Last update: 22nd May 2018
This Agreement is entered into between you (the "Merchant", "you", "your") and AGENT CASH LTD, ("AgentCASH", "we", "us", "our") and it sets out the terms and conditions for the provision of services as defined below. The Agreement also sets out the acquiring bank's rights as required under the card scheme rules. You need to enter into a separate agreement with the acquiring bank (an "Acquirer Agreement") in order to accept payment cards. If any Acquirer Agreement is in conflict with this Agreement, the Acquirer Agreement shall prevail to the extent necessary to resolve the conflict.
AGENT CASH LTD is a private limited company registered in England and Wales under company registration number 09283111, with its registered seat at 20-22 Wenlock Road, London, N1 7GU, United Kingdom.
In accordance with the terms of this Agreement, AgentCASH provides technical services, a card reader (the "Card Reader") and a license to use the mobile software application ("Software"), which enables the acceptance and processing of payments using the payment methods and payment cards listed on our website (the "Payment Cards"). The Card Reader processes the data stored on Payment Cards (the "Card Data"). The Software generates the data required for initiating the transaction (the "Transaction Data") and then forwards the Transaction Data to the acquiring bank for processing (as defined below). The acquiring bank uses the Transaction Data in order to initiate the payment transaction and transfer the appropriate amount to your bank account.
The provision of the technical services, the Card Reader and the Software are referred to as the “Services”.
The acquiring bank will deduct a fee for the payment service from the amount paid, as indicated on our website. The Acquirer may, in its sole discretion, arrange different fee rates for each individual merchant on the basis of the financial and operational risks of doing business with the Merchant and the volume of transactions.
We reserve the right to appoint a third party in order to fulfill some or all of our obligations under this Agreement.
We reserve the right to amend the list of accepted payment methods and supported Payment Cards at any time.
The Services may be used only in the territories agreed between us (the “Service Territory”). It is strictly forbidden to use the Services in the areas for which you have not obtained our permission.
You must install the Card Reader and the Software according to the instructions available on our website.
We will enable you to acquire the appropriate Card Reader at a purchase price published on our website. In the event that we allow you to purchase the Card Reader at a reduced price or that we give you the reader for free, we reserve the right to condition your ownership of the Card Reader on achieving a minimum volume of card transactions.
You are not allowed to sell, rent, license or transfer the Card Reader to a third party or allow the use of the Card Reader by a third party. You are also not allowed to modify the software or the hardware of the Card Reader in any way. You must not use the Card Reader for any purpose other than effecting payment transactions through the AgentCASH mobile application.
At our request, you must return the Card Reader to us, either upon termination or expiry of this Agreement or to replace an existing Card Reader. If you terminate the Agreement, you must return the Card Reader to us at your own expense and transfer the ownership of the Card Reader back to us.
We will refund the purchase price of the Card Reader if we are required to do so by law or if we agreed to a refund. We may charge a fee for processing returns of Card Readers. If the Card Reader is returned in used condition, we may refuse to refund the purchase price.
You are not allowed to copy the Software for purposes other than the use of our Services. You are also not allowed to alter, amend or reverse engineer the Software. If we publish an updated version of the Software, you are required to install the update and discontinue the use of the old version. You may only use the Software in your Service Territory.
AgentCASH is not a bank and does not offer banking services. In order to provide you with the Services, we have entered into an agreement with the acquiring bank (the "Acquirer"). Under this Agreement we will transmit the Transaction Data through our Software, in accordance with the authorization request, to the Acquirer in order to initiate a payment transaction.
You agree with the forwarding of the Transaction Data, along with any other relevant account information, to the Acquirer in order to initiate and process a payment transaction.
We reserve the right to change the Acquirer at any time. You agree that at any time we may forward any relevant information about you to the new Acquirer in order to ensure the continuity of payment services.
In order to use the AgentCASH Services you must register for the Services and set up an AgentCASH account. The registration process is available via the AgentCASH website or via the AgentCASH mobile application.
During the registration process, you will be asked to provide certain information, including but not limited to your name, address, email address, telephone number, bank account number and, if necessary, company name and legal form of organization, trade name, type of business, full business address and ownership information.
