Alert Services Agreement V 4.4 | chargebackhit.com

Last updated: Version 4.4, November 2025

WHEREAS:

(A) WHEREAS, the Company wishes to engage CBH for the provision of Software-as-a-Service (SaaS) Services as described herein.

(B) WHEREAS, CBH has agreed to supply the said services on the terms and conditions set out in this Agreement.

(C) WHEREAS, it is the express objective and intention of the Parties to this Agreement to achieve a high degree of efficiency in their professional relationship, to their mutual benefit.

NOW, THEREFORE, the Parties hereto agree as follows:

1. Conditions precedent

1.1. The following shall be the conditions precedent for CBH to start rendering the Services:

1.1.1. The Company has integrated with CBH through the Technical Solution and/or registered with the CBH client’s hub;

1.1.2. The Company successfully underwent the verification and due diligence processes, by providing the Company Information requested by CBH.

1.1.3. The Company provided CBH by email, defined in this Agreement, with the following information: (a) Acquirer BIN; (b) Acquirer CAID; (c) Payment Descriptor; (d) d.b.a. (doing business as); (e) Company’s legal entity name; (f) MCC; (g) support email; and (h) support telephone.

1.1.4. The Company has paid the prepayment amount as specified in the Schedule(s) to this Agreement (if any).

1.2. If the Company becomes non-compliant with any of the conditions precedent set out in clause 1.1, CBH shall have the right to suspend rendering Services until the Company is compliant again.

1.3. In consideration of the Fees and subject to the Company’s conformity with the Agreement, CBH shall render Services as set out in this Agreement.

2. Services

2.1. CBH shall render the Services agreed in Schedule(s) to this Agreement.

2.2. The change in Applicable Laws may affect CBH’s ability to provide and Company’s ability to receive the Services.

2.3. CBH is authorised to suspend rendering the Services as necessary to conduct maintenance, upgrade, repair and/or provide other necessary attention to CBH’s Technical Solution, servers or equipment. CBH will have reasonable discretion to determine when to suspend Services and shall give 5 days’ written notice of such suspension by e-mail.

2.4. Without derogating from any other right available to CBH under this Agreement, Applicable Laws or otherwise, on the basis of risk management considerations or where required to comply with the Applicable Law CBH, in its sole discretion, has the right to suspend the Services in any jurisdiction at any time and for any period of time.

2.5. CBH reserves the right to use third-party service providers in rendering any of the Services to the Company. CBH shall exercise reasonable care while choosing the provider. CBH accepts no liability for the provision of the Services by any third party.

2.6. As a Software-as-a-Service (SaaS) provider, CBH does not verify or modify the information. CBH provides a technical solution allowing the Company to transfer information between the Company and the Acquirer (and other third-party service providers, if applicable).

3. Fees

3.1. The Company shall pay the Fees defined in Schedule(s) to the Agreement.

3.2. Where Schedule(s) to the Agreement provides for a prepayment amount, the Company acknowledges and agrees that CBH may at its sole discretion refuse to commence providing the Services until such prepayment amount has been paid.

3.3. For purposes of using the Services, CBH shall provide the Company with access to an online system to manage and analyse its use of the Services, maintain and update payment and billing information, pay for the Services and perform other functions related to the account. The online system will show information on the Company’s use of the Service and the available Account Balance. The Company shall be solely responsible for maintaining the security of its account. The Company acknowledges and understands that the Company will be charged for any Services used or ordered through its account.

3.4. The Company may use the Services only while it maintains a positive Account Balance or, where a Credit Limit has been established in accordance with the Schedule(s) to the Agreement, until its negative Account Balance reaches that Credit Limit. Once the Account Balance is depleted or the Credit Limit is reached, CBH may, at its sole discretion (but without any obligation to do so), suspend the provision of the Services without further notice to the Company until the Account Balance is topped up. Upon replenishment of the Account Balance, CBH shall use commercially reasonable effort to resume the provision of the Services as soon as practicable. The Company acknowledges that operational delays may nevertheless occur, and the Company is therefore advised to maintain a sufficient Account Balance at all times to ensure the uninterrupted provision of the Services.

3.5. CBH shall exert commercially reasonable effort to notify the Company whenever its Account Balance is running low or, if Credit Limit is established, when the Credit Limit is about to be reached. The Company agrees that such notifications shall be for convenience only and no right or remedy available to CBH under this Agreement or otherwise shall be contingent on CBH providing such notification.

3.6. The Account Balance can only be used to pay for the Services. The Account Balance does not constitute a personal property right and has no value outside the Services. Additionally, the Account Balance is not a bank account or a payment account. The Account Balance is non-transferable, does not accrue interest, dividends, or any other earnings, does not constitute deposits, and is not insured by deposit insurance or any other governmental agency or any other guarantee fund, coverage or compensation mechanism. The Account Balance has no cash value and cannot be redeemed or exchanged for cash, in whole or in part. However, if this Agreement is terminated, CBH will upon request and as soon as reasonably practicable refund to the Company any unused Account Balance less any Fees and other amounts owed by the Company or its Affiliates to CBH or its Affiliates.

3.7. The Fees paid and due and the then-current Account Balance shall be confirmed by an invoice (or an electronic invoice) issued by CBH on a monthly basis. CBH shall have the right, in its sole discretion, to issue the invoice to the Company if the Fees due reach (i) USD 10,000 (or equivalent in any currency) or (ii) where applicable, the Credit Limit (or equivalent in any currency). This shall be without prejudice to CBH issuing the monthly invoice.

3.8. Unless otherwise specified in the relevant invoice, the net Fees due shall be paid by the Company to CBH’s bank account stipulated in the invoice within ten (10) calendar days of receiving the invoice.

3.9. The Company shall be responsible for providing to CBH complete and accurate billing and contact information and shall notify CBH of any changes to such information.

3.10. The Company may add amounts to its Account Balance using Top Up Methods supported by CBH. CBH shall notify the supported Top Up Methods to the Company from time to time. CBH supports Top Up Methods at its own discretion and may disable any Top Up Method at any time.

3.11. By submitting credit card details or connecting or using any other Top Up Method in its account, the Company (i) represents and warrants that the Company is duly authorised to use the Top Up Method; and (ii) authorises CBH and/or its payment service provider to charge the Top Up Method or otherwise process the payment of the Fees using such Top Up Method.

3.12. The Company is solely liable for problems arising from failed payment, including but not limited to payment processing errors, delays, or failures caused by third-party payment processors. If CBH and/or the payment service provider cannot charge the Company’s Top Up Method for any reason, the Company remains responsible for any uncollected amounts.

