VERIFI RESELLER DATA PROCESSING AGREEMENT
Updated: November 1, 2022
This Reseller Data Processing Agreement (“DPA”) is an agreement between you and the entity you represent or have the authority to bind such entity hereto (“Reseller” or “you”), on the one hand, and Verifi, Inc., a California corporation (“Verifi”), on the other hand. It forms part of any written or electronic agreement between you and Verifi under which Verifi Processes Personal Information on behalf of Reseller’s third party customers for Services, (each, a “Participating Seller”) (each, an “Agreement”), except with respect to any Agreement under which you and Verifi have entered data processing terms that address the subject matter hereof. Capitalized terms used herein but not defined in this DPA will have the meanings given to them in the Agreement.
1 Processing of Participating Sellers Personal Information
1.1 Processor designation. The parties acknowledge and agree that Verifi will Process Personal Information of Reseller’s Participating Sellers to provide the Services (as defined in the Agreement), which Processing may include, by way of example and for illustrative purposes, the Processing detailed on Details of Processing Seller Personal Information (Exhibit 2). For the purposes of the Applicable Data Protection Laws and the provisions of this Agreement, the Reseller’s Participating Sellers shall be considered as controllers (or equivalent term pursuant to Applicable Data Protection Laws), Reseller shall be considered a data processor, and Verifi (as the “Sub-Processor” herein) shall be considered a sub-processor engaged by Reseller to carry out specific processing activities for Reseller’s Participating Sellers.
1.2 Authorization to Process. Reseller instructs Sub-Processor to Process Seller Personal Information to provide such Services, and Sub-Processor is authorized to Process Seller Personal Information solely in connection with the following activities:
1.2.1 In accordance with the applicable Agreement(s), including, without limitation, any exhibits, schedules, and applicable price schedule(s), to provide the Services, and any Processing required under applicable law or regulations;
1.2.2 Based on the instructions of Reseller and in its use of the Services, Sub-Processor transfers Sellers Personal Information to Participating Sellers’ Data Subjects, acquiring banks, issuing banks, payment processors providing services on behalf of acquiring banks, credit/debit card companies, or service providers performing Services used by Reseller’s customers; and
1.2.3 As reasonably necessary to enable Sub-Processor to comply with any other directions or instructions provided by Reseller on behalf of Reseller’s Participating Sellers.
2 Compliance with Law. Reseller shall, in its use of the Services, Process Seller Personal Information in accordance with the requirements of Applicable Data Protection Laws. Sub-Processor shall, in its provision of the Transaction Services, Process Seller Personal Information in accordance with the requirements of Applicable Data Protection Laws.
3 Reseller obligations. With respect to the Processing of Seller Personal Information by Sub-Processor under this Schedule and Agreement, Reseller shall ensure that its Participating Sellers shall:
3.1 provide its Data Subject(s) with all privacy notices, information and any necessary choices under Applicable Data Protection Laws with respect to the use of Seller Personal Information in connection with the Transaction Services as set out in the Agreement and this DPA, including providing information to Data Subjects for fair, lawful and transparent Processing of Seller Personal Information when required and shall obtain any necessary consents to enable the parties to comply with Applicable Data Protection Law;
3.2 promptly inform Sub-Processor when Seller Personal Information must be corrected, updated, and/or deleted, where required by Applicable Data Protection Law; and
3.3 ensure that at the point of transferring Seller Personal Information to Sub-Processor, the Seller Personal Information is adequate, relevant and limited to what is necessary in relation to the Processing envisaged under the Agreement and this DPA; and
3.4 Reseller shall comply (and ensure that its third party auditors comply) with Sub-Processor’s relevant security policies and appropriate confidentiality obligations as set out in the Agreement.
4 Sub-Processor obligations
4.1 Applicable Data Protection Law. To the extent necessary to enable Reseller’s Participating Sellers to comply with their obligations under Applicable Data Protection Law, Sub-Processor further agrees to comply with any required provisions of the GDPR Schedule and/or CCPA Schedule, each, to the extent applicable.
