Fincra Technologies Limited

Terms of Use

Merchant Services Agreement

  • The general terms and conditions (“Terms and Conditions”);
  • The Services schedule (“Service Schedule”);
  • The General schedules (“General Schedules”);
  • Data Processing Agreement (“DPA”).

TERMS AND CONDITIONS

DEFINITIONS AND INTERPRETATION

  • “Affiliate” means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity.
  • “API” means Application Programming Interface.
  • “Business Day” means a day other than a Saturday, Sunday or public holiday on which banks are open for general business as communicated by us.
  • “Card Scheme” means Visa, Verve, Mastercard or any other applicable card scheme.
  • “Control” means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests of the entity in question. The term “Controlled” shall be construed accordingly.
  • “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • “Data” means the quantities, characters, or symbols on which operations are performed by a computer, which may be stored and transmitted in the form of electrical signals and recorded on magnetic, optical, or mechanical recording media.
  • “Data Protection Laws” means all applicable data protection laws and regulations applicable to a Party’s processing of Personal Data under this Agreement.
  • “Data Subject” means a natural person who can be identified directly or indirectly by reference to the Personal Data collected by the Parties.
  • “Further Guidance” means all internal or external documents, guidance, policies, and processes outlined or issued by FINCRA and communicated to You in relation to the Solution and services.
  • “Parties” means You and FINCRA.
  • “PCI Standards” means the information security standards administered by the Payment Card Industry Security Standards Council.
  • “Personal Data” means any information relating to a Data Subject and containing an identifier such as a name, an identification number, location data, photo, email address, bank details, posts on social networking websites, medical information, and other unique identifiers such as but not limited to Media Access Control (MAC) address, Internet Protocol (IP) address, International Mobile Equipment Identity (IMEI) number, International Mobile Subscriber Identity (IMSI) number, Subscriber Identification Module (SIM). Personal Data shall include any online identifier or any one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that Data Subject.
  • “Processing” and “process” either mean any activity that involves the use of Personal Data or as the Data Protection Laws may otherwise define processing or process. It includes any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organising, structuring, storing, adapting or altering, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring Personal Data to third parties.
  • “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
  • “Security Incident” means any unauthorised or unlawful breach of security that leads to the accidental or unlawful destruction, loss, or alteration of, or unauthorised disclosure of or access to, Personal Data transmitted, stored or otherwise processed.
  • “Security Measures” means processes adopted by each Party to protect its Data. Such measures include but are not limited to protecting systems from hackers, cyberattacks, viral attacks, data theft, damage by rain, fire or exposure to other natural elements. These measures also include setting up firewalls, storing data securely with access to specific authorised individuals, employing data encryption technologies, developing organisational policy for handling personal data (and other sensitive or confidential data), protection of email systems and continuous capacity building for staff.
  • “Sensitive Data” means (a) financial, genetic, biometric or health information; (b) racial, ethnic, political or religious affiliation, trade union membership, or information about sexual life or sexual orientation; (c) other information that falls within the definition of "special categories of data" under applicable Data Protection Laws.
  • “Solution” means FINCRA’s API, website, applications, and other software provided and/or used by FINCRA for the provision of the Service(s).
  • “Sub-processor” means any processor engaged by a Processor or its Affiliates to assist in fulfilling its obligations with respect to providing service according to this Agreement. Sub-processors may include third parties or Affiliates of the Processor but shall exclude the Processor’s employees or consultants.

SERVICES

INTELLECTUAL PROPERTY RIGHTS

FEES AND PAYMENT TERMS

  • any Refunds;
  • any Chargebacks;
  • any Fines;
  • any amounts required to cover:
    • potential or expected Refunds, Chargebacks, Chargeback Costs, Fines, taxes, levies, VAT, withholding taxes, any liability or potential liability relating to a transaction or this Agreement;
    • any other charges or amounts incurred by or due to FINCRA under or in connection with this Agreement.

SET-OFF

WARRANTIES AND DISCLAIMER

  • You warrant that all corporate action required to enter into this Agreement and the exercise of your rights and the performance of your obligations under this Agreement have been duly taken.
  • You warrant that You are duly registered and have the full capacity and corporate authorisation to enter into this Agreement and discharge the obligations and responsibilities created herein.
  • You warrant that You have the required licenses and regulatory approvals to conduct your business and enter into this Agreement.
  • You will use the services in accordance with the terms of this Agreement, all applicable law, Card Scheme Rules and Further Guidance. In particular, You will not use the services in a manner that could result in a violation of anti-money laundering, counter-terrorist financing, and similar legal and regulatory obligations.
  • You shall comply with any technical specifications available on FINCRA’s website, which FINCRA reserves the right to modify at any time.
  • You will keep FINCRA indemnified against all actions, claims, proceedings and all legal costs or other expenses arising out of any breach of the above warranties or out of any claim by a third party based on any facts which if substantiated would constitute such a breach or a breach of other relevant legal or settlement obligation or contractual duty.
  • FINCRA warrants to You that no element of the Solution or services constitutes a breach of any patent, copyright, or other intellectual property in its country of operation.
  • FINCRA neither warrants that the operation of the Solution or any ancillary products or services will be uninterrupted nor error-free nor will it be 100% fraud or fail-proof.
  • Except as outlined in this Agreement, FINCRA makes no express or implied representations or warranties concerning the Solution or its condition, merchantability, or fitness for any particular purpose or use by You.
  • FINCRA disclaims and excludes any warranty that is not expressly stated in this Agreement.
  • You and FINCRA warrant that you are not contemplating or in the process of being wound up.

INDEMNITY

LIMITATION OF LIABILITY OF FINCRA

  • loss or damage which is incurred by You as a result of:
    1. third party claims;
    2. viruses, malware, IP spoofing, exposure of API keys, fraudulent or malicious attacks, disruptive codes, power cuts or service interruptions or other IT or hardware or software problems or faults;
    3. decisions by any relevant court, regulatory or other authority or the operation of Applicable Law; and/or
    4. loss of profit, goodwill, business opportunity or anticipated saving suffered by You;
  • indirect, consequential, punitive, exemplary or similar loss or damage (including damage to reputation) suffered by You; and/or
  • loss or damage which may be the consequence, wholly or partially, of a breach of the Agreement by You.

RELATIONSHIP BETWEEN PARTIES

CONFIDENTIALITY

  • as required by law or by any regulation or similar provision, provided that the Receiving Party, where possible, gives the Disclosing Party not less than seven (7) Business Days written notice of such disclosure to enable the Disclosing Party to take whatever steps it deems necessary to protect its interest in this regard, and shall to the extent possible disclose only the portion of the information necessary;
  • to its representatives who need to know it strictly for the purpose of carrying out that Party’s obligations under this Agreement, on the basis that such representatives will keep the same confidential on the terms of this Agreement; or
  • to its affiliates.

FORCE MAJEURE

TERM AND TERMINATION

Term

  • it is required or requested to do so by any regulatory authority;
  • You fail to comply with any applicable laws;
  • You fail to comply with any term of this Agreement;
  • You fail to comply with access and/or interface specifications as communicated by FINCRA;
  • FINCRA is required to do so by a Card Scheme or payment partner;
  • Fraud is committed by your customer;
  • Fraud is committed due to your act and/or omission;
  • You fail to pay any sums under this Agreement by the payment due date;
  • anything happens to You or a matter is brought to the attention of FINCRA which in its absolute discretion, it considers may affect your ability or willingness to comply with all or any of your obligations or liabilities herein;
  • FINCRA, in its absolute discretion, determines that the relationship with your business represents an increased risk of loss or liability;
  • You did not submit complete and/or accurate Know Your Customer documents; and/or
  • any fines or any other claims are brought against FINCRA by any Card Scheme, financial institution or any other third party arising from any aspect of the parties’ relationship (including in connection with any security breach, compromise or theft of Data held by You or on your behalf, irrespective of whether such security breach, compromise or theft of Data was within or outside your control).

NOTICES

  • if sent by electronic mail, the next Business Day assuming that no notification of failure to deliver the electronic mail was received by the sending party;
  • if sent by registered first class post, 7 Business Days after posting it.

