braintree Payment Services, you must comply with the Braintree Acceptable Use Policy: https://www.braintreepayments.com/legal/acceptable-use-policy.
You agree that you will not:
Merchant has the full power and authority to execute, deliver and perform this Agreement. This Agreement is binding and enforceable against Merchant and no provision requiring Merchant’s performance is in conflict with its obligations under any agreement to which Merchant is a party.
Merchant is duly organized, authorized and in good standing under the laws of the state, region or country of its organization and is duly authorized to do business in all other states, regions or countries in which Merchant’s business operates.
You are liable for all claims, expenses, fines and liability we incur arising out of:
In the event of an Invalidated Payment or other liability, we may deduct the amounts due to Braintree from your Payouts.
You authorize Braintree, directly or through third parties, to make any inquiries or take any actions we consider necessary to validate your identity, evaluate your creditworthiness, and verify information that you have provided to us. You authorize Braintree to obtain financial and credit information, such as pulling your personal credit report, or the credit report for your directors, officers, and principals. By completing your application to become a Braintree customer, you are providing Braintree with written instructions and authorization in accordance with the Fair Credit Reporting Act to obtain such financial information or credit reports.
In the event that we are unsuccessful in receiving satisfactory information for us to verify your identity or determine that you are creditworthy, Braintree reserves the right to terminate this Agreement with immediate notice to you, cease to provide access to the Braintree Payment Services, and refuse or rescind any payment by your customers.
If we believe that your Transactions pose an unacceptable level of risk, that you have breached the terms of this Agreement, or that your account has been compromised, we may take various actions to avoid liability. The actions we may take include, but are not limited to, suspending or limiting your ability to use the Braintree Payment Services, refusing to process any Transaction, reversing a Transaction, holding your Payouts, and contacting your customers to verify Transactions and reduce potential fraud and disputes. If possible, we will provide you with advance notice of our actions and resolution steps. However, advance notice will not be provided if there is an immediate need to take actions such as a security threat, potential fraud, or illegal activity.
Braintree, in its sole discretion, may place a Reserve on a portion of your Payouts in the event that we believe that there is a high level of risk associated with your business. If we place a reserve on your Payouts, we will provide you with notice specifying the terms of the Reserve. The terms may require that a certain percentage of your Payouts are held for a certain period of time, that a fixed amount of your Payouts are withheld from payout to you, or such other restrictions that Braintree determines in its sole discretion. Braintree may change the terms of the Reserve at any time by providing you with notice of the new terms.
Braintree may hold a Reserve as long as it deems necessary, in its sole discretion, to mitigate any risks related to your Transactions. You agree that you will remain liable for all obligations related to your Transactions even after the release of any Reserve. In addition, we may require you to keep your Bank Account available for any open settlements, Chargebacks and other adjustments.
To secure your performance of this Agreement, you grant to Braintree a legal claim to the funds held in the Reserve. This is known in legal terms as a “lien” on and “security interest” in these amounts.
You agree to:
Merchant agrees to comply with applicable data privacy and security requirements under the Payment Card Industry Data Security Standard (“Association PCI DSS Requirements”) and any applicable Association data security requirements (including those made available by Visa, MasterCard, American Express and Discover) with regards to Merchant’s use, access, and storage of certain credit card non-public personal information. Additionally, Merchant agrees to comply with its obligations under any applicable law or regulation as may be in effect or as may be enacted, adopted or determined regarding the confidentiality, use, and disclosure of cardholder information. You must report any Customer Data breach or incident to Braintree and/or the Associations immediately after discovery of the incident. You also agree to ensure data quality and that any Customer Data is processed promptly, accurately and completely, and complies with the Associations’ technical specifications.
Braintree agrees to comply with the applicable Payment Card Industry Data Security Standard ("PCI DSS"). Braintree acknowledges that it is responsible for the security of cardholder data it possesses or otherwise stores, processes or transmits on behalf of the Merchant, or to the extent that Braintree could impact the security of the cardholder data environment.
All Customer Data shall be owned by Merchant and Merchant hereby grants Braintree a perpetual, irrevocable, sub-licensable, assignable, worldwide, royalty-free license to use, reproduce, electronically distribute, and display Customer Data for the following purposes: (i) providing and improving the Braintree Payment Services, including the collection, processing and use of Customer Data for the purposes of Braintree providing and improving the Fraud Protection Tools as part of the Braintree Payment Services; (ii) internal usage, including but not limited to, data analytics and metrics so long as such Customer Data has been anonymized and aggregated with other customer data; (iii) complying with applicable legal requirements and assisting law enforcement agencies by responding to requests for the disclosure of information in accordance with local laws; and (iv) any other purpose for which consent has been provided by the Customer. Merchant undertakes to provide all notices and obtain all consents necessary for Braintree’s use of Customer Data set out above.