4.2 Data Subject Rights. Sub-Processor will, to the extent legally permitted, provide reasonable assistance to Reseller to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law with respect to Seller Personal Information (e.g., rights to access or delete Seller Personal Information) in a manner that is consistent with the nature and functionality of the Services. Reseller shall submit such requests for assistance to Sub-Processor. Where Sub-Processor receives any such request, it shall notify Reseller without undue delay and Reseller shall ensure that its Participating Sellers are responsible for handling such requests by a Data Subject in accordance with Applicable Data Protection Law.
4.3 Engaging with Sub-Processors. Sub-Processor shall ensure that when engaging with another data processor including any Affiliates (a “Sub-Sub-Processor”) for the purposes of carrying out specific Processing activities related to Reseller’s Participating Sellers, there is a written contract in place between Sub-Processor and the relevant Sub-Sub-Processor. Such written contracts, to the extent applicable to the nature of the Services provided by the relevant Sub-Sub-Processor, will provide at least the same level of protection for Seller Personal Information as set out in this DPA.
4.4 Staff. Sub-Processor shall ensure that persons authorized to Process Seller Personal Information have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.5 Security of Processing. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Sub-Processor shall implement technical and organizational measures to ensure a level of security appropriate to that risk. In assessing the appropriate level of security, Sub-Processor shall, in particular, take into account the sensitivity of the Personal Information and the risks that are presented by the Processing, in particular from unauthorized or unlawful Processing, accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Seller Personal Information transmitted, stored or otherwise Processed. Sub-Processor shall provide reasonable assistance to Reseller in ensuring Reseller meets its own compliance obligations with respect to these same security measures.
4.6 Security Breach
4.6.1 In the event of an actual Security Breach (defined below) affecting Seller Personal Information contained in Sub-Processor’s systems, Sub-Processor shall (i) investigate the circumstances, extent and causes of the Security Breach and report the results to Reseller and continue to keep Reseller informed on a regular basis of the progress of Sub-Processor’s investigation until the issue has been effectively resolved; and (ii) cooperate with Reseller in any legally required notification by Reseller’s Participating Sellers of affected Data Subjects.
4.6.2 Sub-Processor shall notify Reseller without undue delay upon Sub-Processor or any Sub-Sub-Processor becoming aware of an actual Security Breach affecting Seller Personal Information, providing Reseller with sufficient information and reasonable assistance to allow Reseller’s customers to meet its obligations under Applicable Data Protection Law to (i) notify a Supervisory Authority (as defined under Applicable Data Protection Law) of the Security Breach; and (ii) communicate the Security Breach to the relevant Data Subjects.
4.6.3 Except as required by applicable law or regulation, the notifying party will not make (or permit any third party to make) any statement concerning the Security Breach that directly or indirectly references the other party, unless the other party provides its explicit written authorization.
4.6.4 To the extent that a Security Breach was caused by Reseller, Reseller’s Participating Sellers or Data Subjects, Reseller shall be responsible for the costs arising from the Sub-Processor’s provision of assistance under this clause 4.6.
4.7 Deletion and Retention. Sub-Processor shall, at the choice of Reseller, delete or return all Seller Personal Information upon termination of the Agreement and delete existing copies unless storage is required by applicable law.
5 Miscellaneous. The terms of this DPA shall apply only to the extent required by Applicable Data Protection Law. To the extent not inconsistent herewith, the applicable provisions of the Agreement(s) (including without limitation, indemnifications, limitations of liability, enforcement, and interpretation) shall apply to this DPA. In the event of any conflict between this DPA and the terms of an applicable Agreement, the terms of this DPA shall control solely with respect to data processing terms where required by Applicable Data Protection Law, and, in all other respects, the terms of the applicable Agreement shall control. Notwithstanding any term or condition of the DPA, the DPA does not apply to any data or information that does not relate to one or more identifiable individuals, that has been aggregated or de-identified in accordance with Applicable Data Protection Law, or to the extent that Sub-Processor and Reseller have entered separate data processing terms that address the subject matter hereof.
