Terms of Service

These PCI Pal (U.S.) Terms of Service (this “Agreement”) apply to the PCI Pal Offering, as that term is hereinafter defined, and to any other website or application offered by us that references or links to this Agreement. The parties agree that no “click through,” “shrink wrap,” “browse wrap,” or other similar agreements will apply to the receipt and use of the PCI Pal Offering (defined below) by Customer (and shall be void and unenforceable against Customer, its affiliates, and its and their subcontractors, licensors, officers, directors, agents, employees, representatives, successors, and assigns).

Agreement.  PCI Pal (U.S.), Inc. (“PCI Pal,” “we,” “us” or “our”), operates an interactive PCI DSS compliant payment processing solution (the “Platform”), which provides the PCI Pal software and related implementation and support services (the “Services”; the Platform and the Services, and all updates and upgrades thereto, are sometimes referred to later in this Agreement as the “PCI Pal Offering”). Subject to the terms and conditions of this Agreement, PCI Pal offers Customer the PCI Pal Offering through online marketplaces (“Resellers”).  By accepting this Agreement, either by accessing the PCI Pal Offering or authorizing or permitting any individual to access or use the PCI Pal Offering, Customer (A) agrees to be bound by this Agreement and the PCI Pal Privacy Policy, and (B) represents that Customer is 18 years of age or older or otherwise legally competent to enter into a binding agreement.  If Customer is entering into this Agreement on behalf of a company or organization, Customer agrees to this Agreement on behalf of such company or organization, and represents and warrants that Customer has authority to bind such company or organization to this Agreement. If you do not agree to the terms of this Agreement, do not access the PCI Pal Offering.  The communications between Customer and PCI Pal use paper and email.  For contractual purposes, each party (a) consents to receive communications from the other party by paper or email; and (b) agrees that all agreements, notices, disclosures, and other communications that party provides to the other party by email satisfy any legal requirement that such communications would satisfy if it were in a writing.

1.                   License.  Subject to the terms and conditions of this Agreement, during the term of this Agreement PCI Pal will make the PCI Pal Offering available to Customer and Customer’s authorized users, and grants to Customer and Customer’s authorized users, a non-exclusive, non-transferable (except as set forth in Section 15), non-sublicensable, worldwide, royalty-free, revocable right and license to use the PCI Pal Offering solely in connection with your internal business operations and for no other purpose.  Customer accepts sole responsibility for the use of the PCI Pal Offering by Customer and Customer’s authorized users.  Customer will abide by the terms of this Agreement.  From time to time, you may choose to submit comments, questions, ideas, suggestions or other feedback relating to the PCI Pal Offering, any support provided or any other services provided to you in connection with your use of the PCI Pal Offering (“Feedback”) to PCI Pal.  By submitting any Feedback to PCI Pal, you hereby grant, to the extent you have the authority to so grant, PCI Pal the rights and license to freely use, copy, disclose, license, distribute and exploit such Feedback in any manner without any obligation, royalty or restriction based on intellectual property rights or otherwise.  Nothing in this Agreement limits PCI Pal’s right to independently use, develop, evaluate, or market products or services, whether incorporating Feedback or otherwise.  PCI Pal, through its Resellers, may also provide Customer any specifications, technical manuals and other materials provided by or made available by PCI Pal relating to the Software (“Documentation”) to be used by Customer in accessing and using the PCI Pal Offering. Customer shall only use the Documentation in connection with its permitted use of the PCI Pal Offerings.  Customer shall not copy, redistribute, transfer, modify, translate, adapt, publicly display, perform, create derivative works from, assign, or in any way use the Documentation except pursuant to this Agreement.

 

