Legal Process Guidelines
Government, Law Enforcement, and Civil Litigants within the United States
The purpose of this document is to provide guidance to law enforcement and civil litigants seeking records from Network Merchants, LLC (“NMI”). These Guidelines do not create any obligation or enforceable right against NMI, nor do they constitute legal advice or a waiver of any objection by NMI. These Guidelines and NMI’s policies may be updated in the future without further notice.
Protecting the privacy of all who rely on our services is paramount to us. To this end, NMI requires valid and binding legal process before disclosing data, except in emergencies, where lawful consent has been provided, or in other circumstances in NMI’s sole discretion and consistent with applicable law. We review all legal process for authenticity, facial validity, and legal sufficiency, including by ensuring the form of legal process is sufficient under applicable law to obtain the type of data requested. NMI reserves the right to object to requests that do not comply with applicable laws.
1. About NMI
NMI is a global leader in embedded payment solutions – we are not a bank. Our payment software tools enable thousands of partners that serve merchants around the world and across the commerce ecosystem. Our products and solutions include industry-leading payment gateway technology and our seamless merchant underwriting, acquiring, onboarding and management platform and more.
Because NMI is not a bank, we do not hold funds nor manage bank accounts, and we cannot freeze assets and cannot process garnishment requests. Banking services are provided by Merrick Bank, Member FDIC.
2. General Requirements for Law Enforcement Requests and Civil Requests
All legal process must be:
- addressed to Network Merchants, LLC;
- dated and signed by an attorney, government official, or judicial officer (as applicable);
- assembled in the complete form as issued by the competent authority and issued on government letterhead or with a caption that identifies the court that issued the process and the case/docket number; and
- issued under the authority of a court with jurisdiction over NMI.
- State law enforcement and state civil litigants outside of Illinois and Delaware generally must domesticate their legal process in Illinois or Delaware, where the company is headquartered and incorporated, respectively. If you believe your request is binding on NMI and need not be domesticated, please identify the legal basis for your position.
Additionally, all legal process must identify:
- Sufficient information for NMI to locate the relevant business and/or individual whose data is being requested.
- Names, dates of birth, and social security numbers alone cannot be used to accurately locate responsive data. Accordingly, please include additional identifying information, including but not limited to email address, physical address, Gateway IDs, and/or transaction IDs, to the extent available.
- The specific types of data requested (see Section 5) and the applicable date range for the request;
- The legal basis for the request; and
- How and to whom the responsive data should be produced.
3. Law Enforcement Requests
a. Service of Preservation Requests, Data Requests, and Testimony Requests
Preservation requests and requests seeking the production of data must be submitted in PDF format to NMI at legalnotices@nmi.com. Acceptance of legal process via email is for convenience only and does not waive any objections, including lack of jurisdiction or proper service.
Requests that include a demand for witness testimony must be personally served on NMI at its Illinois offices. For more information about testimony requests, please see Section 6.
b. Preservation Requests
NMI will preserve data for 90 days upon receipt of a formal preservation request from law enforcement in connection with an official criminal investigation and pending the issuance of a court order or other legal process. Law enforcement may request one extension of the preservation request for an additional 90 days. If law enforcement agents do not request an extension before the expiration of the initial 90-day preservation period and/or do not serve NMI with compulsory legal process before the expiration of the preservation period, the preserved information will be deleted after the preservation period expires. It is the responsibility of law enforcement to track the expiration date for a preservation request and notify NMI of any request to extend the preservation period.
Preservation requests must be sent on official law enforcement letterhead, signed by a law enforcement official and must include sufficient identifiers for the entity and/or individual whose data is requested to be preserved (see Section 2) and a statement that steps are being taken to obtain a court order or other legal process for the data sought to be preserved.
c. Emergency Disclosure Request Procedures
If law enforcement believes there is an ongoing emergency involving an imminent threat of death or serious bodily harm to a person, please complete the NMI Emergency Disclosure Request form and submit it to us at legalnotices@nmi.com. The subject line of the email should include “Emergency Request.” We review these requests on a case-by-case basis.
Please note that we will only review and respond to emergency requests from law enforcement. We will not respond to emergency requests sent to this address by non-law enforcement officials.
4. Civil Requests
a. Service and Jurisdiction Requirements
Except for requests related to bankruptcy proceedings, all civil requests, including requests for records and/or testimony, must be personally served on NMI at its Illinois offices. Civil requests related to bankruptcy proceedings may be submitted via email at legalnotices@nmi.com.
All state civil requests must be properly domesticated in Illinois or Delaware.
b. Bankruptcy Requests
Please note NMI is not a bank, and therefore we do not hold funds or manage bank accounts, and we cannot freeze assets and generally cannot process garnishment requests. Accordingly, please consider whether NMI is the appropriate recipient of your request or whether it should be directed to NMI’s sponsor bank, Merrick Bank (Member FDIC), or another entity.
5. Information That May Be Available
Our Privacy Policy sets forth the categories of information that may be available from us. However, the information we may have for a particular request depends on whose data is being requested and which of our services they have used. We cannot guarantee the availability of any information. We retain data in accordance with our Privacy Policy.
Absent exigent circumstances or other lawful exceptions, certain categories of information may only be obtained pursuant to a court order or a search warrant.
6. Witness Testimony Requests
NMI provides a business record certification with its productions, which generally eliminates the need for live testimony to authenticate records. Should you believe that a custodian of records is still necessary to provide testimony, we require domestication of all state subpoenas pursuant to, as applicable, the Uniform Act to Secure the Attendance of Witnesses from Within or Without a State in Criminal Proceedings, 735 Ill. Comp. Stat. 220/1, et seq., or the Uniform Interstate Depositions and Discovery Act, 735 Ill. Comp. Stat. 35/1, et seq. All subpoenas seeking witness testimony must be personally served on NMI at its Illinois offices.
NMI does not provide expert witness testimony.
7. Notice Policy
We reserve the right to notify people who use our service of requests for their information prior to disclosure, unless we are prohibited by law from doing so or in exceptional circumstances as determined in our sole discretion.
8. Cost Reimbursement
We reserve the right to seek reasonable reimbursement costs for responding to requests for information.
DMCA Notice
Network Merchants, LLC (dba NMI) strongly respects copyright protections. We will respond as promptly as possible to any reports of copyright infringement on our primary and supplemental websites. NMI works within the guidelines of the US Digital Millennium Copyright Act (“DMCA”) to address and rectify any and all reports and instances of copyright infringement.