3.13. All bank fees, bank commissions, exchange rate losses or commissions on currency exchange, fees imposed by the card issuer or other Top Up Method provider or payment processor and all other costs and fees related to payments are at the expense of the Company. The Company undertakes to perform all necessary actions and pay all necessary accompanying fees and expenses so that CBH receives the full amounts due hereunder.

3.14. Any outstanding Fees and other amounts that are not paid within the timeframe specified in the relevant invoice (except to the extent they are disputed by the Company in accordance with this Agreement) shall be considered overdue (“Overdue Amounts”). Where there is any Overdue Amount owed by the Company to CBH, in addition to all other remedies that may be available under this Agreement or otherwise:

(a) Interest shall accrue on any Overdue Amounts owed by the Company to CBH at the rate of 10% per month, calculated daily or, if lower, the highest rate permitted under applicable Law, provided that CBH can, at its sole discretion, waive its right to claim the accrued interest or claim a lower interest;

(b) CBH also will be entitled at any time and without further notice to the Company (i) to suspend providing Services, (ii) to inform third party providers about any Overdue Amounts owed by the Company to CBH, (iii) to suspend the release of any data provided by the Company, including CAID(s), BIN(s), Payment Descriptor(s), and any other data or otherwise disrupt the provision of third party providers’ services to the Company, and (iv) to instruct any third party providers to withhold any data provided by the Company or otherwise disrupt the provision of their services to the Company;

(c) CBH may at any time and without notice to the Company deduct, recoup or set-off Overdue Amounts and any interest thereon from: (a) funds payable by CBH or its Affiliate to the Company or the Company’s Affiliate; (b) the Account Balance of each CBH account that CBH determines, acting reasonably, is associated with the Company or its Affiliate; (c) the Top Up Method provided by the Company. If the currency of the amount being deducted is different from the currency of the amount owed by the Company, CBH may deduct, recoup or set-off an amount equal to the amount owed (using market exchange rate) together with any fees CBH incurs in making the conversion;

(d) CBH may also take other steps to recover the Overdue Amounts such as instructing a debt collection agency to contact the Company; issuing legal proceedings for enforcement purposes; informing fraud prevention agencies and selling, transferring or assigning the Overdue Amount to a third party; and

(e) Company shall reimburse CBH for all reasonable costs incurred by CBH in collecting any Overdue Amount or interest, including attorneys’ fees, court costs, and collection agency fees.

3.15. The Company acknowledges and understands that all Fees paid and due and Account Balance will be calculated exclusively based on the numbers in the CBH’s online system. If the Company has any valid reason for disputing any amount of an invoice or any charge to its Top Up Method, the Company shall notify CBH in writing within five (5) business days of receipt of the disputed invoice or charge. Within five (5) business days of receipt of the notification from the Company, CBH shall decide whether the invoice or charge amount is disputed reasonably. If CBH accepts the Company’s objections, the respective adjustments will be made to the Company’s Account Balance, and, where the Top Up Method was not already charged by CBH, the Company shall pay the adjusted sum within five (5) business days when the adjusted invoice has been sent. If CBH rejects the Company’s objections, the Company shall pay the Fees defined in the initial invoice. For the avoidance of doubt, where the Top Up Method was charged by CBH, the charge may not be reversed. Instead, the successfully disputed amount of the charge will be credited to the Company’s Account Balance.

3.16. Except as expressly stated in this Agreement, all payments made by Company to CBH are non-refundable. Payment made by Company to CBH confirms the Company’s agreement with the Fees defined in the invoice.

3.17. All fees payable to CBH under this Agreement are exclusive of value added tax and any additional or other taxes, charges or duties which may be imposed in connection with any and all payments made or due hereunder (collectively “Taxes”). All Taxes shall, if applicable, be borne by the Company. In case any Tax is or becomes chargeable (retroactively or going forward) in accordance with applicable laws, CBH shall add such amount to the Fees accordingly. Where Fees are charged by CBH, the Company acknowledges and understands that CBH will charge its Top Up Method or deduct against its available Account Balances so as to cover any applicable Taxes.

3.18. All Fees and other amounts payable to CBH hereunder shall be paid by Company in full without any setoff, recoupment, counterclaim, deduction, debit, or withholding for any reason (other than deduction from positive Account Balance).

3.19. Any repayment of funds to the End User for the execution of the Transaction (as a result of the Chargeback or otherwise) is subject to the following terms:

(a) the Company is solely responsible for repayment of funds, on the terms indicated in the agreement with the Acquirer (and/or other service providers (if any)); and

(b) the Fees charged by CBH in relation to execution of such Transaction are not to be returned to the Company.

3.20. The Company shall meet all costs associated with its compliance with the Applicable Law.

4. Amendments

4.1. CBH shall have the right, upon a three (3) day notice, to change any of the Services if:

(a) Company requests so;

(b) The changes are made at the Card Scheme(s) and/or other third-party’s request;

(c) The changes are imposed upon CBH under the Applicable Law;

(d) The change is required on the basis of risk management considerations of CBH;

(e) Company fails to fulfil its obligations under the Agreement.

4.2. CBH shall have the right, upon a ten (10) day notice, to change any provision of the Agreement, including, but not limited to, with regard to Clause 3 of the Agreement, if:

(a) The changes are made at the Card Scheme(s) and/or other third-party’s request;

(b) The changes are imposed upon CBH under the Applicable Law;

(c) The change is required on the basis of risk management considerations of CBH;

(d) Company fails to fulfil its obligations under the Agreement.

4.3. If the Company does not accept the changes prescribed in clause 4.2 of the Agreement, it has the right to terminate the Agreement before the new provisions enter into force. After the said term, the new changes are considered accepted and in force.

5. Prohibited actions

5.1. It is prohibited for the Company to:

5.1.1. Use the Services in a way that infringes Applicable Laws, good practices, rights of third parties, or the policies of the Acquirers.

5.1.2. Use the Services to handle the Transactions on the websites and in IT environments that were not previously approved by CBH.

5.1.3. Use the Services to process notifications received not via the Technical Solution.

5.1.4. Fail to protect the data relating to its End Users, which is collected and stored by the Company against unauthorised access. The Company shall immediately notify CBH if the Company reasonably believes that there has been any security breach including but not limited to instances of unauthorised access or attempt to access Transaction data or sensitive End-User data, where there is a suspected or confirmed damage, loss or theft of Transaction data or sensitive End-User data.

5.1.5. Take actions or omissions that may expose CBH to credit risk, risk of fraud, breach of duties related to anti-money laundering and terrorist financing or other statutory obligations or a sudden increase of risk (assessed under the procedures adopted by CBH based on the Company Information and other information available).

5.1.6. Take any actions, as a result of which the Technical Solution or any part of CBH’s infrastructure will be negatively affected.