In addition to the information required during the registration process, we reserve the right to request additional information, if deemed necessary by us or the Acquirer, in order to provide Services, comply with legal and regulatory requirements or assess the operational and financial risks of using our Services. If you do not provide such additional information, we have the right to suspend or cancel your AgentCASH account.
You agree that the information you provide during the registration process or otherwise is accurate, complete and up to date, and that you will immediately notify us of any changes in any information provided by you to us during the registration process or at any other time during the term of this Agreement. If any information becomes inaccurate or incomplete, the Services may be temporarily or permanently suspended.
Upon registration you will be given a personal user account and password that you will need in order to process payment transactions. It is your responsibility to ensure that this information and other login information are stored safely. You agree to keep the account access information solely at your own risk and in such a way that they remain inaccessible to unauthorized persons. Account details are personal and may not be transferred to anyone other than you.
Upon the completion of the registration process, we or the Acquirer will verify your identity in accordance with applicable anti-money laundering and anti-terrorism laws.
The decision on whether your identity has been properly verified will be made entirely at the discretion of AgentCASH and the Acquirer. Until you have successfully completed the registration and verification process, we reserve the right to suspend or not to start providing any Service under this Agreement.
Once your information has been verified, we will assign a category to you according to your business activity. This classification can be used to determine certain limits, such as the maximum transaction amount and the frequency of transactions that may be considered typical for that type of business or activity. Should there be any significant change in your business activity, you must immediately inform us thereof in order for us to adjust the existing limits to the new activity.
You must only use the Services to accept payment cards in accordance with applicable laws, regulations and card scheme rules. We may occasionally be required by the card schemes or the Acquirer to change this Agreement in connection with amendments to the card scheme rules.
You may only use our Services for the sale of products and services associated with your business activity. You must obtain our prior approval for any products or services that fall outside of the typical product or service range of your merchant category. If you are in doubt whether your goods or services are typical for your business category, please contact our Customer Service.
You must not use the Services with the intent of fraud or in a manner that is misleading to your customers, cardholders or any third party.
Card scheme brands and logos may be used only in accordance with the card scheme rules.
Without our permission you must not apply a minimum price threshold for accepting card schemes that exceeds the minimum transaction amount we impose for technical reasons.
You must not charge additional fees for the use of Payment Cards without our permission.
You must not dispense cash on any card transaction.
You must not accept payment transactions with debit or credit cards held in your name or the name of your company.
You must not act as a payment intermediary or aggregator or otherwise resell our Services to any third party.
You must not use the Services to accept payment for goods and services in connection with any illegal and immoral content; this applies particularly to the goods/services related to gambling that are illegal under applicable law.
You must provide and maintain, at your own expense, the mobile device required to use the Card Reader and the Software, together with the necessary contract with the telecommunications company allowing the transmission of the Transaction Data.
We do not guarantee that the Services will be compatible with your mobile device.
You must take all reasonable precautions to keep your Card Reader, application and mobile device secure and to avoid loss, theft, misappropriation or unauthorized use of your mobile device, Card Reader, account login details or security settings (including your user name, password and other security information).
You must at all times follow the instructions we gave you in relation to the security of any Card Data or Transaction Data, customer data and the integrity of the Card Reader and the Software. We may communicate such instructions to you through any agreed communication channel.
If your Card Reader or any security detail relating to your AgentCASH account is lost or stolen, or if you suspect that an unauthorized person has used or tried to use them, you must inform us thereof without delay by contacting our Customer Service.
If an unauthorized person has used your security details to access your AgentCASH account and we have not received any notification from you as described above, in the absence of any indication that your account may have been accessed without your authorization, we will continue to process every payment transaction initiated through your account.
When using the Services for transactions and provided that the Payment Card supports PINs, you must first ensure that the PIN is entered for verification purposes. When using the Services for transactions requiring a signature (Chip&Sign or Swipe&Sign), you must take all reasonable actions to make sure that the Payment Card used for payment was issued to the person presenting such card to you, for example by comparing the signature on the card to that made in your presence by the person presenting the card. In the event that the two signatures are not sufficiently similar for you to be sure that they were made by the same person, you do not have to accept that Payment Card unless the person presenting the card provides some other proof that he/she is the card holder.