2.                   Obligations.  Each party will comply with all applicable laws, regulations, and third-party rights (including, without limitation, laws regarding the import or export of data or software, privacy and local laws) in its provision or use of the Services.  Customer will not use the Services to encourage or promote illegal activity or violation of third-party rights.  Customer may not (a) decompile, disassemble, or reverse engineer the Services or any portion thereof or otherwise attempt to derive Source Code from any encrypted or encoded portion of the Software; (b) attempt to gain unauthorized access to the Services, any portion thereof, including content accessible via the Platform, or any other system or platform through the Services; (c) use illegally any automatic device, program, algorithm, or methodology, or engage in harvesting of email addresses or other personal information, unsolicited emailing, phone calls or mailings, spoofing, flooding, overloading, spidering, screen scraping, database scraping, or any similar or equivalent manual process to access, acquire, copy or monitor any portion of the Services or any content on the Services; (d) modify or create a derivative work of any encrypted or encoded portion of the Software, or any other portion of the Software; (e) publicly disseminate performance information or analysis (including, without limitation, benchmarks) from any source relating to the Software; (f) merge the Software with other software except to the extent such Software will interoperate with other software as specifically contemplated by the Documentation (and in this case, with the Reseller platform); (g) distribute, digitally transmit, publicly perform, sublicense, lease, rent, loan, pledge, permit a lien upon, or otherwise transfer or assign (except in compliance with Section 15) to any third party the Software or any of your rights under this Agreement; (h) permit third parties to benefit from the use or functionality of the Software via a timesharing, service bureau or other similar arrangement, nor provide access to the Software to any third party in the nature of an application service provider, except to the extent such use is expressly specified in this Agreement, including the right to use the Software incidental to the offering of your own services to your customers; or (i) use the Software in any manner that violates this Agreement.  Customer will not use the Services in any manner that is intended to damage, disable, overburden or impair the Services or interfere with any other party’s use and enjoyment of the Services.  Customer may not obtain or attempt to obtain any materials or information through any means not intentionally made available or provided for through the Services.  For purposes of this Agreement, “Source Code” means a fully documented human-readable source code form of the Software sufficient to allow a reasonably skilled programmer to understand the design, logic, structure, functionality, operation and features and to use, operate, maintain, modify, support and diagnose errors. PCI Pal represents and warrants that the PCI Pal Offering will be free from material workmanship defects and conform in all material respects with the Documentation, and will operate in accordance with the service levels described in the Service Level Agreement attached hereto as Exhibit B and incorporated herein by this reference (the “Service Level Agreement”). PCI Pal will use commercially reasonable measures to ensure that the PCI Pal Offering is and will remain free from Malicious Code, and PCI Pal shall promptly provide to Customer written notice in reasonable detail upon becoming aware of the existence of any Malicious Code in the PCI Pal Offering or any of the features or functions that pose a risk to Customer, any user, or Customer’s Confidential Information and PCI Pal shall cooperate as is reasonably necessary with any efforts that Customer makes to contain and remediate the situation. “Malicious Code” means any technique, software, computer instruction, code or device or method, that is designed or intended to damage, delete, corrupt, impair, gain unauthorized access to or take over the operation of, or prevent or hinder access to any computer or other hardware, network, software, any storage medium or device, data, or database or which does any of the same (whether by, in whole or in part, installing itself, enabling remote unauthorized access, or altering, erasing, duplicating, rearranging within or bombarding the computer or other hardware, network, software, any storage medium or device, data, or database or otherwise), including computer viruses, worms, Trojan horses, logic bombs, trapdoors, backdoors, sniffers, ransomware and all other so-called “malware” and any other similar things of like intent, use or purpose.

 

3.                   Account.  When Customer orders the PCI Pal Offering through a Reseller, Customer represents to PCI Pal that the information Customer provides PCI Pal about Customer is to its knowledge truthful, accurate, complete, and current.  Submission of materially false, misleading, inaccurate, incomplete, obsolete, or other information prohibited under this Agreement may result in temporary suspension of your account on the Services until such inaccuracies are resolved.  Customer is responsible for implementing reasonable measures to maintain the confidentiality of its account information, including, without limitation, account password and restricting access to that account.  Customer is responsible for any and all of Customer’s activities under its account, including, without limitation, any activity that occurs solely as a direct result of its failure to keep secure and maintain the confidentiality of its account credentials.  Customer must notify PCI Pal promptly upon becoming aware of any breach of security or unauthorized use of its account.  It is Customer’s sole responsibility to control the dissemination and use of its password by Customer’s authorized users, and control access to and use of its account by its authorized users.  PCI Pal will not be responsible or liable for any loss or damage arising from Customer’s failure to secure its account credentials.

 

4.                   Modifications.  Customer acknowledges that PCI Pal may modify the Services, as the case may be, from time to time, provided the modification does not result in a material reduction of the functionality, performance, availability, or security of the Services.  Customer acknowledges that the PCI Pal Offerings are online, subscription based products, and that PCI Pal may issue changes to the PCI Pal Offerings, including Improvements, as that term is defined later in this Agreement, and PCI Pal may update the Documentation accordingly.  Subject to any existing obligations including Section 12, PCI Pal can discontinue any PCI Pal Offerings or any portion or feature of any PCI Pal Offerings upon ninety (90) days’ prior notice to Customer for any reason at any time.