5.1.7. Engage in misleading or deceptive conduct, or use the Services itself or permit others to use the Services for any improper, immoral, or unlawful purposes.

6. Data protection

6.1. Personal data processing in connection with this Agreement shall be governed by Schedule C, which forms an integral part of the Agreement.

6.2. The Company agrees to receive commercial and marketing information from CBH.

7. Representations and warranties

7.1. The Company warrants to CBH that:

7.1.1. At the date of this Agreement, it has full power and lawful authority to execute and deliver this Agreement and to perform its obligations under this Agreement.

7.1.2. It is duly organised and validly existing under the laws of its domicile and has the legal capacity and corporate authority to own its property and carry on its business as now conducted and is not in breach of its by-laws.

7.1.3. It is, and has at all times been, in all material respects in compliance with, and is not in material default or violation in any respect of, any Applicable Law.

7.1.4. There is no action, suit or proceeding at law or in equity now pending or, to the best of its knowledge, threatened by or against or affecting the Company which would impair its right to carry on its business as now conducted or affect its financial conditions or operations or its ability to perform the obligations required under this Agreement.

7.1.5. Any and all information and documentation provided by the Company is true, accurate, complete and updated and no information, document or statement provided or made available is untrue, false, incorrect, incomplete or misleading.

7.2. Each party warrants, represents, covenants and agrees that it has knowledge of all applicable Anti–Corruption Laws and that neither it nor any of its officers, directors, employees, agents, contractors, designees, ultimate beneficial owners or shareholders, nor any other party acting on its behalf, will directly or indirectly take any action that would constitute a violation of the Anti–Corruption Laws with respect to any activities related to any business for CBH or the Company. Each party warrants, represents, covenants and agrees that neither it nor any of its direct or indirect Representatives has or will pay, offer, promise to pay or authorize the payment of, offer or promise to pay, directly or indirectly, any monies or anything else of value to any current or former official, political party or official of a political party, or any candidate for public office in connection with this Agreement. Each party acknowledges that, for purposes of this Agreement, an “official” is (i) any officer or employee of a government or any department, agency or instrumentality of a government, (ii) any officer or employee of a public international organization such as the United Nations or the World Bank, (iii) any individual acting in an official capacity for or on behalf of a government agency, department, instrumentality or of a public international organization, (iv) any officer or employee of a company owned or controlled by a government or (v) any member of a royal family who may lack formal authority but who may otherwise be influential, including by owning or managing state–owned or controlled companies. Each party represents and warrants that all representations, warranties and covenants set forth in this clause are truthful and accurate. Each party shall notify the other party in writing immediately upon the occurrence of any event which would render the representations, warranties or covenants contained herein incorrect. 
If, in good faith, CBH believes that any action under this Agreement will likely cause a violation of the Anti–Corruption Laws, nonperformance shall be excused and this Agreement may be terminated at CBH’s option.

7.3. Each party warrants, represents, covenants and agrees that it will comply at all times with all applicable laws, rules, regulations, decrees and prohibitions of whatsoever nature relating (a) to the sale, export or transfer of items or (b) to transactions of any kind with restricted or embargoed countries or territories, restricted or blocked persons or restricted or blocked entities (together, “Embargoed Targets”), including, without limitation, those of the United States, Switzerland and the European Union or its member states ((a) and (b) together, the “Sanctions Laws”). Each party warrants, represents and covenants that (c) it is not located, organized under, ordinarily resident in or acting on behalf of an Embargoed Target and (d) that it is not an Embargoed Target and is not owned or controlled by an Embargoed Target, as defined either expressly or substantively, by the Sanctions Laws.  Each party warrants, represents and covenants that it is not aware of any reason why it should be named on any list identifying Embargoed Targets maintained by implementing authorities of, without limitation, the United States, Switzerland or the European Union or member states thereof (together, “Lists”), as such Lists may be amended from time to time.  Each party agrees that it shall not (e) sell, directly or indirectly, resell or deliver any good, software or technology to an Embargoed Target, (f) transport any such item on any vessel or other carrier that is owned, operated, flagged or chartered by an Embargoed Target or (g) broker, finance or otherwise facilitate any sale or resale of any such item or transaction that would cause a violation of any Sanctions Law.  Each party agrees that it will provide immediately to the other party all information, including, without limitation, information concerning end customer, transit and final destination, shipping and intended end–use, to enable an assessment of compliance with the Sanctions Laws. 
If, in good faith, CBH believes that any action under this Agreement will likely cause a violation of the Sanctions Laws, nonperformance shall be excused and this Agreement may be terminated at CBH’s option.

7.4. Each Party undertakes that it shall not for the term of the Agreement and for a period of 2 years thereafter on its own behalf, or on behalf of any person directly or indirectly, canvass, solicit or endeavour to entice away from the other Party any person who has at any time during the term of the Agreement been employed or engaged by that Party.

7.5. If any of those representations and warranties may be affected at any time from the date of this Agreement, immediately, but no later than within 5 Business Days, the Company shall inform CBH of any changes, including regarding the Company Information, in particular changes regarding its legal form, address, bank data, significant changes in the privacy policy or terms and conditions of delivery of Goods.

7.6. Except as expressly stated in this Agreement, no representation, inducement or warranty was, prior to the execution of this Agreement, given or made by one of the Parties hereto with the intent of inducing the other Party to enter into this Agreement, and any representations, inducements or warranties that may have been so given are hereby denied and negated.

8. Liability

8.1. Neither Party (or either of its affiliates, directors, officers, employees, contractors or representatives) shall be liable for special, incidental or consequential damages or lost profits (however arising, including negligence) arising out of or in any way relating to this agreement, even if there was prior notice of the possibility of such damage arising.

8.2. In no event shall CBH or its affiliates, directors, officers, employees, contractors, or representatives be liable for an amount exceeding any amounts paid to CBH under this agreement in the 6 (six) months preceding the occurrence of facts that first give rise to any liability hereunder. The existence of more than one claim or event from which liability arises will not enlarge this aggregate limitation. This aggregate limit is a single, global limit that applies to CBH.

8.3. Neither CBH, nor its affiliates, directors, officers, employees, contractors, or representatives shall bear contractual or non-contractual liability for any delay or failure to perform its obligations under this Agreement to the extent that the delay or failure is caused by any of the following:

8.3.1. failure, interruption, infiltration or corruption of any hardware, software or other telecommunications or data transmission system; or

8.3.2. CBH’s belief that the Transaction is unauthorised or fraudulent or poses a security risk.

8.4. The Company shall during the term of this Agreement and after its termination continue to bear responsibility for the Chargebacks and other penalties, fees, and adjustments resulting in any way from receiving Services and all other amounts then due or which thereafter may become due under this Agreement.