6 Definitions. Unless otherwise defined in the Agreement (including this DPA), all terms in this DPA shall have the definitions given to them in Applicable Data Protection Law.
6.1 “Applicable Data Protection Law” means any law or regulation pertaining to data protection, privacy, and/or the Processing of Personal Information, to the extent applicable in respect of a party’s obligations under the Agreement and this DPA. For illustrative purposes only, Applicable Data Protection Laws include, without limitation, and to the extent applicable, the General Data Protection Regulation (Regulation (EU) 2016/679 (the “GDPR”), UK Data Protection Laws, the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. (“CCPA”), Swiss DP Laws, and any associated regulations or any other legislation or regulations that transpose or supersede the above;
6.2 “EEA Standard Contractual Clauses” means the Standard Contractual Clauses set out in the European Implementing Decision (EU) 2021/914 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as amended or replaced from time to time by a competent authority under the Applicable Data Protection Law.
6.3 “Data Subject” means any consumer that purchases goods or services of Reseller’s Participating Sellers, and whose information is submitted by Reseller’s Participating Sellers to Verifi during the course of Reseller’s Participating Sellers using the Services hereunder;
6.4 “Personal Information” means all data or information, in any form or format, that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer (“Data Subject”) or household or that is regulated as “personal data,” “personal information,” or otherwise under Applicable Data Protection Law. For the avoidance of doubt, this includes any information relating to a Data Subjects as defined in the Agreement;
6.5 “Process” or “Processed” or “Processing” means any operation or set of operations which is performed upon Personal Information , whether or not by automatic means, such as access, collection, recording, organization, storage, adaptation or alteration, retrieval, disclosure or otherwise making available, duplication, transmission, combination, blocking, redaction, erasure or destruction; and
6.6 “Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information. A Security Breach includes a “personal data breach” (as defined in the GDPR), a “breach of security of a system” or similar term (as defined in any other applicable privacy laws) as well as any other event that compromises the security, confidentiality or integrity of Personal Information.
6.7 “Seller Personal Information” means Personal Information originating from the Reseller’s Participating Sellers or their Data Subjects and provided to or accessed by Verifi pursuant to the Agreement.
6.8 “Swiss DP Laws” means the Federal Act on Data Protection of June 19, 1992 (as updated, amended and replaced from time to time), including all implementing ordinances;
6.9 “Transfer” means to transmit or otherwise make Seller Personal Information available across national borders in circumstances which are restricted by Applicable Data Protection law;
6.10 “UK Data Protection Laws” means the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (“UK GDPR“), together with the Data Protection Act 2018, the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 and other data protection or privacy legislation in force from time to time in the United Kingdom. In this DPA, in circumstances where and solely to the extent that the UK GDPR applies, references to the GDPR and its provisions shall be construed as references to the UK GDPR and its corresponding provisions;
6.11 “UK IDTA“ means the International Data Transfer Addendum to the EEA Standard Contractual Clauses issued by the UK Information Commissioner under section 119A(1) Data Protection Act 2018.
SCHEDULE A
CALIFORNIA CONSUMER PRIVACY ACT
This CCPA Schedule applies in addition to any terms set forth in the body of the DPA (and is incorporated therein) when the CCPA applies to Reseller’s use of Verifi Services on behalf of its Participating Sellers, or to the extent Applicable Data Protection Law imposes a comparable requirement outlined under Schedule A. Capitalized terms not defined herein have the meaning assigned to them under the DPA. To the extent there are any conflicts between this CCPA Schedule and the DPA, this CCPA Schedule shall prevail.
1 Verifi shall not:
1.1 sell Seller Personal Information; or
1.2 retain, use or disclose Seller Personal Information other than as set forth in the body of the DPA, except as required or permitted by Applicable Data Protection Law.