 

5.                   Ownership.  The Services, including, without limitation, the software to operate and provide the Platform, including all Source Code thereof (the “Software”) and the information contained therein contain copyrighted materials, trademarks, proprietary data, research and other information belonging to PCI Pal or used with permission of licensors of PCI Pal.  The Services and all content and materials on the Services, including, without limitation, all graphics, interfaces, features, functions, text, button icons, data compilations, software, code and materials thereon, the “look and feel”, selection and arrangement, design and organization of the Services, trademarks and logos, audio and video clips, are owned by, or licensed to, us.  PCI Pal and its licensors and service providers reserve and shall retain their entire right, title, and interest in and to the PCI Pal Offering, including, without limitation, all copyrights, trademarks, and other intellectual property rights therein or relating thereto, except as expressly granted to you under this Agreement.  Customer acknowledges and agrees that the PCI Pal Offering are provided under limited license and access rights and not sold to Customer.  Customer does not acquire any ownership interest in the PCI Pal Offering under this Agreement, or any other rights thereto other than to use the PCI Pal Offering in accordance with the limited license and rights granted under this Agreement, and subject to all terms, conditions, and restrictions, under this Agreement.  No copying, redistribution, retransmission, publication or commercial exploitation of any material available on or through the Services is permitted without the express permission of PCI Pal or the copyright owner, as the case may be, or except as may be expressly authorized by applicable copyright laws.  You shall not (a) intentionally remove, delete, alter, or obscure any trademarks or any notices of copyright, trademark, patent or other intellectual property or proprietary rights from the PCI Pal Offering, including any copy thereof; or (b) rent, lease, lend, sell, sublicense, assign, distribute, publish, transfer or otherwise make available the Services, or any features or functionality of the PCI Pal Offering, to any third party for any reason except as necessary to use the PCI Pal Offering and as set forth in this Agreement (including Section 15).  As between the parties, Customer reserves and shall retain Customer’s entire right, title, and interest in and to all Customer  Information and confidential and proprietary information and materials made available by or on behalf of Customer under this Agreement.

 

6.                   Support.  PCI Pal agrees to provide maintenance of the PCI Pal Offering to ensure continued operation of the PCI Pal Offering in accordance with the Service Level Agreement.

 

7.                   Fees. PCI Pal acknowledges and agrees that Customer does not pay fees to PCI Pal directly as Customer pays Reseller, which shall make corresponding payment to PCI Pal.  If PCI Pal is not paid on time by Reseller for the fees associated with the PCI Pal Offering provided to Customer, PCI Pal shall notify Customer and Customer shall make payment for the fees due for the PCI Pal Offering provided to Customer within ten (10) days.  PCI Pal may suspend or terminate providing the PCI Pal Offering to Customer only if Customer does not make such payment within such ten (10) day period.

 

8.                   Disclaimer.  THE PCI PAL OFFERING, INCLUDING, WITHOUT LIMITATION, ANY SERVER AND NETWORK COMPONENTS, ANY MATERIALS, INFORMATION, CONTENT, FUNCTIONS, PRODUCTS, TEXT, GRAPHICS AND LINKS, ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS, AND ARE PROVIDED WITHOUT WARRANTIES OF ANY KIND, WHETHER EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INTERFERENCE, SYSTEM INTEGRATION, AND WARRANTIES ARISING FROM TRADE USAGE, COURSE OF DEALING OR COURSE OF PERFORMANCE.  WE DO NOT WARRANT THAT (A) THE SERVICES WILL FUNCTION UNINTERRUPTED OR BE AVAILABLE AT ANY PARTICULAR TIME OR LOCATION; (B) ANY ERRORS OR DEFECTS WILL BE CORRECTED; (C) THE SERVICES ARE FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS; OR (D) THE RESULTS OF USING THE SERVICES WILL MEET YOUR REQUIREMENTS.  WE DO NOT MAKE ANY WARRANTIES OR REPRESENTATIONS REGARDING THE USE OF CONTENT ON THE SERVICES OR WITH RESPECT TO ITS COMPLETENESS, ACCURACY, TRUTHFULNESS, AVAILABILITY, ADEQUACY, USEFULNESS, TIMELINESS, RELIABILITY OR OTHERWISE.