Infringement Reporting Procedure. To report copyright infringement, please email all of the below required information, in written English, to ComplianceDepartment@nmi.com:
i. Signature (hand-signed or electronic) of the owner, or a person authorized by the owner, of a copyright that is allegedly infringed.
ii. Identification of the original copyrighted work that is allegedly infringed, including website address / URL, location on the webpage, type of material (such as whether it is text, a photo, or both), a description of the work, and any other relevant information, sufficient for NMI to identify it.
iii. Identification of the material in an NMI website or display that is allegedly infringing upon the work from point ii. above, including website address / URL, location on the webpage, type of material (such as whether it is text, a photo, or both), a description of the work, and any other relevant information, sufficient for NMI to identify it.
iv. Statement that the complaining Party has a good faith belief that use of the material in the manner complained of is not authorized by the copyright owner, its agent, or the law.
v. Contact information for the complaining Party, including email address, mailing address, and phone number.
vi. Statement that the information in the notification is accurate, and under penalty of perjury, that the complaining Party is authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.
Copyright Agent Contact. NMI’s Copyright Agent contact information is as follows. Email is our preferred method of communication.
Network Merchants, LLC
Attention: NMI DMCA/Copyright Designated Agent
PO Box 120
Portsmouth, NH 03802
+1-847-352-4850
ComplianceDepartment@nmi.com
Take-Down Procedure. Upon receipt and verification of notice of infringement, NMI will remove the infringing materials, at its sole discretion. To the extent possible, NMI will notify the infringing party in writing after removal. Advance notice of removal is generally not possible.
Termination for Repeat Infringement. NMI reserves the right to terminate access, for any or all of our Software and Services, to any Party, if that Party is found to be repeatedly infringing copyrights.
Anti-Harassment and Bullying Policy
Network Merchants, LLC and all its subsidiaries and Affiliates (herewith referred to as NMI, we, our or us) are committed to providing a working environment free from harassment and bullying and ensuring all our employees are treated, and treat others, with dignity and respect. We recognize that harassment and bullying can occur not only among employees but also from Third Parties, and we take such incidents very seriously.
Purpose
The purpose of this Policy is to set out our commitment to preventing and addressing harassment or bullying that may occur by Third Parties such as partners, merchants, vendors, suppliers, visitors to our premises, and any other Third Party involved in our operations (herewith referred to as Third Parties).
At NMI, we maintain a strict zero-tolerance policy towards harassment or bullying. Harassment, bullying or victimization of any kind will not be tolerated and failure to uphold the dignity and respect of all NMI employees may result in corrective action. All parties are encouraged to report any incident of harassment or bullying involving NMI’s employees. To address and prevent future complaints, we will focus on constructive measures such as providing feedback to customers, collaborating with them to resolve issues, and reporting any serious concerns to the authorities.
What is Harassment by a third party
Harassment by a Third Party is any unwanted physical, verbal or non-verbal conduct that has the purpose or effect of violating a person’s dignity or creating an intimidating, hostile, degrading, humiliating or offensive environment for them. A single incident can amount to harassment.
It also includes treating someone less favorably because they have submitted or refused to submit to such behavior in the past.
Unlawful harassment may involve sexual harassment (unwanted behaviour of a sexual nature), or it may be related to age, disability, gender reassignment, marital or civil partner status, pregnancy or maternity, race, colour, nationality, ethnic or national origin, religion or belief, sex or sexual orientation. Harassment is unacceptable even if it does not fall within any of these categories.
Harassment may include, but is not limited to:
- unwanted physical conduct or “horseplay”, including touching, pinching, pushing and grabbing;
- continued suggestions for social activity after it has been made clear that such suggestions are unwelcome;
- sending or displaying material that is pornographic or that some people may find offensive (including emails, text messages, video clips and images sent by mobile phone or posted on the internet);
- unwelcome sexual advances or suggestive behavior (which the harasser may perceive as harmless);
- racist, sexist, homophobic or ageist jokes, or derogatory or stereotypical remarks about a particular ethnic or religious group or gender;
- outing or threatening to out someone as LGBTQ+;
- offensive emails, text messages or social media content;
- mocking, mimicking or belittling a person’s disability; or
- using your position of authority to offer job benefits or promotions in exchange for sexual favors.
A person may be harassed even if they were not the intended “target”. For example, a person may be harassed by racist jokes about a different ethnic group if the jokes create an offensive environment.
A person may be harassed even if the comments or behavior were not intended to cause harm or offense (i.e. if comments were meant to be a joke).
What is Bullying by a third party
Bullying is offensive, intimidating, malicious or insulting behavior involving the misuse of power that can make a person feel vulnerable, upset, humiliated, undermined or threatened. Power does not always mean being in a position of authority, but can include both personal strength and the power to coerce through fear or intimidation.
Bullying may include physical or psychological threats, overbearing and intimidating levels of supervision or inappropriate derogatory remarks about someone’s performance. Please be aware that harassment and bullying can take place in many forms, from face to face encounters to messages via text, social media platforms or through official communication channels or chats.
Preventing Harassment & Bullying
NMI takes a proactive approach to preventing harassment and bullying and as part of those efforts we offer regular training sessions to all employees about harassment and bullying, including what it is, how to recognise it and how to report it.
What should a third party expect
When we receive a report of Third-Party harassment, NMI’s People Team will carefully initiate an investigation to understand the situation fully. This will involve gathering important information, which may include conversations with the person making the report, any witnesses, and any other individual(s) involved in the incident. We will document all findings and consider any relevant evidence.
Once the investigation is complete, we will share the findings with the appropriate parties and take any necessary actions based on the outcome. Throughout this journey, our People Team is dedicated to creating a respectful and safe workplace for everyone.
Third Parties have a responsibility to conduct themselves in a manner that respects the rights and dignity of all NMI employees. If a Third Party is found to have engaged in harassment or bullying, NMI will take appropriate corrective actions, which may include:
- Issuing a formal written warning to the individual or entity.
- Banning the individual or entity from our premises or events.
- Termination of contracts or business relationships.
- Reporting the behavior to law enforcement authorities if it constitutes a criminal offense.
In cases where harassment or bullying by a Third Party leads to emotional distress or damages for our employees, NMI reserves the right to seek restitution from the offending party. This may include claims for damages related to lost wages, emotional distress, or any other applicable remedies under the law.
Retaliation against a complainant will not be tolerated and NMI will take appropriate action against anyone who subjects a complainant to retaliatory conduct. NMI will offer the necessary assistance and support to its employees to protect or enforce the complainant’s rights.
Conclusion
NMI is dedicated to maintaining a work environment free from harassment and bullying, including Third Party harassment. By following this policy and working together, we can create a safe and respectful workplace for all employees. This Policy will be reviewed at regular intervals and will be monitored for effectiveness.
For any inquiries related to the policy, or to report an incident of harassment or bullying, please email NMI’s People Team at peopleteam@nmi.com. We’re here to help and ensure you have all the information you need.
Extension Terms
Certain services and functionalities made available by or through NMI are classified as “Extensions,” including but not limited to those listed below. The individual or business signing up for an Extension (“Company”) agrees to the following terms and conditions and any other terms and conditions that may be specified for particular Extensions (collectively, “Extension Terms”).