2 When providing or making available Personal Information to Verifi, Reseller shall ensure that its Participating Sellers shall only disclose or transmit that Personal Information which is necessary for Verifi to perform its obligations under the applicable Agreement(s).
3 To the extent required by Applicable Data Protection Law, this CCPA Schedule constitutes its certification to the Processing restrictions herein.
SCHEDULE B
GENERAL DATA PROTECTION REGULATION
This GDPR Schedule applies in addition to any terms set forth in the body of the DPA (and is incorporated therein) when the GDPR applies to Reseller’s Participating Sellers’s use of Verifi Services, or to the extent Applicable Data Protection Law imposes a comparable requirement outlined under Schedule B. Capitalized terms not defined herein have the meaning assigned to them under the DPA. To the extent there are any conflicts between this GDPR Schedule and the DPA, this GDPR Schedule shall prevail.
1 Sub-Processor Obligations
1.1 Processing of Seller Personal Information. Sub-Processor shall Process Seller Personal Information only on documented reasonable instructions from Reseller (including instructions with respect to transfers of Seller Personal Information to a third country or territory, if applicable) unless required to do so by Applicable Data Protection Law. In such circumstances, Sub-Processor shall inform Reseller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. Sub-Processor shall immediately inform Reseller if, in Sub-Processor’s opinion, Reseller’s instructions would be in breach of Applicable Data Protection Law. Reseller agrees that Sub-Processor shall be under no obligation to take actions designed to form any such opinion.
1.2 Use of Sub-Sub-Processor
1.2.1 Sub-Processor reserves the right to maintain its Sub-Sub-Processor list through means such as publication of its Sub-Sub-Processor list online and also update it accordingly. In accordance with Section 1.2.1 of this GDPR Schedule, Reseller provides authorization for Sub-Processor to engage with the Sub-Sub-Processors listed. Sub-Processor currently engages the Sub-Sub-Processor as listed at Exhibit 3 to this DPA.
1.2.2 Sub-Processor shall inform Reseller of any intended changes concerning the addition or replacement of other Sub-Sub-Processors to give Reseller the reasonable opportunity to object to such changes. In the event Reseller objects to Sub-Processor’s change or addition of Sub-Sub-Processor, Reseller shall promptly notify Sub-Processor of its objections in writing within 10 business days after receipt of Sub-Processor’s notice of such change or addition.
1.2.3 Sub-Processor may, at its option, undertake reasonable efforts to make available to Reseller a change in the Services or recommend a commercially reasonable change to Reseller’s configuration or use of the Services to avoid Processing of Seller Personal Information by the objected-to new Sub-Sub-processor. If Sub-Processor is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Reseller may terminate the Agreement with respect to only those aspects of the Services, which cannot be provided by Sub-Processor without the use of the objected-to new Sub-Sub-Processor by providing written notice to Sub-Processor. If the Services as a whole cannot be performed without the objected-to new Sub-Sub-Processor, Reseller may terminate the entire Agreement provided that Reseller’s objections to the new Sub-Sub-Processor are commercially reasonable.
1.2.4 Sub-Processor agrees not to impose a penalty for any termination under Section 1.2.3 of this GDPR Schedule on Reseller.
1.2.5 Data Protection Impact Assessments and Prior Consultation with Regulator. Sub-Processor shall provide reasonable assistance to Reseller with any legally required (a) data protection impact assessments; and (b) prior consultations initiated by Reseller with its regulator in connection with such data protection impact assessments. Such assistance shall be strictly limited to the Processing of Seller Personal Information by Sub-Processor on behalf of Reseller’s Participating Sellers under the Agreement taking into account the nature of the Processing and information available to Sub-Processor.
2 Demonstrating Compliance with this DPA
2.1 Sub-Processor shall make available to Reseller all information necessary to demonstrate compliance with its obligations under this DPA and allow for (and contribute to) audits, including inspections conducted by Reseller or another auditor under the instruction of the Reseller for the same purposes of demonstrating compliance with obligations set out in this DPA.
