This Data Processing Agreement (“DPA”) is an agreement between you and the entity you represent (“Customer” or “you”), on the one hand, and CardinalCommerce Corporation and/or any other applicable affiliated CardinalCommerce contracting entity(ies) (“Cardinal” or “CardinalCommerce”), on the other hand. It forms part of any written or electronic agreement between you and Cardinal under which Cardinal Processes Personal Information on your behalf (each, an “Agreement”), except with respect to any Agreement under which you and Cardinal have entered data processing terms that address the subject matter hereof. Each of Cardinal and Customer may be referred to herein as a “party” and collectively as the “parties.”
Notwithstanding the foregoing, Customer acknowledges and agrees that Cardinal may use Customer Personal Information in Cardinal’s capacity as independent controller to evaluate, analyze, develop, improve, and enhance the fraud, risk and identity capabilities and offerings of Cardinal.
Cardinal may share certain Personal Information received from Customer with third parties who use that Personal Information to help Cardinal to detect and prevent fraud. These third parties are responsible for their own use of Customer’s Data Subjects’ Personal Information as described in their notices included in Exhibit 3 of this DPA.
Cardinal shall pay reasonable costs related to a Security Incident, but only to the extent (i) that Customer is a direct licensee of Cardinal (as opposed to a customer of a reseller of, or other third party offering Cardinal’s products and services) and (ii) such Security Incident is caused by or attributable to Cardinal’s negligence or breach of this DPA, including reasonable costs of breach notifications and any credit monitoring for Data Subjects required by Customer, up to an amount not to exceed one (1) million US dollars ($1,000,000.00), or such amount otherwise expressly mandated by Applicable Data Protection Law, solely to the extent such mandated amount exceeds one million US dollars.
|
“Applicable Data Protection Law” |
means any law or regulation pertaining to data protection, privacy, and/or the Processing of Personal Information, to the extent applicable in respect of a party’s obligations under the Agreement and this DPA. For illustrative purposes only, “Applicable Data Protection Laws” include, without limitation, and to the extent applicable, the General Data Protection Regulation (Regulation (EU) 2016/679 (the “GDPR”), UK Data Protection Laws, the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 and its implementing regulations (collectively, the “GLBA”), Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (“PIPEDA”), Swiss DP Laws and any associated regulations or any other legislation or regulations that transpose or supersede the above or are deemed substantially similar to the above. |
|
|
|
|
“EEA Standard Contractual Clauses” |
means the Standard Contractual Clauses set out in the European Implementing Decision (EU) 2021/914 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as amended or replaced from time to time by a competent authority under the Applicable Data Protection Law, including the Swiss amendments to the EU Standard Contractual Clauses required by the Swiss Federal Data Protection Information Commissioner (the "Swiss Addendum") to the extent applicable. |
|
“Personal Information” |
means all data or information, in any form or format, that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer (“Data Subject”) or household or that is regulated as “personal data,” “nonpublic personal information” or “personal information,” or otherwise under Applicable Data Protection Law. For the avoidance of doubt, this includes any information relating to a Data Subjects as defined in the Agreement, and includes data relating to legal entities, if and as long as they are protected under the Swiss DP Laws as well as any information relating to an End-User as defined in the Agreement. |
|
“Process” or “Processed” or “Processing” |
means any operation or set of operations which is performed upon Personal Information, whether or not by automatic means, such as access, collection, recording, organization, storage, adaptation or alteration, retrieval, disclosure or otherwise making available, duplication, transmission, combination, blocking, redaction, erasure or destruction. |
|
“Security Incident” |
means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information. A Security Incident includes a “personal data breach” (as defined in the GDPR), a “breach of security of a system”, a “breach of security safeguards” (as defined in PIPEDA) or similar term (as defined in any other Applicable Data Protection Law) as well as any other event that compromises the security, confidentiality or integrity of Personal Information. |
|
“Swiss DP Laws” |
means the Federal Act on Data Protection of September 25, 2020 (as updated, amended and replaced from time to time), including all implementing ordinances. In this DPA, in circumstances where and solely to the extent that the Swiss DP Laws apply, references to the GDPR and its provisions shall be construed as references to the Swiss DP Laws and their corresponding provisions. |
|
“Transfer” |
means to transmit or otherwise make Customer Personal Information available across national borders in circumstances which are restricted by Applicable Data Protection law. |
|
“UK Data Protection Laws” |
means the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 ("UK GDPR"), together with the Data Protection Act 2018, the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, the Data Use and Access Act 2025, and other data protection or privacy legislation in force from time to time in the United Kingdom. In this DPA, in circumstances where and solely to the extent that the UK GDPR applies, references to the GDPR and its provisions shall be construed as references to the UK GDPR and its corresponding provisions. |
|
“UK IDTA” |
means the International Data Transfer Addendum to the EEA Standard Contractual Clauses issued by the UK Information Commissioner under section 119A (1) Data Protection Act 2018 |
Schedule A: General Data Protection Regulation, UK GDPR and Swiss DP Laws
This GDPR Schedule applies in addition to any terms set forth in the body of the DPA (and is incorporated therein) when the GDPR, UK GDPR and/or the Swiss DP Laws applies to your use of the Service or to the extent Applicable Data Protection Law imposes a comparable requirement outlined under this Schedule. Capitalized terms not defined herein have the meaning assigned to them under the DPA. To the extent there are any conflicts between this GDPR Schedule and the DPA, this GDPR Schedule shall prevail.
behavior is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory
authority.”
Details of Processing Customer Personal Information
The table below includes additional details of the Processing of Customer Personal Information in respect of the Services.
|
Nature and purpose of processing |
Types of Personal Information |
Categories of data subjects related to the Personal Information |
|
The Service is a 3-D Secure based consumer-authentication solution that uses a data-driven approach for transaction fraud prevention and enables real-time risk assessment of online 3-D Secure transactions. The Service provides users with a rules portal as a means for users to make their own risk decision. This includes the generation of a risk score through the Service’s proprietary model. Customer Personal Information is used to support the creation and enhancement of the Service, including tools and models.
To provide the Service, Cardinal transfers Customer Personal Information to acquiring banks, issuing banks, payment processors providing services on behalf of acquiring banks, credit/debit card companies, or service providers. |
Cardinal will use required transaction information, including, without limitation, card number, cardholder name, billing address, shipping address email address, phone number, IP address, device characteristics, transaction amount, for Processing the authentication request with the Customer.
Further detail is included in the applicable Services Documentation provided at the time of implementation of the Service. |
Data Subjects as defined under the Agreement, including: credit card holders, debit card users and all consumers whose cardholder or bank account data is submitted to the Service. |
INFORMATION REQUIRED FOR THE EEA STANDARD CONTRACTUAL CLAUSES, THE UK IDTA AND SWISS DP LAWS
|
|
|
|
ANNEX I A. List of Parties |
|
|
Data EXPORTER identity and contact details |
|
|
Name |
Customer Entities |
|
Address |
To be provided on request |
|
Contact person’s name, position and contact details: |
To be provided on request |
|
Activities relevant to the data transferred under these Clauses: |
As set out in the table in Exhibit 1 under "Nature and Purpose of the Processing". |
|
Role (controller/processor): |
Controller |
|
Data IMPORTER identity and contact details |
|
|
Name |
Cardinal Entities |
|
Address |
900 Metro Center Boulevard Foster City, CA 94404 U.S.A. |
|
Contact person’s name, position and contact details: |
|
|
Activities relevant to the data transferred under these Clauses: |
As set out in the table in Exhibit 1 under "Nature and Purpose of the Processing". |
|
Role (controller/processor): |
Controller |
|
ANNEX I B. Description of Transfer |
|
|
Categories of data subjects whose personal data is transferred |
As set out in the table in Exhibit 1 under "Categories of Data Subjects". |
|
Categories of personal data transferred |
As set out in the table in Exhibit 1 under "Types of Personal Information". |
|
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures. |
Not Applicable |
|
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis). |
Continuous |
|
Nature of the processing |
As set out in the table in Exhibit 1 under "Nature and Purpose of the Processing". |
|
Purpose(s) of the data transfer and further processing |
As set out in the table in Exhibit 1 under "Nature and Purpose of the Processing". |
|
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period |
Personal data will be retained in accordance with Cardinal’s retention policies, for only as long as is required to meet Cardinal’s legal, regulatory and operational requirements and as necessary to perform services. |
|
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing |
As set out in the table in Exhibit 1 under "Nature and Purpose of the Processing". |
|
Annex I C. Competent Supervisory Authority |
|
|
Competent supervisory authority/ies |
To be provided by the data exporter on request. |
|
ANNEX II Technical and Organizational Measures Including Technical and Organizational Measures to Ensures Security of the Data |
|
|
Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons. |
CardinalCommerce is certified as compliant with all standards established by the Payment Card Industry Data Security Standards (together with any successor organization thereto, “PCI DSS”) that are applicable to Cardinal Corporation and its affiliates (such standards, the “PCI Standards”). As evidence of compliance, Cardinal will provide its current Attestation of Compliance signed by a Payment Card Industry Qualified Security Assessor upon Customer’s written request. CardinalCommerce maintains and enforces commercially reasonable information security and |
|
|
physical security policies, procedures and standards, that are designed (i) to insure the security and confidentiality of Customer’s records and information, (ii) to protect against any anticipated threats or hazards to the security or integrity of such records, and (iii) to protect against unauthorized access to or use of such records or information which could result in substantial harm (the “Visa Information Security Program”). At a minimum, the Visa Information Security Program is designed to meet the standards set forth in ISO 27002 published by the International Organization for Standardization, as well as any revisions, versions or other standards or objectives that supersede or replace the foregoing.
CardinalCommerce engages its independent certified public accountants to conduct a review of Cardinal Corporation’s operations and procedures at Cardinal Corporation’s cost. The accountants conduct the review in accordance with the American Institute of Certified Public Accounts Statement on Standards for Attestation Engagements No. 18 SOC I Type II (“SSAE 18”) and record their findings and recommendations in a report to Cardinal Corporation. Upon request, and subject to standard confidentiality obligations, Cardinal will provide its most recent SSAE 18 and, in Cardinal’s s reasonable discretion, additional information reasonably requested to address questions or concerns regarding the SSAE 18’s findings. |
|
For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter |
Not applicable. |
|
ANNEX III LIST OF SUB-PROCESSORS The controller has authorized the use of the following sub-processors: |
|
|
Not applicable to Module 1. |
|
EXHIBIT 3
THIRD PARTY FRAUD PROVIDER PRIVACY NOTICES
|
Provider |
Notice |
|
ThreatMetrix |
https://risk.lexisnexis.com/group/processing-notices/threatmetrix |