Data Protection Addendum

This Data Protection Addendum (“DPA”) forms part of the agreement(s) between Merchants and Ecommend (“Company”) covering Merchant’s use of the Services (as defined in the Services Agreement executed by the parties) (“Agreement”) and governs the use of Customer Data (as defined below), and the related processing of Customer Personal Data (as defined below), by Company. The effective date of this DPA is the effective date of the first Agreement entered into between the parties (the “DPA Effective Date”). Words and phrases used in this DPA, other than those capitalized for grammatical purposes, are defined in the Section of this DPA in which they first appear as indicated by bold type or, if not so defined, have the meanings given to them in the Agreement. References to Articles and Sections are references to those in this DPA unless otherwise indicated.

1. SCOPE AND PURPOSE

The two-fold purpose of this DPA is to set forth Company’s obligations with respect to the:

(a) security of data provided by Customer to Company and processed by Company in connection with its performance of Services under the Agreement (“Customer Data”), regardless of whether it is personal data; and

(b) privacy and protection of those elements of Customer Data that constitute personal data under Comprehensive Data Protection Laws (defined in Article 3).

This DPA shall control over any conflicting data protection and/or privacy related terms or conditions in the Agreement (excluding terms governing use and disclosure of confidential information) as well as any data security or privacy document or policy posted on Customer’s websites, its supplier portals, or similar locations.

Company may update this DPA to reflect material changes in Company’s business practices or changes in applicable law, but in no event will any such change materially reduce the level of protection afforded to Customer Data when measured against Company’s obligation on the DPA Effective Date. If this DPA is changed, Company will provide Customer advance electronic notice, typically by email or via Company’s support portal.

2. DATA SECURITY MEASURES

2.1   Generally.

Company has adopted and implemented physical, technical, organizational, and administrative measures designed to protect, in a manner consistent with accepted industry standards and applicable law, against anticipated or actual threats or hazards to the security and/or integrity of Customer Data, as well as the destruction, loss, unauthorized access to, or unauthorized use of Customer Data (“Data Security Measures”). Company reviews and, as necessary, updates the Data Security Measures whenever there is a material change in Company’s business practices or applicable law.

2.2 Duration; Standards and Controls.

Company will maintain the Data Security Measures for the duration of each Agreement and thereafter for so long as Company has access to, or stores, Customer Data as part of any archival or related right at law or under an Agreement (including as part of any disengagement services). The Data Security Measures include standards and controls for:

- Data Categorization and Management;

- Asset Management;

- Access Controls and Monitoring;

- Encryption;

- Vulnerability Prevention, Detection, Mitigation and Testing;

- Third Party Oversight;

- Incident Response and Management;

- Workforce Member Awareness;

- Data Retention and Destruction; and

- Business Continuity and Disaster Recovery.

2.3 Scope of Data Security Measures.

(a) Company Systems and Personnel. The Data Security Measures apply to all computing, networking, and telecommunications systems owned and operated by Company to store and process Customer Data. The Data Security Measures further apply to all Company employees, onsite contractors, and those of Company’s off-site contractors who Company anticipates will have access to Customer Data. Company also adopts standards and controls for reasonable due diligence and oversight of its third-party sub-contractors and sub-processors including the Cloud Providers (defined below). As part of such due diligence, and whether or not Section 3.6 also applies, Company confirms all such third parties have data security programs or equivalent processes meeting industry standards and applicable regulatory requirements. Company’s own Data Security Measures do not, however, otherwise apply directly to the Cloud Providers, sub-processors or similar third parties.

(b) Sub-contractors; Cloud Providers. In delivering the Services, Company works with certain third-party business partners and sub-contractors including either or both a cloud platform and a data storage infrastructure provider (collectively, the “Cloud Providers”). Customer generally authorizes Company to use Cloud Providers to process Customer Data in accordance with this agreement.

(i) Data Security Programs. Company will pass through to Customer the benefits of its subcontractors’, including the Cloud Providers’, data security and privacy practices and procedures. The Cloud Providers, and not Company, are responsible for protecting their respective overall computing infrastructures and physical facilities including those on and from which Company customer-facing systems operate and store and retrieve data. Those infrastructures comprise all the hardware, software, networking, and facilities necessary for Company to deliver its services and make the Services (and all data loaded onto them) available to Customer remotely but exclude Company’s own internal use systems which remain Company’s responsibility under the Company Data Security Measures and this DPA.