8.5. Any compensation claim for faults or damages must be presented in writing by the Company to CBH within 60 (sixty) days after the occurrence of the alleged fault or damage. Otherwise the claim shall be considered invalid.

9. Indemnification

9.1. Company agrees to defend, indemnify and hold CBH harmless from any claim or demand (including reasonable legal fees) made or incurred by any third party due to or arising out of:

(a) Company’s breach of this Agreement;

(b) Company’s improper use of the Services;

(c) Company’s negligence or willful misconduct, and/or

(d) Company’s violation of Applicable Laws or the rights of a third party. 

10. Remedies

10.1. Each Party agrees that breach of this Agreement will give rise to irreparable injury for which:

(a) money damages may not be a sufficient remedy for any breach of this Agreement by such Party;

(b) the other Party may be entitled to specific performance and injunction and other equitable relief with respect to any such breach;

(c) such remedies will not be the exclusive remedies for any such breach, but will be in addition to all other remedies available at law or in equity; and

(d) in the event of litigation relating to this Agreement, if a court of competent jurisdiction determines in a final non-appealable order that one Party, or any of its representatives, has breached this Agreement, such Party will be liable for reasonable legal fees and expenses incurred by the other Party in connection with such litigation, including, but not limited to, any appeals.

11. Intellectual property

11.1. CBH or its licensors own the Proprietary Information.

11.2. Except as expressly stated herein, this Agreement does not transfer any right, title or interest in the Services or the Proprietary Information to the Company.

11.3. The Company acknowledges that the unauthorised use or release of the Proprietary Information or any part thereof, except as provided herein, would result in damages to CBH, which could not be adequately compensated for in damages by monetary award.

11.4. CBH grants to the Company a limited, revocable, non-exclusive, non-transferable, worldwide right to use the Services and the Proprietary Information, solely for the Company’s own internal business purposes and subject to the terms of this Agreement.

11.5. The Company acknowledges that it is prohibited from any use, reproduction, decompilation, reverse engineering, modification or distribution of any Proprietary Information that is not expressly authorised in this Agreement. The Company may not sell, resell, assign or otherwise transfer rights to CBH Services or any Proprietary Information.

12. Confidentiality

12.1. Each Party agrees to maintain all Confidential Information of the other Party in confidence to the same extent that it protects its similar confidential information and to use such Confidential Information only as permitted under the Agreement. Each Party agrees to take all reasonable precautions to prevent any unauthorised disclosure or use of the Confidential Information of the other Party including, without limitation, disclosing such Confidential Information only to its employees or contractors with a need to know and who are parties to appropriate agreements sufficient to comply with this section.

12.2. The obligation of confidentiality shall extend for a period of three years after the termination of this Agreement, but shall not apply with respect to information that lawfully becomes a part of the public domain, or of which the Parties gained knowledge or possession free of any confidentiality obligation.

13. Governing law and dispute resolution

13.1. This Agreement shall be governed by the Applicable Law. Each Party to this Agreement irrevocably agrees that the courts of England shall have exclusive jurisdiction to hear, settle and/or determine any dispute, controversy or claim (including any non-contractual dispute, controversy or claim) arising out of or in connection with this Agreement, including any question regarding its existence, validity, formation or termination. For these purposes, each Party irrevocably submits to the jurisdiction of the English courts.

14. Entire agreement

14.1. This Agreement represents the entire understanding of the Parties concerning the subject matter hereof and supersedes any other prior or contemporaneous agreements or understandings, whether written or oral.

14.2. If any provision of the Agreement is found by a proper authority to be unenforceable or invalid, such unenforceability or invalidity shall not affect the other provisions of this Agreement, and this Agreement shall be construed as if such unenforceable or invalid provision had never been contained herein.

15. Set-Off

15.1. CBH or its Affiliate may at any time, without notice to Company, deduct, recoup or set-off any liability of Company or its Affiliate to CBH or its Affiliate against any liability of CBH or its Affiliate to Company or its Affiliate, whether either liability is present or future, liquidated or unliquidated, and whether or not either liability arises under this Agreement. If the liabilities to be set off are expressed in different currencies, CBH or its Affiliate may convert either liability at a market rate of exchange for the purpose of set-off. Any exercise by CBH or its Affiliate of its rights under this clause shall not limit or affect any other rights or remedies available to it under this Agreement or otherwise.

16. Assignment

16.1. This Agreement will bind and inure to the benefit of each Party’s permitted successors and assigns.

16.2. Partner may not assign the rights and obligations under this Agreement without the written consent of CBH.

16.3. CBH may assign the rights and obligations under this Agreement.

17. Notices

17.1. All communication, notices or reports permitted or required under this Agreement shall be in writing and in English.

17.2. All notices shall be by personal delivery, nationally recognized overnight courier service or by certified or registered mail, return receipt requested or by email, stated herein, and shall be deemed given upon the earlier of actual receipt or 1 (one) day after deposit with the courier service, 5 (five) days after deposit in the mail, or receipt by sender of confirmation of electronic transmission or on the date when the email has been sent. Notices shall be sent to the addresses set forth herein or such other address as either Party may specify in writing.

18. Execution

18.1. This Agreement may be executed in two or more counterparts in English (which both Parties understand properly), all of which when taken together shall be considered one and the same agreement and shall become effective when counterparts of the Schedule have been signed by each Party and delivered to each other Party, it being understood that the parties need not sign the same counterpart. In the event that any signature is delivered by facsimile transmission or by e-mail delivery of a “.pdf” format data file, such signature shall create a valid and binding obligation of the Party executing (or on whose behalf such signature is executed) with the same force and effect as if such facsimile or “.pdf” signature page were an original thereof.

18.2. The Agreement can be accepted and thus executed in electronic form (e.g., by an electronic or other means of demonstrating assent) and Company’s acceptance will be deemed binding between the Parties. The Company cannot contest the validity or enforceability of this Agreement, including under any applicable statute of frauds, because it was accepted or signed in electronic form. Electronically maintained records when produced in hard copy form shall constitute business records and shall have the same validity as any other generally recognized business records.

18.3. For the avoidance of doubt, should either party fail to sign this Agreement, and despite the lack of signature by authorized signatory of the Company, the Services under this Agreement are still provided by CBH to the Company, the performance of the Services shall constitute the Company’s acceptance of the terms and conditions of this Agreement. The following may further, inter alia, confirm the Company’s acceptance of this Agreement:

(a) completing integration with CBH through the Technical Solution;

(b) starting receiving Services through the Technical Solution;

(c) payment of the Fees by the Company to CBH for the Services; and

(d) other activities, conducted by the Company and/or CBH, reflecting the performance of this Agreement.