1. Extensions are subject to additional fees, as set forth in an applicable fee schedule or order form.
2. Extensions may supplement or be connected with other products, services, platforms, or portals offered by NMI (collectively, “Services”), each of which may be subject to a separate agreement or terms and conditions of use (“Service Terms”). If an Extension is associated with one or more Services, then, in addition to the applicable Extension Terms, the Service Terms for such Services will also apply to and govern the use of the associated Extension. Except as expressly provided otherwise, Extension Terms do not replace or supersede any applicable Service Terms, which remain in full force and effect.
3. In the event of a conflict between these Extension Terms (which apply to all Extensions) and more specific Extension Terms identified for a particular Extension, the specific Extension Terms will control to the extent of the conflict. If there are any conflicting terms between the Service Terms and the applicable Extension Terms, the Extension Terms will control to the extent of the conflict. However, if Company is receiving Extensions in connection with other Services, then if the Service Terms governing the underlying Services terminate for any reason, Company’s right to use the associated Extensions will also automatically terminate.
4. Some Extensions may be provided by third parties (“Third Party Extensions”), which may be subject to additional terms and conditions set by those third parties (“Third Party Terms”). Any such Third Party Terms will constitute an agreement solely between Company and the relevant third party provider, even if the Third Party Terms are presented to Company by NMI or if Company’s acceptance of such Third Party Terms is recorded by NMI (and in such cases Company authorizes NMI to communicate such acceptance to the applicable third party provider). NMI will not be a party to any Third Party Terms and will not be responsible for the operation of any Third Party Extensions. NMI makes no representations or warranties regarding any Third Party Extensions and will have no liability for any losses incurred in connection with their use.
5. Extension Terms may be updated from time to time by NMI in its sole discretion. Third Party Terms may be updated by the applicable third party providers in accordance with such Third Party Terms.
6. If Company is an authorized reseller of NMI, then Company may select Extensions to be offered to its merchants and other customers or end users (each, a “Merchant”). If permitted by NMI, Company will have the ability to enroll its Merchants directly in the Extensions that Company has selected for them. Company will be responsible and fully liable for its Merchants’ use of the Extensions and their compliance with the applicable Extension Terms and/or Third Party Terms.
7. Company represents, warrants, and covenants that its (and if Company is a Reseller, its Merchants’) use of the Extensions and any information submitted in connection with the Extensions: (i) will be fully compliant with all applicable laws, payment network rules, and security requirements; (ii) will be in accordance with all documentation and specifications applicable to such Extensions; and (iii) will not be used for any purpose other than as authorized. In addition, Company agrees that (a) Company will be solely responsible for all transactions processed through Company’s account (including by its Merchants, if Company is a Reseller), regardless of whether such transactions are monitored by an Extension; (b) Company will be solely responsible for its (and, if Company is a Reseller, its Merchants’) use of the Extensions including, without limitation, configuring, maintaining, and updating any applicable settings; and (c) to the extent an Extension relates to transaction processing, Company is solely responsible for determining the appropriate action for each such transaction (i.e., approve, void, decline, reject), regardless of any data, analysis, or information generated or not generated by the Extensions, as applicable.
8. Under certain circumstances, it may be necessary for NMI or the applicable third party provider to adjust Company’s (or any Merchant’s) Extension security settings, with or without notice, to guard against fraudulent activity, and Company acknowledges that such actions may inadvertently cause legitimate transactions to expire, be rejected or delayed, and that NMI will have no liability for the foregoing.
9. As used in these Extension Terms, “NMI” refers to the affiliate of Network Merchants, LLC (each, an “NMI Affiliate”) that provides a given Extension. If no NMI Affiliate is named, then the applicable NMI Affiliate will be (and “NMI” will refer to) Network Merchants, LLC. If Company uses Extensions from multiple NMI Affiliates, Company will be deemed to have a separate agreement with each one. Each NMI Affiliate will be liable only for the Extensions and services that it provides and for its own obligations or any breaches by it, and no NMI Affiliate (including Network Merchants, LLC) will have any liability for the obligations of any other NMI Affiliate or for any breach or default by any other NMI Affiliate.
Available Extensions include the following (which list may be updated at any time):
- Fraud Prevention
- Customer Vault
- Automatic Card Updater
- Payer Authentication
- Card Present Device
- iProcess Mobile Payments
- Electronic Checks
- Electronic Invoicing
- QuickBooks® Plug-In
- Level III Advantage
- CertifyPCI
- DataDecryption / Encrypted Devices
- Invoicing
- Kount® Advanced Fraud Prevention (additional Extension Terms apply)
- Account Updater (additional Extension Terms apply)
- Authvia TXT2Pay (additional Extension Terms apply)
- Mastercard tap 2 mobile (T2M) (additional Extension Terms apply)
- Shopify (additional Extension Terms apply)
- Network Tokenization
Extension — Kount Advanced Fraud Prevention Terms
1. Definitions
1.1. Definitions. Capitalized terms used but not defined in these Extension Kount Advanced Fraud Prevention Terms (“Extension Kount Terms”) will have the meanings given to them in the General Terms and Conditions, the Partner Terms or Merchant Terms (as applicable), or elsewhere in the Agreement. In addition, the following definitions will apply to these Extension Kount Terms only.
“Merchant Communications” means the data exchanged among Company, Merchant (if applicable), NMI, and NMI’s Third Party Service Provider in connection with the provision of the Kount Services, which may include Personal Data.
“Kount Services” means the Kount Central fraud detection service.
“Merchant Order Form” means any webpage where Company (or Merchant) enters information for the purpose of: (a) initiating a payment; (b) submitting an application; (c) opening a new account; (d) accessing an existing account; or (e) initiating any action for which Company may request a risk control opinion.
“RIS Update” means updated transaction information transmitted by Company (or Merchant) for the Kount Services, which may include any data elements that are provided to NMI.
“Risk Inquiry” means any transaction initiated by NMI in which the Risk Inquiry System is queried, including, but not limited to, for the purposes of obtaining an authorization code or risk control opinion.
“Risk Inquiry System” means the primary Kount technical interface through which NMI initiates Risk Inquiries and RIS Updates on behalf of Company (and Merchants, if applicable), and through which Kount delivers an authorization code or risk control opinion as part of the Kount Services.
2. Services
2.1. NMI, along with its Third Party Service Provider, will provide the Kount Services, which allow Company to monitor the risk status of previously authorized transactions, in accordance with the Kount Technical Specification Guide provided for or associated with the Kount Services, as may be updated from time to time (“Kount Technical Specification Guide”).
3. Company Responsibilities
3.1. Company will initiate a real-time Risk Inquiry to NMI, who will use Kount’s Risk Inquiry System, as described in the Kount Technical Specification Guide, for each Order Form for which a risk opinion is requested. If Company is a Reseller, then Company will initiate such Risk Inquiries on behalf of its Merchants.
3.2. If Company is a Reseller, or if Company is a Merchant receiving the Kount Services through a Reseller, then both the Reseller and the Merchant agree that the Reseller (and not NMI or another Third Party Service Provider) will provide the Merchant with first line Merchant-facing customer support with respect to the Kount Services.