The data protection terms applicable to this Agreement are set out in Exhibit A (Data Protection Addendum) and are hereby incorporated by reference into this Agreement.
Braintree grants you a revocable, non-exclusive, non-transferable license to use Braintree’s APIs, developer’s toolkit, and other software applications (the “Software”) in accordance with the documentation accompanying the Software. This license grant includes all updates, upgrades, new versions and replacement software for your use in connection with the Braintree Payment Services. If you do not comply with the documentation and any other requirements provided by Braintree, then you will be liable for all resulting damages suffered by you, Braintree and third parties. Unless otherwise provided by applicable law, you agree not to alter, reproduce, adapt, distribute, display, publish, reverse engineer, translate, disassemble, decompile or otherwise attempt to create any source code that is derived from the Software. Upon expiration or termination of this Agreement, you will immediately cease all use of any Software.
Braintree grants you a revocable, non-exclusive, non-transferable license to use Braintree’s trademarks used to identify the Braintree Payment Service (the “Trademarks”) solely in conjunction with the use of the Braintree Payment Service. Merchant agrees that it will not at any time during or after this Agreement assert or claim any interest in or do anything that may adversely affect the validity of any Trademark or any other trademark, trade name or product designation belonging to or licensed to Braintree (including, without limitation registering or attempting to register any Trademark or any such other trademark, trade name or product designation). Upon expiration or termination of this Agreement, you will immediately cease all display, advertising and use of all of the Trademarks, including the logos and trademarks of the Associations.
Other than the express licenses granted by this Agreement, Braintree grants no right or license by implication, estoppel or otherwise to the Braintree Payment Service or any Intellectual Property Rights of Braintree. Each party shall retain all ownership rights, title, and interest in and to its own products and services (including in the case of Braintree, in the Braintree Payment Service) and all Intellectual Property Rights therein, subject only to the rights and licenses specifically granted herein.
Merchant hereby grants Braintree permissions to use Merchant’s name and logo in its marketing materials including, but not limited to use on Braintree’s website, in customer listings, in interviews and in press releases.
The parties acknowledge that in their performance of their duties hereunder either party may communicate to the other (or its designees) certain confidential and proprietary information, including without limitation information concerning the Braintree Payment Services and the know how, technology, techniques, or business or marketing plans related thereto (collectively, the “Confidential Information”) all of which are confidential and proprietary to, and trade secrets of, the disclosing party. Confidential Information does not include information that: (i) is public knowledge at the time of disclosure by the disclosing party; (ii) becomes public knowledge or known to the receiving party after disclosure by the disclosing party other than by breach of the receiving party’s obligations under this section or by breach of a third party’s confidentiality obligations; (iii) was known by the receiving party prior to disclosure by the disclosing party other than by breach of a third party’s confidentiality obligations; or (iv) is independently developed by the receiving party. 
As a condition to the receipt of the Confidential Information from the disclosing party, the receiving party shall: (i) not disclose in any manner, directly or indirectly, to any third party any portion of the disclosing party’s Confidential Information; (ii) not use the disclosing party’s Confidential Information in any fashion except to perform its duties hereunder or with the disclosing party’s express prior written consent; (iii) disclose the disclosing party’s Confidential Information, in whole or in part, only to employees and agents who need to have access thereto for the receiving party’s internal business purposes; (iv) take all necessary steps to ensure that its employees and agents are informed of and comply with the confidentiality restrictions contained in this Agreement; and (v) take all necessary precautions to protect the confidentiality of the Confidential Information received hereunder and exercise at least the same degree of care in safeguarding the Confidential Information as it would with its own confidential information, and in no event shall apply less than a reasonable standard of care to prevent disclosure.
Merchant agrees to indemnify, defend, and hold harmless Braintree, its parent, affiliates, officers, directors, agents, employees and suppliers from and against any lawsuit, claim, liability, loss, penalty or other expense (including attorneys’ fees and cost of defense) they may suffer or incur as a result of (i) your breach of this Agreement or any other agreement you enter into with Braintree or its suppliers in relation to your use of the Braintree Payment Services; (ii) your use of the Braintree Payment Services; (iii) your acts or omissions; and/or (iv) your violation of any applicable law, regulation, or Association Rules and requirements.