 

9.                   Limitation of Liability.  TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT WILL EITHER PARTY OR ITS AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, SUPPLIERS OR LICENSORS BE LIABLE TO THE OTHER PARTY FOR ANY LOST PROFITS, LOST SALES OR BUSINESS, LOSS OF GOODWILL, BUSINESS INTERRUPTION, OR ANY OTHER CONSEQUENTIAL, INCIDENTAL, INDIRECT, EXEMPLARY, SPECIAL, OR PUNITIVE DAMAGES.  THE FOREGOING LIMITATIONS WILL APPLY WHETHER SUCH DAMAGES ARISE OUT OF BREACH OF CONTRACT, TORT (INCLUDING, WITHOUT LIMITATION, NEGLIGENCE), OR OTHERWISE AND REGARDLESS OF WHETHER SUCH DAMAGES WERE FORESEEABLE OR COMPANY WAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.  NEITHER PARTY’S AGGREGATE LIABILITY TO THE OTHER PARTY SHALL EXCEED AN AMOUNT EQUAL TO $30,000.  EACH PARTY ACKNOWLEDGES THAT THIS PARAGRAPH IS AN ESSENTIAL PART OF THIS AGREEMENT, ABSENT WHICH THE ECONOMIC TERMS AND OTHER PROVISIONS OF THIS AGREEMENT WOULD BE SUBSTANTIALLY DIFFERENT. Some jurisdictions do not allow the exclusion of implied warranties or limitation of liability for incidental or consequential damages, which means that some of the above limitations may not apply. In those jurisdictions, each party’s liability will be limited to the maximum extent permitted by applicable law.  TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, THE FOREGOING LIMITATIONS IN THIS SECTION 10 SHALL NOT APPLY TO (A) EITHER PARTY’S INDEMNIFICATION OBLIGATIONS UNDER THIS AGREEMENT, (B) BREACH OF EITHER PARTy’s CONFIDENTIALITY OBLIGATIONS , (B) PCI Pal’s VIOLATION OF LAW, OR (C) EITHER PARTY’s GROSS NEGLIGENCE; PROVIDED HOWEVER, NOTWITHSTANDING ANY OF THE FOREGOING THAT MAY BE TO THE CONTRARY, THE ENTIRE LIABILITY OF PCI PAL HEREUNDER SHALL NEVER EXCEED, INDIVIDUALLY OR IN THE AGGREGATE, UNDER ANY THEORY WHATSOEVER, THE AMOUNT OF $100,000 usD. The limitations set forth in this Section will survive and apply even if any limited remedy specified in this Agreement is found to have failed of its essential purpose.

 

10.               Indemnification; Injunctive Relief.  Customer will indemnify, defend and hold harmless PCI Pal from and against any third-party claim to the extent arising solely from Customer’s violation of applicable law; provided that, the foregoing does not obligate Customer to the extent the claim arises out of PCI Pal’s willful misconduct, fraud, or negligence.  PCI Pal agrees to indemnify, defend, and hold Customer, Customer’s affiliates, and its and their subcontractors, licensors, officers, directors, agents, employees, representatives, successors, and assigns from and against any and all damages, liabilities, losses, fines, awards, penalties, obligations, judgments, and costs and expenses (including reasonable attorneys’ fees) related to a third party claim, demand, allegation, suit, proceeding, or other cause of action arising out of or related to (a) actual or alleged infringement, misappropriation or violation of the intellectual property or other rights of any other person or entity by the PCI Pal or the PCI Pal Offering, in whole or in part (b) PCI Pal’s material breach of this Agreement, (c) PCI Pal’s violation of applicable law, or (d) PCI Pal’s negligence, gross negligence, fraud, or willful misconduct. The parties acknowledge that a breach by a party of any confidentiality or proprietary rights provision of this Agreement may cause the other party irreparable damage, for which the award of damages may not be adequate compensation.  Consequently, non-breaching party may institute an action to enjoin the breaching party from any and all acts in violation of those provisions, which remedy shall be cumulative and not exclusive, and the non-breaching party may seek the entry of an injunction enjoining any breach or threatened breach of those provisions, in addition to any other relief to which non-breaching party may be entitled at law or in equity.

