Skip to main content
You are viewing content for . View content for other locations.
×

Braintree Payments Homepage

Payment Services Agreement - European Union

Jump to section


Updated Payment Services Agreement

Please note: This version of this Agreement marked “Updated Payment Services Agreement” will take effect and supersede the current Payment Services Agreement on 13 January 2018 or immediately for all new Merchants. This Braintree Payment Services Agreement and the agreements, policies and documents incorporated herein (this "Agreement") is entered into by and between PayPal ("Braintree," “we” or “our”), and the entity or individual who enters into this Agreement (“Merchant" or “you”), and is made effective as of the date that you click on the “create account” button in the signup page on the Braintree website and accept this Agreement or on the date that you begin using the Braintree Services (“Effective Date”). In addition to the terms of this Agreement, you agree to be bound by the terms of our Privacy Policy and Acceptable Use Policy, as well as your applicable Bank Agreement, which are incorporated herein by reference. This Agreement sets out the terms and conditions under which Merchant may utilize the Braintree Payment Service.

This Agreement is provided to you in English. We recommend that you download or print a copy of this Agreement for your records, which is available, as amended from time to time, on the “Legal” tab on the Braintree website (www.braintreepayments.com).

When you apply to become a Braintree customer, we collect information about you and your business, and confirm your identity to satisfy our anti-money laundering requirements and other regulatory obligations (referred to as “know your customer” requirements). By completing your application to become a Braintree customer, you authorise us to obtain financial and credit information (including from third parties) relating to you, your directors, officers and principals. We use this information (and other information available to us) to evaluate you, your directors, officers and principals against our evaluation criteria. Braintree reserves the right to terminate this Agreement with immediate notice to you at any time before the “know your customer” process is completed, or not completed satisfactorily. Braintree reserves the right to refuse or rescind any payment to your customers if such process does not complete satisfactorily and/or to disburse funds to you after this mandatory process is completed.

Agreement

Section 1 — Braintree Payment Services

1.01 “Payment Processing Services”

The payment processing services offered by Braintree include services that provide Merchants with the ability to accept credit and debit card payments on a website or mobile application. These services include the Gateway Services (as defined below), bank-sponsored merchant account, fraud protection tools, recurring billing functionality, payment card storage, foreign currency acceptance, white glove customer support, and other software, APIs and services and technology as described on the Braintree website.

1.02 “Gateway Services”

The gateway services offered by Braintree include services that provide Merchants with the software and connectivity required to allow real-time secure data transmission for processing of credit and debit card payments on a website or mobile application. The Gateway Services include Forwarding Services and Grant API Services which are provided subject to additional terms set out on the Braintree website under “PayPal Products and Services” and incorporated into this Agreement by reference. The Gateway Services also include certain payment technology services provided by third parties that are used to facilitate your processing of credit and debit card payments (“Payment Technology Services”). In order to use these services, you agree to the applicable Payment Technology Services terms as set forth on the Braintree website which are incorporated into this Agreement by reference. You acknowledge and agree that the Payment Technology Services are provided solely by the relevant third party (and not Braintree) as set forth in the applicable Payment Technology Services terms, and that Braintree will under no circumstances be responsible or liable for any damages, losses or costs whatsoever suffered or incurred by you resulting from any Payment Technology Services.

Exhibit A includes a description of the main characteristics of the Braintree Payment Services.

Section 2 — Fees and Taxes

2.01 Fees

All of the fees applicable to your use of the Braintree Payment Services, including applicable transaction, multi-currency and Chargeback fees are listed and accessible on our pricing page, available on our website All applicable fees are due and payable immediately upon settlement of the applicable Payout Amount. Subject to notice, we reserve the right to revise our fees at any time.

Interest on any and all amounts due by you, but not yet paid to Braintree, shall accrue at a rate of 1.0% per month ("Late Fee"). In the event of a dispute made in good faith as to the amount of fees, Merchant agrees to remit payment on any undisputed amount(s); and, the Late Fee shall not accrue as to any disputed amounts unless not paid within thirty (30) calendar days after said dispute has been resolved by both parties.

2.02 Blended or Interchange Plus Pricing

You may choose between two pricing models for receiving card payments via Braintree’s payment processing services. You may opt for the Blended pricing model or for the Interchange Plus model by the methods and procedures that Braintree makes available to you. If you do not make an election, you will stay on your existing fee structure. When you select a pricing model, it may take up to five business days for it to take effect. It will only apply to future transactions, not to past transactions.2.03 Currency conversion

2.03 Currency Conversion

If your transaction involves a currency conversion it will be converted at an exchange rate we set for the relevant currency exchange. The exchange rate is sourced from a sponsoring financial institution which is based on the rates available in the wholesale currency markets or, if required by law or regulation, at the relevant governmental reference rate(s) on the conversion date or the prior Business Day. Where a currency conversion is offered at the point of sale by Merchant, not by Braintree, and Merchant offers the exchange rate and charges, Braintree has no liability for that currency conversion.

2.04 Payment of Fees; Right to Set-off

Braintree will on a daily basis, pay to your Bank Account the aggregate of all Payout Amounts net of the applicable fees and other amounts due to Braintree. If the Payout Amount is not sufficient to cover the applicable fees or other amounts due to Braintree on any given day, you agree that we may debit your Bank account for the applicable amounts and/or set-off the applicable amounts against future Payouts.

Merchant acknowledges and agrees that a Transaction may become subject to a Chargeback even after settlement, or otherwise be invalidated. In the event of a Chargeback or invalidated payment, you are liable for:

(a) the full amount of the original Transaction; and (b) any Chargeback fees according to this Agreement. Upon Braintree’s request, you agree to provide Braintree with all necessary bank account, routing and related information and grant Braintree any required permission to debit the applicable amounts from your Bank Account. Braintree reserves the right to charge a fee for providing additional information or for providing the transaction history and other information about our fees in a different way.

2.05 Taxes

Unless otherwise stated, all fees are quoted exclusive of any applicable value added tax (VAT). For the sake of clarity, the Braintree Services are in scope of the exemption from VAT of Art. 135 (1)(d) of the EU VAT Directive 2006/112/EC. It is your responsibility to determine what, if any, taxes apply to the payments you make or receive, and it is your responsibility to collect, report and remit the correct tax to the appropriate tax authority. PayPal is not responsible for determining whether taxes apply to your transaction, or for collecting, reporting or remitting any taxes arising from any transaction.

2.06 Interchange Fees

Interchange Fees are set by Visa and MasterCard. If you receive card payments under the Interchange Plus pricing model, Braintree shall always charge you the Interchange Fee as set by Visa and MasterCard and as passed on by Braintree’s Acquirer. For more information on Interchange Fees, please see MasterCard’s and Visa’s websites.

Section 3 — Restricted Activities, Representations and Warranties

3.01 Restricted activities

In connection with your use of the Braintree Payment Services, or in the course of your interactions with Braintree, you will comply at all times with the Braintree Acceptable Use Policy accessible at the following address: https://www.braintreepayments.com/legal/acceptable-use-policy You agree that you will not:

  1. Breach this Agreement, your Bank Agreement or any other agreement that you have entered into with us in connection with the Braintree Payment Services;
  2. Breach any law, statute, regulation;
  3. Breach any rule, guideline or bylaw of any of the Association Rules, as amendment by the Associations from time to time,;
  4. Use the Braintree Payment Services in a manner that could result in a violation of anti-money laundering, counter terrorist financing and similar legal and regulatory obligations (including, without limitation, where we cannot verify your identity or other required information about your business) applicable to you or Braintree.
  5. Fail to provide us with any information that we request about you or your business activities, or provide us with false, inaccurate or misleading information;
  6. Refuse to cooperate in an investigation or provide confirmation of your identity or any information you provide to us;
  7. Reveal your access credentials to anyone else or use anyone else's access credentials for the Braintree Payment Services. We are not responsible for losses incurred by you including, without limitation, the use of your access to the Braintree Payment Services, by any person other than you, arising as the result of misuse of passwords; or
  8. Integrate or use any of the Braintree Payment Services without fully complying with all requirements communicated to you by Braintree.
  9. Utilize recurring billing functionality without properly obtaining your customers’ consent to be billed in such a manner;
  10. Submit any Transaction for processing through the Braintree Payment Services which does not represent a bona fide, permissible Transaction as outlined in this Agreement and in the Association Rules, or which inaccurately describes the product or services being sold or the charitable donations being made;
  11. Process Transactions or receive payments on behalf of any other party, or (unless required by law) re-direct payments to any other party;
  12. Display with unequal size or prominence, show preference for, or discriminate again one card brand or type over another, including your refund policies for purchases; and
  13. Bill or collect from any cardholder for any purchase or payment on the card unless you have the right to do so under the Association Rules. 

3.02 Representations and warranties by Merchant

Merchant has the full power and authority to execute, deliver and perform this Agreement. This Agreement is valid, binding and enforceable against Merchant in accordance with its terms and no provision requiring Merchant's performance is in conflict with its obligations under any constitutional document, charter or any other agreement (of whatever form or subject) to which Merchant is a party or by which it is bound. Merchant is duly organized, authorized and in good standing under the laws of the state, region or country of its organization and is duly authorized to do business in all other states, regions or countries in which Merchant's business make such authorization necessary or required.

Section 4 — Liability for Invalidated Payments and other Liabilities

You must compensate and indemnify us for any claims, losses, expenses or liability we incur arising out of:

  1. a transaction or dispute between you and your customer(s);
  2. an invalid transaction, refund transaction, over-payment, Chargeback and any other expenses, collectively “Invalidated Payments”;
  3. any error, negligence, willful misconduct or fraud by you or your employees; or
  4. any losses suffered by us as a result of your failure to comply with your obligations under this Agreement.

In the event of an Invalidated Payment and other liability, we may deduct the amount of the Invalidated Payment from your Payout Amounts.

Section 5 — Actions We May Take

5.01 Actions by Braintree

If we have reason to believe that there is a higher than normal risk associated with your Transactions, in particular if we believe you have breached the terms of this Agreement, we may take various actions to avoid Reversals, Chargebacks, fees, fines, penalties and any other liability. The actions we may take include but are not limited to the following:

  1. We may, at any time and without liability, limit or suspend your right to use the Braintree Payment Services if we believe that you are in breach of your obligations under this Agreement, including without limitation Section 3.01 “Restricted Activities”. If possible, we will give you advance notice of any limitation or suspension, but we may take such actions without advance notice under certain circumstances, including if we believe that your use of the Braintree Payment Services represents a security threat or involves fraud or any other illegal activities;
  2. Refuse any Transaction at any time, provided that, upon request and where possible, we will provide the reasons for the refusal and steps for resolution of the problem;
  3. Reverse any Transaction (including, if appropriate, to the sender’s credit card), that violates, or we reasonably suspect may violate, this Agreement, including but not limited to our Acceptable Use Policy or section 3.01;
  4. Hold your funds or suspend/ limit your account, to the extent and for so long as reasonably needed to protect against the risk of liability or as required to mitigate any regulatory risk in relation to your Transactions.

5.02 Reserves

Braintree, in its sole discretion, may place a Reserve on all or a portion of your Payout Amounts. If Braintree imposes a Reserve, we will provide you with a notice specifying the terms of the Reserve. The terms may require (a) that a certain percentage of your Payout Amounts are held for a certain period of time, (b) that a fixed amount of your Payout Amounts is withheld from payout to you, or (c) such other restrictions that Braintree determines are necessary to protect against the risk to us associated with our business relationship. Braintree may change the terms of the Reserve at any time by providing you with notice of the new terms. Payout Amounts subject to a Reserve are not immediately available for payout to you or for making Refund Transactions. Other restrictions described in (c) above may include: limiting Payout Amounts immediately available to you, changing the speed or method of payouts to you, setting off any amounts owed by you against your Payout Amounts and/or requiring that you, or a person associated with you, enter into other forms of security arrangements with us (for example, by providing a guarantee or requiring you to deposit funds with us as security for your obligations to us or third parties). You also agree to undertake, at your own expense, any further action (including, without limitation, executing any necessary documents and registering any form of document reasonably required by us to allow us to perfect any form of security interest or otherwise) required to establish a Reserve or other form of security in a manner reasonably determined by us.

Braintree may hold a Reserve as long as it deems necessary, in its sole discretion, to mitigate any risks related to your Transactions. You agree that you will remain liable for all obligations related to your Transactions even after the release of any Reserve. In addition, we may require you to keep your Bank Account available for any open settlements, Chargebacks and other adjustments.

5.03 Security Interest

To secure your performance of this Agreement, you grant to Braintree a legal claim to any Payout Amounts held in Reserve. This is known in legal terms as a “lien” on and “security interest” in these Payout Amounts.

5.04 American Express and Direct Acceptance

American Express may use the information obtained in your application at the time of setup to screen and/or monitor you in connection with card marketing and administrative purposes.

You acknowledge that if you process greater than or equal to the equivalent of $500,000 USD in American Express transactions annually, American Express may require you to enter into a direct contractual relationship with them. In this situation, American Express will set pricing for American Express transactions, and you will pay fees for American Express transactions directly to American Express. By accepting these terms you agree to receive commercial marketing communication from American Express. You may opt out by notifying Braintree via email support@braintreepayments.com . If you opt out of commercial marketing communications, you will still receive important transactional or relationship messages from American Express.

American Express shall be a third party beneficiary of this Agreement for purposes of American Express Card acceptance.  As a third party beneficiary, American Express shall have the right to enforce directly against you the terms of this Agreement as related to American Express Card acceptance.  You acknowledge and agree that American Express shall have no responsibility of liability with regard to Braintree’s obligations to you under this Agreement.

American Express may conduct an audit of you at any time, for the purpose of determining compliance with the American Express Rules.

You authorize Braintree to submit transactions to, and receive settlement from, American Express, and to disclose transaction and merchant information to American Express to perform analytics and create reports, and for any other lawful business purposes, including commercial marketing communications purposes and important transactional or relationship communications.   Merchant may terminate its acceptance of American Express at any time upon notice. 

5.05 UnionPay – Merchant Obligations.

You agree for Braintree to disclose information obtained in your application at the time of setup to UnionPay International Co., Ltd (“UPI”) so that it can manage payment services for Merchants accepting payments utilizing the payment network of UnionPay.

Merchant, or a third party acting on its behalf, shall not use transaction receipts, UnionPay logos or marks for purposes outside of the scope of the Agreement.

Merchant shall not consign or transfer the business of UnionPay card acceptance to a third party without Braintree’s written consent.

Merchant shall not submit third party receipts to Braintree for settlement.

The following actions are not permitted by Merchant and Merchant shall assume full responsibility and liability for, including but not limited to, alteration of the amount on transaction receipts, split transactions, cash out, acceptance of credit cards listed in the card recovery bulletin, excessive usage above the authorized limit, insufficient signature and expiry date checking, refund in case, late presentment, submitting false transactions to Braintree.

Merchant agrees to keep transaction receipts and original records related to transactions for at least one year. Merchant shall bear financial losses incurred due to inappropriate retention or loss of transaction receipts.

In the event that Merchant breaches the requirements listed under this Section 5.05 and/or the Acceptable Use Policy Braintree has the right to terminate Merchant’s use of UnionPay card acceptance.

Merchant shall allow UPI to use its risk information for normal business practices.

Braintree and UPI shall have the right of inquiry and recourse regarding transactions including after the termination of the use of UnionPay card acceptance or termination of the Agreement.

5.06 iDeal – Merchant Obligations.

Supplemental terms related to your use of iDEAL are detailed under Exhibit C.

Section 6 — Data, Intellectual Property, Publicity

6.01 Data Security Compliance

Merchant agrees to comply with data privacy and security requirements under the Payment Card Industry (“PCI”) Data Security Standard (“DSS”) ("Association PCI- DSS Requirements") with regards to Merchant's use, access, and storage of certain credit card non-public personal information ("Cardholder Information") on behalf of Braintree. Visa, MasterCard, Discover, American Express, Diners Club card, JCB, UPI (China UnionPay) , any debit network, and the other financial service card organizations shall be collectively known herein as "Associations." Additionally, Merchant agrees to comply with its obligations under any applicable law or regulation as may be in effect or as may be enacted, adopted or determined regarding the confidentiality, use, and disclosure of Cardholder Information. Braintree may, at its discretion, conduct an on-site audit and review of Merchant's data privacy and security procedures upon either (a) five (5) Business Days’ notice for any reason or (b) immediately upon any unauthorized access to, use or disclosure of any Cardholder Information entrusted to Merchant.

Braintree may, with written notice to Merchant, require that Merchant comply with any further requirements of the European Central Bank or the Associations for strong authentication for all or certain specified credit card transactions.

Braintree agrees to comply with the Association PCI-DSS Requirements of Visa and MasterCard. Merchant can verify Braintree's compliance with the PCI DSS by viewing the Global List of PCI DSS Validated Compliant Service Providers on Visa's website at http://www.visa.com/splisting/searchGrsp.do. Merchant may request a copy of Braintree’s attestation of compliance for PCI DSS from Braintree no more frequently than on an annual basis.  Braintree acknowledges that it is responsible for the security of customer cardholder data it possesses or otherwise stores, processes or transmits on behalf of the Merchant, or to the extent that it could impact the security of the customer cardholder data environment.