4. Company and Merchant Consent
4.1. The Kount Services requires access to the contents of Merchant Communications. Company expressly consents and grants NMI permission to access any Merchant Communication to the extent necessary to process a Risk Inquiry and return a response or report regarding Company or a Merchant (an “Indication”). If Company is a Merchant, then Company consents and grants NMI permission to provide the Indication to its Reseller.
4.2. Company shall obtain any and all consents necessary disclosures for NMI and its Third Party Service Provider to access the pertinent Merchant Communication to which Company (and its Merchants, if applicable) are a party. If Company is a Reseller, Company shall be solely liable for the legal adequacy of and the means used to obtain each Merchant consent.
5. No Guarantee of Kount Services
5.1. Company acknowledges and agrees that Kount Services do not constitute a guarantee, warranty or representation that a particular transaction is: (a) entered into by the actual authorized account holder; or (b) enforceable against the actual authorized account holder. Neither NMI nor its Third Party Service Provider will have any liability to Company (or any Merchant, if applicable) for any reversals, refunds, fraud losses or chargebacks related to the Kount Services.
6. Indications
6.1. Company acknowledges and agrees that Indications: (a) do not constitute consumer reports as defined within the Fair Credit Reporting Act (“FCRA”) or credit references; (b) are only to be used in relation to determining the likelihood of a customer’s identity and not in any determination of a customer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living; (c) represent a combination of factors that refer to a customer’s possible identity and not a representation that a particular transaction is (i) entered into by the actual authorized account holder; or (ii) enforceable against the actual authorized account holder.
Extension – Account Updater Terms
1. Definitions
1.1. Definitions. Capitalized terms used but not defined in these Extension Account Updater Terms (“Extension Account Updater Terms”) will have the meanings given to them in the General Terms and Conditions, the Partner Terms or Merchant Terms (as applicable), or elsewhere in the Agreement. In addition, the following definitions will apply to these Extension Account Updater Terms only.
“Account Updater Services” or “AUS” means the updating services provided pursuant to these Extension Account Updater Terms to be provided through NMI’s third party’s relationship with the Payment Networks.
2. Scope of Services
2.1. NMI, along with its Third Party Service Provider, will provide Account Updater Services by which Company (and if Company is a Reseller, its Merchants) may submit to NMI a file of current limited and permitted cardholder information so that such cardholder information may be transmitted by NMI to the Payment Networks to allow such cardholder information to be matched and verified against information currently on file with the Payment Networks. Company shall, at its sole expense, provide all inquiry files to NMI in a format designated by NMI and in accordance with NMI’s standards and timeframes, and Company will cooperate with NMI in connection with any Payment Network third party registration requirements related to the AUS.
3. Representations and Warranties, and Disclaimers
3.1. Company represents and warrants that it (and if Company is a Reseller, its Merchants) will use the AUS solely for the purpose of updating applicable cardholder information in order to complete future pre-authorized applicable transactions in accordance with the Rules and Laws, and shall not use AUS data for any other purpose.
3.2. If Company is a Reseller, Company shall enter into a Merchant Agreement with each Merchant that authorizes the Merchant to use AUS and obligates the Merchant to comply with the merchant requirements of these Extension Account Updater Terms, including the Agreement.
3.3. Company hereby assumes all risk associated with its (and if Company is a Reseller, its Merchants’) use of the AUS, and neither NMI nor its third parties shall have any liability whatsoever to NMI for any liability associated with the AUS or these Extension Account Updater Terms and the Agreement, including but not limited to the accuracy or completeness of the information provided via the AUS.
3.4. Neither NMI nor its Third Party Service Provider make any guarantee for any rate or number of matched transactions or verified transactions.
3.5. Company understands and agrees that only merchants who are located in the United States and who do not have excessive chargebacks (as determined in NMI’s sole discretion) may participate in and receive the Account Updater Services. NMI reserves the right to decline or terminate Company’s (or any Merchant’s, as applicable) participation in and use of the Account Updater Services for excessive chargebacks or for any other reason, in NMI’s sole discretion.
Extension — TXT2Pay Terms
1. Definitions
1.1. Definitions. Capitalized terms used but not defined in these Extension TXT2Pay Terms (“Extension TXT2Pay Terms”) will have the meanings given to them in the General Terms and Conditions, the Partner Terms or Merchant Terms (as applicable), or elsewhere in the Agreement. In addition, the following definitions will apply to these Extension TXT2Pay Terms only.
“Company Data” means all data provided to NMI by Company, including Merchant Data.
“End User” means Company’s (or, if applicable, a Merchant’s) end-user customers who (a) may use the Services to make electronic payments to Company or its Merchants (as applicable), and (b) are identifiable by a unique identifiable number, such as a mobile phone number.
“Merchant Data” means all data, information and other content of any type and in any format, medium or form, including Personal Information, that is (i) uploaded, submitted, posted, transferred, transmitted, or otherwise provided or made available, by or on behalf of Company, a Merchant (if applicable) or its End Users to NMI and its Third Party Provider through their use of the Services, or (ii) collected, downloaded, or otherwise received by NMI and its Third Party Provider from Company, a Merchant (if applicable) or its End Users pursuant to their use of the Services. Merchant Data may include, but is not limited to, name, email address, phone number, financial account information, transaction value and volume, and invoice data.
2. Services Offered:
2.1. Authvia APIs (Application Programming Interfaces): Services include the following primary functions documented at https://developer.authvia.com:
(a) Messaging And Conversations – used to create and deliver message-based conversations of an advisory or transactional nature. Conversations shall fall into one of the following categories:
- Payment Conversations
- Approval Conversations
- Welcome Conversations
- Card Capture Conversations
- Additional Conversation types as available in the portal listed above
(b) Platform And Application Management – used to manage Company’s account and sub-accounts (and if Company is a Reseller, those of its Merchants). This includes boarding, account configuration, authentication and sending and receiving API requests.
(c) Data And Analytics – offers the capability of collecting and reporting certain transactional and conversation data through APIs, documented in the portal listed above.
(d) Hosted Payment Page – allows Company (or its Merchants, if applicable) to manage and customize a hosted payment page which allows End Users to complete secure credit card, debit card and ACH transactions on a website or mobile application environment.
2.2. Authvia TXT2PAY
(a) TXT2PAY – mobile optimized HTML application that allows businesses or organizations to send text-based payment requests to their customers, receive payments, and report results. Each user or agent of TXT2PAY requires a license, internally defined as an agent account. Agents can be grouped together inside of a company or organization.