2.2 Reseller’s right under Section 2.1 of this GDPR Schedule is subject to the following:
2.2.1 if Sub-Processor can demonstrate compliance with its obligations set out in this DPA by adhering to an approved code of conduct, by obtaining an approved certification or by providing Reseller with an audit report issued by an independent third party auditor (provided that Reseller will comply with appropriate confidentiality obligations as set out in the Agreement and shall not use such audit report for any other purpose), Reseller agrees that it will not conduct an audit or inspection under Section 2.1 above;
2.2.2 in acknowledgement of the time, expense and disruption to business associated with performing audits and inspections involving interviews and onsite visits, Reseller agrees to only conduct such audits and inspections on condition that Reseller can demonstrate such audit or inspection is necessary beyond the information made available by Sub-Processor under Section 2.1 above. Such audits and inspections, shall be at reasonable intervals (but not more than once per year) upon not less than 60 days’ notice and at a date mutually agreed by the Parties, provided that the audit will (i) not disrupt Sub-Processor’s business; (ii) be conducted during business hours and at the Reseller’s expense; (iii) not interfere with the interests of Sub-Processor’s other customers; and (iv) not exceed a period of two successive business days.
2.3 With regard to Section 2.1 of the GDPR Schedule, Sub-Processor shall immediately inform Reseller if, in Sub-Processor’s opinion, Reseller’s instructions would be in breach of Applicable Data Protection Law. Reseller agrees that Sub-Processor shall be under no obligation to take actions designed to form any such opinion.
3 Cross-Border Transfers
3.1 Sub-Processor shall comply with Reseller’s documented instructions concerning the Transfer of Seller Personal Information to a third country.
3.2 The Sub-Processor shall only Transfer any Seller Personal Information outside the Seller’s applicable jurisdiction or the Data Subjects’ resident jurisdiction, including, without limitation, outside the European Economic Area (“EEA”), the UK or Switzerland, only in compliance with the Applicable Data Protection Law.
3.3 Reseller agrees and acknowledges that Sub-Processor transfers and stores certain Seller Personal Information (including relating to individuals located in the EEA, Switzerland and/or the UK) in the United States.
3.4 Transfers subject to the GDPR, UK GDPR, or Swiss DP Laws: Module 3 (transfer processor to processor) of the EEA Standard Contractual Clauses shall apply with respect to any Transfer of Seller Personal Information from the EEA or Switzerland to Verifi and any of its affiliated entities in the United States or other third countries (“Verifi Entities“). The parties acknowledge and agree that Module 3 (transfer processor to processor) of the EEA Standard Contractual Clauses is hereby incorporated by reference and;
3.4.1 Reseller and any of its commonly owned or controlled affiliates that have signed an Agreement for Verifi Products and Services (“Reseller Entities“) shall be deemed to be “data exporters” and the Verifi Entities shall be the “data importers”;
3.4.2 Clause 7 – Docking clause shall apply;
3.4.3 Clause 9 – Use of subprocessors Option 2 shall apply and the “time period” shall be 10 business days;
3.4.4 Clause 11(a) – Redress the optional language shall not apply;
3.4.5 Clause 13(a) – Supervision
a) Where the data exporter is established in an EU Member State the following shall apply: “The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C , shall act as competent supervisory authority.”
b) Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of the GDPR the following shall apply: “The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.”
c) Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of the GDPR, the following shall apply: “The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.”
3.4.6 Clause 17 – Governing law Option 1 shall apply and the “Member State” shall be Ireland;
3.4.7 Clause 18 – Choice of forum and jurisdiction the Member State shall be Ireland; and
3.4.8 the information in Exhibit 1 (Table 1) of this GDPR Schedule is incorporated into Annexes 1, 2 and 3 of the EEA Standard Contractual Clauses.