6.02 Data Accuracy

Merchant warrants to Braintree that all data and entries delivered to Braintree by Merchant will (a) be correct in form, (b) contain true and accurate information, (c) be fully authorized by the customer, and (d) be timely under the terms and provisions of this Agreement.

6.02 Data Protection

Exhibit B details the Data Protection terms together with EU Standard Contractual Clauses.

6.04 Intellectual Property

"Intellectual Property" means all of the following owned by a party: (a) trademarks and service marks (registered and unregistered) and trade names, and goodwill associated therewith; (b) patents, patentable inventions, computer programs, and software; (c) databases; (d) trade secrets and the right to limit the use or disclosure thereof; (e) copyrights in all works, including software programs; and (f) domain names. The rights owned by a party in its Intellectual Property shall be defined, collectively, as "Intellectual Property Rights." Other than the express licenses granted by this Agreement, Braintree grants no right or license to Merchant by implication, estoppel or otherwise to the Braintree Payment Service or any Intellectual Property Rights of Braintree. Each party shall retain all ownership rights, title, and interest in and to its own products and services (including in the case of Braintree, in the Braintree Payment Service) and all intellectual property rights therein, subject only to the rights and licenses specifically granted herein.

6.05 License Grant

If you are using our software such as an API, developer's toolkit or other software application (the “Software”) that you have downloaded to your computer, device, or other platform, then Braintree grants you a revocable, non-exclusive, non-transferable license to use Braintree's software in accordance with the documentation. This license grant includes the software and all updates, upgrades, new versions and replacement software for your use in connection with the Braintree Payment Service. You may not rent, lease or otherwise transfer your rights in the software to a third party. You must comply with the implementation and use requirements contained in all Braintree documentation accompanying the software. If you do not comply with Braintree’s instructions, implementation and use requirements you will be liable for all resulting damages suffered by you, Braintree and third parties. Unless otherwise provided by applicable law, you agree not to alter, reproduce, adapt, distribute, display, publish, reverse engineer, translate, disassemble, decompile or otherwise attempt to create any source code that is derived from the software. Upon expiration or termination of this Agreement, you will immediately cease all use of any Software.

6.06 Trademarks

License to Braintree Trademarks. Subject to the terms and conditions of this Agreement, Braintree grants you a revocable, non-exclusive, non-transferable license to use Braintree's trademarks to identify the Braintree Payment Service (the "Trademarks") during the term of this Agreement solely in conjunction with the use of the Braintree Payment Service. Braintree grants no rights in the Trademarks or in any other trademark, trade name, service mark, business name or goodwill of Braintree except as licensed hereunder or by separate written agreement of the parties. Merchant agrees that it will not at any time during or after this Agreement assert or claim any interest in or do anything that may adversely affect the validity of any Trademark or any other trademark, trade name or product designation belonging to or licensed to Braintree (including, without limitation registering or attempting to register any Trademark or any such other trademark, trade name or product designation). Upon expiration or termination of this Agreement, Merchant will immediately cease all display, advertising and use of all of the Trademarks including the logos and trademarks of the Association.

6.07 Publicity

Merchant hereby grants Braintree permissions to use Merchant's name and logo in its marketing materials including, but not limited to use on Braintree's website, in customer listings, in interviews and in press releases.

6.08 Confidential Information

The parties acknowledge that in their performance of their duties hereunder either party may communicate to the other (or its designees) certain confidential and proprietary information, including without limitation information concerning the Payment Processing Services and the know how, technology, techniques, or business or marketing plans related thereto (collectively, the “Confidential Information”) all of which are confidential and proprietary to, and trade secrets of, the disclosing party. Confidential Information does not include information that: (i) is public knowledge at the time of disclosure by the disclosing party; (ii) becomes public knowledge or known to the receiving party after disclosure by the disclosing party other than by breach of the receiving party’s obligations under this section or by breach of a third party’s confidentiality obligations; (iii) was known by the receiving party prior to disclosure by the disclosing party other than by breach of a third party’s confidentiality obligations; or (iv) is independently developed by the receiving party. As a condition to the receipt of the Confidential Information from the disclosing party, the receiving party shall: (i) not disclose in any manner, directly or indirectly, to any third party any portion of the disclosing party’s Confidential Information; (ii) not use the disclosing party’s Confidential Information in any fashion except to perform its duties hereunder or with the disclosing party’s express prior written consent; (iii) disclose the disclosing party’s Confidential Information, in whole or in part, only to employees and agents who need to have access thereto for the receiving party’s internal business purposes; (iv) take all necessary steps to ensure that its employees and agents are informed of and comply with the confidentiality restrictions contained in this Agreement; and (v) take all necessary precautions to protect the confidentiality of the Confidential Information received hereunder and exercise at least the same degree of care in safeguarding the Confidential Information as it would with its own confidential information, and in no event shall apply less than a reasonable standard of care to prevent disclosure. The receiving party shall promptly notify the disclosing party of any unauthorised disclosure or use of the Confidential Information. The receiving party shall cooperate and assist the disclosing party in preventing or remedying any such unauthorised use or disclosure.

Section 7 — Indemnification, Limitation of Liability, Disclaimer of Warranties

7.01 Indemnification

Merchant agrees to defend, indemnify, and hold harmless PayPal, Braintree, our affiliates and subsidiaries, the people who work for us or who are authorised to act on our behalf from any claim or demand (including legal fees) made or incurred by any third party due to or arising out of (i) your breach of this Agreement, your Bank Agreement or any other agreement you enter into with Braintree or its suppliers (ii) your use of the Braintree Payment Services (iii) your acts or omissions and/or (iv) your breach of any law, regulation, Association Rules or the rights of a third party.

7.02 LIMITATION OF LIABILITY

NEITHER PARTY SHALL BE LIABLE TO THE OTHER PARTY OR TO ANY OTHER THIRD PARTY FOR ANY CONSEQUENTIAL, INDIRECT, SPECIAL, INCIDENTAL, RELIANCE, OR EXEMPLARY DAMAGES ARISING OUT OF OR RELATING TO THIS AGREEMENT OR THE BRAINTREE PAYMENT SERVICE, WHETHER FORESEEABLE OR UNFORESEEABLE, AND WHETHER BASED ON BREACH OF ANY EXPRESS OR IMPLIED WARRANTY, BREACH OF CONTRACT, MISREPRESENTATION, NEGLIGENCE, STRICT LIABILITY IN TORT, OR OTHER CAUSE OF ACTION (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF DATA, GOODWILL, PROFITS, INVESTMENTS, USE OF MONEY, OR USE OF FACILITIES; INTERRUPTION IN USE OR AVAILABILITY OF DATA; STOPPAGE OF OTHER WORK OR IMPAIRMENT OF OTHER ASSETS; OR LABOR CLAIMS), EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

UNDER NO CIRCUMSTANCES SHALL BRAINTREE'S TOTAL AGGREGATE LIABILITY TO MERCHANT OR ANY THIRD PARTY ARISING OUT OF OR RELATED TO THIS AGREEMENT EXCEED THE AMOUNTS PAID BY MERCHANT TO BRAINTREE UNDER THIS AGREEMENT DURING THE FIRST TWELVE MONTH PERIOD AFTER THE EFFECTIVE DATE OF THIS AGREEMENT.

FOR THE AVOIDANCE OF ANY DOUBT, NOTHING IN THIS AGREEMENT SHALL LIMIT THE LIABILITY OF EITHER PARTY FOR GROSS NEGLIGENCE, WILLFUL MISCONDUCT OR TORT NOR SHALL IT LIMIT MERCHANT’S LIABILITY ARISING UNDER AGREEMENTS WITH BRAINTREE’S BANKING PARTNERS OR THE ASSOCIATION RULES MENTIONED IN THOSE AGREEMENTS, OR TO ANY LIABILITY IMPOSED BY THE ASSOCIATIONS.

7.03 Disclaimer of Warranties

THE BRAINTREE PAYMENT SERVICE IS PROVIDED "AS IS" WITHOUT ANY WARRANTY WHATSOEVER. BRAINTREE DISCLAIMS ALL WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, TO MERCHANT AS TO ANY MATTER WHATSOEVER, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT OF THIRD PARTY RIGHTS. NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY BRAINTREE OR ITS EMPLOYEES OR REPRESENTATIVES SHALL CREATE A WARRANTY OR IN ANY WAY INCREASE THE SCOPE OF BRAINTREE'S OBLIGATIONS.

During the term of this Agreement, Braintree shall use its commercially reasonable efforts to provide the Braintree Payment Service without interruption. However, the parties acknowledge that the Braintree Payment Service is a computer network based service which may be subject to outages and delay occurrences. As such, Braintree does not guarantee continuous or uninterrupted access to the Braintree Payment Services. Braintree shall not be liable for any delay in the failure in our provision of the Braintree Payment Services under this Agreement. Merchant acknowledges that Merchant’s access to the Braintree website may be occasionally restricted to allow for repairs, maintenance or the introduction of new facilities or services. Braintree will make reasonable efforts to ensure that Transactions are processed in a timely manner. Braintree will not be liable in any manner for any interruptions, outages, or other delay occurrences relating to the Braintree Payment Service.

Section 8 — Term and Termination, Data Portability

8.01 Term and Termination

The term of this Agreement shall commence on the Effective Date and shall continue on until terminated as set forth herein. Notwithstanding any other provisions in this Agreement,

  1. you may terminate this Agreement, without cause, by providing Braintree with one (1) day written notice.
  2. Braintree may terminate this Agreement, without cause, by providing you with two (2) months prior notice. This will not affect Braintree’s right to (i) suspend our services according to Section 5.01 or, (ii) terminate at any time this Agreement without recourse to the courts (“de plein droit” in case of an important cause pursuant to which you breach your duties cited in this Agreement rendering infeasible or considerably aggravate the continuation of our business relationship with you. In case the important cause consists in a breach of this Agreement, we will terminate only after unsuccessful lapse of a reasonable prior notice to remedy the breach.

8.02 Data Portability.

Upon any termination of this Agreement, Braintree agrees, upon written request from Merchant, to provide Merchant’s new acquirer or payment service provider (“Data Recipient”), as applicable, with any available credit card information relating to Merchant's Customers, subject to the following conditions: (i) Merchant must provide Braintree with proof that the Data Recipient is in compliance with the Association PCI-DSS Requirements (level 1 PCI compliant) by giving Braintree a certificate or report on compliance with the Association PCI-DSS Requirements from a qualified provider and any other information reasonably requested by Braintree; (ii) the transfer of such information is compliant with the latest version of the Association PCI-DSS Requirements; and (iii) the transfer of such information is allowed under the applicable card association rules, and any applicable laws, rules or regulations.

Section 9 — General Provisions

9.01 Independent Contractors

The relationship of Braintree and Merchant is that of independent contractors. Neither Merchant nor its employees, consultants, contractors or agents are agents, employees, partners or joint ventures of Braintree, nor do they have any authority to bind Braintree by contract or otherwise to any obligation. They will not represent to the contrary, either expressly, implicitly, by appearance or otherwise.

9.02 Severability

If any provision of this Agreement is held by a court of competent jurisdiction to be invalid, void or unenforceable for any reason, the remaining provisions not so declared shall nevertheless continue in full force and effect, but shall be construed in a manner so as to effectuate the intent of this Agreement as a whole, notwithstanding such stricken provision or provisions.

9.03 Waiver

No term or provision of this Agreement shall be deemed waived and no breach excused, unless such waiver or consent shall be in writing and signed by the party claimed to have waived or consented. Any consent by any party to, or waiver of, a breach by the other party, whether express or implied, shall not constitute a consent to, waiver of, or excuse for any different or subsequent breach.

9.04 Assignment

This Agreement will bind and inure to the benefit of each party's permitted successors and assigns. Merchant may not assign this Agreement without the written consent of Braintree. Braintree may assign this Agreement in its sole discretion without the written consent of Merchant.

9.05 Amendments

To be valid, any amendment or waiver of this Agreement must be in writing, but an email suffices as writing for a waiver by Braintree. Changes to this Agreement will be offered to you in text-form, e.g. by way of sending you an e-mail, with a minimum of 2 months prior notice before the suggested effective date of such change. You will be deemed to have consented to these changes unless you explicitly dissent before the effective date. In case you do not agree to the changes, you may terminate this Agreement without any extra cost at any time before the effective date of the change. In such an e-mail, we shall specifically inform you about your right to dissent, the effective date, and your option to terminate this Agreement. We also publish the amended version of this Agreement on the Braintree website(s) at www.braintreepayments.com. In cases where we add extra functionality to the existing services or any other change which we believe in our reasonable opinion to neither reduce your rights nor increase your responsibilities, we may make an announcement with only 1 month prior notice. You shall have 3 weeks to express your dissent in such a case.

9.06 Entire Agreement; Binding Effect

This Agreement, including all schedules, exhibits and attachments thereto, sets forth the entire agreement and understanding of the parties hereto in respect to the subject matter contained herein, and supersedes all prior agreements, promises, covenants, arrangements, communications, representations or warranties, whether oral or written, by any officer, partner, employee or representative of any party hereto. This Agreement shall be binding upon and shall inure only to the benefit of the parties hereto and their respective successors and assigns. Nothing in this Agreement, express or implied, is intended to confer or shall be deemed to confer upon any persons or entities not parties to this Agreement, any rights or remedies under or by reason of this Agreement. This Section 9.06 does not prevent the parties from entering into further agreements for additional payment services provided for by PayPal.

In the event that there are conflicting terms between this Agreement and Exhibit B - Data Protection (Customer Data), Attachment 1, Standard Contractual Clauses then the terms of the Standard Contractual Clauses shall prevail.

9.07 Survival

Merchant remains liable under this Agreement in respect to all charges and other amounts incurred through the use of the Braintree Payment Services at any time, irrespective of termination of this Agreement.

All representations, covenants and warranties shall survive the execution of this Agreement, and all terms that by their nature are continuing shall survive the termination or expiration of this Agreement.

9.08 Contact for enquiries, communication and availability of contractual documents

If you have a question or complaint relating to the Braintree Payment Services or your Transactions, please contact the Braintree customer support as defined in the “contact” tab of the Braintree website.

All information relating to the services described in this Agreement and all customer service support and other communication during the contractual relationship will be provided in the English language only.

The general terms and conditions for the Braintree Payment Services will be available at all times on www.braintreepayments.com in the “Legal” tab, and/or be made available during signup process as an electronic copy per e-mail. You may request at any time free of charge electronic copy of your contractual documents.

9.09 Notices

  1. Notice to Merchant. Merchant agrees that Braintree may provide notice to Merchant by posting it on Braintree’s website and emailing it to Merchant, or sending it to Merchant through postal mail. Notices sent to Merchant by mail are considered received by Merchant within 3 Business Days of the date Braintree sends the notice unless it is returned to Braintree. Notices posted on Braintree’s website or emailed shall be considered to be received by you within 24 hours of the time it is posted to our website or emailed to you, unless we receive notice that the email was not delivered. Furthermore, you understand and agree that if Braintree sends you an email but you do not receive it because your primary email address on file is incorrect, out of date, blocked by your service provider, or you are otherwise unable to receive electronic communications, Braintree will be deemed to have provided the communication to you. In addition, Braintree may send Merchant emails, including, but not limited to as it relates to product updates, new features and offers and Merchant hereby consents to such email notification.
  2. Notice to Braintree. Notice to Braintree must be sent by postal mail to PayPal (Europe) S.à r.l. et Cie, S.C.A. Attention: Legal Department, 22-24 Boulevard Royal L-2449, Luxembourg.

9.10 Governing Law and Jurisdiction.

The Parties choose Luxembourg law as the governing law of this Agreement. The competent courts of Luxembourg City shall have non-exclusive jurisdiction over all disputes arising out of or in connection with this Agreement.

EXHIBIT A

Part 1 — The Braintree Payment Service

Braintree provides Merchants with the ability to accept credit and debit card payments on a website or mobile application. The Braintree Payment Services include payout of funds to a bank account defined by you, fraud protection tools, recurring billing functionality, payment card storage, foreign currency acceptance, white glove customer support, and other software, APIs and other services and technology as described on the Braintree website. Braintree also provides Merchants with the software and connectivity required to allow real-time secure data transmission and processing of credit and debit card payments.

How to receive payments

You can create and submit one-time or recurring transactions in your Braintree Dashboard or by API access for your customers and store the customer and card payment details with Braintree.

1.01 Getting started.

At the time of your sign up as a Braintree customer, Braintree needs to collect information about you and your business, and confirm your identity in accordance with its anti-money laundering and other regulatory obligations before you have full access to the Braintree Payment Services and disbursement of funds is possible. Braintree will notify you immediately when this mandatory process is completed. Braintree may let you create transactions before this process is complete. Any transactions you create before such time are subject to satisfactory completion of such process and subject to reversal in case the process is not complete within 30 Business Days.

1.02 Receiving payments, Bank Account and Payouts

Any proceeds from settled card transactions initiated by you will be received by Braintree from the sponsoring acquiring bank and settled to your Bank Account or directed to your Bank Account at our request by the sponsoring acquiring bank.