BRAINTREE SHALL NOT BE LIABLE TO YOU OR A THIRD PARTY FOR ANY CONSEQUENTIAL, INDIRECT, SPECIAL, INCIDENTAL, RELIANCE, OR EXEMPLARY DAMAGES ARISING OUT OF OR RELATING TO THIS AGREEMENT OR THE BRAINTREE PAYMENT SERVICES, WHETHER FORESEEABLE OR UNFORESEEABLE, AND WHETHER BASED ON BREACH OF ANY EXPRESS OR IMPLIED WARRANTY, BREACH OF CONTRACT, MISREPRESENTATION, NEGLIGENCE, STRICT LIABILITY IN TORT, OR OTHER CAUSE OF ACTION (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF DATA, GOODWILL, PROFITS, INVESTMENTS, USE OF MONEY, OR USE OF FACILITIES; INTERRUPTION IN USE OR AVAILABILITY OF DATA; STOPPAGE OF OTHER WORK OR IMPAIRMENT OF OTHER ASSETS; OR LABOR CLAIMS), EVEN IF BRAINTREE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. UNDER NO CIRCUMSTANCES SHALL BRAINTREE’S TOTAL AGGREGATE LIABILITY TO MERCHANT OR ANY THIRD PARTY ARISING OUT OF OR RELATED TO THIS AGREEMENT EXCEED THE DIRECT DAMAGES SUFFERED BY SUCH PARTY IN AN AMOUNT EQUAL TO THE AMOUNTS PAID OR PAYABLE BY MERCHANT TO BRAINTREE UNDER THIS AGREEMENT DURING THE FIRST TWELVE (12) MONTH PERIOD AFTER THE EFFECTIVE DATE OF THIS AGREEMENT.
THE BRAINTREE PAYMENT SERVICE IS PROVIDED “AS IS” WITHOUT ANY WARRANTY WHATSOEVER. BRAINTREE DISCLAIMS ALL WARRANTIES WHETHER EXPRESS, IMPLIED, OR STATUTORY, TO MERCHANT AS TO ANY MATTER WHATSOEVER, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT OF THIRD PARTY RIGHTS. NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY BRAINTREE OR ITS EMPLOYEES OR REPRESENTATIVES SHALL CREATE A WARRANTY OR IN ANY WAY INCREASE THE SCOPE OF BRAINTREE’S OBLIGATIONS.
The parties acknowledge that the Braintree Payment Service is a computer network based service which may be subject to outages and delay occurrences. As such, Braintree does not guarantee continuous or uninterrupted access to the Braintree Payment Services. Merchant further acknowledges that access to the Braintree website or to the Braintree Payment Services may be restricted for maintenance. Braintree will make reasonable efforts to ensure that Transactions are processed in a timely manner; however, Braintree will not be liable for any interruption, outage, or failure to provide the Braintree Payment Services.
The term of this Agreement shall commence on the Effective Date and shall continue on until terminated as set forth herein. You may terminate this Agreement, without cause, by providing Braintree with notice of your intent to terminate, or by ceasing to use the Braintree Payment Services.
Braintree may terminate this Agreement or suspend services to you if any of the following occurs: (1) we are required by the Associations, the acquiring bank, or an order from a regulatory body to cease providing services to you; (2) we believe that you have breached this Agreement, or are likely to do so; (3) if we determine that your use of the Braintree Payment Services carries an unacceptable amount of risk, including credit or fraud risk; or (4) any other legal, reputational, or risk-based reason exists, in Braintree’s sole discretion. In the event that Braintree must terminate this Agreement, Braintree shall provide you with written notice as soon as reasonably practicable.
After termination by either party as described above, Merchant shall no longer have access to, and shall cease all use of the Braintree Payment Services. Any termination of this Agreement does not relieve Merchant of any obligations to pay any fees, costs, penalties, Chargebacks or any other amounts owed by you to us as provided under this Agreement, whether accrued prior to or after termination.
The relationship of Braintree and Merchant is that of independent contractors. Neither Merchant nor any of its employees, consultants, contractors or agents are agents, employees, partners or joint ventures of Braintree, nor do they have any authority to bind Braintree by contract or otherwise to any obligation. None of such parties will represent anything to the contrary, either expressly, implicitly, by appearance or otherwise.
