for merchant
DATA PROCESSING AGREEMENT
March 15, 2024
Contractor and Contracted Party are hereinafter referred to jointly as “Parties” or individually as “Party”.
This Data Processing Agreement (“DPA”) applies to activities involving the Processing of Personal Data (as defined below) performed in connection with the Agreement and is an integral part of the Contract for all legal purposes.
Any capitalized terms not otherwise defined in this Agreement shall have the meaning given thereto in the Contract. Except as modified below, the terms of the Contract shall remain in full force and effect.
The provisions in clauses 2 to 9 are applicable when contracting EBANX Payment Services. Services in which EBANX acts as Processor, while the Contractor acts as Controller.
The provisions in clauses 10 to 18 are applicable when contracting EBANX Anti-Fraud Services, which are optional. Services in which EBANX and the Contractor act as sole controllers (i.e. independent controllers).
The provisions in clauses 1 and 19 to 21 are applicable regardless of the service contracted.
1. DEFINITIONS
In this Agreement, the following terms shall have the meanings defined below:
1.1. “Data Protection Laws and Regulations” means any law and regulation, including any decision published by any competent Government Authority, applicable to the Processing of Personal Data carried out within the context of the Contract.
1.2. “Controller’s Personal Data” means any Personal Data shared by the Controller to the Contracted Party or any of their Processors for processing purposes, including Sensitive Personal Data, in the context of the Agreement.
1.3. “Data Processing” means any operation carried out with Personal Data, such as collection, production, receipt, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, evaluation or control of the information, modification, communication, transfer, dissemination or extraction.
1.4. “Services” means the services and other activities that will be provided or performed by or on behalf of the Processor for the Controller Party pursuant to the Contract;
1.5. “Subprocessor” means any natural or legal person who, on behalf of the Processor, will process Personal Data on behalf of the Controller under the Contract.
1.6. Employee(s)” means any employee, worker, including subcontractors or outsourced staff, representatives or designees, remunerated or not, under a full or partial regime, who act on behalf of the Parties and have access to the Personal Data.
1.7. “Government Authorities” means any authority, including judicial, vested with powers to inspect, judge and apply pertinent laws.
1.8. “Security Incident” means any adverse security event or set of events, confirmed or suspected that impacts the availability, integrity, confidentiality or authenticity of an information asset. In the case of this Agreement, the expression will refer to incidents involving Personal Data.
1.9. “End Date” has the meaning described in this Agreement/Schedule, where applicable.
PAYMENT SERVICES – PROCESSOR (EBANX) X CONTROLLER (CONTRACTOR) RELATIONSHIP
The clauses agreed below will solely be, and will be exclusively, applicable in the case of contracting EBANX Payment Services.
2. Processing of the Controller’s Personal Data
2.1. The performance of the Contract presupposes the sharing of Personal Data from the Controller to the Processor. With regard to activities involving the Processing of Personal Data pursuant to the context of the Contract, the Processor shall:
i. Ensure the confidentiality of the Controller's Personal Data, by itself and its Collaborators who may have access to it; and
ii. Process Personal Data in accordance with all applicable Data Protection Laws and Regulations, including those in force after the signing of this Agreement, and in accordance with the Controller's instructions, except in cases where the Processing is necessary for compliance with legal or regulatory obligations to which the Processor is subject, or for carrying out the Processor's business activities, in accordance with the Data Protection Laws and Regulations.
iii. The Processor will make available to the Controller, upon request, all information necessary to demonstrate compliance with its obligations under Data Protection Laws and Regulations, allowing the Controller to carry out audits of the Processor's processes.
iv. The Processor shall inform the Controller if it understands that a processing instruction violates Data Protection Laws and Regulations.
2.2. If the Processor performs any Processing activity unrelated to the performance of the Contract, said Processing activity shall occur outside the context of this Agreement. The Processor shall be deemed the sole Controller in relation to that activity, and the Controller shall be released from any obligation or liability derived therefrom.
2.3. The Processor shall notify the Controller of any requests for disclosure of Personal Data, even if legally required, and shall inform the Controller which Personal Data have been disclosed, to whom and when.
2.4. The Controller shall:
2.4.1. Make the Personal Data available so that the Processor can perform the contracted Services, ensuring that the Personal Data has been collected in accordance with the provisions and principles of the Data Protection Laws and Regulations, and especially that the processing intended by the Controller is duly grounded on one of the legal basis set out by Data Protection Laws and Regulations;
2.4.2. Provide the Processor with all the necessary instructions for carrying out the Personal Data Processing activities that need to be performed in the context of the Contract;
2.4.3. Promptly inform the Processor whenever there are changes or inaccuracies in the Personal Data; and
2.4.4. Cooperate with the Processor, where applicable, in the fulfillment of requests regarding the rights of data subjects provided for in the Data Protection Laws and Regulations and other applicable laws, and also to comply with any requests from Government Authorities.