3. Company Responsibilities
3.1. Company hereby acknowledges and agrees that it shall (i) provide or obtain all consents that may be required in order for NMI and its Third Party Service Provider to provide the Service hereunder (including consents from Company’s Merchants, if Company is a Reseller); (ii) be solely responsible for all Company Data that Company provides to NMI and the means by which Company acquired such data, and ensure it has all rights to make available, transfer and provide any Merchant Data to NMI and its Third Party Provider for the purposes hereunder, including under applicable data privacy and data security laws; (iii) to the extent applicable, employ physical administrative and technical controls, screening and security procedures and other safeguards designed to maintain and protect any Merchant Data that is processed via the Services from unauthorized access or use; (iv) promptly document and report any known issues with the Service and any known misuse of the Service; (v) cooperate with NMI where reasonably required in order to facilitate the provision of the Services.
3.2. Company may use the Services provided under Extension TXT2Pay Terms only for Company’s own internal business purposes (which would include any provisioning to its End Users). Company shall not be permitted to resell or otherwise market or make commercially available the Services to any other third party.
3.3. If Company is a Reseller, Company must enter into a Merchant Agreement with each Merchant for the Services hereunder and Company agrees that the Merchant Agreement will be at least as restrictive as those hereunder. Company will ensure that its Merchant Agreements require Merchants only use the Services for Merchant’s own internal business purposes (which would include any provisioning to its End Users) and state that Merchants shall not be permitted to resell or otherwise market or make commercially available the Services to any other third party.
3.4. If Company is a Reseller, or if Company is receiving the Services through a Reseller, then both the Reseller and the Merchant agree that the Reseller (and not NMI or another Third Party Service Provider) shall provide first level support to the Merchant for the Services hereunder.
Extension — T2M Terms
1. Definitions; Interpretation
1.1. Definitions. Capitalized terms used but not defined in these Extension T2M Terms (“Extension T2M Terms”) will have the meanings given to them in the General Terms and Conditions, the Partner Terms or Merchant Terms (as applicable), or elsewhere in the Agreement. In addition, the following definitions will apply to these Extension T2M Terms only.
“Third Party Technology” means the products, services or software provided to Payment Networks by Third Party Technology Providers in connection with the provision of the T2M Solution.
“Third Party Technology Providers” means any third-party technology company that any Payment Network may independently contract with to provide services for the purpose of enabling and providing the T2M Solution.
2. Scope of Services
2.1. NMI, in connection with various Payment Networks, will provide a contactless tap to mobile payment solution and associated services (“T2M Solution”) to Company (and its Merchants, if applicable). Company acknowledges and agrees that NMI is reliant on the Payment Networks, Third Party Technology and Third Party Technology Providers to provide this T2M Solution.
2.2. NMI will provide, in combination with the Payment Networks, the T2M Solution to Company (and its Merchants, if applicable).
2.3. If Company is a Reseller, Company shall refer its Merchants to NMI for the T2M Solution, and Company will be responsible for training its Merchants. Upon reasonable written request, NMI will provide training to Company to enable it to resell the T2M Solution to Merchants. The scope of the training provided shall be at NMI’s sole discretion (acting reasonably and in good faith). Company will assist potential Merchants in completing all documentation required to receive the T2M Solution, including (where applicable) providing reasonable training to Merchants on the use of the T2M Solution. For the avoidance of doubt, NMI shall not be required to provide additional training to Merchants.
3. Third Party Technology
3.1. Company acknowledges the T2M Solution is designed for use with certain third party programs, including, without limitation, certain Internet browser software programs. Company will look solely to the developers and manufacturers of such programs with regard to warranty, maintenance or other support regarding the same. NMI makes no warranty, express or implied, with regard to any such third party software or services. Without limitation, NMI specifically disclaims all representations and warranties, express or implied, with respect to any Third Party Technology Provider or Third Party Technology. NMI shall have no express or implied obligation to provide, or continue to provide, support or maintain any or all Third Party Technology. Company acknowledges and agrees that at any time, all or any portion of Third Party Technology may be subject to modifications, suspension or termination by the Payment Networks or Third Party Technology Provider, with or without notice, and with immediate effect. NMI may be required to implement any such modifications, suspension or termination of the T2M Solution, and as this is outside of NMI’s reasonable control, (to the fullest extent permitted by law) NMI shall not be liable for any actions required by a Payment Network or Third Party Technology Provider.
Extension — Shopify Terms
Definitions; Interpretation
1. Definitions. Capitalized terms used but not defined in these Extension Shopify Terms (“Extension Shopify Terms”) will have the meanings given to them in the General Terms and Conditions, the Partner Terms or Merchant Terms (as applicable), or elsewhere in the Agreement. In addition, the following definitions will apply to these Extension Shopify Terms only.
“Customer” means any individual that visits or transacts via the Merchant Store.
“Customer Data” means information (including Personal Information) relating to a Customer, including order information, payment information, or account information.
“Merchant Data” means information (including Personal Information) relating to a Merchant Store, including business, financial, and product information and any Customer Data.
“Merchant Store” means Company’s or a Merchant’s (as applicable) commerce presence hosted by Shopify, including their online store and Point of Sale (POS). For clarity, Company or a Merchant may have more than one Merchant Store.
2. Scope of Services
a. NMI will provide a payments application service by which Company (and if Company is a Reseller, its Merchants) may facilitate transactions through Shopify’s payments platform (“Shopify Application”).
3. Representations and Warranties, and Disclaimers
a. NMI represents and warrants that:
i. NMI is solely responsible for the Shopify Application;
ii. Shopify is not liable for any fault in the Shopify Application or any harm that may result from its installation or use;
iii. Except where expressly stated by Shopify, Shopify cannot provide assistance with the installation or use of the Shopify Application; and
iv. NMI is solely responsible for any liability which may arise from Company’s (or, as applicable, its Merchant’s) access to or use of the Shopify Application, including: (A) the development, use, marketing or distribution of or access to the Shopify Application, including support of the Shopify Application; or (B) NMI’s access, use, distribution or storage of Merchant Data.
b. NMI maintains a Privacy Policy located at Privacy Policy that discloses how and why customers’ Personal Data are collected and used in accordance with applicable law, including the uses governed by this Agreement.
Historical Terms and Conditions
Data Processing Addendum
This Data Processing Addendum (“Addendum”) supplements the Agreement entered into by and between NMI and Company. Any terms not defined in this Addendum will have the meaning set forth in the Agreement. To the extent NMI receives Personal Data from Company, the terms of this Addendum will apply to the parties.
1. Definitions
1.1 “Addendum” means any person or entity that controls, is controlled by, or is under common control with, such party.
1.2 “Applicable Laws” means any applicable laws, rules, and regulations in any relevant jurisdiction applicable to the Addendum, the Agreement, or the use or Processing of Personal Data, including those concerning privacy, data protection, confidentiality, information security, availability and integrity, or the handling of Personal Data. Applicable Laws expressly include, as applicable: (i) the California Consumer Privacy Act (and its successor/amending statute the California Privacy Rights Act) (the “CPRA”); (ii) the Virginia Consumer Data Protection Act (the “VCDPA”); (iii) the Colorado Privacy Act (the “CPA”); (iv) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR” or “GDPR”); (v) the EU GDPR as it forms part of the law of England and Wales by virtue of Section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”); (vi) the UK Data Protection Act 2018; and (vii) the Privacy and Electronic Communications (EC Directive) Regulations 2003, in each case, as updated, amended or replaced from time to time.