If any provision of this Agreement is held by a court of competent jurisdiction to be invalid, void or unenforceable for any reason, the remaining provisions not so declared shall nevertheless continue in full force and effect, but shall be construed in a manner so as to effectuate the intent of this Agreement as a whole, notwithstanding such stricken provision or provisions.
No term or provision of this Agreement shall be deemed waived, and no breach excused, unless such waiver or consent shall be in writing and signed by the party claimed to have waived or consented. Any consent by any party to, or waiver of, a breach by the other party, whether express or implied, shall not constitute a consent to, waiver of, or excuse for any different or subsequent breach.
This Agreement will bind and inure to the benefit of each party’s permitted successors and assigns. Merchant may not assign this Agreement without the written consent of Braintree. Braintree may assign this Agreement in its sole discretion without the written consent of Merchant.
We may amend this Agreement at any time by posting a revised version of it on our website under the “Legal” section of our website. The revised version will be effective at the time we post it. In addition, if the revised version includes a substantial change, we will provide you with 30 days’ prior notice of any substantial change by posting notice under the “Policy Updates” section contained in the “Legal” section of our website. If you do not agree to the updated terms, you can terminate your Agreement by providing us with notice in the manner indicated below in Section 9.09. If you provide us with termination notice within 30 days of the date of update, then your current terms and conditions shall apply during this notice period.
This Agreement sets forth the entire agreement and understanding of the parties hereto in respect to the subject matter contained herein, and supersedes all prior agreements, promises, covenants, arrangements, communications, representations or warranties, whether oral or written, by any officer, partner, employee or representative of any party hereto. This Agreement shall be binding upon and shall inure only to the benefit of the parties hereto and their respective successors and permitted assigns. Nothing in this Agreement, express or implied, is intended to confer or shall be deemed to confer upon any persons or entities not parties to this Agreement, any rights or remedies under or by reason of this Agreement.
Sections 2 (Fees and Tax), 4 (Liability for Chargebacks, Invalidated Payments and other Liabilities), 5 (Actions We May Take), 6.08 (Confidential Information), 7 (Indemnification, Limitation of Liability, Disclaimer of Warranties), 8 (Term and Termination, Data Portability), 9 (General Provisions), Exhibit “A” (Data Protection Addendum) and Exhibit “B” (Definitions), as well as any other terms which by their nature should survive, will survive the termination of this Agreement.
You consent to receive autodialed or prerecorded calls and text messages from Braintree at any telephone number that you have provided us or that we have otherwise obtained to (i) notify you regarding your account; (ii) collect a debt; (iii) resolve a dispute; (iv) contact you about exclusive offers; or (v) as otherwise necessary to service your account or enforce the Agreement. Standard telephone minute and text charges may apply.
We may share your telephone numbers with our service providers (such as billing or collections companies) who we have contracted with to assist us in pursuing our rights or performing our obligations under the Agreement, our policies, or any other agreement we may have with you. You agree these service providers may also contact you using autodialed or prerecorded calls and text messages, only as authorized by us to carry out the purposes we have identified above, and not for their own purposes.
Braintree may, without further notice or warning and in its discretion, monitor or record telephone conversations you or anyone acting on your behalf has with Braintree or its agents for quality control and training purposes or for its own protection.
If you have a question or complaint relating to the Braintree Payment Services or your Transactions, please contact the Braintree customer support as defined in the “Contact” tab of the Braintree website. The general terms and conditions for the Braintree Payment Services will be available at all times on www.braintreepayments.com in the “Legal” tab, and/or be made available during the signup process as an electronic copy per e-mail. You may request at any time, free of charge, an electronic copy of your contractual documents.
a. Contracting Entity. “PayPal,” “Braintree,” “we,” and “our” in this Agreement refer to PayPal, Inc., a Delaware corporation in the United States whose address is 2211 North First Street, San Jose, CA 95131.
b. Notice to Merchant. Merchant agrees that Braintree may provide notices and disclosures to Merchant by posting them on Braintree’s website, emailing them to Merchant, or sending them to Merchant through postal mail. Notices sent to Merchant by postal mail are considered received by Merchant within three (3) Business Days of the date Braintree sends the notice unless it is returned to Braintree. Disclosures and notices posted on Braintree’s website or emailed shall be considered to be received by you within 24 hours of the time it is posted to our website or emailed to you unless we receive notice that the email was not delivered. Furthermore, you understand and agree that if Braintree sends you an email but you do not receive it because your primary email address on file is incorrect, out of date, blocked by your service provider, or you are otherwise unable to receive electronic communications, Braintree will be deemed to have provided the communication to you. In addition, Braintree may send Merchant emails, including, but not limited to, those relating to product updates, new features and offers and Merchant hereby consents to such email notification. You also agree that electronic disclosures and notices have the same meaning and effect as if we had provided you with a paper copy.