You must at all times take all necessary measures to prevent a fraud or any illegal use of your AgentCASH account, the Card Reader or the Software. We are obliged to report any fraud or suspicion of illegal activity to the competent authorities.
If you have any reasonable suspicion that a card presented to you for payment is stolen, forged or being used in any illegal manner, you must note down the relevant card details and contact us immediately.
When accepting card transactions requiring a signature (Chip&Sign or Swipe&Sign), you must ensure that the card holder accepts the payment transaction and signs the electronic receipt with his/her name at the specified place in the Software.
We may at any time restrict the number or the value (or both) of the card transactions that require signature authorization.
When processing a transaction, you must submit the full amount of the invoiced goods/services as one transaction. If the transaction is declined, you cannot split the transaction into several smaller transactions. Please note that the card issuer reserves the right to issue a chargeback if you split a transaction. Splitting transactions can result in your funds being withheld and your merchant account terminated by the Acquirer.
It is your responsibility at all times to adhere to applicable data security standards determined by the Payment Card Industry Security Standards Council (PCI Council), whose requirements and measures ("PCI Standards”) can be found at www.pcisecuritystandards.org.
It is your obligation as a merchant accepting Payment Cards to determine which PCI Standards are applicable to you. Based on the information we hold on you, we may recommend that you take certain actions in order to become compliant with the relevant PCI Standard. However, the recommendations shall not constitute legal advice nor shall we be liable for the accuracy of any recommendations we give you.
You must notify us immediately of any interruption, defect or damage relating to the Card Reader, the Software or our Services.
You are obliged to fully cooperate with us at your own expense if your cooperation is required for the purposes of an audit imposed by the Acquirer or the card scheme, or to comply with an order or investigation of a competent authority, law enforcement agency or court.
Within the time limits determined by law and applicable card scheme rules, the transaction may be reversed through a process called chargeback (“Chargeback”) if such transaction:
If the Acquirer has received a Chargeback request in relation to a transaction, the Acquirer may deduct the amount of the Chargeback and any associated fees and fines from any outstanding amounts of other transactions or charge the costs in a different manner.
The Acquirer or AgentCASH will store signatures from digital receipts free of charge. You are not responsible for storing these documents.
If you operate a web shop, post material to the Service, post links on the Service, or otherwise make (or allow any third party to make) material available by means of the Service (any such material, “Content”) or other services, You are entirely responsible for the content of, and any harm resulting from, that Content. That is the case regardless of whether the Content in question constitutes text, graphics, an audio file, or computer software. By making Content available, you represent and warrant that:
By submitting Content to AgentCASH for inclusion on any services or applications provided by AgentCASH, you grant AgentCASH a world-wide, royalty-free, and non-exclusive license to reproduce, modify, adapt and publish the Content solely for the purpose of displaying, distributing and promoting your web shop. If you delete Content, AgentCASH will use reasonable efforts to remove it from the Service, but you acknowledge that caching or references to the Content may not be made immediately unavailable. Without limiting any of those representations or warranties, AgentCASH has the right (though not the obligation) to, in AgentCASH's sole discretion (i) refuse or remove any content that, in AgentCASH 's reasonable opinion, violates any AgentCASH policy or is in any way harmful or objectionable, or (ii) terminate or deny access to and use of the Service to any individual or entity for any reason, in AgentCASH's sole discretion. AgentCASH will have no obligation to provide a refund of any amounts previously paid.
User can agree to either a one (1) month or twelve (12) month contract agreement with AgentCASH User can opt to upgrade or downgrade their service agreement to any other contract agreement that AgentCASH is currently offering for sale at any time during User's contract term. Any plan downgrades will take effect when your next billing cycle begins. In the case of an upgrade, you will be charged for the difference in the cost of the two contracts over the remainder of the original contract term. At the end of the contract term, the contract will automatically renew indefinitely until explicitly cancelled. Cancellation must be issued via AgentCASH’s support addresses. Any cancellation must be done three (3) days prior to the end of the contract term to allow for adequate processing time.