3.5 Transfers subject to the UK GDPR where the Transfer is subject to the UK GDPR, the EEA Standard Contractual Clauses shall be read in accordance with, and deemed amended by, the provisions of Part 2 (Mandatory Clauses) of the UK IDTA. For the purposes of Table 4 in Part 1 (Tables) of the UK IDTA, the parties select the “neither party” option. Otherwise, the Parties confirm that the information required for the purposes of Part 1 (Tables) of the UK IDTA is set out in Exhibit 1.
3.6 If there is any conflict or inconsistency between a term in the body of this DPA, an Agreement and a term in Module 2 (Transfer controller to processor) of the EEA Standard Contractual Clauses (or, as applicable the UK C2P SCCs), incorporated into this DPA, the term in Module 2 (Transfer controller to processor) of the EEA Standard Contractual Clauses (or, as applicable, the UK C2P SCCs) shall take precedence.
2.1.1
EXHIBIT 1
INFORMATION REQUIRED FOR THE EEA AND UK STANDARD CONTRACTUAL CLAUSES
Table 1: Information to be incorporated into the EEA Standard Contractual Clauses
ANNEX I A. LIST OF PARTIES |
|
Data EXPORTER identity and contact details |
|
Name |
Seller Entities |
Address |
To be provided on request |
Contact person’s name, position and contact details: |
To be provided on request |
Activities relevant to the data transferred under these Clauses: |
As set out in the table in Exhibit 2 under “Nature and Purpose of the Processing“. |
Role (controller/processor): |
Controller |
Data IMPORTER identity and contact details |
|
Name |
Verifi Entities |
Address |
900 Metro Center Boulevard Foster City, CA 94404 U.S.A. |
Contact person’s name, position and contact details: |
privacy@visa.com |
Activities relevant to the data transferred under these Clauses: |
As set out in the table in Exhibit 2 under “Nature and Purpose of the Processing“. |
Role (controller/processor): |
Processor |
ANNEX I B. DESCRIPTION OF TRANSFER |
|
Categories of data subjects whose personal data is transferred |
As set out in the table in Exhibit 2 under “Categories of Data Subjects“. |
Categories of personal data transferred |
As set out in the table in Exhibit 2 under “Types of Personal Information“. |
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures. |
Not Applicable |
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis). |
Continuous |
Nature of the processing |
As set out in the table in Exhibit 2 under “Nature and Purpose of the Processing“. |
Purpose(s) of the data transfer and further processing |
As set out in the table in Exhibit 2 under “Nature and Purpose of the Processing“. |
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period |
Personal data will be retained in accordance with Verifi’s retention policies, for only as long as is required to meet Verifi’s legal, regulatory and operational requirements and as necessary to perform services. |
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing |
As set out in the table in Exhibit 2 under “Nature and Purpose of the Processing“. |
Annex I C. Competent Supervisory Authority |
|
Competent supervisory authority/ies |
To be provided by the data exporter on request. |
ANNEX II TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA |
|
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons. |
Verifi is certified as compliant with all standards established by the Payment Card Industry Data Security Standards (together with any successor organization thereto, “PCI DSS”) that are applicable to Verifi and its affiliates (such standards, the “PCI Standards”). As evidence of compliance, Verifi will provide its current Attestation of Compliance signed by a Payment Card Industry Qualified Security Assessor upon Seller’s written request.
Verifi maintains and enforces commercially reasonable information security and physical security policies, procedures and standards, that are designed (i) to insure the security and confidentiality of Seller’s records and information, (ii) to protect against any anticipated threats or hazards to the security or integrity of such records, and (iii) to protect against unauthorized access to or use of such records or information which could result in substantial harm (the “Verifi Information Security Program”). At a minimum, the Verifi Information Security Program is designed to align with the standards set forth in ISO 27002 published by the International Organization for Standardization, as well as any revisions, versions or other standards or objectives that supersede or replace the foregoing.