Subject to the terms of this Agreement, Braintree will pay to your Bank Account all amounts due to you and recorded by the sponsoring acquiring bank as Transactions, minus any fees, Reversals, Chargebacks, refunds or other amounts that you owe to Braintree under this Agreement.

Merchant acknowledges and agrees that a Transaction may become subject to a Chargeback even after settlement, or be invalidated for any other reason. Any of Merchant’s Payout Amounts are subject to any such event and the Merchant is required to pay to Braintree:

  1. the full amount of the original Transaction
  2. any fees and cost incurred by Braintree in this respect
  3. any Chargeback fees according to this Agreement.

You must designate at least one bank account for the deposit and settlement of funds associated with Braintree’s processing of the Transactions. Your Bank Account must be part of the SWIFT network and be able to receive the currency received from us.

With prior notice, you can change your Bank Account by way of contacting Braintree’s customer service. You authorize Braintree to initiate electronic credit and debit entries and adjustments to the Bank Account and you shall execute any documentation necessary to give effect to such authorization under the applicable legal framework of your Bank Account. Braintree will not be liable for any delays in receipt of funds or errors in the Bank Account entries caused by third parties, including but not limited to delays or errors by the payment brands or your bank.

1.03 Errors

If we are responsible for a processing error, we will rectify the error. If the error resulted in you receiving less money than you were entitled to, Braintree will credit your Bank Account for the difference. If the error results in you receiving more money than you were entitled to, Braintree may debit the extra funds from your Payout Amount or send you an invoice. Notwithstanding any other term of this Agreement, Braintree will not be held liable for the non-rectification of a payment transaction if you have failed to notify Braintree of such an incorrectly executed payment transaction without undue delay on becoming aware of such incorrectly executed payment transaction, or in any event no later than within 13 months after the debit date.

1.04 Execution and cut-off times

If Braintree is managing your settlement, you agree that we will make commercially reasonable efforts to settle to your Bank Account, at the latest, by the end of the next Business Day following the date we have received the funds from your acquiring bank

Our obligation to execute payment orders within the time period set out above in this section only applies to payments executed in the currency of Pounds Sterling, Euro or the currency of the EEA State that has not adopted Euro as its currency, and to Bank Accounts within the European Union.

Braintree is under no obligation to execute your payment order if you do not have sufficient funds or in any of the cases described in Section 5.01. Braintree reserves the right not to effect a payment made by you until it receives cleared funds.

1.05 Refunds

You may issue refunds in relation to a Transaction (“Refund Transaction”) in the Braintree Dashboard or through your API access. Unless specifically approved otherwise by Braintree, Refund Transactions encompass the original amount and currency of the Transaction plus shipping cost.

1.06 Security of your access, unauthorized transactions

You agree to:

  1. not allow anyone else to have or use your password details and comply with all reasonable instructions we may issue regarding how you can keep your payment instrument safe
  2. Keep your personal details up to date. We may be unable to respond to you if you contact us from an address, telephone number or email account that is not registered with us.
  3. Take all reasonable steps to protect the security of the personal electronic device through which you access the Braintree Payment Services (including, without limitation, using pin and/or password protected personally configured device functionality to access the Services and not sharing your device with other people).
  4. You will be solely responsible to obtain accurate credit card information and authorization from your customers.

1.07 Statements / overviews

You may check at any time in your Braintree Dashboard your processed Transactions, as well as your Refunds, Chargebacks and amounts settled to your Bank Account, and their respective status, and credit / debit date. Such statements will also display fees and their breakdown. If you have agreed to a monthly settlement of fees, your fees will be shown in your monthly settlement statement and a detailed spreadsheet will be made available in the “statements” section of the control panel. In case you need a permanent file, we also offer your transaction overview for download.

The way in which we provide the transaction information will allow you to store and reproduce the information unchanged from the Braintree Dashboard, for example by printing a copy. Braintree will ensure that the details of each transaction will be made available to you to view online for at least 13 months from when it is first made available. You agree to review your transactions though the Braintree Dashboard instead of receiving periodic statements by mail or email.

In addition to viewing the Transactions from the Braintree Payment Services, the Braintree Dashboard may also offer you the ability to see your PayPal payments. This functionality requires that you connect your existing PayPal business account through the Braintree Dashboard.Please note that the functionality is for your convenience only and is not part of the Braintree Payment Services. You should refer to your PayPal account and information on www.paypal.com for full view and functionalities relating to your PayPal payments.

1.08 surcharging

Braintree does not encourage surcharging because it is a commercial practice that can penalize the consumer and create unnecessary confusion, friction and abandonment at checkout. You agree that you will only surcharge for the use of Braintree Services in compliance with any law applicable to you and not in excess of the surcharges that you apply for the use of other payment methods. You further agree you are fully responsible for liabilities that arise out of your chose to surcharge and Braintree has no liability to you or any third party. You acknowledge that you could be committing a criminal offence if you fail to disclose any form of surcharge to a consumer.

EXHIBIT A

Part 2 — Regulatory notice

3.01 Regulatory notice

For merchants with seat in the European Union, Liechtenstein, Vatican City, Isle of Man, Guernsey, Jersey and San Marino or Norway, Braintree is provided by PayPal (Europe) S.à r.l. et Cie, S.C.A., (R.C.S. Luxembourg B 118 349) (“PayPal”). PayPal is duly licensed as a Luxembourg credit institution in the sense of Article 2 of the law of 5 April 1993 on the financial sector as amended (the “Law”) and is under the prudential supervision of the Luxembourg supervisory authority, the Commission de Surveillance du Secteur Financier (the “CSSF”).The CSSF has its registered office in L-1150 Luxembourg. Because the funds processed by Braintree for you do not legally qualify as a deposit or an investment service, you are not protected by the Luxembourg deposit guarantee schemes provided by the Association pour la Garantie des Dépôts Luxembourg

We will attempt to resolve any complaint relating to the provision of the Braintree services or to the Payment Services Agreement via our customer service center. In addition, you may make a complaint to the following:

  1. European Consumer Centre (ECC-Net). You may obtain further information regarding the ECC-Net and how to contact them at ( http://ec.europa.eu/consumers/redress_cons/ ). Only for Micro-enterprises.
  2. UK Financial Ombudsman Service (FOS). For UK resident Users only - the FOS is a free, independent service, which might be able to settle a complaint between you and us. You may obtain further information regarding the FOS and contact the FOS at http://www.financial-ombudsman.org.uk. Only for Micro-enterprises with seat in UK.
  3. Commission de Surveillance du Secteur Financier (CSSF). The CSSF is the authority responsible for the prudential supervision of companies in the financial sector in Luxembourg. You can contact the CSSF at 110 Route d’Arlon L-2991 Luxembourg. You may obtain further information regarding the CSSF and how to contact them at: http://www.cssf.lu.

EXHIBIT A

Part 3 — Definitions

“Agreement”: means this Braintree Payment Services Agreement, including all exhibits and other agreements and documents incorporated herein.

"Associations": has the definition ascribed to such term in Section 6.01.

"Association PCI-DSS Requirements": has the definition ascribed to such term in Section 6.01.

“Association Rule”: has the definition ascribed to such term in Section 6.01.

“Bank Account”: means the bank account that you specify, according to Exhibit A, 1.02, to receive your Payout Amounts.

“Braintree Dashboard” is the web view where you can access, view and create your Braintree Transactions (“Control Panel”).

“Braintree Payment Service”: means the Payment Processing Services and/or Gateway Services provided by Braintree to its users.

“Business Day” means a day where banks are generally open in Luxembourg. "Cardholder Information": has the definition ascribed to such term in Section 6.01.

"Chargeback" means a challenge to a payment that a buyer files directly with his or her credit card issuer or company.

“Gateway Services”: has the definition ascribed to such term in Section 1.02.

“Intellectual Property”: has the definition ascribed to such term in Section 6.03.

“Intellectual Property Rights”: has the definition ascribed to such term in Section 6.03.

“Invalidated Payment”: has the definition ascribed to such term in Section 4.

“Merchant” or “you”: means the entity and/or individual who enters into this Agreement.

“PayPal” or “Braintree”: means PayPal (Europe) S.à r. l. et Cie, S.C.A., a limited liability partnership registered as number R.C.S. Luxembourg B 118 349 having a registered office at 22-24 Boulevard Royal, L-2449, Luxembourg.

“Payment Processing Services”: has the definition ascribed to such term in Section 1.01. “Payout Amount”: means any amount due and recorded by the acquiring bank as a Transaction (less the sum of all Refund Transactions, Chargebacks, Reversals and any applicable charges or fees).

“Reversal”: means any payment that Braintree may in exceptional cases have to reverse to your customer because the payment: (a) violates the Acceptable Use Policy, or which we reasonably suspect of violating the Acceptable Use Policy; and/or (b) has been categorized by Braintree’s risk models as involving a as a risky payment required to be reversed to mitigate the risk associated with the payment. The term “Reversed” shall be construed accordingly.

“Refund Transaction” is any refund issued by you through the Braintree Dashboard or through your API access.

“Reserve” means an amount or percentage of your Payout Amounts that we hold in order to protect against the risk of Reversals, Chargebacks, or any other risk, exposure and/or liability related to your use of the Braintree Payment Services.

“Restricted Activities” any breaches of our Acceptable Use Policy and any activity specified in Section 4.01

“SEPA” means Single European Payments Area. “Trademarks”: has the definition ascribed to such term in Section 6.05.

“Transaction”: means any proceeds from settled card transactions initiated by you that are received by Braintree from your acquiring bank. A Transaction shall be deemed to be complete when we have control of the funds related to the applicable transaction.

“Transaction Data”: has the definition ascribed to such term in Section 6.02.

“UnionPay” means China UnionPay

“UPI” means China UnionPay International

EXHIBIT B

Section 2 — Data Protection (Customer Data)

Click here for a PDF version of this section 2, Exhibit A (EU Model Clauses) signed by PayPal.

Data Protection Terms and EU Standard Contractual Clauses are set out in the EU Personal Data Standard Contractual Clauses Addendum and are hereby incorporated by reference into this Agreement.

BRAINTREE PAYMENT SERVICES AGREEMENT

EU PERSONAL DATA STANDARD CONTRACTUAL CLAUSES ADDENDUM

This EU Personal Data Standard Contractual Clauses Addendum (“Addendum”) is entered into between the entity identified as the “merchant” on the signature page to the Payment Services Agreement or whose details have been input as part of the online registration process (“Merchant ”) and PayPal (Europe) S.á.r.l. et Cie, S.C.A. (“Braintree”) (collectively the “Parties”). This Addendum shall form part of the Payment Services Agreement between Merchant and PayPal (the “Agreement”) in accordance with the Execution of this Addendum section below.

PayPal, Inc., a Delaware corporation with offices located at 2211 North First Street, San Jose, CA 95131 (“PayPal”) is a party to the EU Standard Contractual Clauses as set out below.

Capitalized terms used but not defined in this Addendum shall have the meaning set out in the Agreement.

WHEREAS:

  • (A) Braintree is established and located in the European Economic Area.
  • (B) Braintree’s parent company PayPal and its subcontractors are located in the USA and certain other countries outside the European Economic Area.
  • (C) The European Economic Area and Switzerland restrict the transfer of Personal Data to certain other jurisdictions, including the USA.
  • (D) In order to assist Merchants established in the European Economic Area or Switzerland to transfer Personal Data to Braintree and Braintree’s parent company PayPal and its subcontractors in the provision of the Services, Braintree agrees to enter into this Addendum on the terms set out herein and PayPal agrees to enter into the EU Standard Contractual Clauses on the terms set out herein.

EXECUTION OF THIS ADDENDUM

This Addendum amends and forms part of your Payments Services Agreement. The Addendum has been electronically pre-executed for and on behalf of Braintree and the EU Standard Contractual Clauses at Attachment 1 has been electronically pre-executed for and on behalf of PayPal through the application of Braintree’s e-signature to the Addendum and PayPal’s e-signature to the EU Standard Contractual Clauses. Both documents will only come into effect as set out below.

Automatic execution option

Provided that Merchant is a party to an executed and effective Payment Services Agreement with Braintree, this Addendum shall take effect, as between Braintree and that Merchant only, and the EU Standard Contractual Clauses shall take effect, as between PayPal and that Merchant only:

for Merchants who have entered into a Payments Services Agreement on or after 18 April 2016,

automatically on execution of the Payment Services Agreement (and the name, address and contact details that Merchant provided when entering into the Payment Services Agreement shall be deemed to be inserted into the data exporter section on page 23 of the Addendum and Merchant to have signed as Merchant on page 22 and as data exporter on pages 31 and 33 of the Addendum); and

for Merchants who entered into a Payments Services Agreement before 18 April 2016

in accordance with Section 9.05 (Amendments) of the Payments Services Agreement (and the name, address and contact details that Merchant provided when entering into the Payment Services Agreement shall be deemed to be inserted into the data exporter section on page 23 of the Addendum and Merchant to have signed as Merchant on page 22 and as data exporter on pages 31 and 33 of the Addendum), or (if earlier)

on the date that Merchant completes the physical execution actions set out below:

Physical execution option (Merchant may require this option for the purposes of obtaining prior approval of transfers from Merchant’s local data protection authority)

Notwithstanding the foregoing, provided Merchant is a party to an executed and effective Payment Services Agreement with Braintree, this Addendum shall take effect, as between Braintree and that Merchant only, and the EU Standard Contractual Clauses shall take effect, as between PayPal and that Merchant only upon completion of the following steps:

(i) Merchant to complete the information relating to the Data Exporter and execute the signature page at pages 22 and 23;

(ii) Merchant to complete and execute the signature pages at pages 31 and 33; and

(iii) Merchant to submit the completed and fully executed Addendum to Braintree at dataprivacy@braintreepayments.com

1 DEFINITIONS AND INTERPRETATION

1.1 The following terms have the following meanings when used in this Addendum:

Customer means a customer of Merchant who uses the Braintree Payment Services

Customer Data means the Personal Data that Merchant’s Customer provides to Braintree through the use of the Braintree Payment Services

Data Controller means the entity which determines the purposes and means of the Processing of Personal Data

Data Exporter means Merchant

Data Importer means PayPal

Data Processor means the entity which processes Personal Data on behalf of the Data Controller

Data Protection Requirements means all laws and regulation, including laws and regulations of the European Union, the European Economic Area and their member states, applicable to the Processing of Personal Data

Data Subject means the individual to whom Personal Data relates

EU Standard Contractual Clauses means the agreement executed by and between Merchant and PayPal and attached hereto as Attachment 1 pursuant to the European Commission’s decision of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection

Merchant Data means any Personal Data relating to Merchant or its employees, officers or contractors provided to or obtained by Braintree in the provision of the Braintree Payment Services

Personal Data means any information relating to an identified or identifiable person

Processing means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction

Sub-processor means any Data Processor engaged by PayPal and/or its Affiliates in the Processing of Personal Data

1.2 Addendum. This Addendum comprises: (i) paragraphs 1 to 5, being the main body of the Addendum; and (ii) Attachment 1 (EU Standard Contractual Clauses).

1.3 Conflict. If and to the extent that there is any inconsistency between this Addendum and the EU Standard Contractual Clauses in Attachment 1, the EU Standard Contractual Clauses shall prevail.

2 PROCESSING OF PERSONAL DATA IN CONNECTION WITH THE BRAINTREE PAYMENT SERVICES

2.1 Braintree is the Data Controller in respect of Merchant Data and may use it for the following purposes:

2.1.1 as reasonably necessary to provide the services to Merchant and its Customer;

2.1.2 to conduct anti-money laundering, know your customer and fraud checks on the Merchant;

2.1.3 to market to the employees and contractors of Merchant; and

2.1.4 any other purpose that it notifies (or Merchant agrees to notify on its behalf) to the employees and contractors of Merchant in accordance with Data Protection Requirements.

2.2 Braintree is Merchant’s Data Processor in respect of Customer Data. Braintree shall only Process Customer Data on behalf of and in accordance with Merchant’s instructions. Merchant hereby instructs Braintree to Process Customer Data for the following purposes:

2.2.1 as reasonably necessary to provide the services Merchant and its Customer;

2.2.2 after anonymising the Customer Data, to use that anonymised Customer Data for any purpose whatsoever; and

2.2.3 as required to comply with applicable binding legal requirements by responding to binding requests for the disclosure of information as required by local laws, provided always that where the request is from a non-EEA law enforcement agency Braintree will (a) inform Merchant of the request, the data concerned, response time, the identity of the requesting body and the legal basis for the request; (b) wait for Merchant’s instructions provided the instruction and the opinion are received within a reasonable period of time, which shall be assessed in light of the time period afforded by the law enforcement agency to Braintree; (c) where Braintree is prohibited from informing Merchant about the law enforcement agency’s request, take reasonable steps to have this prohibition waived and to make available relevant information about the request as soon as possible to Merchant (these efforts will be documented); and (d) where the prohibition cannot be waived, compile a list, in compliance with its national law and on an annual basis, of the number of such requests received, the type of Customer Data requested and the identity of the law enforcement agency concerned and make it available to the Customer’s data protection authority annually on request (in which circumstances Braintree will be acting as a Data Controller).

2.3 Scope and Purpose; Categories of Personal Data and Data Subjects. The objective of Processing Customer Data by Braintree is the performance of the Services pursuant to the Agreement. The types of Customer Data and categories of Data Subjects Processed under this Addendum are further specified in Attachment 1, Appendix 1 (Details of the Processing) to this Addendum.

2.4 Merchant undertakes to provide all notices and obtain all consents necessary for Braintree’s use of Merchant Data and Customer Data set out above.

2.5 The Parties will at all times comply with Data Protection Requirements.

3 DATA PROCESSOR TERMS

This section 3 applies only to the extent that Braintree acts as Data Processor or Sub-processor to Merchant. It does not apply where Braintree acts as Data Controller.

Data subject rights

3.1 Correction, Blocking and Deletion. To the extent Merchant, in its use of the Services, does not have the ability to correct, amend, block or delete Customer Data, as required by Data Protection Requirements, Braintree shall comply with any commercially reasonable request by Merchant to facilitate such actions to the extent Braintree is legally permitted to do so. To the extent legally permitted, Merchant shall be responsible for any costs arising from Braintree’s provision of such assistance.

3.2 Data Subject Requests. Braintree shall, to the extent legally permitted, promptly notify Merchant if it receives a request from a Customer Data Subject for access to, correction, amendment or deletion of that person’s Personal Data. Braintree shall not respond to any such Customer Data Subject request without Merchant’s prior written consent except to confirm that the request relates to Merchant to which Merchant hereby agrees. Braintree shall provide Merchant with commercially reasonable cooperation and assistance in relation to handling of a Customer Data Subject’s request for access to that person’s Personal Data, to the extent legally permitted and to the extent Merchant does not have access to such Customer Data through its use of the Services. If legally permitted, Merchant shall be responsible for any costs arising from Braintree’s provision of such assistance.

Braintree personnel

3.3 Confidentiality. Braintree shall ensure that its personnel engaged in the Processing of Customer Data are informed of the confidential nature of the Customer Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Braintree shall ensure that such confidentiality obligations survive the termination of the personnel engagement.

3.4 Reliability. Braintree shall take commercially reasonable steps to ensure the reliability of any Braintree personnel engaged in the Processing of Customer Data.

3.5 Limitation of Access. Braintree shall ensure that Braintree’s access to Customer Data is limited to those personnel performing Services in accordance with the Agreement.

3.6 Data Protection Officer. Members of the PayPal Group have appointed a data protection officer where such appointment is required by Data Protection Requirements. The appointed person may be reached at dataprivacy@braintreepayments.com.

3.7 Sub-processors. Merchant acknowledges and expressly agrees that PayPal’s affiliates may be retained as Sub-processors; and (b) Braintree, PayPal and PayPal’s affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services.

3.7.1 List of Current Sub-processors and Notification of New Sub-processors. Braintree shall make available to Merchant a current list of Sub-processors for the respective Services with the identities of those Sub-processors (“Sub-processor List”). The Sub-processor list is included in Attachment 2 to this Addendum. Where a Sub-processor is proposed to be changed Braintree shall provide 2 months’ prior notice by email to Merchant before implementing such change

3.7.2 Objection Right for new Sub-processors. If Merchant has a reasonable basis to object to Braintree’s use of a new Sub-processor, Merchant shall notify Braintree promptly in writing within 2 months after receipt of Braintree’s notice. In the event Merchant objects to a new Sub-processor(s) and that objection is not unreasonable Braintree will use reasonable efforts to make available to Merchant a change in the affected Services or recommend a commercially reasonable change to Merchant’s configuration or use of the affected Services to avoid processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening Merchant. If Braintree is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days, Merchant may terminate the Agreement in respect only of those Braintree Payment Services which cannot be provided by Braintree without the use of the objected-to new Sub-processor, by providing written notice to Braintree. Merchant shall receive a refund of any prepaid fees for the period following the effective date of termination in respect of such terminated Braintree Payment Services.

3.8 Audits and Certifications. where requested by Merchant, subject to the confidentiality obligations set forth in the Agreement, Braintree shall make available to Merchant (or Merchant’s independent, third-party auditor that is not a competitor of Braintree or PayPal) information regarding Braintree’s compliance with the obligations set forth in this Addendum in the form of the third-party certifications and audits (if any) set forth in the Privacy Policy set out on our website. Merchant may contact Braintree in accordance with the “Notices” Section of the Agreement to request an on-site audit of the procedures relevant to the protection of Personal Data. Merchant shall reimburse Braintree for any time expended for any such on-site audit at Braintree’s then-current professional services rates, which shall be made available to Merchant upon request. Before the commencement of any such on-site audit, Merchant and Braintree shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Merchant shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Braintree. Merchant shall promptly notify Braintree with information regarding any non-compliance discovered during the course of an audit.

3.9 Security: Braintree shall, as a minimum, implement and maintain appropriate technical and organizational measures as described in Attachment 1, Appendix 2 of the Addendum to keep Customer Data secure and protect it against unauthorised or unlawful processing and accidental loss, destruction or damage. Since Braintree provides the Braintree Payment Service to all customers uniformly via a hosted, web-based application, all appropriate and then-current technical and organisational measures apply to Braintree’s entire customer base hosted out of the same data centre and subscribed to the same service. Merchant understands and agrees that the technical and organizational measures are subject to technical progress and development. In that regard, Braintree is expressly permitted to implement adequate alternative measures as long as the security level of the measures is maintained. In the event of any detrimental change Braintree shall provide a notification together with any necessary documentation to Merchant by email or publication on a website easily accessible by Merchant.

3.10 Braintree shall promptly inform Merchant as soon as it becomes aware of serious disruptions of the processing operations, reasonable suspected or actual data protection violations or any security breach in connection with the processing of Customer Personal Data which, in each case, may significantly harm the interest of the Data Subjects concerned.

4 EU STANDARD CONTRACTUAL CLAUSES RELATED TERMS

4.1 Application. The EU Standard Contractual Clauses are set out in Attachment 1 (the “EU Standard Contractual Clauses”). The EU Standard Contractual Clauses apply only to Customer Data that is transferred by Merchants established in the European Economic Area (“EEA”) or Switzerland to Braintree.

4.2 Instructions. This Addendum and the Agreement are Data Exporter’s complete and final instructions to Data Importer for the Processing of Customer Data. Any additional or alternate instructions must be agreed upon separately. For the purposes of Clause 5(a) of the EU Standard Contractual Clauses, the Data Exporter gives the following instructions: (a) to process Customer Data in accordance with the Agreement; and (b) to process Customer Data initiated by Merchants in their use of the Braintree Payment Services during the Term. These instructions also describe the duration, object, scope and purpose of the processing.

4.3 Sub-processors. Pursuant to Clause 5(h) of the EU Standard Contractual Clauses, the Data Exporter acknowledges and expressly agrees that the provisions of paragraph 3.7 of this Addendum shall also apply to the Data Importer as if it were Braintree.

4.3.1 The parties agree that the copies of the sub-processor agreements that must be sent by the Data Importer to the Data Exporter pursuant to Clause 5(j) of the EU Standard Contractual Clauses may have all commercial information, or clauses unrelated to the EU Standard Contractual Clauses or their equivalent, removed by the Data Importer beforehand; and, that such copies will be provided by Data Importer only upon reasonable request by Data Exporter.

4.4 Audits and Certifications. The Parties agree that the audits described in Clause 5(f), Clause 11 and Clause 12(2) of the EU Standard Contractual Clauses shall be fulfilled in the following manner: the provisions of paragraph 3.8 of this Addendum shall also apply to the Data Importer as if it were Braintree.

4.5 Certification of Deletion. The Parties agree that the certification of deletion of Personal Data that is described in Clause 12(1) shall be provided by the Data Importer to the Data Exporter only upon Data Exporter’s request.

4.6 Liability. The Parties agree that all liabilities between them (and in respect of PayPal, such liabilities shall be aggregated with those of Braintree so that collectively their cumulative joint liability is capped at the level set out in the Agreement) under this Addendum and the EU Standard Contractual Clauses will be subject to the terms of the Agreement (including as to limitation of liability), except that such limitations of liability will not apply to any liability that PayPal may have to Data Subjects under the third party rights provisions of the EU Standard Contractual Clauses.

4.7 Exclusion of third party rights. Subject to paragraph 4.6, PayPal shall be granted third party rights in relation to obligations expressed to be for the benefit of the Data Importer or PayPal in this Addendum and Data Subjects are granted third party rights under the EU Standard Clauses. All other third party rights are excluded.

5 LEGAL EFFECT

This Addendum shall take effect between, and become legally binding on the Parties and the EU Standard Contractual Clauses shall take effect between, and become legally binding between PayPal and Merchant, on the date determined by “Execution of this Addendum” section above.

Merchant

For and on behalf of (insert Merchant legal name)…………………………………

Signature……………………………………………

Name of signatory…………………………………….

Title of signatory……………………………………

Date………………………………………………..

Braintree

For and on behalf of PayPal (Europe) S.á.r.l. et Cie, S.C.A.

Signature…………………………………………….

Name of signatory……………………………………..

Title of signatory…………………………………….

Date…………………………………………………

ATTACHMENT 1

STANDARD CONTRACTUAL CLAUSES

Controller to Processor export of personal data (from EEA countries)

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection

Name of the data exporting organisation: ………………………………………..

Address: …………………………………………….

Tel.: ……………………………………………….

fax: ………………………………………………..

e-mail: ……………………………………………..

Other information needed to identify the organisation: …………………………… (the data exporter)

And

Name of the data importing organisation: Paypal, Inc

Address: 2211 North First Street, San Jose, CA 95131

E-mail: dataprivacy@braintreepayments.com

Other information needed to identify the organisation: …………………………… (the data importer)

each a “party”; together “the parties”,

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.


Clause 1

Definitions

For the purposes of the Clauses:

  • (a) 'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject' and 'supervisory authority' shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
  • (b) 'the data exporter' means the controller who transfers the personal data;
  • (c) 'the data importer' means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
  • (d) 'the subprocessor' means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
  • (e) 'the applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
  • (f) 'technical and organisational security measures' means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2

Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3

Third-party beneficiary clause

  1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
  2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
  3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
  4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4

Obligations of the data exporter

The data exporter agrees and warrants:

  • (a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
  • (b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;
  • (c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
  • (d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
  • (e) that it will ensure compliance with the security measures;
  • (f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
  • (g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
  • (h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
  • (i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
  • (j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5

Obligations of the data importer

The data importer agrees and warrants:

  • (a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
  • (b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
  • (c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
  • (d) that it will promptly notify the data exporter about:
    • (i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
    • (ii) any accidental or unauthorised access, and
    • (iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
  • (e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
  • (f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
  • (g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
  • (h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
  • (i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;
  • (j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.

Clause 6

Liability

  1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
  2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
  3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.

Clause 7

Mediation and jurisdiction

  1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
    • (a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
    • (b) to refer the dispute to the courts in the Member State in which the data exporter is established.
  2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

  1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
  2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
  3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).

Clause 9

Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

Clause 10

Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11

Subprocessing

  1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor's obligations under such agreement.
  2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
  3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
  4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority.

Clause 12

Obligation after the termination of personal data processing services

  1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
  2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.

On behalf of the data exporter:

Name (written out in full): …………………………………………….

Position: …………………………………………….

Address: …………………………………………….

Other information necessary in order for the contract to be binding (if any):

Signature…………………………………………….(stamp of organisation)

On behalf of the data importer (Paypal, Inc):

Name (written out in full): …………………………………………….

Position: …………………………………………….

Address: 2211 North First Street, San Jose, CA 95131

Signature…………………………………………….(stamp of organisation)


APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES

This Appendix forms part of the Clauses and must be completed and signed by the parties.

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

Data exporter

The data exporter is: Merchant

An entity that uses the Data importer’s services in respect of its Customers

Data importer

The data importer is: Paypal, Inc

A payment serivces provider which in relation to the Braintree services provides a payment gateway so that Merchant can provide Customer credit card and other details to banks and other payment service providers to process payments from Customers

Data subjects

The personal data transferred concern the following categories of data subjects:

The data exporter’s Customers

Categories of data

The personal data transferred concern the following categories of data:

Customer name, amount to be charged, card number, CSV, post code, country code, address, email address, fax, phone, website, expiry date, shipping details, tax status

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify):

Not applicable, unless Merchant configures the service to capture such data.

Processing operations

The personal data transferred will be subject to the following basic processing activities:

The receipt and storage of Personal Data in the performance of the Services during the Term of the Agreement.

DATA EXPORTER

Name: …………………………………………….

Authorised Signature …………………………………………….

DATA IMPORTER

Name: …………………………………………….

Authorised Signature …………………………………………….


APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES

This Appendix forms part of the Clauses and must be completed and signed by the parties.

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

The following measures will be implemented:

  1. Measures taken to prevent any unauthorised person from accessing the facilities used for data processing (e.g. secured access, badges);
  2. Measures taken to prevent data media from being read, copied, amended or moved by any unauthorised persons(e.g. data kept in locked premises);
  3. Measures taken to prevent the unauthorised introduction of any data into the information system, as well as any unauthorised knowledge, amendment or deletion of the recorded data (e.g. restricted access to the IT infrastructure);
  4. Measures taken to prevent data processing systems from being used by unauthorised person using data transmission facilities ( e.g. firewalls);
  5. Measures taken to guarantee that authorised persons when using an automated data processing system may access only data that are within their competence (e.g. specific users accounts);
  6. Measures taken to guarantee the checking and recording of the identity of third parties to whom the data can be transmitted by transmission facilities (e.g. VPN, encryption of data);
  7. Measures taken to guarantee that the identity of the persons having had access to the information system and the data introduced into the system can be checked and recorded ex post facto at any time and by any authorised person ;
  8. Measures taken to prevent data from being read, copied, amended or deleted in an unauthorised manner when data are disclosed and data media transported;
  9. Measures taken to safeguard data by creating backup copies (encryption of data back-ups).

ATTACHMENT 2

Sub-processor List

EXHIBIT C

iDEAL Payments Service

This Exhibit C supplements the Braintree Payment Services Agreement EU in relation to Your use of the iDEAL Payment Product provided by Braintree for Your app / website (as listed under your application).

The iDEAL Payment Product enables You to accept SEPA credit transfer from third parties, as specified in more detail herein.

We provide only payment services, i.e. We will only disburse any payments to You if and to the extent We have received the respective payments from the Payor. We do not guarantee the identity of any Payor or ensure that a buyer will complete a transaction. Please note that there is a risk of dealing with underage persons or people acting under false pretenses. Any losses following such events are solely Your risk and You are liable to Braintree for any fees, expenses or losses incurred by Braintree due to any failed direct iDEAL payments or Reversals.

1. Interpretation and definitions

The provision of the iDEAL Payment Product shall be governed by this Exhibit C as well as the Braintree Payment Services Agreement EU and the Braintree Acceptable Use Policy as supplemented or modified by this Exhibit C.

iDEAL payments have a different functionality than credit or debit card payments. Therefore, unless otherwise specified therein, the terms of the Braintree Payment Services Agreement EU and the Braintree Acceptable Use Policy shall apply mutatis mutandis to the iDEAL Payment Product.

In case of inconsistencies between the Braintree Payment Services Agreement EU and the Braintree Acceptable Use Policy, and for purposes of the iDEAL Payment Product only, this Exhibit C shall prevail.

In addition to the definitions from the Braintree Payment Services Agreement EU that are applicable mutatis mutandis, the following modifications and new terms shall apply to the iDEAL Payment Product:

  • “Certificate Agreement” means the certificate agreement between Braintree and the iDEAL scheme owner Currence iDEAL B.V. which allows Braintree to provide the iDEAL Payment Product to You.

  • “Currence Third Parties” means third parties which participate in iDEAL Payment Solution and list of which can be found at https://www.currence.nl/en/products/ideal/licences-ideal/ as updated from time to time.

  • “Fees” means the fees as set out under Section 4 of this Exhibit C.

  • “High Risk Profile Sales” means the sale of anonymous financial products that are not traceable or difficult to trace, such as telephone credits (pay-as-you-go), gambling credits or prepaid credit cards.

  • “iDEAL Payment Product” or “Product” means the iDEAL payment services that are provided by Braintree under this Exhibit C.

  • “iDEAL Payment Solution” shall have the meaning as defined in Section 2 of this Exhibit C.

  • “Initial Information” shall have the meaning as defined in Section 3(c) of this Exhibit C

  • “Invalidated Payment”, when used in the context of the iDEAL Payment Product, shall also include Reversals as defined in this Exhibit C.

  • “Issuer Bank” means a bank that has entered into a certification agreement with Currence iDEAL B.V. which authorizes the bank to allow their customers to make iDEAL payments from a bank account held with the bank.

  • “Payor” means Your customer / the buyer of the goods and/or services for which payment is made using the Product, and/or as the context requires, the holder of the bank account whose account is charged using the Product.

  • “Payout Amount”, when used in the context of the iDEAL Payment Product, means the amounts of all Transactions recorded by the iDEAL Payment Solution that have already been received by Braintree from the Payors but have not yet been disbursed to Merchant by Braintree, less the sum of all amounts due to Braintree.

  • “Reversal”, when used in the context of the iDEAL Payment Product, means a payment that Braintree may and/or is obliged to refund to the Payor because the payment (a) violates the Acceptable Use Policy; (b) is reasonably suspected by Braintree of violating the Acceptable Use Policy; or (c) has been categorized by Braintree as involving a transaction risk and is required to be reversed to mitigate the risk associated with the payment or (d) where the Merchant has failed to confirm payment within the requirement timeframe as notified to the Merchant.

  • “Reversal Fee” means the Reversal Fee set out in Section 4 (referred to as Invalidated Payment) which Merchant shall pay to Braintree for every case of Reversal.

  • “Transaction”, when used in the context of the iDEAL Payment Product, means the iDEAL payment process initiated by Payor upon the conclusion of an agreement with Merchant on the purchase of goods and/or services by which Braintree (i) forwards Payor to the online banking interface offered by an Issuer Bank selected by Payor, (ii) allows Payor to login to his bank account with the Issuer Bank and make from his bank account a SEPA credit transfer for the respective Transaction Amount, (iii) provides Merchant with a payment confirmation or, as the case may be, a notification that payment was not successful, (iv) accepts the Transaction Amount and (v) disburses the Payout Amount to Merchant. Transactions will be deemed complete when Braintree receives the Transaction Amount and accepted such funds.

  • “Transaction Amount” means the amount owed by a Payor to Merchant under an agreement for the purchase of goods or services.

  • “Transaction Expiry Period” means the amount of time given to the Payor to complete a Transaction.

  • “Transaction Information” means any information collected by Braintree in relation to Transaction for the purposes of enabling the iDEAL Payment Product as agreed in the Braintree Payment Services Agreement EU.

2. Features of the iDEAL Payment Product

a. The iDEAL Payment Product includes the following features:

**Payment processing. Upon initiation of a Transaction by Payor, Braintree shall (i) forward Payor to the online banking offered by the Issuer Bank selected by Payor, (ii) allow Payor to login to his bank account with the Issuer Bank and make from his bank account a SEPA credit transfer for the respective Transaction Amount, (iii) provide Merchant with a payment confirmation or, as the case may be, a notification that payment was not successful (as applicable), (iv) accept the Transaction Amount and (v) disburse the Payout Amount to Merchant.

iDEAL Payment Solution. Braintree shall provide the Merchant with an application programming interface (API) solution that allows the Merchant to enable its Payors to initiate Transactions (the “iDEAL Payment Solution”). In addition, Braintree shall provide Merchant with access to all payments processed via the Braintree Dashboard.

The iDEAL Payment Product is only available if the Payor’s bank account with an Issuer Bank from which the Transaction Amount shall be charged was established in one of the countries listed in Schedule 1.

b. Transaction

By allowing Payor to initiate a Transaction, Merchant authorizes Braintree to receive the Transaction Amount in Braintree’s own name.

The Transaction Expiry Period shall be set to 30 minutes unless the Merchant requests a period which is less than 30 minutes in which case the Transaction Expiry Period shall be as requested by the Merchant. Best practice on Transaction Expiry Period is detailed under the Braintree Merchant Developer Documentation.

c. Settlement; Reversals

Braintree shall, on a weekly basis or as otherwise agreed between Braintree and the Merchant, pay to the Merchant’s bank account the aggregate of all Payout Amounts (net of Reversals, Refunds, and any other amounts due to Braintree). The time of settlement for the Payout Amount is based on the date Braintree has received the cleared funds in Braintree’s bank account from the Payor’s Issuer Bank.

Merchant acknowledges that, even after the respective settlement, any Payout Amounts may become subject to a Reversal or may be invalidated for any other reason. The terms of the Braintree Payment Services Agreement EU regarding Reversals shall apply mutatis mutandis.

For each case of Reversal or Refund, Merchant shall pay the Reversal or Refund Fee set out in Section 4. In addition, Merchant shall reimburse Braintree for any cost incurred by Braintree with regard to the Reversal.

d. Invoicing and Fees.

You agree to pay to Braintree the Fees (Section 4) as consideration for the use of the iDEAL Payment Product. Braintree will invoice any Fees to Merchant. Such invoices become due seven days after receipt by Merchant. Merchant agrees to pay the invoices as they become due without set-offs or deduction.

e. Development of the iDEAL Payment Product.

Braintree may, at any time, modify, update, improve or otherwise change the current iDEAL Payment Product including the iDEAL Payment Solution at its own discretion. If such change requires an amendment of this Exhibit C, such amendment shall be agreed upon between Braintree and Merchant pursuant to the respective provisions in the Braintree Payment Services Agreement EU. In order to constantly improve the iDEAL Payment Product, Braintree welcomes feedback from Merchants. However, Braintree is not bound to act in accordance with any such feedback. In providing Braintree with feedback on the iDEAL Payment Product, Merchant agrees to waive any intellectual property rights in such feedback as well as any claims for remuneration (if any).

3. Specific Merchant obligations in relation to the iDEAL Payment Product

a. Merchant Website/App.

Merchant shall - integrate in the payment pages of its website or app a drop-down menu which displays, in an equally conspicuous way, all Issuer Banks that allow their customers to make iDEAL payments. Braintree will provide Merchant with an updated list of all relevant Issuer Banks that must be included in the drop-down menu; that list can be found at www.developers.braintreepayments.com; - display an order confirmation on its website or in its app to which the Payor is redirected after having successfully made an iDEAL payment;

b. Transaction.

Merchant shall - implement the iDEAL Payment Product in accordance with the technical specifications set forth in the Braintree Merchant Developer Documentation which can be accessed at https://developers.braintreepayments.com/ and which may be updated from time to time by Braintree providing Merchant with an updated version of the Braintree Merchant Developer Documentation; - only allow Payor to initiate Transactions - for which the respective Transaction Amount is due, payable and undisputedverify the status of a Transaction with Braintree before supplying the goods or services purchased; if Merchant fails to do so, it may not receive any payment should the Transaction not have the status “successful”; - deliver the goods or services for which a Transaction has been successfully made within seven (7) days after having received a payment confirmation for that Transaction or make its customer aware of an alternative delivery date at the time of placing the order - in case of a Reversal, promptly comply with all requests from Braintree; - notify Braintree in writing and obtain Braintree’s prior written approval, if it wishes to sell goods or services other than the goods and services mentioned to Braintree during the application process for becoming a Braintree customer and/or the application process for using the iDEAL Payment Product. Merchant guarantees that the sale of the goods or services and the usage of the iDEAL Payment Product for obtaining the relevant Transaction Amount does not violate any applicable statutes, laws, rules or other regulations.

Merchant may not interfere with the authentication process initiated and operated by the Issuer Bank to authenticate the Payor.

c. Initial Information

Prior to using the iDEAL Payment Product Merchant shall provide Braintree with the following information: * Legal name and trading name(s) of the Merchant * Full address including postcode of the Merchant’s place of domicile/registered office * Full postal address including postcode of the Merchant (if different) * General e-mail address of the Merchant (and/or the signer’s email) * Company registration number with the Chamber of Commerce or equivalent official body in another country if the Merchant is not based in the Netherlands * Domain names of the Merchant * Forenames and surnames of the legal representatives of the Merchant * Full addresses including postcode of the legal representatives * Telephone numbers and e-mail addresses of the legal representatives * Identity details of the legal representative(s): nationality, identification document number (driving license or passport) and date and place of issue of identification document. * Name of bank * Business account number * Business account name

d. Data sharing

Merchant herby consents and agrees that Braintree may share Initial Information as well as Transaction Information, including information in this Exhibit C, with Currence iDEAL B.V. or any other Currence Third Party.

e. Email Link Service.

If Merchant wishes to use an email link service for the sale of goods or services in connection with the iDEAL Payment Product, it must request Braintree’s prior written approval to do so and comply with the following requirements: * The email which is sent, containing the link, must be a solicited email which is agreed in advance between Merchant and Payor and must be sent within the agreed period of time, or must be sent with a certain frequency, or must be expected, as part of the reminder process, because an invoice has not been paid on time. * The email which is sent must be clearly recognizable for the Payor as emanating from the Merchant. * The email which is sent must direct the Payor, using a reference or a link, to what is known as the landing page of Merchant, or of a third party acting on behalf of Merchant for this purpose and made known as such to Payor. * The landing page must provide Payor with a summary of the goods or services ordered and, in the next page after the landing page, the Payor must be able to select a payment method. * The option of making the payment (by following the link in the email sent by Merchant for the order) on Merchant’s landing page must expire at the end of the expiry period of the order stated by Merchant, or as soon as a successful transaction is completed by the Payor. * The link (URL) in an email for initiating an iDEAL payment must not contain any personal or transaction related details * The email containing a link for initiating an iDEAL payment must result in a landing page being displayed which is secured with SSL or comparable certification, enabling the Payor to verify the identity of the Merchant or service provider. * Depending on the status of the Transaction, the landing page must indicate either that the offer of payment via the email link is still valid, or that this option has expired, or that the Transaction has been successful.

f. Fraud Protection.

Merchant acknowledges and agrees that it is fully responsible for the security of data on its website, app, or otherwise within its possession or control. For the avoidance of doubt, the "Association PCI- DSS Requirements" (as defined in the Payment Services Agreement EU) shall only apply to card payments, not to iDEAL payments.

If and to the extent that Merchant offers High Risk Profile Sales via its website or app, Merchant shall prior to a Transaction determine the identity of each Payor and ensure that Payor is identical with the purchaser of the goods or services for which payment is made. In addition, Merchant shall carefully monitor the Transaction and notify Braintree immediately if there is any indication of money-laundering, terrorist financing, fraudulent, criminal or other illegal behaviour.

g. Compliance and Audit.

Merchant shall - comply with all Merchant obligations set forth in the Braintree Merchant Developer Documentation; - comply with all relevant laws and regulations for its activities; - be fully responsible for complying with all of its obligations relating to the iDEAL Payment Product, irrespective of any third party involvement; - use all reasonable methods to resolve disputes with the Payor and provide an effective complaints procedure, in which Merchant can be easily contacted by e-mail and one other means of direct contact (such as a telephone number, chat box or other medium), and make the information about the complaints procedure easily available to Payors and easy for Payors to find;

Braintree may request Merchant to provide appropriate evidence that Merchant complies with the obligations in this Section 3 and reserves the right to at all times monitor and audit Merchant’s websites and systems in that respect.

If Braintree discovers an indication that Merchant is in violation of its obligations under the Braintree Payment Services Agreement EU, including this Exhibit C, or unlawfully or by a misleading representation of affairs extracting money from a Payor or a contracting party to a certificate or license agreement with Currence iDEAL B.V., Braintree may immediately terminate this Exhibit C or suspend its services and cease offering the iDEAL Payment Product to Merchant. In case of a suspension, Braintree will explain the reasons for the suspension of its service and set out measures to be taken by Merchant to remedy the breach. Braintree’s suspension of the Merchant’s access or use of the Product will remain in effect until such time as Braintree is satisfied that the Merchant has remedied the relevant breach(es).

If Braintree discovers a security breach or any other circumstance threatening to compromise the security of the iDEAL Payment Product and such circumstance falls within Your responsibilities under the agreements with Braintree, Braintree may require You to have an independent third party auditor, approved by Braintree, conduct a security audit of Your systems and facilities and issue a report at Your expense. Upon completion of the audit, You must provide a copy of the auditor’s report to Braintree and Braintree may provide copies of it to Currence iDEAL B.V. You hereby authorize Braintree to conduct or obtain such an audit at Your expense in case You do not initiate a security audit within 10 business days of Braintree’s request.

4. Fees

The Merchant shall pay the following fees for the use of the iDEAL Payment Product as provided for by Braintree: EUR 0.35 per Transaction EUR 0.35 per Reversal and Refund Transaction

5. Term and Termination

This Exhibit C becomes effective on the Effective Date and shall continue until terminated in accordance with Section 8 of the Braintree Payment Services Agreement EU. In addition to the termination rights mentioned in Section 8 of the Braintree Payment Services Agreement and Section 3 of this Exhibit C, Braintree may also terminate this Exhibit C at any time (i) if the Certificate Agreement is terminated, (ii) if Braintree believes the Merchant has or may violate the relevant laws and regulations for its activities, or (iii) for any other important reason which makes it impossible, infeasible or considerably aggravate for Braintree to continue providing Merchant with the iDEAL Payment Product. For the avoidance of doubt, both You and Braintree may terminate (subject to Section 8 of the Braintree Payment Services Agreement EU) this Exhibit C independently and separately from the Braintree Payment Services Agreement EU or any other Exhibit thereunder. A termination of this Exhibit C does not affect the validity of any other agreements between Braintree and Merchant, in particular the Braintree Payment Services Agreement EU with regard to the processing of credit and debit card payments.

SCHEDULE 1 – LIST OF COUNTRIES

Netherlands


Current Payment Services Agreement

This version of the Agreement is effective until 12 January 2018

This Agreement becomes a legally binding contract entered into by you:

  • By clicking on the "create account" button in the signup page on the Braintree website at www.braintreepayments.com,
  • by signing below (if in hard copy), or
  • by using the Braintree Payment Services.

This Agreement is provided to you in English. We recommend that you download or print a copy of this Agreement for your records, which you can do by clicking on the link on this page.

This Agreement, as it may be amended or supplemented from time to time, (all future changes to this Agreement are hereby incorporated by reference into this Agreement) together with all other terms and required disclosures relating to your use of the Braintree Payment Services, will be available to you on the Braintree website(s) (located on the “Legal” link on our website).

When you apply to become a Braintree customer, we collect information about you and your business, and confirm your identity to satisfy our anti-money laundering requirements and other regulatory obligations (referred to as “know your customer” requirements). By completing your application to become a Braintree customer, you authorise us to obtain financial and credit information (including from third parties) relating to you, your directors, officers and principals. We use this information (and other information available to us) to evaluate you, your directors, officers and principals against our evaluation criteria. Braintree reserves the right to terminate this Agreement with immediate notice to you at any time before the “know your customer” process is completed, or not completed satisfactorily. Braintree reserves the right to refuse or rescind any payment to your customers if such process does not complete satisfactorily and/or to disburse funds to you after this mandatory process is completed.

Agreement

Section 1 — Braintree Payment Services

1.01 “Braintree Payment Services” means the Payment Processing Services and/or Gateway Services provided by Braintree to its users.

  1. "Payment Processing Services": The payment processing services offered by Braintree include services that provide Merchants with the ability to accept credit and debit card payments on a website or mobile application. These services include the Gateway Services (as defined below), bank-sponsored merchant account, fraud protection tools, recurring billing functionality, payment card storage, foreign currency acceptance, white glove customer support, and other software, APIs and services and technology as described on the Braintree website.
  2. "Gateway Services": The gateway services offered by Braintree include services that provide Merchants with the software and connectivity required to allow real-time secure data transmission for processing of credit and debit card payments on a website or mobile application.

Exhibit A includes a description of the main characteristics of the Braintree Payment Services.

Section 2 — Fees and Taxes

2.01 Fees

The fees applicable to the Braintree Payment Services are set forth on our website.

All of the fees applicable to your use of the Braintree Payment Services, including applicable transaction fees and Chargeback Fees, have been disclosed to you in the onboarding flow, and can always be accessed on our website for each merchant country. All applicable fees are due and payable immediately upon settlement of the applicable Payout Amount.

Interest on any and all amounts due by you, but not yet paid to Braintree, shall accrue at a rate of 1.0% per month ("Late Fee"). In the event of a dispute made in good faith as to the amount of fees, Merchant agrees to remit payment on any undisputed amount(s); and, the Late Fee shall not accrue as to any disputed amounts unless not paid within thirty (30) calendar days after said dispute has been resolved by both parties.

2.02 Blended or Interchange Plus Pricing

You may choose between two pricing models for receiving card payments via Braintree’s payment processing services. You may opt for the Blended pricing model or for the Interchange Plus model by the methods and procedures that Braintree makes available to you. If you do not make an election, you will stay on your existing fee structure.

When you select a pricing model, it may take up to five business days for it to take effect. It will only apply to future transactions, not to past transactions.

2.03 Payment of Fees; Right to Set-off

Braintree will, on a daily basis, pay to your Bank Account the aggregate of all Payout Amounts net of the applicable fees and other amounts due to Braintree. If the Payout Amount is not sufficient to cover the applicable fees or other amounts due to Braintree on any given day, any difference will be carried forward to the next day and applied against that day’s Payout Amount.

Upon Braintree’s request, Merchant shall provide Braintree with all necessary bank account, routing and related information and grant Braintree any required permission to debit the fees from your Bank Account.

You agree that Braintree may take the following actions to recover any fees or other amounts payable by you to Braintree, in its sole discretion and without the requirement of delivering prior notice:

  1. debit your Bank Account for the applicable amounts; and/or
  2. set-off the applicable amounts against Payout Amounts from incoming Transactions

2.04 Taxes

Unless otherwise stated, all charges, fees and other payments to be made by you under the Agreement are exclusive of VAT and any other relevant taxes (if any), and, in addition to paying such sums, you will be responsible for paying any such VAT and other relevant taxes.

In the event that Braintree incurs (a) any sales, use, excise, import or export, value-added, or similar tax or duty, and any other tax or duty based on Merchant’s relationship with Braintree and not based on Braintree's income; and (b) any government permit fees, customs fees and similar fees based on Merchant’s relationship with Braintree, Merchant agrees to reimburse Braintree for any such amounts. Such taxes, fees and duties paid by Merchant shall not be considered a part of, a deduction from, or an offset against, payments due to Braintree hereunder.

2.05 Interchange Fees

Interchange Fees are set by Visa and Mastercard. If you receive card payments under the Interchange Plus pricing model, Braintree shall always charge you the Interchange Fee as set by Visa and Mastercard and as passed on by Braintree’s Acquirer. For more information on Interchange Fees, please see Mastercard's and Visa’s websites.

Section 3 — Restricted Activities, Representations and Warranties

3.01 Restricted activities

In connection with your use of the Braintree Payment Services, or in the course of your interactions with Braintree, you will comply at all times with the Braintree Acceptable Use Policy accessible at the following address: https://www.braintreepayments.com/legal/acceptable-use-policy.

You agree that you will not:

  1. Breach this Agreement, your applicable bank agreement that you entered into when you signed up for the Braintree Processing Services, or any other agreement that you have entered into with us in connection with the Braintree Payment Services;
  2. Breach any law, statute, regulation, or contract;
  3. Use the Braintree Payment Services in a manner that could result in a violation of anti-money laundering, counter terrorist financing and similar legal and regulatory obligations (including, without limitation, where we cannot verify your identity or other required information about your business) applicable to you or Braintree.
  4. Fail to provide us with any information that we request about you or your business activities, or provide us with false, inaccurate or misleading information;
  5. Refuse to cooperate in an investigation or provide confirmation of your identity or any information you provide to us;
  6. Reveal your access credentials to anyone else or use anyone else's access credentials for the Braintree Payment Services. We are not responsible for losses incurred by you including, without limitation, the use of your access to the Braintree Payment Services, by any person other than you, arising as the result of misuse of passwords; or
  7. Integrate or use any of the Braintree Payment Services without fully complying with all requirements communicated to you by Braintree.

3.02 Representations and warranties by Merchant

  1. Merchant has the full power and authority to execute, deliver and perform this Agreement. This Agreement is valid, binding and enforceable against Merchant in accordance with its terms and no provision requiring Merchant's performance is in conflict with its obligations under any constitutional document, charter or any other agreement (of whatever form or subject) to which Merchant is a party or by which it is bound.
  2. Merchant is duly organized, authorized and in good standing under the laws of the state, region or country of its organization and is duly authorized to do business in all other states, regions or countries in which Merchant's business make such authorization necessary or required.

Section 4 — Liability for Invalidated Payments and other Liabilities

You must compensate and indemnify us for any claims, losses, expenses or liability we incur arising out of:

  1. a transaction or dispute between you and your customer(s);
  2. an invalid transaction, refund transaction, over-payment, Chargeback and any other expenses, collectively “Invalidated Payments”;
  3. any error, negligence, willful misconduct or fraud by you or your employees; or
  4. any losses suffered by us as a result of your failure to comply with your obligations under this Agreement.

In the event of an Invalidated Payment and other liability, we may deduct the amount of the Invalidated Payment from your Payout Amounts.

Section 5 — Actions We May Take

5.01 Actions by Braintree

If we have reason to believe that there is a higher than normal risk associated with your Transactions, in particular if we believe you have breached the terms of this Agreement, we may take various actions to avoid Reversals, Chargebacks, fees, fines, penalties and any other liability. The actions we may take include but are not limited to the following:

  1. We may, at any time and without liability, limit or suspend your right to use the Braintree Payment Services if we believe that you are in breach of your obligations under this Agreement, including without limitation Section 3.01 “Restricted Activities”. If possible, we will give you advance notice of any limitation or suspension, but we may take such actions without advance notice under certain circumstances, including if we believe that your use of the Braintree Payment Services represents a security threat or involves fraud or any other illegal activities;
  2. Refuse any Transaction at any time, provided that, upon request and where possible, we will provide the reasons for the refusal and steps for resolution of the problem;
  3. Reverse any Transaction (including, if appropriate, to the sender’s credit card), that violates, or we reasonably suspect may violate, this Agreement, including but not limited to our Acceptable Use Policy or section 3.01;
  4. Hold your funds or suspend/ limit your account, to the extent and for so long as reasonably needed to protect against the risk of liability or as required to mitigate any regulatory risk in relation to your Transactions.

5.02 Reserves

Braintree, in its sole discretion, may place a Reserve on all or a portion of your Payout Amounts. If Braintree imposes a Reserve, we will provide you with a notice specifying the terms of the Reserve. The terms may require (a) that a certain percentage of your Payout Amounts are held for a certain period of time, (b) that a fixed amount of your Payout Amounts is withheld from payout to you, or (c) such other restrictions that Braintree determines are necessary to protect against the risk to us associated with our business relationship. Braintree may change the terms of the Reserve at any time by providing you with notice of the new terms. Payout Amounts subject to a Reserve are not immediately available for payout to you or for making Refund Transactions. Other restrictions described in (c) above may include: limiting Payout Amounts immediately available to you, changing the speed or method of payouts to you, setting off any amounts owed by you against your Payout Amounts and/or requiring that you, or a person associated with you, enter into other forms of security arrangements with us (for example, by providing a guarantee or requiring you to deposit funds with us as security for your obligations to us or third parties). You also agree to undertake, at your own expense, any further action (including, without limitation, executing any necessary documents and registering any form of document reasonably required by us to allow us to perfect any form of security interest or otherwise) required to establish a Reserve or other form of security in a manner reasonably determined by us.

Braintree may hold a Reserve as long as it deems necessary, in its sole discretion, to mitigate any risks related to your Transactions. You agree that you will remain liable for all obligations related to your Transactions even after the release of any Reserve. In addition, we may require you to keep your Bank Account available for any open settlements, Chargebacks and other adjustments.

5.03 Security Interest

To secure your performance of this Agreement, you grant to Braintree a legal claim to any Payout Amounts held in Reserve. This is known in legal terms as a “lien” on and “security interest” in these Payout Amounts.

5.04 Direct Acceptance with American Express

You acknowledge that if you process greater than or equal to the equivalent of $500,000 USD in American Express transactions annually, American Express may require you to enter into a direct contractual relationship with them. In this situation, American Express will set pricing for American Express transactions, and you will pay fees for American Express transactions directly to American Express.

Section 6 — Data, Intellectual Property, Publicity

6.01 Data Security Compliance

Merchant agrees to comply with data privacy and security requirements under the Payment Card Industry Data Security Standard ("Association PCI- DSS Requirements") with regards to Merchant's use, access, and storage of certain credit card non-public personal information ("Cardholder Information") on behalf of Braintree. Visa, Mastercard, Discover, American Express, any ATM or debit network, and the other financial service card organizations shall be collectively known herein as "Associations." Additionally, Merchant agrees to comply with its obligations under any applicable law or regulation as may be in effect or as may be enacted, adopted or determined regarding the confidentiality, use, and disclosure of Cardholder Information. Braintree may, at its discretion, conduct an on-site audit and review of Merchant's data privacy and security procedures upon either (a) five (5) Business Days’ notice for any reason or (b) immediately upon any unauthorized access to, use or disclosure of any Cardholder Information entrusted to Merchant.

Braintree may, with written notice to Merchant, require that Merchant comply with any further requirements of the European Central Bank or the Associations for strong authentication for all or certain specified credit card transactions.

6.02 Data Accuracy

Merchant warrants to Braintree that all data and entries delivered to Braintree by Merchant will (a) be correct in form, (b) contain true and accurate information, (c) be fully authorized by the customer, and (d) be timely under the terms and provisions of this Agreement.

6.03 Intellectual Property

"Intellectual Property" means all of the following owned by a party: (a) trademarks and service marks (registered and unregistered) and trade names, and goodwill associated therewith; (b) patents, patentable inventions, computer programs, and software; (c) databases; (d) trade secrets and the right to limit the use or disclosure thereof; (e) copyrights in all works, including software programs; and (f) domain names. The rights owned by a party in its Intellectual Property shall be defined, collectively, as "Intellectual Property Rights." Other than the express licenses granted by this Agreement, Braintree grants no right or license to Merchant by implication, estoppel or otherwise to the Braintree Payment Service or any Intellectual Property Rights of Braintree. Each party shall retain all ownership rights, title, and interest in and to its own products and services (including in the case of Braintree, in the Braintree Payment Service) and all intellectual property rights therein, subject only to the rights and licenses specifically granted herein.

6.04 License Grant

If you are using our software such as an API, developer's toolkit or other software application (the “Software”) that you have downloaded to your computer, device, or other platform, then Braintree grants you a revocable, non-exclusive, non-transferable license to use Braintree's software in accordance with the documentation. This license grant includes the software and all updates, upgrades, new versions and replacement software for your use in connection with the Braintree Payment Service. You may not rent, lease or otherwise transfer your rights in the software to a third party. You must comply with the implementation and use requirements contained in all Braintree documentation accompanying the software. If you do not comply with Braintree’s instructions, implementation and use requirements you will be liable for all resulting damages suffered by you, Braintree and third parties. Unless otherwise provided by applicable law, you agree not to alter, reproduce, adapt, distribute, display, publish, reverse engineer, translate, disassemble, decompile or otherwise attempt to create any source code that is derived from the software. Upon expiration or termination of this Agreement, you will immediately cease all use of any Software.

6.05 Trademarks

License to Braintree Trademarks. Subject to the terms and conditions of this Agreement, Braintree grants you a revocable, non-exclusive, non-transferable license to use Braintree's trademarks to identify the Braintree Payment Service (the "Trademarks") during the term of this Agreement solely in conjunction with the use of the Braintree Payment Service. Braintree grants no rights in the Trademarks or in any other trademark, trade name, service mark, business name or goodwill of Braintree except as licensed hereunder or by separate written agreement of the parties. Merchant agrees that it will not at any time during or after this Agreement assert or claim any interest in or do anything that may adversely affect the validity of any Trademark or any other trademark, trade name or product designation belonging to or licensed to Braintree (including, without limitation registering or attempting to register any Trademark or any such other trademark, trade name or product designation). Upon expiration or termination of this Agreement, Merchant will immediately cease all display, advertising and use of all of the Trademarks.

6.06 Publicity

Merchant hereby grants Braintree permissions to use Merchant's name and logo in its marketing materials including, but not limited to use on Braintree's website, in customer listings, in interviews and in press releases.

Section 7 — Indemnification, Limitation of Liability, Disclaimer of Warranties

7.01 Indemnification

Merchant agrees to defend, indemnify, and hold harmless PayPal, Braintree, our affiliates and subsidiaries, the people who work for us or who are authorised to act on our behalf from any claim or demand (including attorneys’ fees) made or incurred by any third party due to or arising out of your breach of this Agreement or your applicable bank agreement that you entered into when you signed up for the Braintree Processing Services, your improper use of the Braintree Processing Services, and/or your violation of any law or the rights of a third party.

7.02 LIMITATION OF LIABILITY

NEITHER PARTY SHALL BE LIABLE TO THE OTHER PARTY OR TO ANY OTHER THIRD PARTY FOR ANY CONSEQUENTIAL, INDIRECT, SPECIAL, INCIDENTAL, RELIANCE, OR EXEMPLARY DAMAGES ARISING OUT OF OR RELATING TO THIS AGREEMENT OR THE BRAINTREE PAYMENT SERVICE, WHETHER FORESEEABLE OR UNFORESEEABLE, AND WHETHER BASED ON BREACH OF ANY EXPRESS OR IMPLIED WARRANTY, BREACH OF CONTRACT, MISREPRESENTATION, NEGLIGENCE, STRICT LIABILITY IN TORT, OR OTHER CAUSE OF ACTION (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF DATA, GOODWILL, PROFITS, INVESTMENTS, USE OF MONEY, OR USE OF FACILITIES; INTERRUPTION IN USE OR AVAILABILITY OF DATA; STOPPAGE OF OTHER WORK OR IMPAIRMENT OF OTHER ASSETS; OR LABOR CLAIMS), EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. UNDER NO CIRCUMSTANCES SHALL BRAINTREE'S TOTAL AGGREGATE LIABILITY TO MERCHANT OR ANY THIRD PARTY ARISING OUT OF OR RELATED TO THIS AGREEMENT EXCEED THE AMOUNTS PAID BY MERCHANT TO BRAINTRE UNDER THIS AGREEMENT DURING THE FIRST TWELVE MONTH PERIOD AFTER THE EFFECTIVE DATE OF THIS AGREEMENT. FOR THE AVOIDANCE OF ANY DOUBT, NOTHING IN THIS AGREEMENT SHALL LIMIT THE LIABILITY OF EITHER PARTY FOR GROSS NEGLIGENCE, WILLFUL MISCONDUCT OR TORT.

7.02 Disclaimer of Warranties

THE BRAINTREE PAYMENT SERVICE IS PROVIDED "AS IS" WITHOUT ANY WARRANTY WHATSOEVER. BRAINTREE DISCLAIMS ALL WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, TO MERCHANT AS TO ANY MATTER WHATSOEVER, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT OF THIRD PARTY RIGHTS. NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY BRAINTREE OR ITS EMPLOYEES OR REPRESENTATIVES SHALL CREATE A WARRANTY OR IN ANY WAY INCREASE THE SCOPE OF BRAINTREE'S OBLIGATIONS.

During the term of this Agreement, Braintree shall use its commercially reasonable efforts to provide the Braintree Payment Service without interruption. However, the parties acknowledge that the Braintree Payment Service is a computer network based service which may be subject to outages and delay occurrences. As such, Braintree does not guarantee continuous, or uninterrupted access to the Braintree Payment Services. Braintree shall not be liable for any delay in the failure in our provision of the Braintree Payment Services under this Agreement. Merchant acknowledges that Merchant’s access to the Braintree website may be occasionally restricted to allow for repairs, maintenance or the introduction of new facilities or services. Braintree will make reasonable efforts to ensure that Transactions are processed in a timely manner. Braintree will not be liable in any manner for any interruptions, outages, or other delay occurrences relating to the Braintree Payment Service.

Section 8 — Term and Termination, Data Portability

The initial term of this Agreement shall commence upon successful registration on the Braintree website and activation by Braintree for productive use (“Activation Date”).

This Agreement shall continue on until terminated as set forth herein. Notwithstanding any other provisions in this Agreement,

  1. you may terminate this Agreement, without cause, by providing Braintree with one (1) day written notice.
  2. Braintree may terminate this Agreement, without cause, by providing you with two (2) months prior notice. This will not affect Braintree’s right to (i) suspend our services according to Section 5.01 or, (ii) terminate at any time this Agreement without recourse to the courts (“de plein droit” in case of an important cause pursuant to which you breach your duties cited in this Agreement rendering infeasible or considerably aggravate the continuation of our business relationship with you. In case the important cause consists in a breach of this Agreement, we will terminate only after unsuccessful lapse of a reasonable prior notice to remedy the breach.

Data Portability. Upon any termination of this Agreement, Braintree agrees, upon written request from Merchant, to provide Merchant’s new acquirer or payment service provider (“Data Recipient”), as applicable, with any available credit card information relating to Merchant's Customers, subject to the following conditions: (i) Merchant must provide Braintree with proof that the Data Recipient is in compliance with the Association PCI-DSS Requirements (level 1 PCI compliant) by giving Braintree a certificate or report on compliance with the Association PCI-DSS Requirements from a qualified provider and any other information reasonably requested by Braintree; (ii) the transfer of such information is compliant with the latest version of the Association PCI-DSS Requirements; and (iii) the transfer of such information is allowed under the applicable card association rules, and any applicable laws, rules or regulations.

Section 9 — General Provisions

9.01 Independent Contractors

The relationship of Braintree and Merchant is that of independent contractors. Neither Merchant nor its employees, consultants, contractors or agents are agents, employees, partners or joint ventures of Braintree, nor do they have any authority to bind Braintree by contract or otherwise to any obligation. They will not represent to the contrary, either expressly, implicitly, by appearance or otherwise.

9.02 Severability

If any provision of this Agreement is held by a court of competent jurisdiction to be invalid, void or unenforceable for any reason, the remaining provisions not so declared shall nevertheless continue in full force and effect, but shall be construed in a manner so as to effectuate the intent of this Agreement as a whole, notwithstanding such stricken provision or provisions.

9.03 Waiver

No term or provision of this Agreement shall be deemed waived and no breach excused, unless such waiver or consent shall be in writing and signed by the party claimed to have waived or consented. Any consent by any party to, or waiver of, a breach by the other party, whether express or implied, shall not constitute a consent to, waiver of, or excuse for any different or subsequent breach.

9.04 Assignment

This Agreement will bind and inure to the benefit of each party's permitted successors and assigns. Merchant may not assign this Agreement without the written consent of Braintree. Braintree may assign this Agreement in its sole discretion without the written consent of Merchant.