c. Notices to Braintree. Notice to Braintree shall be considered valid only if sent by postal mail to PayPal, Inc., Attention: Legal Department, 2211 North First Street, San Jose, California 95131.
d. Choice of law and jurisdiction. The laws of the State of Delaware, without regard to principles of conflict of laws, will govern this Agreement and any claim or dispute that has arisen or may arise between the parties, except as otherwise stated in this Agreement.
PLEASE READ THIS SECTION CAREFULLY. IT AFFECTS YOUR RIGHTS AND WILL IMPACT HOW CLAIMS YOU AND BRAINTREE HAVE AGAINST EACH OTHER ARE RESOLVED.
You and Braintree agree that any and all disputes or claims that have arisen or may arise between you and Braintree shall be resolved exclusively through final and binding arbitration, rather than in court, except that you may assert claims in small claims court, if your claims qualify and so long as the matter remains in such court and advances only on an individual (non-class, non-representative) basis. The Federal Arbitration Act governs the interpretation and enforcement of this provision.
THE PARTIES ALSO AGREE THAT YOU AND BRAINTREE MAY BRING CLAIMS AGAINST THE OTHER ONLY ON AN INDIVIDUAL BASIS AND NOT AS A PLAINTIFF OR CLASS MEMBER IN ANY PURPORTED CLASS OR REPRESENTATIVE ACTION OR PROCEEDING. UNLESS BOTH YOU AND BRAINTREE AGREE OTHERWISE, THE ARBITRATOR(S) MAY NOT CONSOLIDATE OR JOIN MORE THAN ONE PERSON’S OR PARTY’S CLAIMS AND MAY NOT OTHERWISE PRESIDE OVER ANY FORM OF A CONSOLIDATED, REPRESENTATIVE, OR CLASS PROCEEDING. ALSO, THE ARBITRATOR(S) MAY AWARD RELIEF (INCLUDING MONETARY, INJUNCTIVE, AND DECLARATORY RELIEF) ONLY IN FAVOR OF THE INDIVIDUAL PARTY SEEKING RELIEF AND ONLY TO THE EXTENT NECESSARY TO PROVIDE RELIEF NECESSITATED BY THAT PARTY’S INDIVIDUAL CLAIM(S). ANY RELIEF AWARDED CANNOT AFFECT OTHER BRAINTREE MERCHANTS.
The arbitration will be conducted by the American Arbitration Association (“AAA”) under its Commercial Arbitration Rules, as modified by this Agreement to Arbitrate. The AAA’s rules are available at www.adr.org. Payment of all filing, administration, and arbitrator fees will be governed by the AAA’s rules. All issues are for the arbitrator to decide, except that issues relating to arbitrability, or the scope or enforceability of this Agreement to Arbitrate, shall be for a court of competent jurisdiction to decide. If a court decides that any part of this Section 9.10 is invalid or unenforceable, the other parts of this Section 9.10 shall still apply.
The arbitration shall be held in the county in which you reside or at another mutually agreed location. If the value of the relief sought is $10,000 or less, you or Braintree may elect to have the arbitration conducted by telephone or based solely on written submissions, which election shall be binding on you and Braintree subject to the discretion of the arbitrator(s) to require an in-person hearing, if the circumstances warrant. In cases where an in-person hearing is held, you and/or Braintree may attend by telephone, unless required otherwise by the arbitrator(s).
The arbitrator(s) will decide the substance of all claims in accordance with the laws of the State of Delaware, including recognized principles of equity, and will honor all claims of privilege recognized by law. The arbitrator(s) shall not be bound by rulings in prior arbitrations involving different merchants, but is/are bound by rulings in prior arbitrations involving the same merchant to the extent required by applicable law. The arbitration award shall be final and binding and judgment on the award rendered by the arbitrator(s) may be entered in any court having jurisdiction thereof.
