Data Processing Addendum

Data Processing Addendum to CellPoint Digital’s Terms of Service

  1. Merchant Data. The Merchant shall own all right, title and interest in and to all of their Merchant Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Merchant Data. Merchant Data means the information, data and records originating with Merchant and input or integrated into the Platform by or on behalf of Merchant and all derivatives thereof created by Merchant’s use of the Services including Personal Data. Personal Data means includes information relating to natural persons who can be identified or who are identifiable, directly from the information in question; or who can be indirectly identified from that information in combination with other information.
  2. Consent. In the event, CellPoint processes any Merchant Data on the Merchant’s behalf when performing its obligations under this Addendum, the Parties record their intention that the Merchant shall be the Data Controller and CellPoint shall be a Data Processor and in any such case:
    (a)     The Merchant acknowledges and agrees that the Merchant Data may be transferred or stored outside the EEA of the country where the Merchant and the Consumers are located in order to carry out the Services and CellPoint’s other obligations under this Addendum;
    (b)     The Merchant shall ensure that the Merchant has obtained any relevant consents from the Consumer and is entitled to transfer the relevant Merchant Data to CellPoint so that CellPoint may lawfully use, process, store and transfer the Merchant Data in accordance with this Addendum on the Merchant’s behalf;
    (c)     The Merchant shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; and
    (d)     Each party shall take appropriate technical and organizational measures against unauthorized or unlawful processing of the Personal Data and sensitive Personal Data or its accidental loss, destruction or damage.
  3. Limitations on Use. CellPoint or any Sub-processor (the “Sub-processor”) will Process Personal Data and sensitive Personal Data only on behalf of Merchant to deliver the Services in accordance with the Terms of Service or other documented instructions of Merchant, whether in written or electronic form. The duration of the Processing will be the same as the duration of the Terms of Service, except as otherwise agreed to in this Schedule or in writing by the parties.
  4. Compliance with Law. The Parties will comply with all Data Protection Laws relating to the protection of Merchant Data that apply with respect to the handling of Merchant Data.
  5. Description of Processing (“Process or Processing”). CellPoint or the Sub-Processor will process Merchant Data (including in relation to Cardholder Data). CellPoint shall not use Merchant Data for its own purposes.
  6. Confidentiality. CellPoint or the Sub-Processor will hold Merchant Data in strict confidence and impose confidentiality obligations on CellPoint personnel who will be provided access to, or will otherwise Process, Merchant Data, including requiring personnel to protect all Merchant Data in accordance with the requirements of this Schedule (including during the term of their employment or engagement and thereafter).
  7. Information Security Program. CellPoint or the Sub-Processor will implement, maintain, monitor and, where necessary, update a comprehensive written information security program that contains appropriate administrative, technical, and physical safeguards to protect Merchant Data against anticipated threats or hazards to its security, confidentiality or integrity (such as unauthorized access, collection, use, copying, modification, disposal or disclosure, unauthorized, unlawful, or accidental loss, destruction, acquisition, or damage or any other unauthorized form of Processing) (“Information Security Program”).
  8. Data Integrity. CellPoint will ensure that all Merchant Data created by CellPoint on Merchant’s behalf is accurate and, where appropriate, kept up-to-date, and ensure that any Merchant Data that is inaccurate or incomplete is erased or rectified in accordance with Merchant’s instructions.
  9. Cross-Border Transfers. At Merchant’s request, CellPoint and any CellPoint Affiliate or subcontractor will enter into an appropriate data processing agreement that incorporates the European Commission Standard Contractual Clauses between Controllers and Processors, or any similar agreement relating to other countries with the Merchant to allow Merchant (or its international offices) to transfer Merchant Data to CellPoint and any CellPoint Affiliate or subcontractor located outside the European Economic Area.
  10. Subcontracting. CellPoint will not disclose or transfer Merchant Data to, or allow access to Merchant Data by (each, a “Disclosure”) any third party without Merchant’s express prior written consent; provided, however, that CellPoint may Disclose Merchant Data to its Affiliates and subcontractors for purposes of providing the Services to Merchant, subject to the following conditions: (a) CellPoint will maintain a list of the Affiliates and subcontractors to which it makes such Disclosures and will provide this list to Merchant upon Merchant’s request; (b) CellPoint will provide Merchant at least 30 days’ prior notice of the addition of any Affiliate or subcontractor to this list and the opportunity to object to such addition(s); and (c) if Merchant makes such an objection on reasonable grounds and CellPoint is unable to modify the Services to prevent Disclosure of Merchant Data to the additional Affiliate or subcontractor, Merchant will have the right to terminate the relevant Processing. CellPoint will, prior to any Disclosure, enter into an agreement with such third party that is at least as restrictive as this Schedule. Such an agreement will be provided to Merchant promptly upon request. CellPoint will be liable for all actions by such third parties with respect to the Disclosure.