Verifi engages its independent certified public accountants to conduct a review of Verifi’s operations and procedures at Verifi’s cost. The accountants conduct the review in accordance with the American Institute of Certified Public Accounts Statement on Standards for Attestation Engagements No. 18 SOC I Type II (“SSAE 18”) and record their findings and recommendations in a report to Verifi. Upon request, and subject to standard confidentiality obligations, Verifi will provide its most recent SSAE 18 and, in Verifi’s reasonable discretion, additional information reasonably requested to address questions or concerns regarding the SSAE 18’s findings. |
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter |
In respect of Transaction Services: initiatives, products, processes and supporting technology are assessed from a data privacy perspective, allowing Verifi to embed privacy controls to mitigate risks at early stages (privacy by design). Verifi has a robust privacy risk assessment framework (including privacy impact assessments), embedding this process in our change vehicles across the business, to ensure that both new and changed personal data processing activities are reviewed. Where Customer requires specific assistance, Customer may submit such requests for assistance to privacy@verifi.com |
ANNEX III LIST OF SUB-PROCESSORS The controller has authorised the use of the following sub-processors: |
|
As set out in Exhibit 3 of this DPA. |
|
EXHIBIT 2 – DETAILS OF PROCESSING SELLER PERSONAL INFORMATION
Service |
Nature and purpose of the processing |
Types of personal information |
Categories of data subjects to whom the personal information relates to |
Issuers access detailed transaction information from Participating Sellers via a global data-sharing network to prevent disputes at first Consumer inquiry. Consumers access and view detailed transaction information from Participating Sellers via Issuers in the Issuer mobile app or online banking website for the Consumer, to prevent disputes at first Consumer inquiry.
Verifi transfers (in accordance with the instructions of the Controller) Seller Personal Information to issuing banks, payment processors providing services on behalf of acquiring banks, credit/debit card companies, or service providers providing the Order Insight service used by Participating Sellers. |
If the Participating Seller opts to use the Order Insight service, Verifi will use required transaction information, including, without limitation, transaction information and order detail information necessary for Processing the Order Insight request with the issuer. Further detail is included in the applicable Services Documentation provided at the time of implementation of the Service. |
Participating Seller’s employees, agents, advisors, or representatives; and/or Consumers.
|
|
CDRN |
CDRN allows Participating Sellers to actively process non-fraud and confirmed fraud pre-dispute cases with a refund or cancellation avoiding a Dispute. |
If the Participating Seller opts to use CDRN, Verifi will use required transaction information, including, without limitation, transaction information and order detail information necessary for Processing the Participating Seller’s decisioning as it relates to a pre-dispute case to Issuer. Further detail is included in the applicable Services Documentation provided at the time of implementation of the Service. |
Participating Seller’s employees, agents, advisors, or representatives; and/or Consumers.
|
RDR (Rapid Dispute Resolution) |
RDR allows Participating Sellers to process non-fraud pre-dispute and confirmed fraud pre-dispute with an acquirer-initiated funds reversal thereby avoiding a Dispute. |
If the Participating Seller opts to use RDR, Verifi will use required transaction information, including, without limitation, transaction information and order detail information necessary for Processing the Participating Sellers automatic rules as it relates to a Dispute to Issuer. Further detail is included in the applicable Services Documentation provided at the time of implementation of the Service. |
Participating Seller’s employees, agents, advisors, or representatives; and/or Consumers.
|
Fraud and Dispute Services |
Fraud and Dispute Services provides a Participating Seller with direct delivery of fraud and dispute notifications to reduce payment risk.
|
If the Participating Seller opts to use the Fraud and Dispute service, Verifi will use required transaction information, to provide real-time, transaction level notification, to enhance and inform fraud detection and modeling to the Participating Seller. Participating Sellers can also stop order fulfillment/shipment when possible. Further detail is included in the applicable Services Documentation provided at the time of implementation of the Service. |
Participating Seller’s employees, agents, advisors, or representatives; and/or Consumers.
|
EXHIBIT 3 – LIST OF SUB-SUB PROCESSORS
Company |
Functions Performed |
Location |
Applicable Service |
Visa U.S.A., Inc. |
Security and fraud management |
U.S.A. |
All |