1.3 “Authorized Person” means an employee of either Party or an employee of a Party’s Affiliate who has a need to know or otherwise access Personal Data to enable a Party to perform its obligations under this Addendum or the Agreement and who has been apprised of the confidential nature of Personal Data before they may access such data and who has undergone appropriate background screening and training.
1.4 “Business or Data Controller” means the Company which alone determines the purposes and means of the Processing of Personal Data.
1.5 “Consumer or Data Subject” means a natural person about whom a Data Controller holds Personal Data pursuant to the Agreement and who can be identified, directly or indirectly, by reference to that Personal Data.
1.6 “Consumer Rights or Data Subject Rights” means the rights recognized and granted to Data Subjects with respect to their Personal Data under Applicable Laws.
1.7 “EU SCCs” means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of Personal Data to countries not otherwise recognized as offering an adequate level of protection for Personal Data by the European Commission; available at: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en (as amended and updated from time to time).
1.8 “ex-EEA Transfer” means the transfer of Personal Data, which is Processed in accordance with the GDPR, outside the European Economic Area (the “EEA”), and such transfer is not governed by an adequacy decision made by the European Commission in accordance with the relevant provisions of the GDPR.
1.9 “ex-UK Transfer” means the transfer of Personal Data, which is Processed in accordance with the UK GDPR and the Data Protection Act 2018, outside the United Kingdom (the “UK”), and such transfer is not governed by an adequacy decision made by the Secretary of State in the UK in accordance with the relevant provisions of the UK GDPR and the Data Protection Act 2018.
1.10 “Personal Data” means any information relating to an identified or identifiable living individual that is transmitted, uploaded, created, processed or stored by NMI as part of the provision of the Services provided by NMI under the Agreement. An identifiable living individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual. Tokenized data or encrypted data that NMI cannot reidentify is not considered Personal Data.
1.11 “Personal Data Breach” means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Personal Data other than (a) through the use of a Company’s or any Users’ generated password that, consistent with the settings and permissions in the respective Service, has rights to access such Personal Data, or (b) access by NMI personnel or Subprocessor personnel whose access to or use of such Personal Data is for the purpose of performance of the Services as permitted under this Agreement and applicable law.
1.12 “Process or Processing” means any operation or set of operations performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
1.13 “Service Provider or Data Processor or Processor” means NMI, which Processes Personal Data on behalf of and pursuant to the instructions of Company.
1.14 “Services” shall have the meaning set forth in the Agreement.
1.15 “Sensitive Personal Data” means data that is also Personal Data but includes a subset of Personal Data that constitutes: “sensitive personal information,” “sensitive data,” or any similar category of information subject to Applicable Laws.
1.16 “Subprocessor” means any third party appointed by or on behalf of NMI to process Personal Data. A Subprocessor may also be referred to as a Third-Party Service Provider.
1.17 “UK Data Transfer Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses Version B1.0, in force 21 March 2022 issued by the UK Information Commissioner under S119A(1) Data Protection Act 2018, available at: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/
2. Processing of Data and Compliance with Applicable Laws
2.1 The Parties shall comply with this Addendum at all times during the term of the Agreement and for any period post termination where the Parties process Personal Data in accordance with the Agreement. Any failure by either party to comply with the obligations set forth in this Addendum will be considered a material breach of the Agreement, and the other party will have the right, without limiting any of the rights or remedies under this Addendum or the Agreement, or at law or in equity, to immediately terminate the Agreement for cause.
2.2 The rights and obligations of NMI with respect to Processing are described herein and in the Agreement. The subject matter, nature, purpose and duration of this Processing, as well as the types of Personal Data collected and categories of Data Subjects involved, are described in Exhibit 1 to this Addendum.
2.3 NMI shall only Process Personal Data for the limited and specified purposes described in Exhibit 1, the terms set forth in this Addendum and in any written instructions provided by Company.
2.4 Company represents and warrants that it will: (i) comply with all Applicable Laws; (ii) any written instructions it provides to NMI will comply with all Applicable Laws; and (iii) shall make the required disclosures and obtain the necessary consents for NMI to process Personal Data. Company shall notify NMI if an instruction it gave NMI violates Applicable Laws.
2.5 If Company cannot comply with Applicable Laws in the performance of its obligations to NMI, Company agrees to promptly inform NMI in writing of its inability to comply, in which case NMI may (at its discretion) suspend the processing of Personal Data, terminate the Agreement, or otherwise stop processing Personal Data and remediate any issues that arise as a result of Company’s failure to comply with Applicable Laws.
2.6 NMI acknowledges and confirms that it does not receive any Personal Data from Company as consideration for any services or other items provided to Company. Except as expressly set forth in the Agreement, NMI shall not have, derive or exercise any rights or benefits regarding data provided by Company (“Consumer Data”) and NMI shall not sell any Consumer Data, as defined by Applicable Laws. NMI shall not retain, use or disclose any Consumer Data except as necessary for the specific purpose of performing the Services for Company pursuant to the Agreement, for the benefit of the Company (such as, but not limited to, providing insight information or to offer the Company additional products or services), or otherwise for its internal business purposes. Company agrees that NMI may anonymise Consumer Data to use for its internal business purposes and to develop its products and services. NMI understands the rules, restrictions, requirements and definitions of the CPRA and agrees to refrain from taking any action that would cause any transfers of Consumer Data to or from NMI to qualify as a sale of personal information under the CPRA. The terms “personal information,” “sale,” and “sell” for the purposes of this Section 8 are as defined in Section 1798.140 of the California Consumer Protection Act (“CCPA”).
2.7 Company hereby instructs NMI to transfer Personal Data to any country or territory as reasonably necessary for the provision of the Services and consistent with this Addendum.
3. Security of Personal Data.
3.1 NMI shall in relation to the Personal Data implement the Security Requirements attached hereto as Exhibit 3 and any additional measures required pursuant to Applicable Laws.
3.2 After termination or expiry of the Agreement, upon Company’s written request, NMI shall, and shall ensure that all Authorized Persons, promptly and securely dispose of or return to Company, at Company’s choice, all copies of Personal Data, unless NMI is otherwise required to retain the Personal Data in accordance with Applicable Law.
3.3 Where and to the extent disposal of Personal Data in accordance with Section 3.2 is explicitly prevented by Applicable Law(s) or technically infeasible, NMI or Authorized Persons, as applicable, shall (i) take measures to block such Personal Data from any further Processing (except to the extent necessary for continued Processing explicitly required by Applicable Law(s)), and (ii) continue to exercise appropriate Technical and Organizational Security Measures to protect such Personal Data until it may be disposed of in accordance with Section 3.2.