This Data Protection Addendum (“Addendum”) is entered into between Merchant and PayPal, Inc., a Delaware corporation whose address is 2211 North First Street, San Jose, CA 95131 ("Braintree" or “PayPal”) (collectively the “Parties”). This Addendum shall form part of the Payment Services Agreement between Merchant and Braintree (the “Agreement”) in accordance with the “Effect of this Addendum” section below.
Capitalized terms used but not defined in this Addendum shall have the meaning set out in the Agreement.
EFFECT OF THIS ADDENDUM
This Addendum amends and forms part of the Agreement, and is effective as of the Effective Date of the Agreement.
1.1 The following terms have the following meanings when used in this Addendum:
1.2 Addendum. This Addendum comprises (i) sections 1 to 4, being the main body of the Addendum; (ii) Attachment 1; (iii) Attachment 2; and (iv) Attachment 3.
2.1.1 as reasonably necessary to provide the Services to Merchant;
2.1.2 to conduct anti-money laundering, know your customer and fraud checks on the Merchant;
2.1.3 to market to the employees and contractors of Merchant; and
2.1.4 any other purpose that it notifies (or Merchant agrees to notify on its behalf) to the employees and contractors of Merchant in accordance with Data Protection Laws.
2.2 Braintree shall comply with the requirements of the Data Protection Laws applicable to controllers in respect of the use of Merchant Data under this Agreement (including without limitation, by implementing and maintaining at all times all appropriate security measures in relation to the processing of Merchant Data and by maintaining a record of all processing activities carried out in respect of Merchant Data) and shall not knowingly do anything or permit anything to be done with respect to the Merchant Data which might lead to a breach by the Merchant of the Data Protection Laws.
2.3 With regard to any Customer Data to be processed by Braintree in connection with this Agreement, Merchant will be a controller and Braintree will be a processor in respect of such processing. Merchant will be solely responsible for determining the purposes for which and the manner in which Customer Data are, or are to be, processed.
2.4 Braintree shall only process Customer Data on behalf of and in accordance with Merchant’s written instructions. The Parties agree that this Addendum is Merchant's complete and final written instruction to Braintree in relation to Customer Data. Additional instructions outside the scope of this Addendum (if any) require prior written agreement between Braintree and Merchant, including agreement of any additional fees payable by Merchant to Braintree for carrying out such additional instructions. Merchant shall ensure that its instructions comply with all applicable laws, including Data Protection Laws, and that the processing of Customer Data in accordance with Merchant's instructions will not cause Braintree to be in breach of Data Protection Laws. Merchant hereby instructs Braintree to process Customer Data for the following purposes:
2.4.1 as reasonably necessary to provide the Services to Merchant;
2.4.2 after anonymizing the Customer Data, to use that anonymized Customer Data, directly or indirectly, which is no longer identifiable personal data, for any purpose whatsoever.
2.5 In relation to Customer Data processed by Braintree under this Agreement, Braintree shall co-operate with Merchant to the extent reasonably necessary to enable Merchant to adequately discharge its responsibility as a controller under Data Protection Laws, including without limitation that Braintree shall cooperate and provide Merchant with such reasonable assistance as Merchant requires in relation to:
2.5.1 assisting Merchant in the preparation of data protection impact assessments to the extent required of Merchant under Data Protection Laws; and
2.5.2 responding to binding requests for the disclosure of information as required by local laws, provided always that where the request is from a non-EEA law enforcement agency Braintree will (a) inform Merchant of the request, the data concerned, response time, the identity of the requesting body and the legal basis for the request; (b) wait for Merchant’s instructions provided the instruction and the opinion are received within a reasonable period of time, which shall be assessed in light of the time period afforded by the law enforcement agency to Braintree; (c) where Braintree is prohibited from informing Merchant about the law enforcement agency’s request, take reasonable steps to have this prohibition waived and to make available relevant information about the request as soon as possible to Merchant (these efforts will be documented); and (d) where the prohibition cannot be waived, compile a list, in compliance with its national law and on an annual basis, of the number of such requests received, the type of Customer Data requested and the identity of the law enforcement agency concerned and make it available to the Customer’s data protection authority annually on request (in which circumstances Braintree will be acting as a controller).
2.6 Scope and Details of Customer Data processed by Braintree. The objective of processing Customer Data by Braintree is the performance of the Services pursuant to the Agreement. Braintree shall process the Customer Data in accordance with the specified duration, purpose, type and categories of data subjects as set out in Attachment 3 (Data Processing of Customer Data).