19. Term and termination

19.1. The term of this Agreement shall commence on the Effective Date and shall continue until terminated by either Party upon 30 (thirty) days’ notice in writing to the other Party.

19.2. Without derogating from the aforesaid, CBH may terminate this Agreement immediately:

(a) if the Company fails to perform any obligation required under this Agreement and does not remedy such breach within 5 (five) days from a written request to such effect made by CBH;

(b) if CBH reasonably suspects or believes that the Company is using the Services in connection with any unauthorised, dishonest or criminal activities or upon notice from the Card Schemes that the Company is suspended or violated any of their rules;

(c) if CBH is required to do so by any Card Schemes or regulatory authority.

(d) If the Company becomes insolvent, fails to pay its debts due to CBH, makes a general assignment for the benefit of creditors, commences procedures for voluntary winding up, suffers or permits the appointment of a receiver for its business assets, or is wound up or liquidated, voluntary or otherwise.

19.3. In case the Agreement is terminated by any Party, all Fees due to CBH under the Agreement shall become payable the day before such termination of the Agreement.

19.4. Any termination of this Agreement shall not relieve the Company from any liability arising prior to the termination of this Agreement. 

20. No agency

20.1. It is agreed and understood that either Party is not the agent or representative of the other Party and has no authority or power to bind or contract in the name of or to create any liability against the other Party in any way or for any purpose. Nothing contained herein shall be construed to create a partnership or joint venture between the Parties.

21. Expenses

21.1. Notwithstanding any other provision in this Agreement to the contrary, in no event will CBH be obligated to pay any expenses, fees, costs or other amounts to any subcontractor, person, or entity under this Agreement.

22. No waiver

22.1. No failure or delay by either Party in enforcing any provision of this Agreement will be deemed a waiver of such Party’s ability to enforce the same provision of this Agreement at a future date. 

23. Force majeure

23.1. The Parties shall not be responsible for any failure to perform its obligations under this Agreement if such failure is caused by acts of God, war, terrorism, civil insurrection, acts of militia or military, strikes, revolutions, lack or failure of transportation or communications facilities, changes to the Applicable Law, or other causes that are beyond Parties’ reasonable control. In the event of such a failure, Parties’ obligations shall be suspended until such time as the cessation of all causes of such failure.

24. Survival

24.1. The following sections shall survive termination of this Agreement: Intellectual Property, Confidentiality, Term and Termination, and Definitions, as well as any other terms which by their nature should survive termination of this Agreement.

Schedule B to the Alert Services Agreement
Interpretations and Definitions

1. Interpretations

1.1. In this Agreement, unless the context otherwise requires:

(a) headings are for convenience only and do not affect the interpretation of this Agreement;

(b) words denoting the singular include the plural and vice versa;

(c) a reference to a person includes a reference to any individual or legal entity and any governmental authority;

(d) if the numeric and literal versions of a number differ – the literal version shall have precedence;

(e) a reference to a specific Clause, Subsection, Annex, Schedule or Preamble is a reference to the applicable Clause, Subsection, Annex, Schedule or Preamble hereof;

(f) references to any law or normative act shall include any changes, amendments, supplements or substitutions of such law or normative act (in whole or in part);

(g) a reference to any agreement or document is a reference to that agreement or document as may be amended, novated, supplemented, extended or restated, however, to the exclusion of any amendments and supplements made in breach of this Agreement; and

(h) a reference to a party to any document (including to this Agreement) includes that party’s successors and permitted assigns.

2. Definitions

Account Balance means a bank or other third-party financial institution, which has a contractual relationship with the Company, in connection with which it enables the Parties to accept payments by End Users and receive value in relation to such payments.
Acquirer means a bank or other third-party financial institution, which has a contractual relationship with the Company, in connection with which it enables the Parties to accept payments by End Users and receive value in relation to such payments.
Agreement means the respective Agreement entered into on the date stated on the first page of the respective Schedule by and between CBH and the Company.
Anti–Corruption Laws means the U.S. Foreign Corrupt Practices Act (“FCPA”) and any other applicable anti–bribery and anti–corruption laws and regulations, including, without limitation, any laws intended to implement the OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions, signed in Paris on December 17, 1997 (the “OECD Convention”).
Applicable Law means the Law of England and Wales. Where context requires, the Applicable Law shall include Card Scheme Rules, Anti-Corruption Laws, Data Protection Laws, any transnational, domestic or foreign federal, state or local law (statutory, common or otherwise), constitution, treaty, convention, ordinance, code, rule, regulation, order, injunction, judgment, decree, ruling or other similar requirement enacted, adopted, promulgated or applied by a respective governmental authority that is binding upon or applicable to Parties, as amended unless expressly specified otherwise.
Business Day means each day on which the banks are open for business in Cyprus.
BIN means the Bank Identification Number (BIN) that is used to clear and settle the transaction within Card Schemes and the country in which it is licensed for use.
CAID means the Card Acceptor ID which is a numeric string that identifies a store location or transaction point and is provided by the Company’s Acquirer.
Card means a credit, debit, pre-paid, charge or purchase or other card issued by a Card Scheme and any other cards in relation to which CBH is able and has agreed to provide the Services (as notified by CBH to the Company from time to time).
Cardholder means a person or an entity:
(a) to whom the Card is issued and whose name is embossed or imprinted on the face of the Card, and/or
(b) other authorised user of the Card.
Card Scheme Rules means the rules of Card Schemes (in particular MasterCard and/or Visa), which regulate the use of their trademarks, processing of the Transactions, the refunds and Chargebacks requirements for the Cards’ acceptance on the Internet, etc. Information on the rules of Card Schemes is available on their public websites.
Card Schemes means Visa, MasterCard, American Express, JCB, Diners, Discover and/or such other organisation governing the issuance and use of Cards including, but not limited to their respective members, as may be approved and notified by CBH to the Company in writing from time to time.
Chargeback means any End User charge, which is identified as being invalid or non-collectable after initial acceptance, on account of fraud, lost, cancelled, unissued, or invalid account identification, an unresolved End User complaint, or other cause.
Company Information means all information reasonably requested by CBH and provided by the Company necessary for the KYC processes with Acquirers and proper provision of the Services.
Confidential Information means the information, including the Proprietary Information, about existence of this Agreement, its peculiarities, and relations between the Parties and any information or material:
(a) concerning this Agreement, either Party’s internal business, employees, policies and/or actual or potential customers; or
(b) which derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by other persons who can obtain economic value from its disclosure or use.
Provided, however, that the Confidential Information excludes any information or material:
(a) which is or subsequently becomes to the general public other than through a breach by the receiving Party;
(b) which is already known to the receiving Party before disclosure by the disclosing Party;
(c) which is independently developed by the receiving Party without use or reference to the Confidential Information of the other; or
(d) which the receiving Party rightfully receives from third parties without restriction as to use or disclosure.
Credit Limit means the maximum negative Account Balance defined in Schedule(s) to this Agreement that CBH allows the Company to incur before payment is required.
Data Controller means Company
Data Processor means CBH
Data Protection Laws means all applicable laws, statutes, regulations, ordinances, codes, rules, guidance, orders or any other legal entitlement issued by any governmental body governing the collection, use, transfer, and disclosure of Personal Data, including, if applicable, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
Effective Date means the date of the Agreement, stated on the first page of the Schedule A to this Agreement, executed by the Parties.
End User means:
(a) the Cardholder, and/or
(b) another person who makes a payment for Goods to Company.
Fees means the consideration payments under this Agreement that are paid by Company to CBH and that are defined in Schedule(s) to this Agreement.
Goods means Company’s products and/or services that are sold or agreed to be sold in connection with a Transaction and which have been approved by CBH (Goods shall also include, but is not limited to, the payment flow, terms of use, business model, nature of business, projected monthly turnover, average and maximum Transaction’s amount, geo and other terms and conditions of the sale of Goods).
H2H payment flow means the payment flow, where the collection of Transaction’s data is done and controlled by Company via its technical solution, which is compliant with PCI DSS.
Issuer means the bank or other financial institution that has a contractual relationship with the Cardholder and that issues the Cards to the Cardholders.
Limits means certain Chargeback, fraud or other limits (ratios), as updated from time to time, that Card Schemes may impose.
MID means merchant identification number, a unique code assigned to a respective merchant account provided to Company by its payment service provider.
Parties means CBH and the Company.
PCI DSS means Payment Card Industry Data Security Standards as released from time to time by the Security Standards Council.
Proprietary Information means all right, title and interest, including without limitation any patent, copyright, design, trade name, trademark, service mark or other intellectual property right (whether registered or not) including without limitation ideas, concepts, know-how, techniques, designs, specifications, drawings, blueprints, tracings, diagrams, models and other information relating to any such intellectual property and other intellectual property rights, in and in relation to the Services and all components used in the provision thereof, including without limitation, the Technical Solution, any software delivered to the Company, any technology embodied or implemented in the Services, any computer code provided by CBH for the Company’s websites and computer networks, business methods, business processes, website designs, graphics, text, content, trade names, trade secrets and know-how, and all documentation in relation to the foregoing, used in the provision of the Services.
Representatives means the beneficial owners, principals, officers, authorized representatives, and employees.
Services means a complex of technical and organizational chargeback prevention services that enable a Company to resolve Cardholder’s billing disputes directly, before they are escalated to Chargebacks, through Technical Solution.
Sub-Processor means the third party that may process personal data on behalf of Data Processor’s obligations under the Agreement. Data Processor shall ensure that Sub-Processors comply with substantially same obligations as Data Processor under this Agreement. Data Processor remains responsible at all times for compliance with the terms of this Agreement.
Technical Solution means a technical solution offered by CBH to the Company for the purpose of facilitating Transactions by the transfer of information between the Company and the Acquirer (and other third-party service providers, if applicable). Technical Solution includes technical platform (including its designs), manner of integration between the Company and CBH, collection of Card and/or other Transaction data, processing them to obtain appropriate authorization, and sending the authorized Transaction data, same as the data on requested Chargebacks, for the settlement.
Transaction means any payment by a Card or refund for payment of Goods sold to End Users by the Company, regardless whether the Transaction is approved or declined.
Threatening Condition means the Company’s conduct including, without limitation, transmitting harmful, inaccurate or incomplete data to CBH and/or its partners or contractors, poses a threat to the systems, services, equipment, processes or intellectual property of CBH and/or its partners or contractors.
Top Up Method means any payment instrument or funding mechanism accepted by CBH and designated by the Company to add funds to the Account Balance or to pay amounts due, including without limitation payment cards, direct debit, e-money/wallets, or other payment methods that CBH supports from time to time.
Website means website(s), domain(s), sub-domain(s) and IT environments owned and operated by the Company where the Company accepts or states that it will accept, Transactions through the Technical Solution in relation to Goods which are purchased by End Users; the initial Website(s) being those which have been presented to and approved by CBH, together with any future Website(s) presented to and approved by CBH.

Schedule C to the Alert Services Agreement
Data Processing Agreement

This Data Processing Agreement (the “DPA”), presented below, is the part of the Agreement between the Company (the “Data Controller”) and the Provider (the “Data Processor”) that has the reference to this DPA and forms an integral part of the Agreement.

1. Definitions

The following definitions shall apply in this DPA in addition to others defined in the Agreement; and, for the avoidance of doubt, in the event of any inconsistency or conflict, the applicable special definitions below shall supersede and/or amend the definitions in the Agreement.

Data Controller means the party that has authority over the processing of Personal Data, determining the purpose for its use and the manner that it is processed.
Data Processor means the party that processes Personal Data on behalf of, and under the instruction of, the Data Controller.
Data Protection Authority means the official body that ensures compliance with the Data Protection Laws within its applicable jurisdiction.
Data Subject means the directly or indirectly identified or identifiable person to whom the Personal Data relates.
Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
Data Protection Laws means all applicable laws, statutes, regulations, ordinances, codes, rules, guidance, orders or any other legal entitlement issued by any governmental body governing the collection, use, transfer, and disclosure of Personal Data, including, if applicable, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
Employees means employees, officers, consultants, suppliers, freelancers and individual subcontractors.
Personal Data means any information regulated by Data Protection Laws, including information concerning an identified or identifiable individual, such as, name, address, age, gender, email address, etc., that is processed by the Data Processor on behalf of the Data Controller as a result of, or in connection with, the provision of the Services under the Agreement.
Processing means either any activity that involves the use of Personal Data or as the Data Protection Laws may otherwise define processing, processes or process. It includes any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. Processing also includes transferring Personal Data to third parties.
Standard Contractual Clauses (“SCC”) means contractual clauses established by the European Commission concerning the international transfer of Personal Data, as set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 04 June 2021.
Sub-Processor means the third party that may process personal data on behalf of Data Processor’s obligations under the Agreement. Data Processor shall ensure that Sub-Processors comply with substantially same obligations as Data Processor under this Agreement. Data Processor remains responsible at all times for compliance with the terms of this Agreement.

2. General provisions

2.1. The Company attests that it is the Data Controller of Personal Data within the meaning of the Data Protection Laws and the Provider determines that it will be acting as a Data Processor in respect of the Personal Data that is the subject of the Agreement.

2.2. Personal data processing shall be entrusted to the Data Processor for the purposes and period of the performance of the Agreement and/or until no further processing is required by the Agreement or Applicable Law.

2.3. The subject matter, duration, nature and purpose(s) of the processing of Personal Data, as well as type of Personal Data and categories of Data Subjects are specified in Annex A.

2.4. The Data Processor shall refrain from processing Personal Data that is beyond the scope set forth in Annex A.

2.5. In case the Data Processor receives additional information that is not needed to fulfil the Agreement, it must inform the Data Controller immediately and stop the processing of the additional Personal Data.

3. Instructions

3.1. The Data Processor shall process the Personal Data only on instructions from the Data Controller and for no other purpose than the purpose(s) defined in Annex A.

3.2. The Data Processor shall inform the Data Controller if, in its opinion, an instruction infringes the Data Protection Laws. The processing of the Personal Data required in said instruction shall be delayed.

3.3. If the Data Processor is required to transfer Personal Data to a law enforcement agency, it shall inform the Data Controller of that legal requirement before processing the Personal Data, unless that law prohibits such information on important grounds of public interest.

4. Technical and organisational measures

4.1. The Data Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk before starting to process Personal Data.

4.2. In assessing the appropriate level of security, the Data Processor shall take into account the risks that are presented by Processing Personal Data, in particular risks arising from a Data Breach.

4.3. The Data Processor undertakes to ensure the security of Personal Data entrusted for personal data processing in accordance with the Data Protection Laws and industry practices, in particular, to formulate and apply appropriate documentation and procedures for personal data processing, as well as technical, informational and legal security measures, as required by the Data Protection Laws, including inter alia:

4.3.1. the pseudonymisation and encryption of personal data;

4.3.2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

4.3.3. the ability to restore the availability and access to personal data in a timely manner in the event of technical problems or any other incident;

4.3.4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of personal data processing.

4.4. The Data Processor or its representative shall maintain a record (in writing or electronic form) of all categories of processing activities carried out on behalf of the Data Controller, containing:

4.4.1. the name and contact details of the Data Processor or its Sub-Processors and of the Data Controller, and, where applicable, of the Data Controller’s or the Data Processor’s representative, and the data protection officer;

4.4.2. the categories of Personal Data processing carried out on behalf of the Data Controller;

4.4.3. where applicable, transfers of Personal Data to a third country or an international organisation, including the identification of that third country or international organisation and including, where applicable, the documentation of suitable safeguards;

4.4.4. where possible, a general description of the technical and organisational security measures.

5. Data processor’s employees

5.1. The Data Processor shall ensure that all Employees with access to the Personal Data, are legally bound by confidentiality obligations during and after the termination of the DPA, including after the termination of their employment and/or other contractual arrangements with the Data Processor.

5.2. The Data Processor shall provide access to Personal Data to its Employees on a need-to-know basis only and shall make sure that the Employees are aware and compliant with the DPA, Data Controller’s written instructions and the Data Protection Laws.

5.3. The Data Processor shall keep records of persons authorised for Personal Data processing.

5.4. The Data Processor shall train its Employees involved in the processing of the Personal Data to comply with the Data Protection Laws and with the requirements established in this DPA.

6. Sub-processors

6.1. Data Controller authorizes Data Processor to appoint (and permit each Sub-Processor appointed in accordance with this clause 6 to appoint) Sub-Processors in accordance with this clause 6 and any restrictions in the Agreement.

6.2. The Data Controller hereby grants general written authorization to the Data Processor to engage an additional or replace existing Sub-Processors for the processing of the Personal Data under the Agreement. Upon request of the Data Controller, the Data Processor will provide a list of such Sub-Processors. The Data Controller has the right to object to any Sub-Processor. The objection shall be made by written communication within 10 business days after receipt of requested list of Sub-Processors. The Data Processor shall use reasonable efforts to replace the Sub-Processor.

6.3. Where the Data Processor engages Sub-Processors, the Data Processor shall ensure that Sub-Processors comply with data protection obligations compatible with those of the Data Processor under this clause 6 as applicable to their processing of Personal Data. The Sub-Processor in particular shall provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the Data Protection Laws. Where a Sub-Processor fails to fulfil its data protection obligations, the Data Processor shall remain fully liable to the Data Controller for the performance of that Sub-Processor’s obligations.

7. Data breaches

7.1. The Data Processor shall notify the Data Controller on Data Breach without undue delay. The notification shall include:

7.1.1. Description of the Data Breach, including, if possible, the categories of data and records concerned, the category and number of Data Subjects affected;

7.1.2. Likely consequences of the Data Breach;

7.1.3. Measures taken or proposed to address and/or mitigate the effects of the Data Breach.

7.2. The Data Processor shall, without undue delay, take all urgent measures as are agreed by the Parties or necessary under the Data Protection Laws, to investigate, mitigate and remedy the Data Breach and to protect the Personal Data.

7.3. Each Party needs the prior approval of the other Party to include and identify it in the breach notifications. The other Party should not delay or withhold the approval without a reasonable cause.

8. Cooperation

8.1. Upon request, the Data Processor shall assist the Data Controller to comply with its obligations under the Data Protection Laws when related to the processing of the Personal Data, including but not limited to:

8.1.1. Data Breaches;

8.1.2. data protection impact assessments (DPIA);

8.1.3. consultations with the Data Protection Authority; and

8.1.4. enquiries, complaints, audits, or claims from any court, government official, or Data Protection Authority.

8.2. Taking into account the nature of the processing, the Data Processor shall assist the Data Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the Data Subject’s rights laid down in the Data Protection Laws.

8.3. The Data Processor shall make available to the Data Controller all information necessary to comply with its obligations under the DPA and the Data Protection Laws.

8.4. The Data Processor shall notify the Data Controller of any requirements from an official authority as soon as possible.

8.5. The Data Processor shall assist the Data Controller in fulfilling its obligations concerning the requests to exercise Data Subject rights under the Data Protection Laws.

8.6. The Data Processor shall promptly transfer to the Data Controller any request received from the Data Subjects and shall inform the Data Subjects that they can direct their requests directly to the Data Controller. The Data Processor will only handle the requests of the Data Subjects according to the Data Controller’s instructions.

9. Audit

9.1. Upon prior notice and no more than once a year, the Data Controller has the right to conduct an audit to verify the Data Processor’s compliance with the DPA.

9.2. The Data Processor shall make available to the Data Controller documentation necessary to demonstrate compliance with this DPA and Data Protection Laws, in particular, to provide information about appropriate technical and organizational measures that have been implemented.

9.3. The Data Controller shall schedule the audit with the Data Processor at least 2 weeks in advance. The Parties shall agree upon the scope, the timing, and the duration of the audit.