4. Subprocessing and Authorized Personnel
4.1 NMI shall (i) take reasonable steps to ensure that access to Personal Data is limited to those individuals who need to know/access the Personal Data to provide the Services, and (ii) ensure that all individuals it authorizes to process Personal Data are bound by confidentiality obligations (whether by contract or under Applicable Law) in respect of the processing of Personal Data.
4.2 Company acknowledges that NMI may engage Subprocessors in connection with providing the Services. Company consents to NMI’s use of Subprocessors subject to compliance with the terms in this Section 4. A copy of the list of Subprocessors who are involved in processing of Personal Data can be found here. NMI has entered, and for new Subprocessors will enter, into a written agreement with each Subprocessor that complies with the relevant Applicable Laws applicable to the Subprocessor or the processing.
4.3 NMI will notify Company (for which email shall suffice) if NMI intends to add additional Subprocessors to the above mentioned list, at least fourteen (14) days before the changes come into effect.
4.4 Company may reasonably object to NMI’s use of a new Subprocessor by notifying NMI promptly in writing within fourteen (14) days after receipt of NMI’s notice. If Company reasonably objects to a new Subprocessor and NMI does not resolve Company’s reasonable objection within a reasonable period of time not to exceed fourteen (14) days, either Party may terminate the portion of the Agreement relating to the Services involving the new Subprocessor (which may involve termination of the entire Agreement) by providing written notice to the other Party. Termination under this Section 4.4 will be without fault to either party.
4.5 Each party shall remain responsible and liable for its compliance with Applicable Laws and any obligations ensuing from the Agreement and this Addendum.
5. Personal Data Breach
5.1 NMI shall notify Company of a Personal Data Breach as soon as reasonably practicable, but in any event, not more than forty-eight (48) hours after confirming such Personal Data Breach.
5.2 In the event of a Personal Data Breach, NMI will provide Company with such details as Company reasonably requires (to the extent that such information is known or available to NMI) regarding: (i) the nature of the Personal Data breach, including the categories and approximate numbers of data subjects and Personal Data records concerned; (ii) any investigations into such Personal Data Breach; (iii) the likely consequences of the Personal Data Breach; and (iv) any measures taken, or that NMI recommends, to address the Personal Data Breach, including to mitigate its possible adverse effects and prevent the re-occurrence of the Personal Data Breach.
5.3 NMI may give Company phased updates as additional information regarding the Personal Data Breach becomes available to NMI; and provide reasonable cooperation and assistance to Company in relation to any remedial action to be taken in response to a Personal Data Breach, but will not notify any data subjects of the Personal Data Breach, except pursuant to the Company’s explicit instruction or as required by any law, rule, regulation or binding court order to which NMI is subject.
5.4 Company may share any notification and details provided by NMI under this Section 5 with the appropriate governmental/supervisory authority if required to do so under Applicable Laws.
6. Transfers of Personal Data
6.1 If NMI transfers Personal Data protected under this Addendum to a jurisdiction for which the United Kingdom or European Commission (as applicable) has not issued an adequacy decision (each, a “Restricted Transfer”), NMI shall ensure that (i) a Restricted Transfer by NMI may only be made to Subprocessors as approved by Company in accordance with Section 4 of this Addendum; (ii) any Restricted Transfer conducted by NMI or any Authorized Person shall be undertaken in accordance with the appropriate Standard Contractual Clauses entered into in accordance with Applicable Law (as applicable); and (iii) that each Restricted Transfer will be made after appropriate safeguards have been implemented for the Restricted Transfer of Personal Data in accordance with Applicable Laws.
6.2 Ex-EEA Transfers. If applicable, Ex-EEA Transfers are made pursuant to the EU SCCs, which are deemed entered into and incorporated into this Addendum by reference. For the purposes of the EU SCCs, the appropriate module shall be:
(i) Module Two (Controller to Processor), where the Company engages with NMI as a Merchant, with the following options:
a. Clause 7 (Docking Clause) shall apply;
b. In Clause 9 (use of sub-processors) option 2 (general written authorisation) shall apply and the time period shall be that specified in clause 4.2 of this Agreement.
c. In Clause 11, the optional language does not apply;
d. All square brackets in Clause 13 are hereby removed;
e. In Clause 17 (Option 1), the EU SCCs will be governed by the laws of the Republic of Ireland;
f. In Clause 18(b), disputes will be resolved before the courts of the Republic of Ireland;
g. Exhibit 2 to this Addendum contains the information required in Annex I of the EU SCCs;
h. Exhibit 3 to this Addendum contains the information required in Annex II of the EU SCCs; and
i. By entering into this Addendum, the parties are deemed to have signed the EU SCCs incorporated herein, including its Annexes.
(ii) Module Three (Processor to Processor), where the Company engages with NMI as a Reseller acting on behalf of a Merchant(s) as controller of the Personal Data, with the following options:
a. Clause 7 (Docking Clause) shall apply;
b. In Clause 9 (use of sub-processors) option 2 (general written authorisation) shall apply and the time period shall be that specified in clause 4.2 of this Agreement.
c. In Clause 11, the optional language does not apply;
d. All square brackets in Clause 13 are hereby removed;
e. In Clause 17 (Option 1), the EU SCCs will be governed by the laws of the Republic of Ireland;
f. In Clause 18(b), disputes will be resolved before the courts of the Republic of Ireland;
g. Exhibit 2 to this Addendum contains the information required in Annex I of the EU SCCs;
h. Exhibit 3 to this Addendum contains the information required in Annex II of the EU SCCs; and
i. By entering into this Addendum, the parties are deemed to have signed the EU SCCs incorporated herein, including its Annexes.
6.3 Ex-UK Transfers. If applicable, Ex-UK Transfers are made pursuant to the UK Data Transfer Addendum, which is deemed entered into and incorporated into this Addendum by reference. For the UK Data Transfer Addendum, where applicable the following applies:
(i) Exhibit 4 to this Addendum contains the information required in Part 1 – Tables, of the UK Data Transfer Addendum; and
(ii) By entering into this Addendum, the parties are deemed to have signed the UK Data Transfer Addendum incorporated herein.
7. Rights of Data Subjects.
NMI will provide such assistance as is reasonably required to enable Company to comply with Data Subject Rights requests within the time limits imposed by Applicable Laws.
8. Recordkeeping.
8.1 Recordkeeping. NMI shall maintain records and information in accordance with Applicable Laws to demonstrate its compliance with this Addendum (“Records”).
8.2 Verification Requirements. On reasonable written request, no more than once per calendar year, NMI shall make available to Company all Records necessary to demonstrate compliance with the Applicable Laws. NMI reserves the right to charge reasonable expenses for any additional requests by Company.
9. Miscellaneous
9.1 NMI may modify or amend this Addendum to ensure that it complies with Applicable Laws, providing that it gives the Company reasonable written notice of such changes. Both parties may disclose this Addendum to third parties (including other businesses, Consumers and regulators) for purposes of demonstrating compliance with Applicable Laws.