If you cancel your services, your cancellation takes effect on your next billing cycle. This means we won’t be able to refund you for early contract cancellation. All AgentCASH accounts begin an obligation-free trial which will allow you to evaluate the service. No credit card information is collected to initiate a trial account, and charges will only be applied after explicit account purchase. Please sign up for a monthly payment schedule if you are unsure of how long you will be using the service. If you have a question about charges made to your account, please contact us immediately. If the charges were made in error, we will immediately credit your account or credit card account for the appropriate amount. AgentCASH has a zero tolerance policy for chargebacks. Any customer who disputes a credit card payment that is found to be valid will be permanently blacklisted and barred from use of the Service. Any past due fees and costs will be sent to collections. If our collection efforts fail, unpaid debts will be reported to all available credit reporting agencies. All cancellations must be requested a minimum of 48 hours prior to 00:00:01 CST (GMT+0) on your monthly billing date.
AgentCASH has not reviewed, and cannot review, all of the material, including computer software, posted to the Service, and cannot therefore be responsible for that material’s content, use or effects. By operating the Service, AgentCASH does not represent or imply that it endorses the material there posted, or that it believes such material to be accurate, useful or non-harmful. You are responsible for taking precautions as necessary to protect yourself and your computer systems from viruses, worms, Trojan horses, and other harmful or destructive content. The Service may contain content that is offensive, indecent, or otherwise objectionable, as well as content containing technical inaccuracies, typographical mistakes, and other errors. The Service may also contain material that violates the privacy or publicity rights, or infringes the intellectual property and other proprietary rights, of third parties, or the downloading, copying or use of which is subject to additional terms and conditions, stated or unstated. AgentCASH disclaims any responsibility for any harm resulting from the use by visitors of the Service, or from any downloading by those visitors of content there posted.
We have not reviewed, and cannot review, all of the material, including computer software, made available through the services and webpages to which agentcash.com links, and that link to agentcash.com. AgentCASH does not have any control over those non-AgentCASH services and webpages, and is not responsible for their contents or their use. By linking to a non-AgentCASH website or webpage, AgentCASH does not represent or imply that it endorses such website or webpage. You are responsible for taking precautions as necessary to protect yourself and your computer systems from viruses, worms, Trojan horses, and other harmful or destructive content. AgentCASH disclaims any responsibility for any harm resulting from your use of non-AgentCASH websites and webpages.
As AgentCASH asks others to respect its intellectual property rights, it respects the intellectual property rights of others. If you believe that material located on or linked to by agentcash.com or any AgentCASH web shop or mobile application violates your copyright, you are encouraged to notify AgentCASH immediately. AgentCASH will respond to all such notices, including as required or appropriate by removing the infringing material or disabling all links to the infringing material. In the case of a visitor who may infringe or repeatedly infringes the copyrights or other intellectual property rights of AgentCASH or others, AgentCASH may, in its discretion, terminate or deny access to and use of the Service. In the case of such termination, AgentCASH will have no obligation to provide a refund of any amounts previously paid to AgentCASH.
Although we endeavor to make our Services available 24 hours a day, we accept no liability if, for any reason, the Services are unavailable or the Card Reader or the Software is unusable at any time or for any period. The provision of the Services may be suspended temporarily and without notice in the event of a system failure, maintenance or repair, or for reasons beyond our control. We will endeavor to notify you in advance of any scheduled maintenance or repairs that may result in the suspension of the Services.
You shall be liable to us, the Acquirer and the card schemes for:
You shall indemnify and hold us and the Acquirer or any of our or the Acquirer’s employees, directors, officers and representatives harmless against any third party claims brought against us or the Acquirer as a result of any of the events listed in the previous paragraph.
Any illegal activity or fraud will be reported to the competent authorities.
If you have any complaints about our Services, please contact our Customer Service via email at firstname.lastname@example.org. Customer Service will review your complaint and notify you of the results in a timely manner. You can also submit a written complaint by addressing it to AgentCASH Customer Service, AGENT CASH LTD, 1 Phipp Street, London EC2A 4PS, UK.
This Agreement shall enter into force as soon as you have given your consent to it, but the provision of Services may be suspended until we or the Acquirer have determined that you have completed the necessary registration and passed the verification process successfully. The Agreement will remain in force until terminated by either party, in accordance with the following provisions.
You have the right to terminate this Agreement, without giving any reason, by contacting the Customer Service.
We may terminate this Agreement at any time by giving you at least two months’ notice of termination.