2.7 The Parties will at all times comply with Data Protection Laws.
2.8 Merchant undertakes to provide all notices and obtain all consents necessary for Braintree’s use of Merchant Data and Customer Data set out above.
This section 3 applies only to the extent that Braintree acts as a processor or Sub-processor to Merchant. It does not apply where Braintree acts as a controller.
3.1 Correction, Blocking and Deletion. To the extent Merchant, in its use of the Services, does not have the ability to correct, amend, block or delete Customer Data, as required by Data Protection Laws, Braintree shall comply with any commercially reasonable request by Merchant to facilitate such actions to the extent Braintree is legally permitted to do so. To the extent legally permitted, Merchant shall be responsible for any costs arising from Braintree’s provision of such assistance.
3.2 Data Subject Requests. Braintree shall, to the extent legally permitted, promptly notify Merchant if it receives a request from a Customer for access to, correction, amendment or deletion of that Customer’s personal data. Braintree shall not respond to any such Customer request without Merchant’s prior written consent except to confirm that the request relates to Merchant to which Merchant hereby agrees. Braintree shall provide Merchant with commercially reasonable cooperation and assistance in relation to handling of a Customer's request for access to that person’s personal data, to the extent legally permitted and to the extent Merchant does not have access to such Customer Data through its use of the Services. If legally permitted, Merchant shall be responsible for any costs arising from Braintree’s provision of such assistance.
3.3 Confidentiality. Braintree shall ensure that its personnel engaged in the processing of Customer Data are informed of the confidential nature of the Customer Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Braintree shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
3.4 Training. Braintree undertakes to provide training as necessary from time to time to the Braintree personnel with respect to Braintree's obligations in this Addendum to ensure that the Braintree personnel are aware of and comply with such obligations.
3.5 Limitation of Access. Braintree shall ensure that access by Braintree's personnel to Customer Data is limited to those personnel performing Services in accordance with the Agreement.
3.6 Data Protection Officer. Members of the PayPal Group have appointed a data protection officer where such appointment is required by Data Protection Laws. The appointed person may be reached at PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal L-2449, Luxembourg.
3.7 Sub-processors. Merchant specifically authorizes the engagement of members of the PayPal Group as Sub-processors in connection with the provision of the Services. In addition, Merchant generally authorizes the engagement of any other third parties as Sub-processors in connection with the provision of the Services. When engaging any Sub-processor, Braintree will execute a written contract with the Sub-processor which contains terms for the protection of Customer Data which are no less protective than the terms set out in this Addendum.
3.7.1 List of Current Sub-processors and Notification of New Sub-processors. Braintree shall make available to Merchant a current list of Sub-processors for the respective Services with the identities of those Sub-processors (“Sub-processor List”). The Sub-processor List is included in Attachment 1 to this Addendum. Where a Sub-processor is proposed to be changed Braintree shall provide prior notice by email to Merchant before implementing such change.
3.7.2 Objection Right for new Sub-processors. If Merchant has a reasonable basis to object to Braintree’s use of a new Sub-processor, Merchant shall notify Braintree promptly in writing within two (2) months after receipt of Braintree’s notice. In the event Merchant objects to a new Sub-processor(s) and that objection is not unreasonable Braintree will use reasonable efforts to make available to Merchant a change in the affected Services or recommend a commercially reasonable change to Merchant’s configuration or use of the affected Services to avoid processing of personal data by the objected-to new Sub-processor without unreasonably burdening Merchant. If Braintree is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days, Merchant may terminate the Agreement in respect only of those Services which cannot be provided by Braintree without the use of the objected-to new Sub-processor, by providing no less than sixty (60) days' written notice to Braintree. Merchant shall receive a refund of any prepaid fees for the period following the effective date of termination in respect of such terminated Services.
3.9 Security. Braintree shall, as a minimum, implement and maintain appropriate technical and organizational measures as described in Attachment 2 to this Addendum to keep Customer Data secure and protect it against unauthorized or unlawful processing and accidental loss, destruction or damage in relation to the provision of the Services. Since Braintree provides the Services to all Merchants uniformly via a hosted, web-based application, all appropriate and then-current technical and organizational measures apply to Braintree’s entire customer base hosted out of the same data center and subscribed to the same service. Merchant understands and agrees that the technical and organizational measures are subject to technical progress and development. In that regard, Braintree is expressly permitted to implement adequate alternative measures as long as the security level of the measures is maintained in relation to the provision of the Services. In the event of any detrimental change Braintree shall provide a notification together with any necessary documentation to Merchant by email or publication on a website easily accessible by Merchant.