9.2 If an amendment to this Addendum is required to comply with Applicable Laws, both parties shall work together in good faith to promptly execute a mutually agreeable amendment.
9.3 If any individual provisions of this Addendum are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this Addendum shall not be affected.
9.4 This Addendum may be executed in one or more counterparts, each of which shall be deemed to be an original executed copy of the Addendum.
9.5 This Addendum shall automatically terminate upon the termination or expiration of the Agreements under which the Services are provided, but the provisions of this Addendum shall survive beyond termination where NMI is required to process Personal Data after termination or expiry of the Agreement, and in such case the provisions shall continue to apply to the extent that NMI processes the Personal Data.
9.6 In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) Applicable Laws; (2) the terms of this Addendum; and (3) the Agreement.
9.7 Notwithstanding anything contrary to this Addendum or Agreement between the parties, NMI will not be liable to any Data Subject for a claim arising from NMI’s acts or omissions, to the extent that NMI was acting in line with Company’s written instruction and consent.
Exhibit 1
Details of Processing
Nature and Purpose of Processing: Each Party will Process Company’s Personal Data as necessary to provide the Services under the Agreement, for the purposes specified in the Agreement, the Data Processing Addendum, and in accordance with Company’s instructions as set forth in this Exhibit 1. The nature of Processing shall include:
- The Parties will process Personal Data as necessary to fulfil the Party’s obligations under the Agreement and as otherwise set forth in this Addendum.
Duration of Processing:
- The term of the Agreement.
Categories of Data Subjects: Categories of data subjects whose personal data is transferred include:
- the end-users of the Company or its customers (as applicable) whose payment information is processed through the Services in accordance with the Agreement
Categories of Personal Data:
General Personal Data
- Cardholder data (including but not limited to cardholder name, expiration date, account numbers, service codes)
- Bank account details
- Contact information (including but not limited to name, email, mobile number, address, email address)
- IP address/location
- Tax ID
Special categories of data / Sensitive Personal Data
- None
Exhibit 2
This Exhibit 2 shall apply in accordance with clause 6.2, where applicable.
A LIST OF PARTIES
For transfers of EU Personal Data:
Data exporter(s):
Name: | Company |
Address: | As specified in the Order Form |
Contact person’s name, position and contact details: | As specified in the Order Form |
Activities relevant to the data transferred under these Clauses: | |
Role: | controller |
Data importer(s):
Name: | NMI |
Address: | As specified in the Order Form |
Contact person’s name, position and contact details: | As specified in the Order Form |
Activities relevant to the data transferred under these Clauses: | |
Role: | processor |
DESCRIPTION OF TRANSFER
Categories of data subjects whose Personal Data is transferred:
- As described in Exhibit 1
Categories of Personal Data transferred
- As described in Exhibit 1.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
- Continuous, for any period that the data importer provides Services under this Agreement.
Nature of the processing
- As described in Exhibit 1
Purpose(s) of the data transfer and further processing
- As described in Exhibit 1
The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period
- As described in Exhibit 1
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
- As described in Section D below.
COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13.
For transfers of EU Personal Data:
Name: | Data Protection Commission, Ireland |
Address: | 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland |
For transfers of UK Personal Data:
Name: | UK Information Commissioner’s Office |
Address: | Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF |
LIST OF SUB-PROCESSORS
The controller has authorized the use of the following sub-processors: As detailed in clause 4.2 of this Data Processing Addendum.
Exhibit 3
Description of the Technical and Organizational Security Measures implemented by NMI
NMI maintains the following administrative, physical and technical safeguards (“Security Requirements”) for the protection of Personal Data, as described in Section 3 of the Addendum and outlined here.
Exhibit 4 UK Addendum (as applicable)
For transfers of Personal Data from Company to NMI which are subject to the UK GDPR (as amended or replaced from time to time), the parties agree to be bound by the terms of the UK Addendum, which shall be completed and entered into as follows:
Part 1:
Table 1: Parties: As set out in the EU SCCs contained in Exhibit 2 of this Addendum.
Table 2: Selected SCCs, Modules and Selected Clauses:
Addendum EU SCCs | The version of the Approved EU SCCs as specified in clause 6.2 of this Agreement and to which this Addendum is appended. |
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex 1A: List of Parties: As set forth in Annex 1A of the EU SCCs. |
Annex 1B: Description of Transfer: As set forth in Annex 1B of the EU SCCs. |
Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of the data: As set forth in Annex II of the EU SCCs. |
Annex III: List of Sub processors (Modules 2 and 3 only): As set forth in Annex 3 to the EU SCCs. |
Table 4: Ending this Addendum when the Approved Addendum Changes
Ending this Addendum when the Approved Addendum changes | Which Parties may end this Addendum as set out in Clause 19 of this Exhibit: [X] Importer [X] Exporter ☐ neither Party |
Part 2: Mandatory Clauses
Entering into this Addendum
1. Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.
2. Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.
Interpretation of this Addendum
3. Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:
Addendum | This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs. |
Addendum EU SCCs | The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information. |
Appendix Information | As set out in Table 3. |
Appropriate Safeguards | The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR. |
Approved Addendum | The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18. |
Approved EU SCCs | The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021. |
ICO | The Information Commissioner. |
Restricted Transfer | A transfer which is covered by Chapter V of the UK GDPR. |
UK | The United Kingdom of Great Britain and Northern Ireland. |
UK Data Protection Laws | All laws relating to data protection, the processing of personal data, privacy and/or electronic communications, in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018. |
UK GDPR | As defined in section 3 of the Data Protection Act 2018. |
4. This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.
5. If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.
6. If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.
7. If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
8. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.
Hierarchy
9. Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.
10. Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.
11. Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.
Incorporation of and changes to the EU SCCs
12. This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:
a. together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
b. Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and
c. this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
13. Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.
14. No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.
15. The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:
a. References to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs;
b. In Clause 2, delete the words:
“and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
c. Clause 6 (Description of the transfer(s)) is replaced with:
“The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
d. Clause 8.7(i) of Module 1 is replaced with:
“it is to a country benefiting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
e. Clause 8.8(i) of Modules 2 and 3 is replaced with:
“the onward transfer is to a country benefiting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
f. References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
g. References to Regulation (EU) 2018/1725 are removed;
h. References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
i. The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”;
j. Clause 13(a) and Part C of Annex I are not used;
k. The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
l. In Clause 16(e), subsection (i) is replaced with:
“the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
m. Clause 17 is replaced with:
“These Clauses are governed by the laws of England and Wales.”;
n. Clause 18 is replaced with:
“Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
o. The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.
Amendments to this Addendum
16. The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
17. If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
18. From time to time, the ICO may issue a revised Approved Addendum which:
a. makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or
b. reflects changes to UK Data Protection Laws;
The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.
19. If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:
a. its direct costs of performing its obligations under the Addendum; and/or
b. its risk under the Addendum,
and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.
20. The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.
Alternative Part 2 Mandatory Clauses: