Payment Processing Terms and Conditions
Last Updated: 6/24/26
These Payment Processing Terms ("Payment Terms") are entered into between Teamzap, LLC ("Provider") and the entity completing the onboarding process and submitting an Application to Provider ("Customer") and govern the Customer's receipt of Payment Processing Services as of the date that Processor approves Customer for such Payment Processing Services ("Effective Date"). Each of Provider and Customer is individually referred to herein as a "Party," and collectively as the "Parties."
1. Definitions.
Capitalized terms have the following meanings in these Payment Terms:
"Account" means an account that Customer sets up with Processor.
"ACH" means the Automated Clearing House.
"Applicable Laws" means all applicable present and future federal and state laws, rules, regulations and orders.
"Application" means the digital or paper applicable form that Customer submits to Provider for review as a condition to receive the Payment Processing Services.
"ASV Scan" means an external vulnerability scan of Customer's internet-facing systems conducted by or through a PCI SSC-approved Approved Scanning Vendor, where included in Customer's PCI Tool subscription.
"Shopper" means an individual person or legal entity who wishes to purchase Customer's goods or services using the Payment Processing Services.
"Cardholder Data" means a cardholder's primary account number ("PAN") together with, where stored, processed, or transmitted with the PAN, the cardholder name, expiration date, and/or service code, as defined under PCI DSS. For the avoidance of doubt, Cardholder Data does not include the last four digits of a PAN standing alone.
"Customer Bank Account" means the depository account capable of receiving ACH entries which is held at a U.S. or Canadian financial institution in the name of Customer that has been identified by Customer (via routing and account number) on its Application.
"Network Rules" means the rules and regulations of all applicable payment networks, including the rules of any applicable card brand, industry standards such as the Payment Card Industry Data Security Standards ("PCI-DSS"), and the rules and regulations of Nacha.
"PCI Assessment Data" means any data, questionnaire responses, scan results, reports, or other information submitted by or generated on behalf of Customer through the PCI Tool, including SAQ responses and ASV scan results.
"PCI Compliance Status" means Customer's documented achievement of a passing ASV scan result and completion of the applicable SAQ through the PCI Tool, or Provider's written acceptance of Compliance Evidence submitted pursuant to an Alternative Compliance Election under Section 4.6(b), as applicable.
"PCI Non-Compliance Fee" means the monthly fee charged to Customer for failure to achieve or maintain PCI Compliance Status, as further described in Section 4.6(c).
"PCI Tool" means the features within Provider's platform that enable Customer to complete a Self-Assessment Questionnaire ("SAQ") and, where applicable, initiate or receive ASV vulnerability scans of Customer's systems, in connection with Customer's PCI DSS compliance obligations under the Network Rules and the Processor Agreements.
"PCI Tool Fee" means the monthly subscription fee charged to Customer for access to the PCI Tool, as set forth in Section 4.6(b).
"Payment Processing Services" means the payment processing services that Customer receives from Processor through an integration with Provider.
"Payout" means a payment made to a third party as instructed by Customer in connection with the Split Payment Service.
"SAQ" means a Self-Assessment Questionnaire published by the PCI Security Standards Council that Customer completes to document its self-assessment of compliance with applicable PCI DSS requirements.
"Terms of Use" means the End User License Agreement, Terms and Conditions, or other terms or agreement that Customer has entered into with Provider for the provision of products or services by Provider to Customer.
"Transaction" means a transaction involving Customer's goods or services which are processed through the Payment Processing Services pursuant to these Payment Terms.
2. Payment Processing Services
2.1 Payment Processor.
Payment Processing Services that are accessible through an integration with Provider's platform are provided by Provider's designated third party processor, as Provider may designate or modify from time to time in its sole discretion ("Processor"). As of the Effective Date of these Payment Terms, the Processor is Adyen, N.V. ("Adyen"). Provider may suspend, modify, or terminate its relationship with any Processor in its sole discretion, at any time and without notice, and without affecting the Parties' relationship under these Payment Terms. Customer acknowledges that Processor, not Provider, has the ultimate decision whether to approve Customer for the Payment Processing Services.
2.2 Processor Agreements.
As of the Effective Date of these Payment Terms, Customer's use of the Payment Processing Services is subject to the "AfP Terms and Conditions" (located at https://www.adyen.com/legal/terms-and-conditions-adyen-for-platforms-2022) and any other terms and conditions of Processor as each may be updated or modified by Processor from time to time (collectively, the "Processor Agreements"). Customer may not use any Payment Processing Services until Customer agrees to the Processor Agreements. BY AGREEING TO THESE PAYMENT TERMS, CUSTOMER EXPRESSLY (A) HEREBY ACCEPTS AND AGREES TO BE BOUND BY THE PROCESSOR AGREEMENTS; AND (B) AUTHORIZES PROVIDER TO CAPTURE CUSTOMER'S ELECTRONIC OR DIGITAL ACCEPTANCE OF THE PROCESSOR AGREEMENTS.
2.3 Customer Information and Onboarding.
Customer will follow the onboarding procedures and policies provided by Provider and Processor (as may be amended from time to time), including by providing all requested information. All information provided by Customer to Provider, including but not limited to the information provided on the Application, must be truthful and accurate.
2.4 Transaction Processing and Settlement.
Transactions are processed by Processor, not Provider. Processor (itself or through its financial institution partners) will settle proceeds of Transactions to the Customer Bank Account in accordance with the Processor Agreements. Customer acknowledges and agrees that Provider does not process, receive, or hold Customer funds at any time.
2.5 Data Usage and Sharing; Shopper Interactions.
Customer authorizes Provider to (a) access and receive data relating to Customer's Account; (b) share data regarding the Account with Processor and applicable payment networks; and (c) issue instructions to Processor regarding Transactions and funds. Customer, not Provider or Processor, is responsible for providing the necessary disclosures to, and obtaining the required consents from, Shoppers.
3. Payment Terms
3.1 Fees.
The fees for the Payment Processing Services will be as set forth in the fee schedule, pricing profile, or other disclosure of fees provided as part of the onboarding process ("Payment Processing Fees") and will be set off from processed funds or automatically debited via ACH from the Customer Bank Account when due. Customer hereby authorizes Provider, Processor, their financial institutions, and any of their assignees to collect amounts owed under these Payment Terms by setting off such amounts from amounts otherwise due to Customer and by debiting funds from the Customer Bank Account ("ACH Debit Authorization"). All payments are non-refundable. The PCI Tool Fee and PCI Non-Compliance Fee, if applicable, are included within the scope of the ACH Debit Authorization and will be collected in the same manner as Payment Processing Fees. All PCI Tool Fees and PCI Non-Compliance Fees are exclusive of applicable taxes.
3.2 Disputes.
If Customer believes that there is an error in any statement provided by Provider or any information reported by Provider regarding a Transaction, Customer must notify Provider within thirty (30) days of Customer's receipt of the statement or payment containing the error or it will waive such claim.
3.3 Tax Reporting.
Provider or Processor, as determined between them, may send documents to Customer and the IRS or other tax authority for Transactions processed using the Payment Processing Services, including IRS Form 1099-K.
3.4 Electronic Delivery of Tax Documents.
Customer may elect to receive electronic delivery of tax-related documents from Provider or Processor. The Tax E-Delivery Consent will remain in effect until withdrawn by Customer.
4. Compliance
4.1 Laws and Rules.
Customer agrees to comply at all times with all Applicable Laws and Network Rules. Customer must also comply with any additional data protection standards and policies set forth in the Processor Agreements. Furthermore, Customer acknowledges and agrees that it is fully responsible for all acts and omissions of its employees, contractors, and agents. Without limiting the foregoing, to the extent Customer stores, processes, or transmits Cardholder Data in connection with its use of the Payment Processing Services, Customer is solely responsible for achieving and maintaining PCI DSS compliance applicable to its payment environment throughout the Term. Customer's access to and use of the PCI Tool does not limit or satisfy this independent compliance obligation.
4.2 Customer's Business.
4.2.1 Transactions. Customer understands that any Transactions processed through the Payment Processing Services must be bona fide sales between Customer and Shopper. Customer is solely responsible for all liabilities associated with Customer's payment processing activity.
4.2.2 Split Payment Service. Provider may, but is in no way obligated to, provide Customer with the ability to split settlement amounts from Transactions.
4.3 Prohibited Activities.
Customer will not use the Account or Payment Processing Services for any activity that is illegal, fraudulent, or prohibited by Processor or Provider from time to time. In furtherance of Customer's obligations under Section 4.3 of the Processor Agreements, Customer shall not copy, capture, store, or intercept full Cardholder Data (including full PANs, CVV/CVC codes, magnetic stripe data, or PIN data) through Provider's platform.
4.4 Fraud Monitoring.
Provider and Processor may monitor Transactions for the purpose of determining fraudulent activity and whether Customer is in good standing.
4.5 Cardholder Fee Programs.
If Customer elects to impose a fee on Shoppers with respect to Transactions, Customer must first seek approval from Provider and must comply with all applicable Network Rules and Applicable Laws.
4.6 PCI Tool; Compliance Obligations and Fees.
(a) Background; Processor Requirements. Customer acknowledges that, as a condition of using the Payment Processing Services, Customer is required under the Network Rules (including PCI DSS) and the Processor Agreements to maintain PCI DSS compliance applicable to Customer's payment acceptance environment. Customer further acknowledges that Processor (Adyen) maintains its own PCI DSS certification for its systems as contemplated in the Processor Agreements, but that such certification does not satisfy or substitute for Customer's independent PCI DSS compliance obligations. Provider is making the PCI Tool available to assist Customer in meeting these obligations.
(b) PCI Tool Fee; Alternative Compliance Election. Provider will make the PCI Tool available to Customer for a monthly subscription fee of $25.00 per month ("PCI Tool Fee"), which will be set off from processed funds or debited from the Customer Bank Account in accordance with Section 3.1. The PCI Tool Fee is non-refundable and will begin accruing on the date Customer is first provisioned access to the PCI Tool.
Notwithstanding the foregoing, Customer may elect to satisfy its PCI DSS compliance obligations through a qualified third-party partner of Customer's own choosing rather than through the PCI Tool ("Alternative Compliance Election"). To make an Alternative Compliance Election, Customer must: (i) provide Provider with written notice of its election via the payment portal or to the contact address in Section 9; (ii) submit to Provider current and valid evidence of PCI Compliance Status achieved through Customer's third-party partner, which must consist of a current Attestation of Compliance ("AOC") or, for SAQ-eligible merchants, a completed and signed SAQ applicable to Customer's payment environment, in each case dated within the prior twelve (12) months ("Compliance Evidence"); and (iii) receive written confirmation from Provider that the submitted Compliance Evidence has been accepted. Upon Provider's written confirmation of acceptance, Provider will: (A) remove Customer's access to the PCI Tool; and (B) cease accruing PCI Tool Fees effective as of the first day of the following billing month. For the avoidance of doubt, no PCI Tool Fees already charged prior to Provider's written confirmation of acceptance are refundable.
Provider reserves the right to adjust the PCI Tool Fee upon thirty (30) days' written notice to Customer.
(c) Compliance Deadline; PCI Non-Compliance Fee. Customer must achieve PCI Compliance Status within ninety (90) days of the date Customer is first provisioned access to the PCI Tool ("Compliance Deadline"), and must maintain PCI Compliance Status continuously thereafter throughout the Term. If Customer fails to achieve PCI Compliance Status by the Compliance Deadline, or if Customer's PCI Compliance Status lapses at any time during the Term, Provider will charge Customer a monthly PCI Non-Compliance Fee of $75.00 per month in addition to the PCI Tool Fee, beginning on the first day of the month following the Compliance Deadline or the date of lapse, as applicable. The PCI Non-Compliance Fee will continue to accrue each month until Customer either: (i) achieves PCI Compliance Status through the PCI Tool; or (ii) makes a valid Alternative Compliance Election under Section 4.6(b) and receives Provider's written confirmation of acceptance of Compliance Evidence, in which case the PCI Non-Compliance Fee will cease accruing effective the first day of the following billing month. PCI Non-Compliance Fees already charged prior to such confirmation are non-refundable. The PCI Non-Compliance Fee reflects Provider's costs and exposure associated with Customer's non-compliant status under the Network Rules and the Processor Agreements, and is not a penalty.
(d) How to Achieve PCI Compliance Status. To achieve PCI Compliance Status through the PCI Tool, Customer must: (i) complete the applicable SAQ type for Customer's payment acceptance environment through the PCI Tool; and (ii) where required for Customer's SAQ type, achieve a passing ASV scan result through the PCI Tool. Customer is solely responsible for determining the correct SAQ type applicable to its environment. Provider does not review, validate, or certify Customer's SAQ responses.
(e) Informational Purpose Only; No Compliance Guarantee. THE PCI TOOL IS PROVIDED AS AN INFORMATIONAL AND ORGANIZATIONAL AID ONLY. PROVIDER IS NOT A QUALIFIED SECURITY ASSESSOR ("QSA") AND NOTHING IN THE PCI TOOL OR THESE PAYMENT TERMS CONSTITUTES A QSA ENGAGEMENT, FORMAL PCI DSS ASSESSMENT, LEGAL ADVICE, OR COMPLIANCE ADVICE. PROVIDER MAKES NO REPRESENTATION THAT USE OF THE PCI TOOL OR COMPLETION OF AN SAQ THROUGH THE PCI TOOL WILL SATISFY THE REQUIREMENTS OF ANY PAYMENT BRAND, ACQUIRER, OR REGULATORY BODY. CUSTOMER REMAINS SOLELY RESPONSIBLE FOR ITS OWN PCI DSS COMPLIANCE.
(f) Customer SAQ Responsibilities. Customer is solely responsible for: (i) selecting the correct SAQ type for its payment acceptance environment; (ii) the accuracy, completeness, and truthfulness of all SAQ responses; (iii) maintaining supporting documentation for all SAQ responses; and (iv) submitting any completed SAQ to Customer's acquiring bank or payment brand as separately required.
(g) Customer ASV Scan Responsibilities. Customer is solely responsible for: (i) accurately identifying and submitting all in-scope IP addresses, domains, and systems for ASV scanning; (ii) obtaining all necessary authorizations and permissions for Provider or its PCI Portal Vendor to scan designated systems; (iii) remediating all vulnerabilities identified in scan results within the timeframes required by PCI DSS; and (iv) initiating rescans as needed to achieve a passing result.
(h) PCI Portal Vendor. The PCI Tool is delivered through an integrated third-party portal ("PCI Portal Vendor") accessible through Customer's existing payment portal login, eliminating the need for a separate login credential. Provider has engaged the PCI Portal Vendor to provide SAQ workflow and ASV scanning services on Provider's behalf as a Subprocessor under the DPA. A passing ASV scan result reflects the opinion of the PCI Portal Vendor or its designated ASV only and does not constitute a representation or warranty by Provider regarding Customer's PCI DSS compliance status.
(i) PCI Assessment Data. PCI Assessment Data constitutes Customer data subject to the DPA and the confidentiality provisions of these Payment Terms. Provider shall not use PCI Assessment Data for any purpose other than providing the PCI Tool and shall not disclose PCI Assessment Data to any third party except: (i) to Provider's subcontractors, including the PCI Portal Vendor, solely as necessary to provide the PCI Tool; (ii) to Processor or payment brands to the extent required under the Network Rules or Processor Agreements; (iii) as required by Applicable Law or governmental authority; or (iv) with Customer's prior written consent.
(j) No Full Cardholder Data in PCI Tool. Customer shall not input, upload, or transmit full Cardholder Data (including full PANs, CVV/CVC codes, magnetic stripe data, or PIN data) into the PCI Tool or any other component of Provider's platform not expressly designated and certified for Cardholder Data processing.
(k) Relationship to Processor Agreements. Customer acknowledges that the PCI Non-Compliance Fee charged by Provider does not limit, satisfy, or substitute for any fines, assessments, or other consequences that may be imposed by Processor, Scheme Owners, Acquirers, or payment brands as a result of Customer's PCI non-compliance. A Customer who has made a valid Alternative Compliance Election remains subject to all obligations of the Processor Agreements and Network Rules with respect to PCI DSS compliance.
(l) Suspension for Non-Compliance. Provider reserves the right, in its sole discretion or at the direction of Processor, to suspend Customer's access to the Payment Processing Services if Customer's PCI Non-Compliance Fee has been outstanding for sixty (60) or more days, or if Processor or a Scheme Owner requires suspension due to Customer's PCI non-compliance status.
(m) PCI Portal Vendor Terms. Customer's use of the PCI Tool through the PCI Portal Vendor's platform may be subject to applicable third-party terms of the PCI Portal Vendor, which will be disclosed to Customer at the time of PCI Tool activation or upon request.
(n) Integrated Portal Access; Credential Security. Customer acknowledges that access to the PCI Tool is provided through Customer's existing payment portal credentials. Customer is solely responsible for: (i) maintaining the security and confidentiality of its portal login credentials; (ii) ensuring that access to the PCI Tool is limited to authorized individuals; and (iii) any actions taken through the PCI Tool using Customer's portal credentials, whether or not authorized by Customer.
(o) Ongoing Alternative Compliance Obligations. A Customer who has made an Alternative Compliance Election and had PCI Tool access removed remains subject to all PCI DSS compliance obligations under Section 4.1 and the Network Rules. Customer must: (i) maintain PCI Compliance Status through its third-party partner on a continuous basis throughout the Term; (ii) provide Provider with updated Compliance Evidence upon each annual renewal, and in any event no later than thirty (30) days after the expiration of Customer's prior Compliance Evidence; and (iii) notify Provider promptly if Customer's PCI Compliance Status lapses. If Customer fails to timely provide updated Compliance Evidence, Provider may, in its sole discretion: (A) reinstate Customer's access to the PCI Tool and resume charging the PCI Tool Fee effective the first day of the following billing month; and (B) begin charging the PCI Non-Compliance Fee under Section 4.6(c) if Customer does not achieve PCI Compliance Status within thirty (30) days of Provider's notice of reinstatement.
(p) Compliance Evidence Standards. All Compliance Evidence submitted by Customer in connection with an Alternative Compliance Election must: (i) be issued or countersigned by a PCI SSC-recognized QSA or, for SAQ-eligible merchants, completed in accordance with PCI DSS SAQ instructions; (ii) reflect Customer's actual payment acceptance environment and all in-scope systems; (iii) not be expired at the time of submission; and (iv) on its face cover the same legal entity that is party to these Payment Terms. Provider reserves the right to reject deficient Compliance Evidence and notify Customer of the specific deficiency. Customer will have fifteen (15) days after such notice to cure the deficiency before Provider reinstates PCI Tool access and fees.
5. Customer Losses.
Customer is solely responsible for chargebacks, fines, assessments, penalties, Payment Processing Fees, currency conversion differences and other losses otherwise owed or incurred by Customer pursuant to or in connection with these Payment Terms and the Processor Agreements, as applicable (collectively, "Customer Losses"). For the avoidance of doubt, any fines, assessments, or penalties imposed by Processor, Scheme Owners, or Acquirers as a result of Customer's PCI DSS non-compliance constitute Customer Losses for which Customer is solely responsible, and such amounts may be collected by Provider pursuant to Customer's ACH Debit Authorization. The PCI Non-Compliance Fee charged by Provider under Section 4.6 is separate from and in addition to any such third-party fines or assessments. Customer will pay all costs and expenses, including attorneys' fees, incurred by or on behalf of Provider in connection with the collection of Customer Losses. This Section will survive termination of these Payment Terms.
6. Liability
6.1 Indemnification.
6.1.1 Customer will indemnify and hold harmless Provider and its officers, affiliates, and representatives from and against any and all losses, damages, costs (including legal fees), claims, and assessments incurred, arising out of or in any way related to: (a) Customer's breach of any of its obligations in these Payment Terms; (b) the Processor Agreements or Customer's use of the Payment Processing Services; (c) Customer's violation or non-compliance with any Applicable Law or Network Rules (including non-compliance with PCI-DSS); (d) all Customer Losses; (e) Customer's implementation of a Cardholder Fee Program; (f) Customer's fraud, gross negligence, or willful misconduct; and (g) any fines, assessments, card brand penalties, or other costs imposed by Processor, Scheme Owners, Acquirers, or regulatory authorities arising from Customer's failure to achieve or maintain PCI DSS compliance, including any failure to use or properly complete the PCI Tool.
6.1.2 Provider will indemnify and hold harmless Customer from losses resulting from third party claims arising out of: (a) Provider's violation or non-compliance with any Applicable Law; or (b) Provider's gross negligence, fraud, or willful misconduct.
6.2 Warranty Disclaimer & Limitation of Liability.
CUSTOMER AGREES THAT CUSTOMER'S USE OF THE PAYMENT PROCESSING SERVICES SHALL BE AT CUSTOMER'S SOLE RISK. TO THE FULLEST EXTENT PERMITTED BY LAW, PROVIDER DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED. TO THE FULLEST EXTENT PERMITTED BY LAW, IN NO EVENT WILL PROVIDER'S TOTAL CUMULATIVE LIABILITY EXCEED IN THE AGGREGATE THE TOTAL PAYMENT PROCESSING FEES CUSTOMER PAID TO PROVIDER IN THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE LIABILITY. FOR THE AVOIDANCE OF DOUBT, ANY ASSESSMENT, FINE, PENALTY, OR COST IMPOSED BY PROCESSOR, A BANK, A CARD NETWORK, A GOVERNMENT AGENCY, OR A REGULATOR WILL BE DEEMED A DIRECT DAMAGE FOR WHICH CUSTOMER IS SOLELY LIABLE.
6.3 Force Majeure.
Provider is not responsible for any delay or failure in performing its obligations under these Payment Terms for any cause or circumstance outside its reasonable control.
7. Term and Termination
7.1 Term.
The term of these Payment Terms will begin on the Effective Date and will continue initially for one (1) year ("Initial Term"). Thereafter, these Payment Terms will automatically renew for consecutive one (1) year renewal terms unless one Party gives the other Party notice of non-renewal no less than fifteen (15) days prior to the end of the then current Term.
7.2 Termination by Customer.
To terminate these Payment Terms, Customer can submit a notice of cancellation through the Customer portal on Provider's platform. Early termination may be subject to an Early Termination Fee equal to the greater of $500 or the average fees paid by Customer in the three (3) prior months multiplied by the number of months remaining in the then-current Term.
7.3 Termination by Provider.
Provider may terminate these Payment Terms immediately, with or without notice, if: (a) Customer breaches any provision of the Payment Terms or Processor Agreements; (b) Customer violates any Applicable Laws or Network Rules; (c) Provider is required to terminate by Processor or a government agency; or (d) Provider's agreement with Processor is terminated for any reason.
7.4 Effect of Termination.
The termination of these Payment Terms will not affect any of Provider's rights or Customer's obligations. After termination, Customer will continue to be liable for all chargebacks, refunds, fees, and adjustments relating to Transactions processed prior to termination.
8. General
8.1 Precedence.
Any inconsistency between the Payment Terms and Terms of Service will be resolved by giving precedence to these Payment Terms.
8.2 Amendments.
The Payment Terms may only be amended with the written consent of both Parties, except that Provider reserves the right to amend without consent if required to comply with Applicable Laws, Network Rules, or directives of the Processor. Provider will use reasonable efforts to give Customer thirty (30) days' prior notice. Provider additionally reserves the right to amend the terms applicable to the PCI Tool, including the PCI Tool Fee, PCI Non-Compliance Fee, and PCI Portal Vendor terms, upon thirty (30) days' notice to Customer.
8.3 Choice of Law and Venue; Jury Waiver.
The Payment Terms will be governed by the same state's laws, and will be decided in the same jurisdiction, as provided for in the Terms of Use. The Parties hereby waive their right to a jury trial.