3.10 Security Incident Notification. If Braintree becomes aware of a Security Incident in connection with the processing of Customer Data, Braintree will: (a) notify Merchant of the Security Incident promptly and without undue delay; and (b) promptly take reasonable steps to minimize harm and secure Customer Data.
3.11 Details of Security Incident. Notifications made under section 3.10 (Security Incident Notification) will describe, to the extent possible, reasonable details of the Security Incident, including steps taken to mitigate the potential risks.
3.12 Communication. Braintree will deliver its notification of any Security Incident to one or more of Merchant's administrators by any means Braintree selects, including via email. Merchant is solely responsible for maintaining accurate contact information and ensuring that any contact information is current and valid.
3.13 Deletion. Upon termination or expiry of the Agreement, Braintree will delete or return to Merchant all Customer Data processed on behalf of the Merchant, and Braintree shall delete existing copies of such Customer Data except where necessary to retain such Customer Data strictly for the purposes of compliance with applicable law.
3.14 Data Portability. Upon any termination or expiry of this Agreement, Braintree agrees, upon written request from Merchant, to provide Merchant’s new acquiring bank or payment service provider (“Data Recipient”) with any available credit card information including personal data relating to Merchant’s Customers (“Card Information”). In order to do so, Merchant must provide Braintree with all requested information including proof that the Data Recipient is in compliance with the Association PCI-DSS Requirements and is level 1 PCI compliant. Braintree agrees to transfer the Card Information to the Data Recipient so long as the following applies: (a) Merchant provides Braintree with proof that the Data Recipient is in compliance with the Association PCI-DSS Requirements (Level 1 PCI compliant) by providing Braintree a certificate or report on compliance with the Association PCI-DSS Requirements from a qualified provider and any other information reasonably requested by Braintree; (b) the transfer of such Card Information is compliant with the latest version of the Association PCI-DSS Requirements; and (c) the transfer of such Card Information is allowed under the applicable Association Rules, and any applicable laws, rules or regulations (including Data Protection Laws).
This Addendum shall take effect between, and become legally binding on the Parties on the date determined by “Effect of this Addendum” section above.
Kount Inc: 917 South Lusk, 3rd Floor, Boise, ID 83706
Amazon Web Services, Inc.: 410 Terry Avenue, North Seattle, WA 98109-5210
CardinalCommerce Corporation: 8100 Tyler Blvd., Mentor, OH 44060
The following technical and organizational measures will be implemented:
Data Processing of Customer Data
Categories of data subjects
Customer Data – The personal data that the Customer provides to Merchant and Merchant passes on to Braintree through the use by the Customer of the Braintree Payment Services.
Subject-matter of the processing
The payment processing services offered by Braintree which provides Merchant with the ability to accept credit cards, debit cards, and other payment methods on a website or mobile application from Customers.
The payment processing services include the optional use of Fraud Protection Tools by Merchant to detect fraudulent transactions.
Nature and purpose of the processing
Braintree processes Customer Data that is sent by the Merchant to Braintree for purposes of obtaining verification or authorization of the Customer’s payment method as payment to the Merchant for the sale of goods or services.
Braintree processes Customer Data that is collected by Braintree or sent from Merchant to Braintree for the purposes of Braintree making the Fraud Protection Tools available to Merchant. Braintree collects, processes and uses Customer Data on behalf of Merchant in order to analyze the Customer Data and use it to identify fraudulent transactions on Merchants’ websites or mobile applications as further described in the Payment Services Agreement.
Type of personal data
Customer Data – Merchant shall inform Braintree of the type of Customer Data Braintree is required to process under this Agreement. Should there be any changes to the type of Customer Data Braintree is required to process then Merchant shall notify Braintree immediately. Braintree processes the following Customer Data, as may be provided by the Merchant to Braintree from time to time:
Date of birth
Government ID number
Bank account number and bank routing number
Financial account number
Card or payment instrument type
Card Primary Account Number (PAN) or Device-specific Primary Account Number (DPAN)
Card Verification Value (CVV)
Card expiration date
Business tax ID
*As further detailed in the Fraud Protection Tools documentation made available by Braintree from time to time.
Special categories of data (if relevant)
The transfer and processing of special categories of data is not anticipated.
Duration of Processing
The term of the Agreement.