  11. Third Party Service Providers. Merchant acknowledges that in the provision of some services, CellPoint, on receipt of instructions from Merchant, may transfer Personal Data to and otherwise interact with Third Party Service Providers (as defined in the Terms of Service). Merchant agrees that if and to the extent such transfers occur, Merchant is responsible for entering into separate contractual arrangements with such third-party data processors binding them to comply with obligations in accordance with data protection laws. For the avoidance of doubt, such third-party data processors are not Subprocessors in the context of this Addendum and CellPoint is not a party to the arrangements between the Merchant and the third-party data processors.
  12. Requests or Complaints from Individuals. CellPoint will promptly notify Merchant in writing, and in any case within two (2) days of receipt, unless specifically prohibited by laws applicable to CellPoint, if CellPoint receives: (i) any requests from an individual with respect to Merchant Data Processed, including but not limited to opt-out requests, requests for access and/or rectification, erasure, restriction, requests for data portability, and all similar requests; or (ii) any complaint relating to the Processing of Merchant Data, including allegations that the Processing infringes on an individual’s rights. CellPoint will not respond to any such request or complaint unless expressly authorized to do so by Merchant, will cooperate with Merchant with respect to any action taken relating to such request or complaint, and will seek to implement appropriate processes (including technical and organizational measures) to assist Merchant in responding to requests or complaints from individuals.
  13. Disclosure Requests. If CellPoint receives any order, demand, warrant, or any other document requesting or purporting to compel the production of Merchant Data (including, for example, by oral questions, interrogatories, requests for information or documents in legal proceedings, subpoenas, civil investigative demands or other similar processes) (“Disclosure Request”), CellPoint will immediately notify Merchant (except to the extent otherwise required by laws applicable to CellPoint). If the Disclosure Request is not legally valid and binding, CellPoint will not respond. If a Disclosure Request is legally valid and binding, CellPoint will provide Merchant at least 48 hours’ notice prior to the required disclosure, so that Merchant may, at its own expense, exercise such rights as it may have under applicable law to prevent or limit such disclosure. Notwithstanding the foregoing, CellPoint will exercise commercially reasonable efforts to prevent and limit any such disclosure and to otherwise preserve the confidentiality of Merchant Data and will cooperate with Merchant with respect to any action taken with respect to such request, complaint, order or other document, including to obtain an appropriate protective order or other reliable assurance that confidential treatment will be accorded to Merchant Data.
  14. PCI DSS and Audit. Each Party shall ensure its compliance with the requirements of PCI DSS at all times. Merchant may provide to CellPoint a security assessment questionnaire related to Services, which CellPoint will accurately and promptly complete. Merchant acknowledges that the Services may be temporarily suspended during any time that Merchant is non-compliant with the requirements of this Schedule. If, after the original security questionnaire assessment, Merchant determines that further assessment is warranted, Merchant may request, no more than annually and with 30 days prior written notice, at Merchant’s cost, an assessment related to Services provided with a scope to be mutually agreed. During such a review, Merchant may examine policies, procedures and other materials related to specific Services performed, to the extent that such review does not compromise confidentiality obligations to any other clients or Merchants of CellPoint.
  15. Regulatory Investigations. Upon notice to CellPoint, CellPoint will assist and support Merchant in the event of an investigation by any regulator, including a data protection authority, or similar authority, if and to the extent that such investigation relates to Merchant Data handled by CellPoint on behalf of Merchant in accordance with this Schedule. Such assistance will be at Merchant’s sole expense, except where investigation was required due to CellPoint’s acts or omissions, in which case such assistance will be at CellPoint’s sole expense.