9.4. The audit might be carried out by the Data Controller directly or by a third-party auditor appointed by the Data Controller. The Data Processor has the right to object to the use of a particular third-party auditor, if it could be considered a competitor of the Data Processor.

10. Cross-border transfer of personal data

10.1. The Data Processor may transfer or otherwise process Personal Data outside the European Economic Area (“EEA”) without obtaining the Data Controller’s prior written consent.

10.2. The Data Processor may only process, or permit the processing, of Personal Data outside the EEA under the following conditions:

10.2.1. the Data Processor is processing Personal Data in a territory in relation to which the European Commission has made an adequacy decision; or

10.2.2. the Parties have executed Standard Contractual Clauses.

10.3. If the transfer requires execution of the SCC, the unchanged version of the SCC shall be deemed incorporated by reference hereto and completed as follows:

10.3.1. Module Two will apply;

10.3.2. in Clause 7, the optional docking clause will apply;

10.3.3. in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes shall be at least 5 (five) business days;

10.3.4. in Clause 11, the optional language will not apply;

10.3.5. in Clause 17, Option 1 will apply, and the SCC will be governed by the law of Ireland;

10.3.6. in Clause 18(b), disputes shall be resolved before the courts of Ireland;

10.3.7. Annex I of the SCC shall be deemed completed with the information set out in Annex A to this DPA and in the Agreement, Data Controller is the data exporter, Data Processor is the data importer;

10.3.8. Annex II of the SCC shall be deemed completed with the information set out in Annex B to this DPA and in the Agreement.

11. California consumers privacy rights

11.1. This Clause 11 is applicable to processing of Personal Information of Consumers. The terms “Personal Information” and “Consumer” shall have the meanings stipulated in the California Consumer Privacy Act of 2018, as amended from time to time (“CCPA”).

11.2. The Data Processor shall not retain, use, or disclose Personal Information for any purpose other than for the specific purpose of performing the services specified in the Agreement.

11.3. The Data Processor shall not retain, use, or disclose Personal Information for a commercial purpose other than providing the services specified in the Agreement.

11.4. The Data Processor shall not retain, use, or disclose Personal Information outside of the direct business relationship between the Data Processor and the Data Controller.

11.5. The Data Processor shall refrain from selling Personal Information, as the term “sell” is defined in the CCPA.

11.6. The Data Processor certifies that it understands the restrictions in Clauses 11.2 – 11.5 hereof and will comply with them.

12. Termination

12.1. Termination of this DPA shall not affect Parties’ accrued rights and obligations before or at the date of termination.

12.2. Upon the termination of the Agreement, whereby no further processing is required by the Agreement or Applicable Law, the Data Processor shall promptly return or irrevocably delete or remove the Personal Data.

12.3. The Data Processor may retain Personal Data to the extent required by Applicable Law and only to the extent and for such period as required by Data Protection Laws and always provided that Data Processor shall ensure the confidentiality of such Personal Data and shall ensure that such Personal Data is only processed as necessary for the purpose(s) specified in the Data Protection Laws requiring its storage and for no other purpose.

13. Miscellaneous

13.1. In the case of conflict or ambiguity between:

13.1.1. any provision of the DPA and any other provision of the Agreement, the provisions of the DPA shall prevail;

13.1.2. any provision of this DPA and the SCC, the provisions of the SCC shall prevail.

Annex A to Schedule C
Details of Personal Data Processing

Subject matter of the processing of Personal Data: The subject-matter of the data processing assignment is to enable the Company to resolve Cardholder’s billing disputes directly, before they are escalated to Chargebacks, through Technical Solution.
The nature of the processing of Personal Data: The scope of personal data processing shall include the following operations performed on the personal data: collecting, recording, storing, transferring, preparing, amending, making the data available, profiling with the use of personal data, deleting personal data both in paper form, as well as in the IT systems required for the provision of Services and for other purposes as may be required under the Agreement.
The nature and purposes of the processing of Personal Data: The Personal Data shall be processed to the extent necessary for provision of the Services by the Data Processor under the Agreement, namely, enabling the Company to resolve Cardholder’s billing disputes directly, before they are escalated to Chargebacks, through Technical Solution and other services offered by the Data Processor to the Data Controller.
The frequency and duration of the processing of Personal Data: The Personal Data shall be processed on a continuous basis until no further processing is required by the Agreement or Applicable Law.
The categories of Data Subjects and Personal Data: The types of personal data which will be processed by Data Processor under this Agreement may include the following categories of personal data of End Users:
name;
date of birth;
phone number;
IP address;
email address;
length of customer relationship;
device;
postal address; and
data concerning transactions and payments, including, but not limited to, order details.
The obligations and rights of Data Controller: The obligations and rights of Data Controller are set out in the Agreement and this DPA.
List of Parties: The data exporter is the Data Controller and the address, contact details and activities relevant to the data transferred under the SCC are as provided in the Agreement.
The data importer is the Data Processor and the address, contact details and activities relevant to the data transferred under the SCC are as provided in the Agreement.
Data Protection Authority: Office of the Commissioner for Personal Data Protection.

Annex B to Schedule C
Technical and Organizational Security Measures

Pseudonymisation and encryption of Personal Data: Data Processor stores all Personal Data in encrypted form. Encryption and use are done by the HSM mechanism.
Ongoing confidentiality, integrity, availability and resilience of processing systems and services: Data Processor ensures:
– regular vulnerability scanning,
– administrative access is allowed only through bastion sites,
– access to systems is differentiated by the roles,
– encryption keys are changed, and key and data access are reviewed on a regular basis. It is also possible to re-encrypt data in case of incidents.
The ability to restore the availability and access to data in the event of a physical or technical incident: Data Processor maintains a recovery plan and ensures its periodic review and verification.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures: Data Processor maintains a plan of periodic events: Daily, Weekly, Quarterly, Biannually, Annually, After Changes. All operations are audited annually.
User identification and authorisation: Roles, personalized accounts and 2MFAs are used to access system management and administration. A policy on password complexity and frequency of password replacement is also applied. The duration of an inactive session is limited.
Personal Data protection during transmission: Personal Data are transferred between systems using HTTPS TLS1.2 protocol.
Personal Data protection during storage: Database storage and backups are encrypted with AES-256-GCM HSM keys.
Physical security of locations at which Personal Data are processed: The Personal Data are stored on the AWS servers. The physical security of storage locations provided by AWS is compliant with standards: HIPAA/HITECH, FedRAMP, GDPR, FIPS 140-2, and NIST 800-171.
Events logging: Operational events are recorded in persistence storage and monitored 24/7. Infrastructure events are captured by AWS.
Internal IT and IT security governance and management: Internal security policies are maintained and regularly updated.
Limited data retention: Storage systems and procedures are maintained to ensure timely deletion of Personal Data.