ADDITIONAL SERVICES

AUDIT/INSPECTION

MODIFICATIONS

WAIVER

SEVERANCE

NO ASSIGNMENT

FURTHER ASSURANCES

WHOLE AGREEMENT

INDUCEMENT AND ANTI-CORRUPTION

RESERVE BALANCE

NON-CIRCUMVENTION

ERRONEOUS DEPOSIT/PAYMENT

DATA PRIVACY AND INFORMATION SECURITY

  • Compliance with 27001:2022, ISO 22301
  • Establishment of controls for possible risks via Risk Assessment process
  • Notification of any incident/data breach without any undue delay
  • Commitment to information security and data privacy and protection.
  • Establishment of acceptable use of information systems assets

ABUSE OF API

SERVICES SCHEDULE

a. Collections and Payouts

  1. YOUR OBLIGATIONS
    You shall:
    • Not use the VBAs to facilitate prohibited or illegal transactions.
    • Ensure that sending accounts do not belong to sanctioned entities or individuals, or to entities or individuals domiciled in sanctioned countries.
    • Ensure that You have adequate controls, safeguards and information technology security for the operation of your platform against malware, viruses and other threats.
    • Update Your records with FINCRA as often as changes occur.
    • Advise FINCRA of your nominated settlement account or settlement wallet details.
    • Be responsible for maintaining adequate security and control of all IDs, passwords, or any other codes that You use to access the Solution or services.
    • Comply with all acceptable use policies communicated by FINCRA.
    • Not infringe FINCRA's or any third party's intellectual property or privacy rights.
    • Not use FINCRA’s Solution or services for any illegal or suspicious activity and/or transactions.
    • Not use an anonymizing proxy or other automated devices or manual processes not authorised by FINCRA to access, monitor or alter FINCRA’s Solution or services.
    • Be fully responsible for correct integration to the FINCRA Solution. FINCRA will however provide implementation support.
    • Be solely responsible for the authentication and approval of all transactions initiated via the Solution.
    • Be liable for any use of the passwords or other identification used to access the Solution or services.
    • Notify FINCRA of any security breach, misuse, irregularity, suspected fraudulent transaction or suspicious activities that may be connected with attempts to commit fraud or other illegal activity during the term of this Agreement.
    • Be solely responsible to your customers.
    • Provide all relevant information on the transactions covered under this Agreement to enable the processing of the transactions via the FINCRA network.
    • Comply with all applicable laws and any relevant Card Scheme Rules.
    • Not act in contravention of or cause FINCRA to act in contravention of any Card Scheme Rules to which FINCRA is subject.
    • Only accept payments and/or process Refunds:
      • from customers in connection with goods and/or services supplied by You;
      • in respect of goods and services which:
      • commonly fall within your business as identified in your request to FINCRA for the services;
      • in respect of goods or services the customer would reasonably expect to receive; and
      • in respect of goods or services the provision of which is in accordance with applicable law.
    • Solely be responsible for ensuring the correct implementation, installation, integration, security, and operation of all systems, equipment, software, and telecommunications and use of the Services on your own platform.
    • Provide immediate notice of (i) any unauthorized third-party use of the Services; and/or (ii) any event which might lead to such unauthorized use.
    • Take all reasonable steps to assist FINCRA in handling any claim or query raised by any third party or regulator in connection with the Services.
    • Immediately notify FINCRA of any act, omission or error which does or may adversely affect your ability to perform your obligations under this Agreement or cause loss or damage to FINCRA (including but not limited to any material change in the nature or extent of your business).
    • You acknowledge and agree to abide by and ensure that all equipment and software You use in connection with the transactions and the storage and/or processing of Data complies with, any payment application data security standards of any relevant Card Scheme as updated from time to time. You shall ensure that any of your agents, sub-contractors or any third parties are aware of and shall comply with the terms of this Agreement.
    • Immediately notify FINCRA on becoming aware of any actual or suspected security breach relating to any Data. As soon as reasonably practicable, You shall identify and remediate the source of such a security breach and take any additional steps required by FINCRA. This clause shall not prejudice any other remedies available to FINCRA under this Agreement.
    • Comply with any additional security, authentication, risk control, or other requirements imposed by a regulator, FINCRA or a Card Scheme, including but not limited to where you are, in the opinion of FINCRA and/or the Card Scheme, engaged in high-risk activities.
    • Not engage in any practice prohibited by any of the Card Scheme Rules unless permitted by applicable law.
    • Not make any warranty or representation whatsoever in relation to FINCRA’s Solution which may bind FINCRA or make it liable in any way whatsoever.
    • Implement or sign up to a fraud monitoring solution as may be required by FINCRA.
    • Make connections to such other systems as FINCRA may require from time to time.
    • Not disclose any system access credentials provided by FINCRA pursuant to this Agreement.
    • Perform the necessary KYC (Know Your Customer) & due diligence of all your customers and provide the same to FINCRA on request.
    • Be and remain Payment Card Industry Data Security Standard (PCI DSS) compliant during the term of this Agreement, if requested by FINCRA;
    • Implement a fraud protection and monitoring tool and provide evidence of same to FINCRA, if requested by FINCRA;
    • Not use any cardholder payment card details including but not limited to Primary Account Number (PAN) or Card Number, Personal Identification Number (PIN), Card Verification Value (CVV) for any purpose other than for the facilitation of the payment authorized by the cardholder;
    • Implement a two-factor authentication system as required by law, guidelines or directives;
    • Take full responsibility for the integration process using the API furnished by FINCRA. All integration, however, shall be subject to passing FINCRA’s Integration acceptance tests before go-live;
    • Be responsible for data stored or transmitted on or through You or any use of the Systems passwords or identification codes assigned by FINCRA.
    • Keep records of all transactions carried out by all your customers through the Solution and provide such records to FINCRA on request.
    • Take out and maintain insurance policies required by applicable laws and regulations in connection with your business operations.
    • Comply with applicable data protection regulations or laws.
  2. FINCRA’S OBLIGATIONS
    FINCRA shall:
    • Provide You access to the Solution and services.
    • Provide implementation support to You.
    • Provide the services with reasonable care.

b. Currency Conversion

  1. YOUR OBLIGATIONS
    You shall:
    • Initiate an exchange order for FINCRA’s processing.
    • Transfer the quantity of currency agreed in the exchange order into FINCRA’s account or e-wallet. FINCRA may automatically debit You for such exchange.
    • Provide the requisite KYC documents.
    • Submit to any compliance checks required by FINCRA.
    • Provide any supporting documents required by FINCRA.
    • Comply with applicable AML/CFT regulations.
    • Ensure that the proceeds of this Agreement are not used to fund illegal or prohibited transactions.
    • Abide by and continue to observe all guidelines and conditions related to each transaction as may be made from time to time and communicated by FINCRA.
  2. FINCRA’S OBLIGATIONS
    FINCRA shall:
    • Confirm acceptance of exchange orders initiated by You.
    • Transfer the equivalent of the amount received from You into your bank account or e-wallet in the agreed currency.
    • Settle transactions within the agreed timelines.

c. Bank Verification Number (BVN) Verification

  1. YOUR OBLIGATIONS
    You shall:
    • Seek and obtain full and informed consent of the individual whose personal information is being validated prior to calling the verification API.
    • By no means create an alternate database using the data received via API.
    • Escalate technical issues encountered to FINCRA for quick resolution.
    • Comply with applicable data protection laws and regulations.
    • Comply with CBN regulations on BVN.
  2. FINCRA’S OBLIGATIONS
    FINCRA shall:
    • Provide You access to the verification API.
    • Provide implementation support to You.

GENERAL SCHEDULES

PROHIBITED TRANSACTIONS

  • Any illegal items or for any illegal purpose.
  • Any munitions or firearms.
  • Pirated software, DVD or videos or item(s) otherwise infringing copyrighted works.
  • Illegal drugs, drug paraphernalia, prescription drugs or controlled substances or items that may represent these uses.
  • Viaticals.
  • Reselling prepaid cards or gift cards/certificates; Personal use such as gifts, loans or payments from friends and family.
  • Cigarettes, tobacco or e-cigarettes.
  • Internet, mail or telephone order pharmaceutical or pharmacy referral services.
  • Items that promote hate, violence, racial intolerance, or the financial exploitation of a crime.
  • Goods or services that infringe on the intellectual property rights of a third party.
  • Products or services that process pop-ups or contain, promote, reference or link to any spyware, malware, virus, back door, drop dead device or other program installation.
  • Live animals.
  • Weapons (including without limitation, knives, guns, firearms or ammunition).
  • Transactions directly or indirectly involving persons (individuals or entities) with whom U.S. persons are prohibited from engaging pursuant to sanctions and export controls administered by the Departments of Treasury, Commerce and State; or UKHMT, EU, UNSC etc.
  • Marijuana and related businesses.
  • Any other category or payor that FINCRA or the payment partner decides to prohibit, in its sole discretion.

SETTLEMENT

SERVICE SETTLEMENT SLA

| Product | Currency | Settlements SLA |
|---|---|---|
| Collections | NGN | Instant Settlement |
| Collections | EUR | Instant Settlement |
| Collections | GBP | Instant Settlement |
| Collections | USD | Instant Settlement |

| Product | Currency | Destination Currency | Settlement SLA |
|---|---|---|---|
| Conversion | NGN | EUR/GBP/USD | Same day |
| Conversion | EUR | NGN | Same day |
| Conversion | EUR | GBP/USD | Same day |
| Conversion | GBP | EUR/USD | Same day |
| Conversion | USD | NGN | Same day |
| Conversion | USD | EUR/GBP | Same day |

| Product | Currency | Destination Currency | Settlement SLA |
|---|---|---|---|
| Payout | NGN | NGN | Instant Settlement |
| Payout | NGN | EUR/GBP/USD | Same day |
| Payout | EUR | NGN/GBP/USD | Same day |
| Payout | EUR | GHS/KES | Same day |
| Payout | GBP | NGN/USD/GHS/KES | Same day |
| Payout | USD | NGN/USD/GHS/KES | T+1 |

FINCRA ALLOWED SETTLEMENT COUNTRIES

FINCRA PROHIBITED SETTLEMENT COUNTRIES

CHARGEBACK AND REFUNDS

  • In certain circumstances, Card Issuers, Card Schemes and/or Other Financial Institutions may require repayment in respect of a transaction previously settled and/or remitted to You or your customers, notwithstanding that authorisation may have been obtained from the Card Issuer and/or Other Financial Institution (such circumstances being a "Chargeback").
  • You acknowledge and agree that under all applicable rules, regulations and operating guidelines issued by Card Schemes, financial institutions, regulators and FINCRA relating to cards, transactions, other payment methods and processing of data, You may be required to reimburse acquirers for Chargebacks in circumstances where You have accepted payment in respect of the relevant transaction.
  • All Chargebacks shall correspond to the whole or part of the settlement value of the original transaction or, at an amount equivalent to the original settlement currency at the rate of exchange quoted for settlement purposes on the day the Chargeback is processed.
  • Where a Chargeback occurs or where You fail to address a Chargeback claim within 16 hours, FINCRA shall immediately be entitled to debit your position to make a reversal from your settlement account or e-wallet and/or make a deduction from any remittance, reserve and/or invoice to You to recover:
    • the full amount of the relevant Chargeback; and
    • any other costs, expenses, liabilities or Fines which may be incurred as a result of or in connection with such Chargeback (“Chargeback Costs”).
  • A Chargeback represents an immediate liability from You to FINCRA. Where the full amount of any Chargeback and/or any Chargeback Costs is not debited by FINCRA from your bank account or e-wallet or deducted from any remittance or invoice as referred to in the previous clause, then FINCRA shall be entitled to otherwise recover from You by any means the full amount of such Chargeback and Chargeback Costs (or the balance thereof, as the case may be).
  • FINCRA shall not be obliged to investigate the validity of any Chargeback by any Card Issuer, Card Scheme, payment partner or Other Financial Institution, whose decision shall be final and binding in respect of any Chargeback.
  • As Chargebacks may arise a considerable period after the date of the relevant transaction, You acknowledge and agree that, notwithstanding any termination of this relationship for any reason, FINCRA shall remain entitled to recover Chargebacks and Chargeback Costs (and, where relevant, from any entity who has provided FINCRA with a guarantee or security relating to your obligations under this relationship) in respect of all Chargebacks that occur in connection to transactions effected during the term thereof.
  • FINCRA reserves the right to immediately pass on to and recover from You any fines incurred and/or impose further charges on You and/or terminate the relationship forthwith if we consider that the total value of refunds and/or Chargebacks is unreasonable. FINCRA can recover fines from You in the same way as Chargebacks and in any event they represent an immediate liability from You to FINCRA.
  • You agree that You bear the responsibility to prove to FINCRA’s satisfaction (or that of the relevant Card Issuer or Other Financial Institution) that the debit of a customer’s or cardholder’s account was authorised by such customer or cardholder.

SERVICE LEVEL AGREEMENT

FINCRA INCIDENT MANAGEMENT FRAMEWORK

  • Infrastructure Downtime
  • Fraud
  • Application Malfunction

MANAGEMENT OF INCIDENTS

  • E-Mail Communication
  • One-on-one via Slack

| Role | Responsibility | Contact |
|---|---|---|
| End user / user / requester | FINCRA Merchant who usually experiences a disruption in service and raises an incident ticket to initiate the process of incident management. | FINCRA Merchant |
| First Level Support | This is the first point of contact for the FINCRA Merchant when they want to raise a request or incident ticket. First level support people have a working knowledge of the most common issues that might occur. | Merchant Success |
| Second Level Support | Made up of support engineers with advanced knowledge of incident management. They usually receive more complex requests from end users; they also receive requests in the form of escalations from first level support. | Support Engineers |
| Tier 3 (and above) service desk | This level is usually composed of specialist engineers who have advanced knowledge of particular domains in the FINCRA Merchant infrastructure. | CTO |
| Incident Manager | This stakeholder plays a key role in the process of incident management by monitoring how effective the process is, recommending improvements, and ensuring the process is followed, among other responsibilities. | CTO |
| Process Owner | This stakeholder owns the process followed for managing incidents. They also analyze, modify, and improve the process to ensure it best serves the interest of the organization. | CTO |

EXTERNAL INCIDENT MANAGEMENT & SLAs

| Channel | Contact Details | Response Time |
|---|---|---|
| Email | | 15 min FRT Mon - Sun, 7:00 am - 11:00 pm (WAT) |
| Live Chat | available in portal & on website | 5 min FRT Mon - Sun, 7:00 am - 11:00 pm (WAT) |
| Self-Service portal | available in portal & on website | Real time ticket logging system available 24/7 with human response Mon - Sun, 7:00 am - 11:00 pm (WAT) |

| Category | Incident Types | Owner |
|---|---|---|
| High | Infrastructure Malfunction or downtime | Engineering |
| Medium | Complaints, Requests & Enquiries | Merchant Success |
| Low | Education gaps & Enquiries | Merchant Success |

| Prioritization | Nature of Incident | Fixer |
|---|---|---|
| Critical | Infrastructure Downtime, Application Malfunction, Fraud. | CTO |
| High | Fraud | Compliance |
| Medium | General Complaints/Requests | Merchant Success |
| Low | Enquiries | Merchant Success |

| Priority | Response Time | Resolution Time |
|---|---|---|
| Critical | 10 min | 2 hours |
| High | 15 min | 4 hours |
| Medium | 15 min | 12 hours |
| Low | 15 min | 24 hours |
| Escalation | Realtime | 48 hours |

DATA PROCESSING AGREEMENT

1. RESPONSIBILITIES

  • Each Party shall implement and maintain effective Security Measures (pseudonymisation and encryption etc) that are designed to preserve the security and confidentiality of each Party’s Data and protect its Data from Security Incidents. Such security measures shall be regularly tested and evaluated for effectiveness.
  • The Parties understand that Sensitive Data merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms of the Data Subject. The Controller will therefore not provide (or cause to be provided) any Sensitive Data to Processor for processing under the Agreement without the express consent of the Data Subject.
  • The Processor shall adopt such measures to ensure a level of security appropriate to the sensitivity of the Data transferred to the Processor. These measures include the pseudonymisation and encryption of personal data.
  • Processor shall notify Controller in writing within 48 (forty-eight) hours, unless prohibited from doing so under Data Protection Laws, if it becomes aware or believes that any data processing instruction from Controller violates any Data Protection Law.
  • Processor shall ensure it can restore the availability and access to Personal Data promptly in the event of a Security Incident.
  • Processor shall ensure that any person who is authorised by Processor to process Personal Data (including its staff, agents and subcontractors) shall be under a contractual or statutory obligation of confidentiality.
  • Processor shall in updating or modifying its Security Measures, ensure that such updates and modifications do not result in the degradation of the Processor’s Security Measures.
  • Upon becoming aware of a Security Incident, Processor shall:
    • notify Controller without undue delay, and where feasible, in any event no later than 48 hours from becoming aware of the Security Incident;
    • provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Controller; and
    • promptly take reasonable steps to contain and investigate any Security Incident.
  • Processor’s notification of or response to a Security Incident shall not be construed as an acknowledgement by Processor of any fault or liability concerning the Security Incident.
  • Notwithstanding the above, Controller agrees that except as provided in this Agreement, Controller is responsible for protecting the security of Personal Data when in transit to the Processor while the Processor is responsible for protecting the security of Personal Data it receives and transfers to any party including any Sub-Processor.
  • The Controller represents and warrants that:
    • it has complied, and will continue to comply, with all applicable laws, including Data Protection Laws, in respect of its processing of Personal Data and any processing instructions it issues to Processor; and
    • it has obtained and will continue to obtain, all consents and rights necessary under Data Protection Laws for Processor to process Personal Data for the purposes described in the Agreement.
  • Controller shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Controller acquired Personal Data.
  • Controller will ensure that Processor’s processing of the Controller’s Data following Controller’s instructions will not cause Processor to violate any applicable law, regulation, or rule, including, without limitation, Data Protection Laws.

2. SUB-PROCESSING

  • Controller agrees that the Processor may engage Sub-processors to process Personal Data on Controller’s behalf.
  • Processor shall notify Controller of any engagement or disengagement of a Sub-processor and shall enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Controller’s Data as those in this Agreement.
  • The Processor shall remain responsible for the Sub-processor’s compliance with the obligations of this Agreement and for the acts or omissions of such Sub-processor that cause Processor to breach any of its obligations under this Agreement.

3. SECURITY REPORTS AND AUDITS

  • Where the Processor is audited against PCI standards, it shall supply (on a confidential basis) a copy of its annual attestation of compliance and certificate of compliance (“Reports”) to Controller within 5 Business Days of Controller’s written request, to enable Controller to verify Processor’s compliance with the audit standards against which it has been assessed and this Agreement.
  • In addition to the Reports, the Processor shall respond to all reasonable requests for information made by the Controller to confirm the Processor’s compliance with this Agreement, including responses to information security, due diligence, and audit questionnaires, by making additional information available regarding its information security program upon Controller’s written request, provided that Controller shall not exercise this right more than once per calendar year.
  • Where the Processor is not audited against PCI standards, the Processor shall allow for audit inspections by Controller or Controller’s nominated consultant in order to assess compliance with this Agreement and Data Protection Laws. Processor shall also make available to Controller all information reasonably necessary to demonstrate compliance with this Agreement and the Data Protection Laws.
  • In addition to the audit inspections, the Processor shall respond to all reasonable requests for information made by the Controller or Controller’s consultant to confirm the Processor’s compliance with this Agreement, including responses to information security, due diligence, and audit questionnaires, by making additional information available regarding its information security program upon Controller’s or Controller’s consultant’s written request.

4. INTERNATIONAL TRANSFERS

5. RETURN OR DELETION OF DATA

6. DATA SUBJECT RIGHTS AND COOPERATION

  • Processor shall, to the extent possible, assist the Controller to comply with its data protection obligations with respect to a Data Subject’s rights under Data Protection Laws.
  • If any request is made by a Data Subject to Processor directly, Processor shall not respond to such communication directly except as appropriate (for example, to direct the Data Subject to contact Controller) without Controller’s prior authorisation except as legally required.
  • If Processor is required to respond to a request made under clause 6.2, Processor shall promptly notify Controller and provide Controller with a copy of the request unless Processor is legally prohibited from doing so. For the avoidance of doubt, nothing in this Agreement shall restrict or prevent Processor from responding to any Data Subject or data protection authority requests concerning Personal Data for which Processor is a controller.
  • If a law enforcement agency sends Processor a demand for Personal Data (for example, through a subpoena or court order), Processor shall attempt to redirect the law enforcement agency to request that Data directly from Controller. As part of this effort, Processor may provide Controller’s contact information to the law enforcement agency. If compelled to disclose Personal Data to a law enforcement agency, then Processor shall give Controller reasonable notice of the demand to allow Controller to seek a protective order or other appropriate remedies, unless Processor is legally prohibited from doing so.

7. INDEMNIFICATION

8. GENERAL TERMS

  • Processor shall have a right to collect, use and disclose Data for its legitimate business purposes, such as: (i) for accounting, tax, billing, audit, and compliance purposes; (ii) to provide, develop, optimize and maintain the services; (iii) to investigate fraud, spam, wrongful or unlawful use of the services; and (iv) as required by applicable laws.
  • No one other than a party to this Agreement, its successors and permitted assignees shall have any right to enforce any of its terms.

9. NOTICES