  16. Security Incident. CellPoint will notify Merchant in writing immediately (and in any event within forty-eight (48) hours) whenever CellPoint reasonably believes that there has been any accidental or unauthorized access, acquisition, use, modification, disclosure, loss, destruction of, or damage to Merchant Data, or any other unauthorized Processing of Merchant Data (“Security Incident”). After providing notice, CellPoint will investigate the Security Incident, take all necessary steps to eliminate or contain the exposure of the Merchant Data, and keep Merchant informed of the status of the Security Incident and all related matters. CellPoint further agrees to provide reasonable assistance and cooperation requested by Merchant and/or Merchant’s designated representatives, in the furtherance of any correction, remediation, or investigation of any Security Incident and/or the mitigation of any potential damage, including any notification that Merchant may determine appropriate to send to affected individuals, regulators or third parties, and/or the provision of any credit reporting service that Merchant deems appropriate to provide to affected individuals. Unless required by law applicable to CellPoint, CellPoint will not notify any individual or any third party other than law enforcement of any potential Security Incident involving Merchant Data, in any manner that would identify, or is reasonably likely to identify or reveal the identity of, Merchant, without first obtaining written permission of Merchant. In addition, within 30 days of identifying or being informed of any Security Incident arising from any act or omission by CellPoint, CellPoint will develop and execute a plan, subject to Merchant’s approval, that reduces the likelihood of a recurrence of a Security Incident.
  17. Cardholder Data. For purposes of this Schedule, “Cardholder Data” means any Merchant Data that includes, with respect to a payment card, the primary account number in circumstances where the cardholder’s name, address, date of birth, email address, mobile number, service code, expiration date are stored, processed or transmitted with the personal account number, or are otherwise present in the cardholder data environment. If CellPoint has access to Cardholder Data, CellPoint must at all times comply with the security standards for the protection of Cardholder Data, with which payment card companies require merchants to comply with the Payment Card Industry Data Security Standards currently in effect and as may be updated from time to time (“PCI Standards”). CellPoint will promptly provide, at Merchant’s request, current Attestation of Compliance with the PCI Standards by an authority recognized by the payment card industry for that purpose. If, during the term of a relevant agreement, CellPoint undergoes, or has reason to believe that it will undergo, an adverse change in its certification or compliance status with the PCI Standards, CellPoint will promptly notify Merchant of such circumstances. CellPoint will not take any actions that will compromise Merchant’s ability to comply with the PCI Standards.
  18. Return or Disposal. CellPoint will, as appropriate and as directed by Merchant, regularly dispose of Merchant Data that is maintained by CellPoint but that is no longer necessary to provide Services. Upon termination or expiration of this Schedule for any reason or upon Merchant’s request, CellPoint will immediately cease handling Merchant Data and will return in a manner and format reasonably requested by Merchant, or, if specifically directed by Merchant, will destroy, any or all Merchant Data in CellPoint’s possession, power or control, except as otherwise required by law applicable to CellPoint. If CellPoint has such a legal obligation to retain Merchant Data beyond the period otherwise specified by this Section, CellPoint will notify Merchant in writing of that obligation, to the extent permitted by applicable law, and will return or destroy the Merchant Data in accordance with this Section as soon as possible after that legally required retention period has ended. If CellPoint disposes of any paper, electronic or other record containing Merchant Data, CellPoint will do so by taking all reasonable steps (based on the sensitivity of Merchant Data) to destroy Merchant Data by: (a) shredding; (b) permanently erasing and deleting; (c) degaussing; or (d) otherwise modifying Merchant Data in such records to make it unreadable, unreconstructable and indecipherable. Upon request, CellPoint will provide a written certification that Merchant Data has been returned or securely destroyed in accordance with this Schedule.
  19. Other. CellPoint will provide relevant Data and assistance requested by Merchant to demonstrate CellPoint’s compliance with its obligations under this Schedule and assist Merchant in meeting its obligations under data protection laws regarding: (i) registration and notification; (ii) accountability; (iii) ensuring the security of the Merchant Data; and (iv) the carrying out of privacy and data protection impact assessments and related consultations of data protection authorities. In addition, when CellPoint is responding to a Merchant-mandated audit or inspection of CellPoint’s compliance with obligations, CellPoint will inform Merchant if CellPoint believes that any instructions of Merchant regarding the Processing of Merchant Data would violate applicable law.
  20. Adverse Changes. CellPoint will notify Merchant promptly if CellPoint: (i) has reason to believe that it is unable to comply with any of its obligations under this Schedule and it cannot cure this inability to comply within a reasonable timeframe; or (ii) becomes aware of any circumstances or change in applicable law that is likely to prevent it from fulfilling its obligations under this Schedule. In the event that this Schedule, or any actions to be taken or contemplated to be taken in performance of this Schedule, do not or would not satisfy either party’s obligations under the laws applicable to each party, the parties will negotiate in good faith upon an appropriate amendment to this Schedule.
  21. Survival. The obligations of CellPoint under this Schedule will continue for so long as CellPoint continues to have access to, is in possession of or acquires Merchant Data, even if all agreements between CellPoint and Merchant have expired or have been terminated.
  22. Conflicts. To the extent there is any conflict between the terms of this Schedule and the Terms of Service, this Schedule will prevail.