8.4 Electronic Signatures.
The Payment Terms may be executed and delivered by electronic means (including click-to-accept) with the same force and effect as an original signature.
9. Notices
Unless otherwise indicated, all notices required to be made by Customer to Provider must be in writing and sent to: Teamzap, LLC, 500 West 5th Street, Austin, TX 78701.
10. Survival
All portions of these Payment Terms that would reasonably be believed to survive termination shall survive, including the Limitation of Liabilities, Indemnification, and Dispute Resolution sections.
Schedule A – Data Processing Addendum
Data Processing Addendum
This Data Processing Addendum ("Addendum") supplements the Payment Processing Terms entered into by and between Teamzap, LLC ("Provider") and Customer.
Definitions
Capitalized terms not defined herein have the meanings set forth in the Payment Terms.
Processing of Data and Compliance with Applicable Laws
The Parties shall comply with this Addendum at all times. Provider shall only Process Personal Data for the limited and specified purposes described in Exhibit 1.
Security of Personal Data
Provider shall implement industry standard security safeguards taking into account the nature and sensitivity of the Personal Data and any additional measures required pursuant to Applicable Laws.
Subprocessing and Authorized Personnel
Provider shall take reasonable steps to ensure access to Personal Data is limited to those who need it to provide the Services. Customer acknowledges that Provider may engage Subprocessors and consents to their use.
Customer specifically acknowledges that Provider has engaged a third-party PCI portal vendor (the "PCI Portal Vendor") to provide SAQ and ASV scanning services through the PCI Tool. The PCI Portal Vendor processes PCI Assessment Data as a Subprocessor. Provider represents that it has or will enter into a data processing agreement with the PCI Portal Vendor requiring it to: (i) process PCI Assessment Data only for PCI Tool purposes; (ii) implement security measures consistent with PCI DSS requirements; (iii) not disclose PCI Assessment Data without authorization; and (iv) notify Provider of any Personal Data Breach involving PCI Assessment Data promptly. Upon Customer's written request, Provider will identify the then-current PCI Portal Vendor by name.
Personal Data Breach
Provider shall notify Customer of a Personal Data Breach not more than forty-eight (48) hours after confirming such breach, and will provide details regarding the nature of the breach, likely consequences, and measures taken to address it. In addition, in the event Provider discovers or is notified of a security incident that involves or reasonably may involve unauthorized access to Cardholder Data processed through Provider's platform, Provider shall notify Customer without undue delay and in no event later than forty-eight (48) hours after discovery, and shall provide reasonable cooperation in connection with any notifications required to Processor, payment brands, acquiring banks, or regulatory authorities.
Rights of Data Subjects
Provider will provide assistance as reasonably required to enable Customer to comply with Data Subject Rights requests within applicable time limits.
Recordkeeping
Provider shall maintain records to demonstrate its compliance with this Addendum and shall make such records available to Customer on request.
Exhibit 1 — Details of Processing
Nature and Purpose of Processing:
Each Party will Process Customer's Personal Data as necessary to provide the Services under the Payment Terms and in accordance with Customer's instructions.
Duration of Processing:
The term of the Payment Terms, unless otherwise required by Applicable Laws.
Categories of Data Subjects:
Customer employees and representatives; and Shoppers transacting through the Payment Processing Services.
Categories of Personal Data:
- Identity information (e.g., name, date of birth)
- Contact information (e.g., phone number, address, email address)
- Employment information (e.g., employer, job title)
- Device and network identifiers (e.g., IP address, MAC address)
- Location data (e.g., GPS, Bluetooth, GSM)
- Payment card data: last four digits of a PAN, card type, and transaction identifiers. Full PANs, CVV/CVC codes, magnetic stripe data, and PIN data are not stored or retained by Provider's platform.
- PCI Assessment Data (including SAQ responses and ASV scan results) processed through the PCI Tool, solely for the purpose of enabling Customer to achieve PCI DSS compliance status as required under the Network Rules.
Special categories of data / Sensitive Personal Data:
Not applicable.
— END OF PAYMENT PROCESSING TERMS —