Your account and this Agreement may be terminated by us after six months of non-use of the Services.
Once your account has been terminated, you will not be able to access your account details.
We reserve the right to immediately suspend or terminate the provision of part or all of the Services in case:
We will endeavor to notify you in advance of our intention to suspend the Services and will provide you with the reasons for doing so, whenever possible.
Upon the termination of this Agreement, you will no longer be entitled to use the Services, the Software and the license granted to you for the use of any logos, trademarks or other intellectual property under this Agreement. You must remove all AgentCASH and card schemes’ identification, logos and labels including but not limited to the ones displayed on your points of sale and websites.
The termination of this Agreement will not affect any rights or obligations which may have incurred prior to termination or expiry. The obligations of either party in this Agreement which are intended to survive termination shall continue in full force and effect notwithstanding the termination.
The parties must keep secret any confidential information or data which they have exchanged in their contractual relations except as otherwise provided for under this Agreement or to comply with legal obligations.
By paying with a Payment Card, the card holder agrees to the processing of his/her personal data necessary to complete the transaction through the AgentCASH Software. AgentCASH and the Merchant will store, transmit, process and use this data in accordance with the UK Data Protection Act of 1998, the EU Regulation 2016/679 (GDPR) and the PCI Data Security Standard (PCI DSS) on the protection of personal data. AgentCASH shall maintain appropriate technical and organizational measures to ensure a level of security appropriate for protection of personal data.
Except as expressly set out in this Agreement, by using the Services you do not acquire any right or interest in or to the Intellectual Property Rights subsisting in the Services. For the purposes of this Agreement, the term “Intellectual Property Rights” means all inventions (whether patented or not), design rights, database rights, copyright, moral rights, rights to trademarks, logos, trade names, all registered intellectual property rights, know-how and any rights or forms of protection of a similar nature and having equivalent or similar meaning.
You may not assign, transfer, copy or distribute the Services or permit third parties to use the Services.
Except to the extent permitted by law, you may not copy, adapt, reverse engineer, decompile, disassemble, modify, adapt or make error corrections to the Services.
You represent and warrant to us that: (i) you are at least 18 years of age; (ii) you are a resident of the Republic of Croatia; and (iii) you have the legal right and full power and authority to enter into this Agreement and perform your obligations under it.
We reserve the right to amend this Agreement at any time. Unless the amendment is required sooner in accordance with applicable laws or regulations, we will endeavor to give you at least two months’ prior notice of any such change. You will be notified of the change via a message within the Software or by email. If you do not wish to accept such change to the terms, you will be entitled to terminate this Agreement during the notice period by notifying us under the conditions described in this Agreement. Your continued use of the Services following any such notice period will be deemed to be an acknowledgment of your acceptance of the amended terms and conditions.
The latest version of this Agreement can be found on our website. At your request, we will provide you with a paper copy of this Agreement.
If any provision of this Agreement proves to be unenforceable in any way, this will not affect the validity of the remaining provisions.
Reports, notices and other communications under this Agreement (including any changes to the terms and conditions of this Agreement) shall be made in Croatian or English, in writing, delivered by email or electronically via your AgenCASH account. For the purposes of this Agreement, any notice may be given in writing, electronically, unless we specifically require a document to be written on paper and/or signed.
You must maintain a valid postal address and email address for the duration of this Agreement. You must inform us immediately if you change the address or other contact information you have provided to us during the registration process or during the term of the Agreement. We will not be responsible if, due to your oversight, we send a communication to an invalid address. AgentCASH will not bear responsibility if the email address specified by you is not valid or if you have changed your email address but have not notified us thereof.
Any communication sent to you electronically to the last address you have given us for this purpose shall be deemed to have been received on the day the communication was sent, except when the sending of the communication results in an immediate error message. Communication sent to you by post shall be deemed received on the second business day after posting.
You can contact our Customer Service by sending an email to email@example.com or via our website. You can also send written communication by post to AGENT CASH LTD, 1 Phipp Street, London EC2A 4PS, UK. However, we recommend that you communicate with us electronically.
Your AgentCASH account is personal and you may not assign or transfer any of your rights or obligations under this Agreement to any person without our prior written consent.
If we decide to transfer your account to another entity (for example within the process of restructuring or selling a part of the company), we will only do so if the entity to whom the account is transferred has appropriate regulatory licenses and authorizations. We will give you at least two months' prior notice of this change. You will be able to terminate your account in this period, if you wish to do so.
If you are a consumer, as defined by the applicable laws of the jurisdiction in which you reside, you have the right to terminate this Agreement in writing at any time within two weeks from the moment of entering into this Agreement or the date on which you were communicated these terms and conditions, whichever is later. The termination shall not affect any transactions already processed and submitted to the Acquirer or the card schemes for settlement.
A person who is not a party to this Agreement has no right (Rights of Third Parties) to enforce any provision of this Agreement.
This Agreement constitutes the entire agreement between you and us and supersedes and replaces all previous drafts, agreements, arrangements and understandings between you and us, whether written or oral, relating to its subject matter.
Each party agrees that for the purpose of entering into this Agreement no warranties were made except those set out in this Agreement.
This Agreement and any dispute or claim arising from or in connection with it or its subject matter are governed by English law, except if you entered into this Agreement as a consumer. In that case, mandatory local consumer protection laws may be applicable.
If you are a business customer eligible to contractually determine the venue for disputes arising from or in connection with this Agreement, you agree that:
This EU Data Processing Addendum (“Addendum”) supplements the existing terms and conditions Agreement (the “Agreement”) entered into by and between the “Merchant”, (“Controller”) and Agent Cash, Ltd. (“Processor”).
Any terms not defined in this Addendum shall have the meaning set forth in the Agreement. In the event of a conflict between the terms and conditions of this Addendum and the Agreement, the terms and conditions of this Addendum shall supersede and control.
1.1. “Anonymous Data” means Personal Data that has been processed in such a manner that it can no longer be attributed to an identified or identifiable natural person without additional information unavailable to any third party other than Authorized Subcontractors.
1.2. “Authorized Employee” means an employee of Processor who has a need to know or otherwise access Personal Data to enable Processor to perform their obligations under this Addendum or the Agreement.
1.3. “Authorized Individual” means an Authorized Employee or Authorized Subcontractor.
1.4. “Authorized Subcontractor” means a third-party subcontractor, agent, reseller, or auditor who has a need to know or otherwise access Personal Data to enable Processor to perform its obligations under this Addendum or the Agreement, and who is either (1) listed in the following https://recurly.com/legal/privacy/subprocessors or (2) authorized by Controller to do so under Section 4.2 of this Addendum.
1.5. “Data Subject” means an identified or identifiable person to whom Personal Data relates.
1.6. “Instruction” means a direction, either in writing, in textual form (e.g. by e-mail) or by using a software or online tool, issued by Controller to Processor and directing Processor to Process Personal Data.
1.7. “Personal Data” means any information relating to Data Subject which Processor Processes on behalf of Controller other than Anonymous Data, and includes Sensitive Personal Information.
1.8. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
1.9. “Privacy Shield Principles” means the Swiss-U.S. and EU-U.S. Privacy Shield Framework and Principles issued by the U.S. Department of Commerce, both available at https://www.privacyshield.gov/EU-US-Framework.
1.10. “Process” or “Processing” means any operation or set of operations which is performed upon the Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.
1.11. “Sensitive Personal Information” means a Data Subject’s (i) government-issued identification number (including social security number, driver’s license number or state-issued identification number) or email address; (ii) financial account number, credit card number, debit card number, credit report information, with or without any required security code, access code, personal identification number or password, that would permit access to an individual’s financial account; (iii) genetic and biometric data or data concerning health; or (iv) Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation or sexual activity, criminal convictions and offences (including commission of or proceedings for any offense committed or alleged to have been committed), or trade union membership.
1.12. “Services” shall have the meaning set forth in the Agreement.
1.13. “Standard Contractual Clauses” means an agreement that may be executed by and between Controller and Processor pursuant to the European Commission’s decision (C(2010)593) of February 5, 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of protection.
1.14. “Supervisory Authority” means an independent public authority which is established by a member state of the European Union, Iceland, Liechtenstein, or Norway.
2.1. The rights and obligations of the Controller with respect to this Processing are described herein. Controller shall, in its use of the Services, at all times Process Personal Data, and provide instructions for the Processing of Personal Data, in compliance with EU Directive 95/46/EC (the “Directive”), and, when effective, the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR” and together, “Data Protection Laws”)). Controller shall ensure that its instructions comply with all laws, rules and regulations applicable in relation to the Personal Data, and that the Processing of Personal Data in accordance with Controller’s instructions will not cause Processor to be in breach of the Data Protection Laws. Controller is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to Processor by or on behalf of Controller, (ii) the means by which Controller acquired any such Personal Data, and (iii) the instructions it provides to Processor regarding the Processing of such Personal Data. Controller shall not provide or make available to Processor any Personal Data in violation of the Agreement or otherwise inappropriate for the nature of the Services, and shall indemnify Processor from all claims and losses in connection therewith.
2.2. Processor shall Process Personal Data only (i) for the purposes set forth in the Agreement, (ii) in accordance with the terms and conditions set forth in this Addendum and any other documented instructions provided by Controller, and (iii) in compliance with the Directive, and, when effective, the GDPR. Controller hereby instructs Processor to Process Personal Data for the following purposes as part of any Processing initiated by Controller in its use of the Services.
2.3. The subject matter, nature, purpose, and duration of this Processing, as well as the types of Personal Data collected and categories of Data Subjects, are described in Exhibit A to this Addendum.
2.4. Following completion of the Services, at Controller’s choice, Processor shall return or delete the Personal Data, except as required to be retained by the laws of the European Union or European Union member states.
3.1. Processor shall take commercially reasonable steps to ensure the reliability and appropriate training of any Authorized Employee.
3.2. Processor shall ensure that all Authorized Employees are made aware of the confidential nature of Personal Data and have executed confidentiality agreements that prevent them from disclosing or otherwise Processing, both during and after their engagement with Processor, any Personal Data except in accordance with their obligations in connection with the Services.
3.3. Processor shall take commercially reasonable steps to limit access to Personal Data to only Authorized Individuals.
4.1. Controller acknowledges and agrees that Processor may (1) engage the Authorized Subcontractors to access and Process Personal Data in connection with the Services and (2) from time to time engage additional third parties for the purpose of providing the Services, including without limitation the Processing of Personal Data.
4.2. A list of Processor’s current Authorized Subcontractors (the “List”) is available at https://recurly.com/legal/privacy/subprocessors (such URL may be updated by Processor from time to time). At least ten (10) days before enabling any third party other than Authorized Subcontractors to access or participate in the Processing of Personal Data, Processor will add such third party to the List and Controller can subscribe to updates via email. Controller may object to such an engagement in writing within ten (10) days of receipt of the aforementioned notice by Controller.
4.2.1. If Controller reasonably objects to an engagement in accordance with Section 4.2, Processor shall provide Controller with a written description of commercially reasonable alternative(s), if any, to such engagement, including without limitation modification to the Services. If Processor, in its sole discretion, cannot provide any such alternative(s), or if Controller does not agree to any such alternative(s) if provided, Processor may terminate this Addendum. Termination shall not relieve Controller of any fees owed to Processor under the Agreement.
4.2.2. If Controller does not object to the engagement of a third party in accordance with Section 4.2 within ten (10) days of notice by Processor, such third party will be deemed an Authorized Subcontractor for the purposes of this Addendum.
4.3. Processor shall ensure that all Authorized Subcontractors have executed confidentiality agreements that prevent them from disclosing or otherwise Processing, both during and after their engagement by Processor, any Personal Data both during and after their engagement with Processor.
4.4. Processor shall, by way of contract or other legal act under European Union or European Union member state law (including without limitation approved codes of conduct and standard contractual clauses), ensure that every Authorized Subcontractor is subject to obligations regarding the Processing of Personal Data that are no less protective than those to which the Processor is subject under this Addendum.
4.5. Processor shall be liable to Controller for the acts and omissions of Authorized Subcontractors to the same extent that Processor would itself be liable under this Addendum had it conducted such acts or omissions.
5.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of Processing Personal Data.