 

11.               Term and Termination.  This Agreement commences on Customer’s use of the Services and will remain in effect until terminated pursuant to this Section.  Either party may terminate this Agreement upon written notice to the other party in accordance with this Agreement; provided that, PCI Pal must provide Customer written notice at least 90 days prior to PCI Pal’s termination of this Agreement.  Any termination of this Agreement shall also terminate the licenses granted by PCI Pal to Customer hereunder.  If PCI Pal believes or determines, in its sole and reasonable discretion, that Customer has materially violated any of the terms of this Agreement, then PCI Pal may suspend or revoke the licenses granted hereunder upon 30 days’ prior notice to Customer.  This Agreement and your access rights to the PCI Pal Offering will terminate automatically upon Your material breach of any of the terms of this Agreement and failure to cure such breach within sixty (60) days of PCI Pal notifying you. All provisions of this Agreement which by their nature should survive termination shall survive, including, without limitation, Sections 6, 9 through 12, 14, 15, and 16.

 

12.               Processing, Collection and Use of Information.  The Data Processing Agreement attached hereto as Exhibit A and incorporated herein by this reference (the (“DPA”) shall govern the Processing of Personal Data, as those terms are defined in the DPA, under this Agreement. You acknowledge that PCI Pal may, directly or indirectly, collect and store de-identified information regarding Customer’s use of the PCI Pal Offerings, including the Software, and about equipment through which the Platform is accessed or used.  You agree that PCI Pal may use such de-identified information for any purpose related to any use of the PCI Pal Offerings, including the Software, including, without limitation, improving the performance of the Software or developing any improvement on, modification or alteration of, or enhancement to any part or all of the PCI Pal Offering (“Improvements”), and verifying compliance with the terms of this Agreement and enforcing PCI Pal’s rights, including all intellectual property rights in and to the PCI Pal Offering, including the Software.

 

13.               Confidentiality.  “Confidential Information” means any non-public proprietary information of a party to this Agreement disclosed by a party (“Disclosing Party”) to the other party (“Receiving Party”) whether in oral, written, graphic, machine readable, or other tangible form that would reasonably be understood to be confidential given the nature of the information and the circumstances surrounding the disclosure, including without limitation the Software, and the terms and conditions of this Agreement, in each case whether or not marked as “Confidential”, “Proprietary”, or other similar designation.  Confidential Information will not include  any information that (a) was publicly known and made generally available prior to the time of disclosure, (b) became publicly known and made generally available after disclosure through no action or inaction of the Receiving Party, (c) was already in the possession of Receiving Party at the time of disclosure, (d) was obtained by the Receiving Party from a third party on a non-confidential basis without a breach of such third party’s obligations of confidentiality, or (e) is independently developed by the Receiving Party without use of or reference to Confidential Information of the Disclosing Party.  The Receiving Party will (i) treat as confidential all Confidential Information, (ii) not disclose such Confidential Information to any third party, except to its employees who have a need to know such information for the purposes of performing hereunder, and subject to a written agreement containing provisions substantially as protective as the terms of this Section, and (iii) will not use such Confidential Information except in connection with performing its obligations under this Agreement.  The Receiving Party may disclose Confidential Information if required by law so long as it provides the Disclosing Party prompt written notice of such requirement prior to disclosure and assistance in obtaining an order protecting such information from public disclosure.

 

14.               Insurance. Until two years following termination or expiration of this Agreement, PCI Pal shall maintain in force, through commercial insurance provider(s)), at a minimum the following insurance coverage, which shall be the primary insurance in connection with this Agreement and Customer shall be named as an additional insured under such policies:

(a)                commercial general liability insurance that includes, but is not limited to, coverage for bodily injury, property damage, contractual liability, and products/completed operations arising out of this Agreement, in an amount at least $1 million per occurrence and $2 million annual aggregate;

(b)                workers’ compensation insurance as required by any applicable law or regulation as well as employer’s liability insurance in an amount at least $1,000,000 per accident;

(c)                 professional liability insurance in the amount at least $4,000,000 in the aggregate;

(d)                umbrella/excess liability insurance, on an occurrence basis, providing coverage in excess of primary coverage, commercial general liability and employer’s liability, in the minimum amount of $5 million per occurrence and $5 million annual aggregate; and

(e)                privacy and network security (cyber liability) liability insurance coverage under its Errors and Omissions policy, with limits of at least $5 million per claim and in the aggregate.