3. Security
3.1. The Processor shall implement appropriate technical, administrative and organizational measures compatible with the Processing activities performed. To assess the appropriate level of security, the Processor shall consider the risks posed by the Processing activity, in particular those related to Security Incidents.
3.2. New RDS instances and snapshots are encrypted at rest by default. Encrypted DB instances use the AES-256 encryption algorithm.
3.3. Production domains are managed by Cloudflare, which has resources to protect endpoints and guarantee the use of HTTPS.
3.4. For the CDE environment, it is carried out via an HTTPS connection with external service providers, imposed through code.
4. Subprocessor
4.1. The Processor may, when necessary for the performance of the Personal Data Processing activities, hire Subprocessors to assist it in the performance of the Contract.
4.2. The Processor must, when carrying out any Processing activity through a Subprocessor, ensure, through a specific contract signed with the Subprocessor, a security level equivalent to this Agreement.
4.3. The Controller may request information about Subprocessors through the email privacy@ebanx.com.
5. International Data Transfers
5.1. If an international Data transfer, by the Processor, is necessary for performance of the Contract, and the country of destination does not have an appropriate level of protection for Personal Data in accordance with the Government Authorities determinations, then the Processor shall ensure that the International Data Transfer will be made pursuant to one of the mechanisms contemplated in the Data Protection Laws and Regulations applicable.
5.2. The Controller may request information about how the Processor carries out international transfers, via email at privacy@ebanx.com.
6. Rights of Data Subjects
6.1. The Processor undertakes to notify and support the Controller in the event of receiving a request from a Data Subject in connection with any Processing activity carried out on behalf of the Controller in the context of the Agreement, so that the Controller may take appropriate action.
7. Security Incident
7.1. The Processor shall notify the Controller with no unjustified delay when it identifies the existence of a Security Incident that may entail material risk or harm to the Data Subjects and, if necessary, will provide sufficient information to enable the Controller to comply with any requirements under Data Protection Laws and Regulations.
7.2. The Controller shall not disclose any information concerning the Security Incident, unless otherwise authorized by the Processor or required by determination of the Government Authorities or by Data Protection Laws and Regulations.
7.3. If the Controller is responsible for the Security Incident, it shall indemnify the Processor for all costs incurred during the investigation of the incident and in relation to all actions taken by the Processor to respond to or minimize the impacts of the Security Incident.
8. Government Authorities
8.1. The Processor shall inform the Controller if it receives requests for information or determinations by the Government Authorities in relation to any Processing activity carried out in the context of the Contract, so that the Controller may take the appropriate measures.
8.2. After proper evaluation, the Processor shall reject requests for the disclosure of Personal Data that are not mandatory by law.
9. Exclusion and Return of Personal Data
9.1. Upon termination of the Contract, the Processor shall, when requested in writing by the Controller, return or delete the Personal Data processed on behalf of the Controller, and may retain Personal Data that is necessary for compliance with legal or regulatory obligations to which the Processor is subject, or for carrying out the Processor's business activities, in accordance with the Data Protection Laws and Regulations.
ANTI-FRAUD SERVICES – CONTROLLER (EBANX) X CONTROLLER (CONTRACTOR) RELATIONSHIP
The clauses set out below will only be, and will be exclusively, applicable in the case of contracting EBANX Anti-Fraud Services.
10. Processing of Personal Data
10.1. The performance of the Contract presupposes the sharing of Personal Data between both Parties. The Parties agreed with regard to activities involving the Processing of Personal Data pursuant to the context of the Contract:
10.1.1. Process the Personal Data in accordance with all applicable Data Protection Laws and Regulations, including those coming into force after the signing of this Agreement, ensuring in particular that every Processing activity be duly justified on one of the legal bases established by Data Protection Laws and Regulations.
10.1.2. Process only the Personal Data necessary for execution of the Contract, in accordance with Appendix 1 (when filled out) and solely for the purposes of the Contract, except if the Processing is required for fulfillment of legal or regulatory obligations to which the Contracted Party is subject.
10.1.3. If the Contracted Party has access, in the context of the Contract, to Personal Data that it considers excessive or not necessary for the execution of the Contract, it shall immediately notify the other Party and disable such Personal Data.
10.1.4. If the Contracted Party performs any Processing activity unrelated to the performance of the Contract, said Processing activity shall occur outside the context of this Agreement. The Party which executes the processing shall be deemed the sole Controller in relation to that activity, and the other Party shall be released from any obligation or liability derived therefrom.
10.1.5. Mutually cooperate to ensure proper compliance with the obligations relating to the exercise of Data Subject's rights under the Data Protection Laws and Regulations applied and fulfillment of any requests from the Inspection Authorities, within the limit of their activities.
10.1.6. The Parties shall not use any type of tool, technology, reverse engineering or other method intended to identify the Data Subjects, where Personal Data was shared in a manner that does not permit direct identification of the Data Subjects without cross-checking with other information or with access to the identification key.
11. Employees
11.1. The Parties shall ensure that the Processing of Personal Data performed in the context of the Contract will be restricted to the Employees responsible for the Processing, in accordance with section 10.1.2 of this Agreement, and that such Employees:
11.1.1. Have received training in connection with Data Protection principles and processing laws; and
11.1.2. Know the obligations of the Parties, including the obligations contemplated in this Agreement.
11.1.3. The Parties shall ensure that all Employees are subject to confidentiality agreements or professional or statutory obligations of confidentiality and data protection.
12. Security
12.1. Each Party shall implement appropriate technical, administrative and organizational measures compatible with the Processing activities performed. To assess the appropriate level of security, the Parties shall consider the risks posed by the Processing activity, in particular those related to Security Incidents.
12.2. The Parties may establish, in writing, minimum security criteria which they deem necessary for performance of the Contract and which shall be adopted by the Parties.
12.3. The Parties undertake to regularly test, assess and evaluate the effectiveness of the technical, administrative and organizational measures for ensuring security of the operations involving the Processing of Personal Data.
13. Subcontractors
13.1. When any Processing Activity is carried out through a Subcontractor, whether Controller or Processor, the Parties must, in relation to this Subcontractor:
13.1.1. Preserve the integrity and accuracy of Personal Data, and must update, correct or delete such data at the request of the other Party;
13.1.2. Verify, through due diligence or equivalent procedure, that each Subcontractor is able to guarantee a level of Personal Data protection, at least, equivalent to this Term and provide evidence of this verification;
13.1.3. Enter into a formal Agreement with each Subcontractor, which the content must include provisions, at least, equivalent to this Term; and
13.1.4. Be responsible for all actions and omissions of the Subcontractor in relation to the processing of Personal Data.
13.1.5. Any information regarding the Subcontractors must be formalized by the Parties.
14. International Data Transfers
14.1. If an international Data transfer, by the Contracted Party, is necessary for the performance of the Contract, and the country of destination does not have an appropriate level of protection for Personal Data in accordance with the Government Authorities determinations, then the Contracted Party shall ensure that the international Data transfer will be made pursuant to one of the mechanisms contemplated in the Data Protection Laws and Regulations.
15. Rights of Data Subjects
15.1. The Parties shall mutually cooperate with in complying with the obligations related to the exercise of Data Subject's rights, in consonance with Data Protection Laws and Regulations.
15.2. The Parties shall:
15.2.1. Immediately notify the other Party upon receiving a request from the Data Subject, when related to any Processing activity performed under the Contract; and
15.2.2. Refrain from responding to any Data Subject's request related to the Personal Data of the other Party until this Party provides its written agreement with the contents of the response to be presented to the Data Subject, except where the timeframe for responding to the request is shorter than 48 hours, in accordance with the Data Protection Laws and Regulations.
16. Security Incident
16.1. When a Party identifies the occurrence of a Security Incident that may cause material damage to the Data Subject, in accordance with the Data Protection Laws and Regulations and any regulations that may be issued by the Government Authorities, this Party shall immediately notify the other Party. This notice shall include sufficient information (containing at least a description of the event, date, cause, possible impacts on the Data Subjects to whom the Personal Data relate, mitigation actions adopted, and next steps) so that the interested Party can comply with any requirements imposed by Data Protection Laws and Regulations.
16.2. The Parties shall at its own expense investigate the causes and consequences of the Security Incident, and take the necessary measures to remedy its consequences, promptly informing the Parties about all measures so taken.
16.3. The Parties shall maintain records on the Security Incident, including at least (a) a description of the nature of the Security Incident, (b) a description of the consequences of the Security Incident, and (c) a description of the measures taken or proposed by the other Party to cope with the Security Incident.
16.4. The Parties shall not disclose any information concerning the Security Incident, unless otherwise authorized by the Contracting Party or required by determination of the Government Authorities, pursuant to the applicable law.
17. Government Authorities
17.1. The Parties shall mutually cooperate in complying with obligations or requests imposed by any competent Government Authority.
17.2. The Parties shall forthwith inform the other Party upon receiving requests for information or determinations from the Government Authorities relating to any Processing activity performed within the context of the Contract. If such requests or determinations are related to the Personal Data shared by the other Party, then the Party subpoenaed shall submit a suggestion of answer for the other Party's validation within the time period prescribed by law or determined by the Government Authorities.
18. Exclusion and return of Personal Data
18.1. Each Party, when the activities involving the Processing of Personal Data within the context of the Contract are finished (“End Date”), the shall interrupt the processing of the Personal Data of the other Party and, upon written request, shall delete the Personal Data relating to the completed activities, as well as all existing copies (in digital or physical form), unless maintenance of the Personal Data is necessary for complying with a legal or regulatory obligation.
18.2. The Parties may, at its sole discretion, by giving written notice to the other Party, within 30 calendar days from the End Date, require that the other Party return a full copy of all Personal Data processed under the Contract, via a secure transfer and interoperable or proprietary format for the other Party.
18.3. The Parties shall provide the other Party with written certification that they have fully complied with this section within 30 calendar days from the End Date.
GENERAL CLAUSES APPLICABLE FOR ANY SERVICES PROVIDED BY EBANX
The provisions in clauses 1 and 19 to 21 are applicable regardless of the service contracted.
19. Indemnification
19.1. The Parties shall indemnify, defend and exempt the other Party and/or its affiliates from and against any liability, loss, claim, damage, fine, penalty and expense (including, without limitation, fines, compensation for damage, costs incurred with reparation efforts, and attorneys' fees and costs resulting from or relating to any suit, claim or allegation of third parties, including, without limitation, any regulatory or governmental authority) arising out of noncompliance with this Agreement and/or with the Data Protection Laws and Regulations.
19.2. If the Government Authorities imposes sanctions to the Parties in connection with this Agreement, and if verified negligence, willful misconduct or other liability of the other Party, then this Party shall pay the financial penalty – when applicable - and/or indemnify the innocent Party, including for damage to reputation suffered, in addition to costs and expenses incurred in the course of the administrative proceeding.
19.3. This Agreement does not create joint liability between the Parties for any penalties relating to the Processing activities performed under the Contract, so each Party shall be held severly liable within the limit of its activities.
20. Liability
20.1. The indemnification obligations agreed on this Term, shall be additional to, and not in exclusion of, any indemnification obligation appearing in the Contract.
20.2. It is also established that this Agreement: (i) does not result in any limitation of liability or obligation to indemnify of the Contracted Party by reason of the Processing of Personal Data performed under the Contract; and (ii) does not prevent the Contracting Party from exercising any rights it may have in relation to this Agreement.
21. General Provisions
21.1. Without prejudice to any provisions regarding mediation and jurisdiction:
21.1.1. The Parties hereto submit to the choice of the jurisdiction stipulated in the Contract in connection with any disputes or claims that may in any way result from this Agreement, including disputes relating to its existence, validity or termination or the consequences of its nullity; and
21.1.2. This Agreement and all extracontractual obligations or other obligations arising out of or relating to this Agreement shall be governed by the laws of the country or territory stipulated for this purpose in the Contract.
21.1.3. In the event of conflict between the provisions of this Agreement and the Contract or any other document performed between the parties, specifically in connection with activities involving the Processing of Personal Data, the provisions of this Agreement shall prevail, except where a supervening document is executed between the parties, expressly declaring the subsidiary nature of this Agreement.
21.1.4. This Agreement may be amended at the discretion of the Parties or in the event of a supervening law or regulation or determinations by the Government Authority requiring a change in its provisions. The new provisions shall be agreed upon in good faith by the Parties and always in writing in the form of an amendment to this Agreement.
21.1.5. If any provision of this Agreement is held void, invalid or unenforceable, the remaining provisions hereof shall remain in full force and effect. The void, invalid or unenforceable provision shall be amended to ensure its validity and effectiveness, while preserving the intention of the Parties.
21.1.6. This Agreement shall remain in effect until termination of the Contract for any reason.
21.1.7. This Agreement shall survive the expiration of the Contract and continue to bind the Contracted Party in relation to activities involving the Processing of Personal Data of the Contracting Party which originate from the Contract and continue to be performed, though only for purposes of complying with a legal or regulatory obligation.
This Agreement is performed and becomes an integral and mandatory part of the Contract, with effects as from the date hereof, applying, however, to all activities regarding the processing of Personal Data performed since the date of performance of the Contract.