6. Transfers of Personal Data
6.1. Any transfer of Personal Data made subject to this Addendum from member states of the European Union, Iceland, Liechtenstein, Norway, Switzerland or the United Kingdom to any countries which do not ensure an adequate level of data protection within the meaning of the laws and regulations of these countries shall, to the extent such transfer is subject to such laws and regulations, be undertaken by Processor through one of the following mechanisms: (a) in accordance with the Swiss-U.S. and EU-U.S. Privacy Shield Framework and Principles issued by the U.S. Department of Commerce, both available at https://www.privacyshield.gov/EU-US-Framework (the “Privacy Shield Principles”), or (b) the Standard Contractual Clauses.
6.2. If transfers are made pursuant to 6.1(a), Processor self-certifies to, and complies with, the Swiss-U.S. and EU-U.S. Privacy Shield Frameworks, as administered by the U.S. Department of Commerce, and shall maintain such self-certification and compliance with respect to the Processing of Personal Data transferred from member states of the European Union, Iceland, Liechtenstein, Norway, Switzerland or the United Kingdom to any countries which do not ensure an adequate level of data protection within the meaning of the laws and regulations of the foregoing countries for the duration of the Agreement.
7. Rights of Data Subjects
7.1. Processor shall, to the extent permitted by law, promptly notify Controller upon receipt of a request by a Data Subject to exercise the Data Subject’s right of: access, rectification, restriction of Processing, erasure, data portability, restriction or cessation of Processing, withdrawal of consent to Processing, and/or objection to being subject to Processing that constitutes automated decision-making (such requests individually and collectively “Data Subject Request(s)”).
7.2. Processor shall, at the request of the Controller, and taking into account the nature of the Processing applicable to any Data Subject Request, apply appropriate technical and organizational measures to assist Controller in complying with Controller’s obligation to respond to such Data Subject Request and/or in demonstrating such compliance, where possible, provided that (i) Controller is itself unable to respond without Processor’s assistance and (ii) Processor is able to do so in accordance with all applicable laws, rules, and regulations. Controller shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Processor.
8.1. Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance where necessary for Controller to comply with its obligations under the GDPR to conduct a data protection impact assessment and/or to demonstrate such compliance, provided that Controller does not otherwise have access to the relevant information. Controller shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Processor.
8.2. Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance with respect to Controller’s cooperation and/or prior consultation with any Supervisory Authority, where necessary and where required by the GDPR. Controller shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Processor.
8.3. Processor shall maintain records sufficient to demonstrate its compliance with its obligations under this Addendum, and retain such records for a period of three (3) years after the termination of the Agreement. Controller shall, with reasonable notice to Processor, have the right to review, audit and copy such records at Processor’s offices during regular business hours.
8.4. Upon Controller’s request and at Controller’s choice, Processor shall, no more than once per calendar year, either (i) make available for Controller’s review copies of certifications or reports demonstrating Processor’s compliance with prevailing data security standards applicable to the Processing of Controller’s Personal Data, or (ii) if the provision of such certifications or reports under (i) is not reasonably sufficient under the Data Protection Laws to demonstrate Processor’s compliance, allow Controller or its authorized representative, upon reasonable notice and at a mutually agreeable date and time, to conduct an audit or inspection of Processor’s data security infrastructure that is sufficient to demonstrate Processor’s compliance with its obligations under this Addendum, provided that Controller shall provide reasonable prior notice of any such request for an audit and such inspection shall not be unreasonably disruptive to Processor’s business. Controller shall be responsible for the costs of any such audits or inspections.
8.5. In the event of a Personal Data Breach, Processor shall, without undue delay, inform Controller of the Personal Data Breach and take such steps as Processor in its sole discretion deems necessary and reasonable to remediate such violation (to the extent that remediation is within Processor’s reasonable control).
8.6. In the event of a Personal Data Breach, Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance necessary for Controller to comply with its obligations under the GDPR with respect to notifying (i) the relevant Supervisory Authority and (ii) Data Subjects affected by such Personal Data Breach without undue delay.
8.7. The obligations described in Sections 8.5 and 8.6 shall not apply in the event that a Personal Data Breach results from the actions or omissions of Controller.
9.1. The total liability of each of Controller and Processor (and their respective employees, directors, officers, affiliates, successors, and assigns), arising out of or related to this Addendum, whether in contract, tort, or other theory of liability, shall not, when taken together in the aggregate, exceed the limitation of liability set forth in the Agreement.