9.05 Amendments

To be valid, any amendment or waiver of this Agreement must be in writing, but an email suffices as writing for a waiver by Braintree. Changes to this Agreement will be offered to you in text-form, e.g. by way of sending you an e-mail, with a minimum of 2 months prior notice before the suggested effective date of such change. You will be deemed to have consented to these changes unless you explicitly dissent before the effective date. In case you do not agree to the changes, you may terminate this Agreement without any extra cost at any time before the effective date of the change. In such an e-mail, we shall specifically inform you about your right to dissent, the effective date, and your option to terminate this Agreement. We also publish the amended version of this Agreement on the Braintree website(s) at www.braintreepayments.com. In cases where we add extra functionality to the existing services or any other change which we believe in our reasonable opinion to neither reduce your rights nor increase your responsibilities, we may make an announcement with only 1 month prior notice. You shall have 3 weeks to express your dissent in such a case.

9.06 Entire Agreement; Binding Effect

This Agreement, including all schedules, exhibits and attachments thereto, sets forth the entire agreement and understanding of the parties hereto in respect to the subject matter contained herein, and supersedes all prior agreements, promises, covenants, arrangements, communications, representations or warranties, whether oral or written, by any officer, partner, employee or representative of any party hereto. This Agreement shall be binding upon and shall inure only to the benefit of the parties hereto and their respective successors and assigns. Nothing in this Agreement, express or implied, is intended to confer or shall be deemed to confer upon any persons or entities not parties to this Agreement, any rights or remedies under or by reason of this Agreement.

9.07 Survival

Merchant remains liable under this Agreement in respect to all charges and other amounts incurred through the use of the Braintree Payment Services at any time, irrespective of termination of this Agreement.

All representations, covenants and warranties shall survive the execution of this Agreement, and all terms that by their nature are continuing shall survive the termination or expiration of this Agreement.

9.08 Contact for enquiries, communication and availability of contractual documents

If you have a question or complaint relating to the Braintree Payment Services or your Transactions, please contact the Braintree customer support as defined in the “contact” tab of the Braintree website.

All information relating to the services described in this Agreement and all customer service support and other communication during the contractual relationship will be provided in the English language only.

The general terms and conditions for the Braintree Payment Services will be available at all times on www.braintreepayments.com in the “Legal” tab, and/or be made available during signup process as an electronic copy per e-mail. You may request at any time free of charge electronic copy of your contractual documents.

9.09 Notices, Governing Law, and Jurisdiction

  1. Notice to Merchant. Merchant agrees that Braintree may provide notice to Merchant by posting it on Braintree’s website, emailing it to Merchant, or sending it to Merchant through postal mail. Notices sent to Merchant by mail are considered received by Merchant within 3 Business Days of the date Braintree sends the notice unless it is returned to Braintree. In addition, Braintree may send Merchant emails, including, but not limited to as it relates to product updates, new features and offers and Merchant hereby consents to such email notification.
  2. Notice to Braintree. Notice to Braintree must be sent by postal mail to PayPal (Europe) S.à r.l. et Cie, S.C.A. Attention: Legal Department, 22-24 Boulevard Royal L-2449, Luxembourg.
  3. Governing Law and Jurisdiction. The Parties choose Luxembourg law as the governing law of this Agreement. The competent courts of Luxembourg City shall have non-exclusive jurisdiction over all disputes arising out of or in connection with this Agreement.

EXHIBIT A

Section 1 — The Braintree Payment Service

Braintree

Braintree provides Merchants with the ability to accept credit and debit card payments on a website or mobile application. The Braintree Payment Services include payout of funds to a bank account defined by you, fraud protection tools, recurring billing functionality, payment card storage, foreign currency acceptance, white glove customer support, and other software, APIs and other services and technology as described on the Braintree website. Braintree also provides Merchants with the software and connectivity required to allow real-time secure data transmission and processing of credit and debit card payments.

How to receive payments

You can create and submit one-time or recurring transactions in your Braintree Dashboard or by API access for your customers and store the customer and card payment details with Braintree.

1.01 Getting started.

At the time of your sign up as a Braintree customer, Braintree needs to collect information about you and your business, and confirm your identity in accordance with its anti-money laundering and other regulatory obligations before you have full access to the Braintree Payment Services and disbursement of funds is possible. Braintree will notify you immediately when this mandatory process is completed. Braintree may let you create transactions before this process is complete. Any transactions you create before such time are subject to satisfactory completion of such process and subject to reversal in case the process is not complete within 30 Business Days.

1.02 Receiving payments, Bank Account and Payouts

Any proceeds from settled card transactions initiated by you will be received by Braintree from the sponsoring acquiring bank and settled to your Bank Account or directed to your Bank Account at our request by the sponsoring acquiring bank.

Subject to the terms of this Agreement, Braintree will pay to your Bank Account all amounts due to you and recorded by the sponsoring acquiring bank as Transactions, minus any fees, Reversals, Chargebacks, refunds or other amounts that you owe to Braintree under this Agreement.

Merchant acknowledges and agrees that a Transaction may become subject to a Chargeback even after settlement, or be invalidated for any other reason. Any of Merchant’s Payout Amounts are subject to any such event and the Merchant is required to pay to Braintree:

  1. the full amount of the original Transaction
  2. any fees and cost incurred by Braintree in this respect
  3. any Chargeback fees according to this Agreement.

You must designate at least one bank account for the deposit and settlement of funds associated with Braintree’s processing of the Transactions. Your Bank Account must be part of the SWIFT network and be able to receive the currency received from us.

With prior notice, you can change your Bank Account by way of contacting Braintree’s customer service. You authorize Braintree to initiate electronic credit and debit entries and adjustments to the Bank Account and you shall execute any documentation necessary to give effect to such authorization under the applicable legal framework of your Bank Account. Braintree will not be liable for any delays in receipt of funds or errors in the Bank Account entries caused by third parties, including but not limited to delays or errors by the payment brands or your bank.

1.03 Execution and cut-off times

If Braintree is managing your settlement, you agree that we will make commercially reasonable efforts to settle to your Bank Account, at the latest, by the end of the next Business Day following the date we have received the funds from your acquiring bank

Our obligation to execute payment orders within the time period set out above in this section only applies to payments executed in the currency of Pounds Sterling, Euro or the currency of the EEA State that has not adopted Euro as its currency, and to Bank Accounts within the European Union.

Braintree is under no obligation to execute your payment order if you do not have sufficient funds or in any of the cases described in Section 5.01. Braintree reserves the right not to effect a payment made by you until it receives cleared funds.

1.04 Refunds

You may issue refunds in relation to a Transaction (“Refund Transaction”) in the Braintree Dashboard or through your API access. Unless specifically approved otherwise by Braintree, Refund Transactions encompass the original amount and currency of the Transaction plus shipping cost.

1.05 Security of your access, unauthorized transactions

You agree to:

  1. not allow anyone else to have or use your password details and comply with all reasonable instructions we may issue regarding how you can keep your payment instrument safe
  2. Keep your personal details up to date. We may be unable to respond to you if you contact us from an address, telephone number or email account that is not registered with us.
  3. Take all reasonable steps to protect the security of the personal electronic device through which you access the Braintree Payment Services (including, without limitation, using pin and/or password protected personally configured device functionality to access the Services and not sharing your device with other people).
  4. You will be solely responsible to obtain accurate credit card information and authorization from your customers.

1.06 Statements / overviews

You may check at any time in your Braintree Dashboard your processed Transactions, as well as your Refunds, Chargebacks and amounts settled to your Bank Account, and their respective status, and credit / debit date. Such statements will also display fees and their breakdown. If you have agreed to a monthly settlement of fees, your fees will be shown in your monthly settlement statement and a detailed spreadsheet will be made available in the “statements” section of the control panel. In case you need a permanent file, we also offer your transaction overview for download.

In addition to viewing the Transactions from the Braintree Payment Services, the Braintree Dashboard may also offer you the ability to see your PayPal payments. This functionality requires that you connect your existing PayPal business account through the Braintree Dashboard.Please note that the functionality is for your convenience only and is not part of the Braintree Payment Services. You should refer to your PayPal account and information on www.paypal.com for full view and functionalities relating to your PayPal payments.

Section 2 — Data Protection (Customer Data)

Click here for a PDF version of this section 2, Exhibit A (EU Model Clauses) signed by PayPal.

Data Protection Terms and EU Standard Contractual Clauses are set out in the EU Personal Data Standard Contractual Clauses Addendum and are hereby incorporated by reference into this Agreement.

BRAINTREE PAYMENT SERVICES AGREEMENT

EU PERSONAL DATA STANDARD CONTRACTUAL CLAUSES ADDENDUM

This EU Personal Data Standard Contractual Clauses Addendum (“Addendum”) is entered into between the entity identified as the “merchant” on the signature page to the Payment Services Agreement or whose details have been input as part of the online registration process (“Merchant ”) and PayPal (Europe) S.á.r.l. et Cie, S.C.A. (“Braintree”) (collectively the “Parties”). This Addendum shall form part of the Payment Services Agreement between Merchant and PayPal (the “Agreement”) in accordance with the Execution of this Addendum section below.

PayPal, Inc., a Delaware corporation with offices located at 2211 North First Street, San Jose, CA 95131 (“PayPal”) is a party to the EU Standard Contractual Clauses as set out below.

Capitalized terms used but not defined in this Addendum shall have the meaning set out in the Agreement.

WHEREAS:

  • (A) Braintree is established and located in the European Economic Area.
  • (B) Braintree’s parent company PayPal and its subcontractors are located in the USA and certain other countries outside the European Economic Area.
  • (C) The European Economic Area and Switzerland restrict the transfer of Personal Data to certain other jurisdictions, including the USA.
  • (D) In order to assist Merchants established in the European Economic Area or Switzerland to transfer Personal Data to Braintree and Braintree’s parent company PayPal and its subcontractors in the provision of the Services, Braintree agrees to enter into this Addendum on the terms set out herein and PayPal agrees to enter into the EU Standard Contractual Clauses on the terms set out herein.

EXECUTION OF THIS ADDENDUM

This Addendum amends and forms part of your Payments Services Agreement. The Addendum has been electronically pre-executed for and on behalf of Braintree and the EU Standard Contractual Clauses at Attachment 1 has been electronically pre-executed for and on behalf of PayPal through the application of Braintree’s e-signature to the Addendum and PayPal’s e-signature to the EU Standard Contractual Clauses. Both documents will only come into effect as set out below.

Automatic execution option

Provided that Merchant is a party to an executed and effective Payment Services Agreement with Braintree, this Addendum shall take effect, as between Braintree and that Merchant only, and the EU Standard Contractual Clauses shall take effect, as between PayPal and that Merchant only:

for Merchants who have entered into a Payments Services Agreement on or after 18 April 2016,

automatically on execution of the Payment Services Agreement (and the name, address and contact details that Merchant provided when entering into the Payment Services Agreement shall be deemed to be inserted into the data exporter section on page 23 of the Addendum and Merchant to have signed as Merchant on page 22 and as data exporter on pages 31 and 33 of the Addendum); and

for Merchants who entered into a Payments Services Agreement before 18 April 2016

in accordance with Section 9.05 (Amendments) of the Payments Services Agreement (and the name, address and contact details that Merchant provided when entering into the Payment Services Agreement shall be deemed to be inserted into the data exporter section on page 23 of the Addendum and Merchant to have signed as Merchant on page 22 and as data exporter on pages 31 and 33 of the Addendum), or (if earlier)

on the date that Merchant completes the physical execution actions set out below:

Physical execution option (Merchant may require this option for the purposes of obtaining prior approval of transfers from Merchant’s local data protection authority)

Notwithstanding the foregoing, provided Merchant is a party to an executed and effective Payment Services Agreement with Braintree, this Addendum shall take effect, as between Braintree and that Merchant only, and the EU Standard Contractual Clauses shall take effect, as between PayPal and that Merchant only upon completion of the following steps:

(i) Merchant to complete the information relating to the Data Exporter and execute the signature page at pages 22 and 23;

(ii) Merchant to complete and execute the signature pages at pages 31 and 33; and

(iii) Merchant to submit the completed and fully executed Addendum to Braintree at dataprivacy@braintreepayments.com

1 DEFINITIONS AND INTERPRETATION

1.1 The following terms have the following meanings when used in this Addendum:

Customer means a customer of Merchant who uses the Braintree Payment Services

Customer Data means the Personal Data that Merchant’s Customer provides to Braintree through the use of the Braintree Payment Services

Data Controller means the entity which determines the purposes and means of the Processing of Personal Data

Data Exporter means Merchant

Data Importer means PayPal

Data Processor means the entity which processes Personal Data on behalf of the Data Controller

Data Protection Requirements means all laws and regulation, including laws and regulations of the European Union, the European Economic Area and their member states, applicable to the Processing of Personal Data

Data Subject means the individual to whom Personal Data relates

EU Standard Contractual Clauses means the agreement executed by and between Merchant and PayPal and attached hereto as Attachment 1 pursuant to the European Commission’s decision of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection

Merchant Data means any Personal Data relating to Merchant or its employees, officers or contractors provided to or obtained by Braintree in the provision of the Braintree Payment Services

Personal Data means any information relating to an identified or identifiable person

Processing means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction

Sub-processor means any Data Processor engaged by PayPal and/or its Affiliates in the Processing of Personal Data

1.2 Addendum. This Addendum comprises: (i) paragraphs 1 to 5, being the main body of the Addendum; and (ii) Attachment 1 (EU Standard Contractual Clauses).

1.3 Conflict. If and to the extent that there is any inconsistency between this Addendum and the EU Standard Contractual Clauses in Attachment 1, the EU Standard Contractual Clauses shall prevail.

2 PROCESSING OF PERSONAL DATA IN CONNECTION WITH THE BRAINTREE PAYMENT SERVICES

2.1 Braintree is the Data Controller in respect of Merchant Data and may use it for the following purposes:

2.1.1 as reasonably necessary to provide the services to Merchant and its Customer;

2.1.2 to conduct anti-money laundering, know your customer and fraud checks on the Merchant;

2.1.3 to market to the employees and contractors of Merchant; and

2.1.4 any other purpose that it notifies (or Merchant agrees to notify on its behalf) to the employees and contractors of Merchant in accordance with Data Protection Requirements.

2.2 Braintree is Merchant’s Data Processor in respect of Customer Data. Braintree shall only Process Customer Data on behalf of and in accordance with Merchant’s instructions. Merchant hereby instructs Braintree to Process Customer Data for the following purposes:

2.2.1 as reasonably necessary to provide the services Merchant and its Customer;

2.2.2 after anonymising the Customer Data, to use that anonymised Customer Data for any purpose whatsoever; and

2.2.3 as required to comply with applicable binding legal requirements by responding to binding requests for the disclosure of information as required by local laws, provided always that where the request is from a non-EEA law enforcement agency Braintree will (a) inform Merchant of the request, the data concerned, response time, the identity of the requesting body and the legal basis for the request; (b) wait for Merchant’s instructions provided the instruction and the opinion are received within a reasonable period of time, which shall be assessed in light of the time period afforded by the law enforcement agency to Braintree; (c) where Braintree is prohibited from informing Merchant about the law enforcement agency’s request, take reasonable steps to have this prohibition waived and to make available relevant information about the request as soon as possible to Merchant (these efforts will be documented); and (d) where the prohibition cannot be waived, compile a list, in compliance with its national law and on an annual basis, of the number of such requests received, the type of Customer Data requested and the identity of the law enforcement agency concerned and make it available to the Customer’s data protection authority annually on request (in which circumstances Braintree will be acting as a Data Controller).

2.3 Scope and Purpose; Categories of Personal Data and Data Subjects. The objective of Processing Customer Data by Braintree is the performance of the Services pursuant to the Agreement. The types of Customer Data and categories of Data Subjects Processed under this Addendum are further specified in Attachment 1, Appendix 1 (Details of the Processing) to this Addendum.

2.4 Merchant undertakes to provide all notices and obtain all consents necessary for Braintree’s use of Merchant Data and Customer Data set out above.

2.5 The Parties will at all times comply with Data Protection Requirements.

3 DATA PROCESSOR TERMS

This section 3 applies only to the extent that Braintree acts as Data Processor or Sub-processor to Merchant. It does not apply where Braintree acts as Data Controller.

Data subject rights

3.1 Correction, Blocking and Deletion. To the extent Merchant, in its use of the Services, does not have the ability to correct, amend, block or delete Customer Data, as required by Data Protection Requirements, Braintree shall comply with any commercially reasonable request by Merchant to facilitate such actions to the extent Braintree is legally permitted to do so. To the extent legally permitted, Merchant shall be responsible for any costs arising from Braintree’s provision of such assistance.

3.2 Data Subject Requests. Braintree shall, to the extent legally permitted, promptly notify Merchant if it receives a request from a Customer Data Subject for access to, correction, amendment or deletion of that person’s Personal Data. Braintree shall not respond to any such Customer Data Subject request without Merchant’s prior written consent except to confirm that the request relates to Merchant to which Merchant hereby agrees. Braintree shall provide Merchant with commercially reasonable cooperation and assistance in relation to handling of a Customer Data Subject’s request for access to that person’s Personal Data, to the extent legally permitted and to the extent Merchant does not have access to such Customer Data through its use of the Services. If legally permitted, Merchant shall be responsible for any costs arising from Braintree’s provision of such assistance.

Braintree personnel

3.3 Confidentiality. Braintree shall ensure that its personnel engaged in the Processing of Customer Data are informed of the confidential nature of the Customer Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Braintree shall ensure that such confidentiality obligations survive the termination of the personnel engagement.

3.4 Reliability. Braintree shall take commercially reasonable steps to ensure the reliability of any Braintree personnel engaged in the Processing of Customer Data.

3.5 Limitation of Access. Braintree shall ensure that Braintree’s access to Customer Data is limited to those personnel performing Services in accordance with the Agreement.

3.6 Data Protection Officer. Members of the PayPal Group have appointed a data protection officer where such appointment is required by Data Protection Requirements. The appointed person may be reached at dataprivacy@braintreepayments.com.

3.7 Sub-processors. Merchant acknowledges and expressly agrees that PayPal’s affiliates may be retained as Sub-processors; and (b) Braintree, PayPal and PayPal’s affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services.

3.7.1 List of Current Sub-processors and Notification of New Sub-processors. Braintree shall make available to Merchant a current list of Sub-processors for the respective Services with the identities of those Sub-processors (“Sub-processor List”). The Sub-processor list is included in Attachment 2 to this Addendum. Where a Sub-processor is proposed to be changed Braintree shall provide 2 months’ prior notice by email to Merchant before implementing such change

3.7.2 Objection Right for new Sub-processors. If Merchant has a reasonable basis to object to Braintree’s use of a new Sub-processor, Merchant shall notify Braintree promptly in writing within 2 months after receipt of Braintree’s notice. In the event Merchant objects to a new Sub-processor(s) and that objection is not unreasonable Braintree will use reasonable efforts to make available to Merchant a change in the affected Services or recommend a commercially reasonable change to Merchant’s configuration or use of the affected Services to avoid processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening Merchant. If Braintree is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days, Merchant may terminate the Agreement in respect only of those Braintree Payment Services which cannot be provided by Braintree without the use of the objected-to new Sub-processor, by providing written notice to Braintree. Merchant shall receive a refund of any prepaid fees for the period following the effective date of termination in respect of such terminated Braintree Payment Services.

3.8 Audits and Certifications. where requested by Merchant, subject to the confidentiality obligations set forth in the Agreement, Braintree shall make available to Merchant (or Merchant’s independent, third-party auditor that is not a competitor of Braintree or PayPal) information regarding Braintree’s compliance with the obligations set forth in this Addendum in the form of the third-party certifications and audits (if any) set forth in the Privacy Policy set out on our website. Merchant may contact Braintree in accordance with the “Notices” Section of the Agreement to request an on-site audit of the procedures relevant to the protection of Personal Data. Merchant shall reimburse Braintree for any time expended for any such on-site audit at Braintree’s then-current professional services rates, which shall be made available to Merchant upon request. Before the commencement of any such on-site audit, Merchant and Braintree shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Merchant shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Braintree. Merchant shall promptly notify Braintree with information regarding any non-compliance discovered during the course of an audit.

3.9 Security: Braintree shall, as a minimum, implement and maintain appropriate technical and organizational measures as described in Attachment 1, Appendix 2 of the Addendum to keep Customer Data secure and protect it against unauthorised or unlawful processing and accidental loss, destruction or damage. Since Braintree provides the Braintree Payment Service to all customers uniformly via a hosted, web-based application, all appropriate and then-current technical and organisational measures apply to Braintree’s entire customer base hosted out of the same data centre and subscribed to the same service. Merchant understands and agrees that the technical and organizational measures are subject to technical progress and development. In that regard, Braintree is expressly permitted to implement adequate alternative measures as long as the security level of the measures is maintained. In the event of any detrimental change Braintree shall provide a notification together with any necessary documentation to Merchant by email or publication on a website easily accessible by Merchant.

3.10 Braintree shall promptly inform Merchant as soon as it becomes aware of serious disruptions of the processing operations, reasonable suspected or actual data protection violations or any security breach in connection with the processing of Customer Personal Data which, in each case, may significantly harm the interest of the Data Subjects concerned.

4 EU STANDARD CONTRACTUAL CLAUSES RELATED TERMS

4.1 Application. The EU Standard Contractual Clauses are set out in Attachment 1 (the “EU Standard Contractual Clauses”). The EU Standard Contractual Clauses apply only to Customer Data that is transferred by Merchants established in the European Economic Area (“EEA”) or Switzerland to Braintree.

4.2 Instructions. This Addendum and the Agreement are Data Exporter’s complete and final instructions to Data Importer for the Processing of Customer Data. Any additional or alternate instructions must be agreed upon separately. For the purposes of Clause 5(a) of the EU Standard Contractual Clauses, the Data Exporter gives the following instructions: (a) to process Customer Data in accordance with the Agreement; and (b) to process Customer Data initiated by Merchants in their use of the Braintree Payment Services during the Term. These instructions also describe the duration, object, scope and purpose of the processing.

4.3 Sub-processors. Pursuant to Clause 5(h) of the EU Standard Contractual Clauses, the Data Exporter acknowledges and expressly agrees that the provisions of paragraph 3.7 of this Addendum shall also apply to the Data Importer as if it were Braintree.

4.3.1 The parties agree that the copies of the sub-processor agreements that must be sent by the Data Importer to the Data Exporter pursuant to Clause 5(j) of the EU Standard Contractual Clauses may have all commercial information, or clauses unrelated to the EU Standard Contractual Clauses or their equivalent, removed by the Data Importer beforehand; and, that such copies will be provided by Data Importer only upon reasonable request by Data Exporter.

4.4 Audits and Certifications. The Parties agree that the audits described in Clause 5(f), Clause 11 and Clause 12(2) of the EU Standard Contractual Clauses shall be fulfilled in the following manner: the provisions of paragraph 3.8 of this Addendum shall also apply to the Data Importer as if it were Braintree.

4.5 Certification of Deletion. The Parties agree that the certification of deletion of Personal Data that is described in Clause 12(1) shall be provided by the Data Importer to the Data Exporter only upon Data Exporter’s request.

4.6 Liability. The Parties agree that all liabilities between them (and in respect of PayPal, such liabilities shall be aggregated with those of Braintree so that collectively their cumulative joint liability is capped at the level set out in the Agreement) under this Addendum and the EU Standard Contractual Clauses will be subject to the terms of the Agreement (including as to limitation of liability), except that such limitations of liability will not apply to any liability that PayPal may have to Data Subjects under the third party rights provisions of the EU Standard Contractual Clauses.

4.7 Exclusion of third party rights. Subject to paragraph 4.6, PayPal shall be granted third party rights in relation to obligations expressed to be for the benefit of the Data Importer or PayPal in this Addendum and Data Subjects are granted third party rights under the EU Standard Clauses. All other third party rights are excluded.

5 LEGAL EFFECT

This Addendum shall take effect between, and become legally binding on the Parties and the EU Standard Contractual Clauses shall take effect between, and become legally binding between PayPal and Merchant, on the date determined by “Execution of this Addendum” section above.

Merchant

For and on behalf of (insert Merchant legal name)…………………………………

Signature……………………………………………

Name of signatory…………………………………….

Title of signatory……………………………………

Date………………………………………………..

Braintree

For and on behalf of PayPal (Europe) S.á.r.l. et Cie, S.C.A.

Signature…………………………………………….

Name of signatory……………………………………..

Title of signatory…………………………………….

Date…………………………………………………

ATTACHMENT 1

STANDARD CONTRACTUAL CLAUSES

Controller to Processor export of personal data (from EEA countries)

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection

Name of the data exporting organisation: ………………………………………..

Address: …………………………………………….

Tel.: ……………………………………………….

fax: ………………………………………………..

e-mail: ……………………………………………..

Other information needed to identify the organisation: …………………………… (the data exporter)

And

Name of the data importing organisation: Paypal, Inc

Address: 2211 North First Street, San Jose, CA 95131

E-mail: dataprivacy@braintreepayments.com

Other information needed to identify the organisation: …………………………… (the data importer)

each a “party”; together “the parties”,

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.


Clause 1

Definitions

For the purposes of the Clauses:

  • (a) 'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject' and 'supervisory authority' shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
  • (b) 'the data exporter' means the controller who transfers the personal data;
  • (c) 'the data importer' means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
  • (d) 'the subprocessor' means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
  • (e) 'the applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
  • (f) 'technical and organisational security measures' means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2

Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3

Third-party beneficiary clause

  1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
  2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
  3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
  4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4

Obligations of the data exporter

The data exporter agrees and warrants:

  • (a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
  • (b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;
  • (c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
  • (d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
  • (e) that it will ensure compliance with the security measures;
  • (f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
  • (g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
  • (h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
  • (i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
  • (j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5

Obligations of the data importer

The data importer agrees and warrants:

  • (a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
  • (b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
  • (c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
  • (d) that it will promptly notify the data exporter about:
    • (i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
    • (ii) any accidental or unauthorised access, and
    • (iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
  • (e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
  • (f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
  • (g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
  • (h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
  • (i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;
  • (j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.

Clause 6

Liability

  1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
  2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
  3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.

Clause 7

Mediation and jurisdiction

  1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
    • (a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
    • (b) to refer the dispute to the courts in the Member State in which the data exporter is established.
  2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

  1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
  2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
  3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).

Clause 9

Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

Clause 10

Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11

Subprocessing

  1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor's obligations under such agreement.
  2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
  3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
  4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority.

Clause 12

Obligation after the termination of personal data processing services

  1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
  2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.

On behalf of the data exporter:

Name (written out in full): …………………………………………….

Position: …………………………………………….

Address: …………………………………………….

Other information necessary in order for the contract to be binding (if any):

Signature…………………………………………….(stamp of organisation)

On behalf of the data importer (Paypal, Inc):

Name (written out in full): …………………………………………….

Position: …………………………………………….

Address: 2211 North First Street, San Jose, CA 95131

Signature…………………………………………….(stamp of organisation)


APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES

This Appendix forms part of the Clauses and must be completed and signed by the parties.

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

Data exporter

The data exporter is: Merchant

An entity that uses the Data importer’s services in respect of its Customers

Data importer

The data importer is: Paypal, Inc

A payment serivces provider which in relation to the Braintree services provides a payment gateway so that Merchant can provide Customer credit card and other details to banks and other payment service providers to process payments from Customers

Data subjects

The personal data transferred concern the following categories of data subjects:

The data exporter’s Customers

Categories of data

The personal data transferred concern the following categories of data:

Customer name, amount to be charged, card number, CSV, post code, country code, address, email address, fax, phone, website, expiry date, shipping details, tax status

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify):

Not applicable, unless Merchant configures the service to capture such data.

Processing operations

The personal data transferred will be subject to the following basic processing activities:

The receipt and storage of Personal Data in the performance of the Services during the Term of the Agreement.

DATA EXPORTER

Name: …………………………………………….

Authorised Signature …………………………………………….

DATA IMPORTER

Name: …………………………………………….

Authorised Signature …………………………………………….


APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES

This Appendix forms part of the Clauses and must be completed and signed by the parties.

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

The following measures will be implemented:

  1. Measures taken to prevent any unauthorised person from accessing the facilities used for data processing (e.g. secured access, badges);
  2. Measures taken to prevent data media from being read, copied, amended or moved by any unauthorised persons(e.g. data kept in locked premises);
  3. Measures taken to prevent the unauthorised introduction of any data into the information system, as well as any unauthorised knowledge, amendment or deletion of the recorded data (e.g. restricted access to the IT infrastructure);
  4. Measures taken to prevent data processing systems from being used by unauthorised person using data transmission facilities ( e.g. firewalls);
  5. Measures taken to guarantee that authorised persons when using an automated data processing system may access only data that are within their competence (e.g. specific users accounts);
  6. Measures taken to guarantee the checking and recording of the identity of third parties to whom the data can be transmitted by transmission facilities (e.g. VPN, encryption of data);
  7. Measures taken to guarantee that the identity of the persons having had access to the information system and the data introduced into the system can be checked and recorded ex post facto at any time and by any authorised person ;
  8. Measures taken to prevent data from being read, copied, amended or deleted in an unauthorised manner when data are disclosed and data media transported;
  9. Measures taken to safeguard data by creating backup copies (encryption of data back-ups).

ATTACHMENT 2

Sub-processor List

  1. Century Link: 100 CenturyTel Drive, Monroe, LA 71203
  2. Kount Inc: 71203917 South Lusk, 3rd Floor, Boise, ID 83706

Section 3 — Regulatory

3.01 Regulatory notice

For merchants with seat in the European Union, Liechtenstein, Vatican City, Isle of Man, Guernsey, Jersey and San Marino or Norway, Braintree is provided by PayPal (Europe) S.à r.l. et Cie, S.C.A., (R.C.S. Luxembourg B 118 349) (“PayPal”). PayPal is duly licensed as a Luxembourg credit institution in the sense of Article 2 of the law of 5 April 1993 on the financial sector as amended (the “Law”) and is under the prudential supervision of the Luxembourg supervisory authority, the Commission de Surveillance du Secteur Financier (the “CSSF”).The CSSF has its registered office in L-1150 Luxembourg. Because the funds processed by Braintree for you do not legally qualify as a deposit or an investment service, you are not protected by the Luxembourg deposit guarantee schemes provided by the Association pour la Garantie des Dépôts Luxembourg

We will attempt to resolve any complaint relating to the provision of the Braintree services or to the Payment Services Agreement via our customer service center. In addition, you may make a complaint to the following:

  1. European Consumer Centre (ECC-Net). You may obtain further information regarding the ECC-Net and how to contact them at ( http://ec.europa.eu/consumers/redress_cons/ ). Only for Micro-enterprises.
  2. UK Financial Ombudsman Service (FOS). For UK resident Users only - the FOS is a free, independent service, which might be able to settle a complaint between you and us. You may obtain further information regarding the FOS and contact the FOS at http://www.financial-ombudsman.org.uk. Only for Micro-enterprises with seat in UK.
  3. Commission de Surveillance du Secteur Financier (CSSF). The CSSF is the authority responsible for the prudential supervision of companies in the financial sector in Luxembourg. You can contact the CSSF at 110 Route d’Arlon L-2991 Luxembourg. You may obtain further information regarding the CSSF and how to contact them at: http://www.cssf.lu.

EXHIBIT C

"Activation Date": has the definition ascribed to such term in Section 8.

“Agreement”: means this Braintree Payment Services Agreement, including all exhibits and other agreements and documents incorporated herein.

"Associations": has the definition ascribed to such term in Section 6.01.

"Association PCI-DSS Requirements": has the definition ascribed to such term in Section 6.01.

“Bank Account”: means the bank account that you specify, according to Exhibit A, 1.02, to receive your Payout Amounts.

“Braintree Dashboard” is the web view where you can access, view and create your Braintree Transactions (“Control Panel”).

“Braintree Payment Service”: has the definition ascribed to such term in Section 1.01.

“Business Day” means a day where banks are generally open in Luxembourg.

"Cardholder Information": has the definition ascribed to such term in Section 6.01.

"Chargeback" means a challenge to a payment that a buyer files directly with his or her credit card issuer or company.

“Gateway Services”: has the definition ascribed to such term in Section 1.01.

“Intellectual Property”: has the definition ascribed to such term in Section 6.03.

“Intellectual Property Rights”: has the definition ascribed to such term in Section 6.03.

“Invalidated Payment”: has the definition ascribed to such term in Section 4.

“Merchant” or “you”: means the entity and/or individual who enters into this Agreement.

“PayPal” or “Braintree”: means PayPal (Europe) S.à r. l. et Cie, S.C.A., a limited liability partnership registered as number R.C.S. Luxembourg B 118 349 having a registered office at 22-24 Boulevard Royal, L-2449, Luxembourg.

“Payment Processing Services”: has the definition ascribed to such term in Section 1.01.

“Payout Amount”: means any amount due and recorded by the acquiring bank as a Transaction (less the sum of all Refund Transactions, Chargebacks, Reversals and any applicable charges or fees).

“Reversal”: means any payment that Braintree may in exceptional cases have to reverse to your customer because the payment: (a) violates the Acceptable Use Policy, or which we reasonably suspect of violating the Acceptable Use Policy; and/or (b) has been categorized by Braintree’s risk models as involving a as a risky payment required to be reversed to mitigate the risk associated with the payment. The term “Reversed” shall be construed accordingly.

“Refund Transaction” is any refund issued by you through the Braintree Dashboard or through your API access.

“Reserve” means an amount or percentage of your Payout Amounts that we hold in order to protect against the risk of Reversals, Chargebacks, or any other risk, exposure and/or liability related to your use of the Braintree Payment Services.

“Restricted Activities” any breaches of our Acceptable Use Policy and any activity specified in Section 4.01

“SEPA” means Single European Payments Area.

“Trademarks”: has the definition ascribed to such term in Section 6.05.

“Transaction”: means any proceeds from settled card transactions initiated by you that are received by Braintree from your acquiring bank. A Transaction shall be deemed to be complete when we have control of the funds related to the applicable transaction.

“Transaction Data”: has the definition ascribed to such term in Section 6.02.