1.2     Waiver of Subrogation. PCI Pal will obtain a waiver of rights of subrogation regarding the commercial general liability insurance and workers’ compensation and employer’s liability insurance by each insurer in favor of Customer.

 

15.               General Terms.  This Agreement is governed by, and construed in accordance with, the laws of the State of Delaware, without reference to its, or any other jurisdictions’, conflict-of-laws principles.  Any legal action brought under or in connection with the subject matter of this Agreement shall be brought only in the United States District Court or the State courts each located within the State of Delaware.  Each party submits to the exclusive jurisdiction of these courts and agrees not to commence any legal action under or in connection with the subject matter of this Agreement in any other court or forum.  The terms of the United Nations Convention on Contracts for the Sale of Goods do not apply to this Agreement. The Uniform Computer Information Transactions Act (UCITA) will not apply to this Agreement regardless of when or where adopted.  This Agreement constitute the entire agreement between Customer and PCI Pal with respect to the Platform and the Services and supersedes all prior and contemporaneous agreements of the parties regarding such subject matter.  Neither the course of conduct between us nor trade practice shall act to modify this Agreement.  If any provision of this Agreement is found to be illegal, invalid or unenforceable by a court of competent jurisdiction, such provision will be deleted from these Terms and the remaining provisions will continue with full force and effect.  Neither party may, directly or indirectly, by operation of law or otherwise, assign (in whole or in part) this Agreement or the party’s rights under this Agreement or delegate performance of its duties under this Agreement, without the other party’s prior written consent.  Any purported assignment, transfer or delegation by either party in violation of this section is null and void.  This Agreement is binding upon and inures to the benefit of the parties’ respective successors and permitted assigns.  The parties are independent contractors.  This Agreement does not create a partnership, franchise, joint venture, agency or other relationship between the parties.  No failure to exercise, and no delay in exercising, on the part of either party, any right or any power under this Agreement will act as a waiver thereof, nor will a single or partial exercise of any right or power under this Agreement preclude further exercise of that or any other right under this Agreement.  Neither of the parties shall be considered in default of performance under this Agreement to the extent that such performance is delayed or prevented by pandemics, epidemics, fire, flood, earthquake or similar natural disasters, riot, war, terrorism, civil strife, material shortages or rationing, governmental regulations, communication or utility failures, or casualties to the extent such default is beyond the reasonable control of such party, provided that the default (a) must occur without the party’s fault or negligence, (b) may not be caused directly or indirectly by the party’s own conduct or that of its employees, and (c) could not have been prevented or avoided through the exercise of reasonable diligence.

 

EXHIBIT A

DATA PROCESSING AGREEMENT

1. Definitions. For the purposes of this Data Processing Agreement (“DPA”), [Company] shall be referred to as the “Controller” and PCI Pal shall be referred to as the “Processor” and the following definitions shall apply:

 

1.1 “Anonymous Data” means Personal Data that has been processed in such a manner that it can no longer be attributed to an identified or identifiable natural person.

1.2 “Subcontractor” means a third-party subcontractor, agent, reseller, or auditor who has a need to know or otherwise access Personal Data to enable Processor to perform its obligations under this Addendum or the Agreement.

1.3 “Data Subject” means an identified or identifiable person to whom Personal Data relates.

1.4 “Instruction” means a direction, either in writing, in textual form (e.g. by e-mail) or by using a software or online tool, issued by Controller to Processor and directing Processor to Process Personal Data.

1.5 “Personal Data” means any information relating to Data Subject which Processor Processes on behalf of Controller other than Anonymous Data, and includes Sensitive Personal Information.

1.6 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

1.7 “Process” or “Processing” means any operation or set of operations which is performed upon the Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.

1.8 “Sensitive Personal Information” means a Data Subject’s (i) government-issued identification number (including social security number, driver’s license number or state-issued identification number); (ii) financial account number, credit card number, debit card number, credit report information, with or without any required security code, access code, personal identification number or password, that would permit access to an individual’s financial account; (iii) genetic and biometric data or data concerning health; or (iv) Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation or sexual activity, criminal convictions and offences (including commission of or proceedings for any offense committed or alleged to have been committed), or trade union membership.

1.9 “Services” shall have the meaning set forth in the Agreement.

 

2. Processing of Data

 

2.1 The rights and obligations of the Controller with respect to this Processing are described herein. Controller shall, in its use of the Services, at all times Process Personal Data, and provide instructions for the Processing of Personal Data, in compliance with the General Data Protection Regulation(Regulation (EU) 2016/679), the ePrivacy Directive (Directive 2002/58/EC), and the proposed ePrivacy Regulation (the “GDPR,” “ePrivacy Directive,” and “ePrivacy Regulation,” together, “Data Protection Laws”). Controller shall ensure that its instructions comply with all laws, rules and regulations applicable in relation to the Personal Data, and that the Processing of Personal Data in accordance with Controller’s instructions will not cause Processor to be in breach of the Data Protection Laws. Controller is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to Processor by or on behalf of Controller, (ii) the means by which Controller acquired any such Personal Data, and (iii) the instructions it provides to Processor regarding the Processing of such Personal Data. Controller shall not provide or make available to Processor any Personal Data in violation of the Agreement or otherwise inappropriate for the nature of the Services, and shall indemnify Processor from all claims and losses in connection therewith.

2.2 Processor shall Process Personal Data only (i) for the purposes set forth in the Agreement, and (ii) in accordance with the terms and conditions set forth in this Addendum and any other documented instructions provided by Controller. Controller hereby instructs Processor to Process Personal Data in accordance with the foregoing and as part of any Processing initiated by Controller in its use of the Services.

 

3. Authorized Subcontractors

 

3.1 Controller acknowledges and agrees that Processor may (i) engage its affiliates and the Subcontractors to access and Process Personal Data in connection with the Services and (ii) from time to time engage additional third parties for the purpose of providing the Services, including without limitation the Processing of Personal Data.

 

4. Rights of Data Subjects

 

4.1 Processor shall, to the extent permitted by law, promptly notify Controller upon receipt of a request by a Data Subject to exercise the Data Subject’s right of: access, rectification, restriction of Processing, erasure, data portability, restriction or cessation of Processing, withdrawal of consent to Processing, and/or objection to being subject to Processing that constitutes automated decision-making (such requests individually and collectively “Data Subject Request(s)”). If Processor receives a Data Subject Request in relation to Controller’s data, Processor will advise the Data Subject to submit their request to Controller and Controller will be responsible for responding to such request, including, where necessary, by using the functionality of the Services.

4.2 Processor shall, at the request of the Controller, and taking into account the nature of the Processing applicable to any Data Subject Request, apply appropriate technical and organizational measures to assist Controller in complying with Controller’s obligation to respond to such Data Subject Request and/or in demonstrating such compliance, where possible, provided that (i) Controller is itself unable to respond without Processor’s assistance and (ii) Processor is able to do so in accordance with all applicable laws, rules, and regulations. Controller shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Processor.

 

5. Indemnification

5.1 Controller shall indemnify and hold harmless Processor, its officers and directors, employees and its affiliates and their respective successors and assigns and each other person, if any, who controls any thereof, against any loss, liability, claim, damage and expense whatsoever (including, but not limited to, any and all expenses whatsoever reasonably incurred in investigating, preparing or defending against any litigation or regulatory action commenced or threatened or any claim whatsoever) arising out of or based upon Controller’s violation of or non-compliance with any Data Protection Laws. Controller further agrees to pay all costs, fees, and expenses (including legal costs) that Processor may sustain or incur as a result of Controller’s violation of or non-compliance with any Data Protection Laws.

 

 

EXHIBIT B

Service Level Agreement (STANDARD)

1. Glossary of Terms

• Working Hours – the period 08:30 to 17:30 (UK / US Regions) Monday to Friday excluding public holidays
• SLA – Service Level Agreement

 

2. Incident Resolution

2.1         Process

PCI Pal provides a 24-hour emergency engineer response to any service affecting incident categorised as Priority level 1 or 2. (Please note that the service must be in commercial use)

Any Priority level 3, 4 or 5 will be triaged and logged for response via email or follow up within the working hours below.  If you suspect your incident to be a Priority 1 or 2 incident, you must report these via telephone in the first instance, rather than any other communication method to ensure that SLA’s are triggered accordingly.

 

Priority Definitions:

The Company will classify the Priority of faults by agreement as follows:

 

PCI Pal define a “Response” as an automated acknowledgement reply to service desk requests logged by email, containing a case number / ticket id.  In the case of requests logged via telephone, response is defined as initial contact with an agent that will log details of the incident with the service desk portal.

 

“Response Time” is the time it takes to acknowledge a customer’s issue. It is measured from the time a request is received, by the customer via a phone call, email submission or via our portal, until the time that the customer is advised their problem has been received and is being addressed.

When you talk to us, it is important that you have an appropriately qualified member of staff on hand to consult with our support staff on the call.  Agents / Users should contact their own internal IT helpdesk who should carry out internal investigation and triage before contacting the PCI Pal service desk where necessary.

IMPORTANT: Information can be automatically gathered from the application and sent directly to the service desk for triage, by using the inbuilt function embedded in the ‘Protected by PCI Pal’ logo.   Reporting issues via this method means that the tickets contain all the session Ids and details required for PCI Pal to locate call logs and payment records quickly and efficiently.  Incidents should be reported to the service desk via this in-built platform reporting method (and followed up telephone in case of P1 / P2) wherever possible to allow quick location, diagnosis and response.

If a service desk request regarding a fault is found to be caused by an issue within the Customer’s network or users, PCI Pal reserve the right to charge for the time at the Professional Services Rate detailed in the services schedule. If this time is out of working hours, the charge will be increase by 50%.

 

3. PCI Pal Network

3.1         Network Maintenance

In the event of any planned network maintenance activity that is expected to have any impact to your service, PCI Pal will provide notice to you of at least 5 working days. Where PCI Pal is required to carry out emergency remedial work, we will endeavour to inform you as quickly as is practical.

 

The contact details provided by you within this document will be used in this instance.  We encourage all users to sign up to live updates and email alerts from our StatusPage system which will be updated in the event of any system issues. Please contact [email protected] for more information.

 

3.2         Network Availability

PCI Pal offers a target service uptime availability to the Customer as follows:

 

Third party integrations:

Where PCI Pal carries out development and integration work, to the customer’s specification, supply or provision of a third-party service shall not constitute part of the PCI Pal service, for calculating Network Availability and PCI Pal accept no responsibility of the availability of such a third-party service.

 

3.3         SLA Performance Metrics

Our performance metrics are measured 24/7/365 by our network monitoring infrastructure which will alert, by email, text message, and phone call, to our engineering team, who are also available 24/7/365.

 

 

3.4          Service Credits

Where the SLA is not met over the course of a single month period, PCI Pal agree to pay service credits to the Client as set out in this paragraph.

 

1. Failure to resolve a Priority 1 event within the service level will incur a service credit of £250 GBP/ $350 USD for the first failure in any month, followed by a service credit of £350 GBP / $485 USD for the second and £450 GBP / $625 USD for the third failure in any month. This is payable up to a maximum of 3 times per calendar month.

 

2. In addition, PCI Pal will credit a percentage of the monthly invoice value equivalent to the percentage of call failures in that month by the following:

 

Up to 20% call failures will receive a 10% reduction.

Above 20% call failures will receive a 25% reduction.

 

Example: If the client received 10000 calls in a month and 1500 of these calls failed due to a single Priority 1 event affecting the PCI Pal service, the client would receive a service credit of 10% against 15% of the invoice value for that month plus a single event credit of £250 GBP or $350 USD.

 

 

4. Escalation Procedure

PCI Pal has a culture of openness and ownership. However, if for some reason a customer is dissatisfied with the level of response they receive, the following escalation process should be used:

1.    PCI Pal does not dictate under what circumstance you escalate to the next responsible party. However, this process has been set out to best meet the needs of our customers and as such, should be followed in order.

 

5.          Performance Monitoring
PCI Pal is committed to continuous improvement and listening to its customers. A service review will be carried out on a regular basis to ensure we are complying with your SLA document.

 

Such reviews will be carried out by your PCI Pal Service representative, with other members of the support team attending where necessary or requested by you.

 

At such meetings, we would anticipate presenting network performance information, along with data on any specific service issues requested by you.

 

6.           Training
Training will generally be provided in three forms:

 

1)           Self-administered via PCI Pal’s Learning Management System (LMS)

2)           Formal training which will be undertaken in organised and pre-arranged forums

3)           Ad-hoc as required. This will generally be in the form of telephony or conference call based instruction.

 

Parties will need to be connected to the appropriate web site at the time.