(ii) Vulnerability Testing. Company has adopted standards and implemented controls for vulnerability prevention, detection, and mitigation. Company periodically tests those controls. In addition, during the term of each Agreement, Customer may, at its cost and expense, perform its own penetration testing and other vulnerability assessments of Cloud Providers and those portions of the Company technology loaded thereon, by following the Cloud Providers’ published procedures. As Company does not typically store material amounts of Customer Data in electronic form outside of the Cloud Providers’ infrastructure, Customer shall not be permitted to conduct vulnerability testing of Company’s or its other sub-contractors’ internal systems unless otherwise agreed in writing.

2.4 Data Security Audits.

The independent certifications and reports of Company and its Cloud Providers are widely recognized and accepted by the industry and its regulators as comprehensive verifications of security controls used in the operations of financial technology vendors. As such, consistent with accepted industry practices, Company limits the number, nature, and type of further data security audits that may be performed on its systems and facilities, as described below:

(a) Regulatory Inquiries. Company will reasonably cooperate with Customer’s regulators having competent authority and sufficient legal basis to request that Company complete questionnaires about Company’s security and privacy controls as they relate to Customer Data. If, after completing such a questionnaire, a regulator reasonably believes a remote or in-person site visit in the nature of an audit of those controls is necessary, Company will reasonably cooperate in those activities upon written request from the regulator, including as such written request may be made to Customer and passed on to Company. Cloud Providers do not permit Company or any of Company’s customers or their regulators to visit the Cloud Providers’ data centers or facilities, whether remotely or in-person, and therefore site visit rights under this Section do not extend to facilities under the control of Cloud Providers. Company shall further reasonably cooperate with Customer’s request to obtain data security and privacy information from any of Company’s material sub-contractors, including the Cloud Providers, such as copies of their ISO certifications or SOC reports.

(b) Customer Questionnaires. If Customer has a regulatory or reasonably documented internal governance obligation to submit questionnaires to its vendors regarding such vendors’ security standards and controls, Company shall reasonably cooperate with Customer’s internal security personnel to complete such questionnaires as they relate to Customer Data; provided, however, that Customer shall first confirm that such questionnaire obligation cannot be satisfied by reference to the above-described independent certifications and reports and, provided further, that Company reserves the right to charge Customer at Company’s standard hourly rates if such submissions are made more than once per year and/or if any such questionnaire requires more than ten (10) hours of total person effort in a calendar year. The contents of all completed questionnaires shall be the confidential information of Company subject to the applicable terms of each Agreement.

(c) Customer Audits. If an Auditable Event (defined below) occurs, Customer may conduct reasonable remote reviews of the security controls used by Company and, if reasonably necessary thereafter, an on-site audit of Company. Customer will schedule all such reviews and audits by contacting Customer’s assigned Company relationship manager who will work with Customer on a mutually agreed timeline and audit plan inclusive of plans for discussion and remediation of any purported security concerns contained in the final audit report provided to Company. Customer will conduct the review or audit itself or through a reputable third-party designee that is not a Company competitor, does not already represent Company, and who is subject to customary confidentiality obligations at least as protective of Company as those under the Agreement. All audits shall be at Customer’s cost and expense and their results the confidential information of Company subject to the confidentiality terms of each Agreement. As used herein an “Auditable Event” is any one or more of the following: (a) the lapse or revocation of, or the finding of a material deficiency under, a previously provided ISO 27001, SOC 2 Type 2, or equivalent or similar certification or report for the cloud infrastructure; and/or (b) the occurrence of a Data Security Breach (defined in Section 2.5) provided that such review and audit shall not be conducted until after resolution of the Data Security Breach to permit Customer to confirm that the causes thereof have been reasonably remedied.

2.5 Incident Response and Management.

Company will evaluate and respond to all incidents that are, or create suspicion of, a Data Security Breach (as defined herein). The goal of Company’s incident response is to identify and contain the potentially unauthorized activity and restore the security, integrity, and availability of the affected systems as well as to establish root causes and remediation steps. Company’s information security team will be informed of all such incidents and will define escalation paths and response teams to address them. As used herein, “Data Security Breach” means the confirmed unauthorized access, acquisition, disclosure, or use of Customer Data protected under the Data Security Measures.

2.6  Data Security Breach Notification.

If Company determines that an incident actually was, or resulted in, a Data Security Breach, Company will, as relevant information is collected or otherwise becomes available to Company, provide Customer with a description of the Data Security Breach, the Customer Data adversely affected, and other information Customer may reasonably request, unless Company is prohibited by law from doing so. In any event, Company will notify Customer as soon as practical and without any unreasonable delay following Company’s determination that a Data Security Breach occurred, but in no event later than would allow Customer a reasonable period of time to meet Customer’s own reporting or notice obligations under applicable law. Typically, this means Company will notify Customer no more than forty-eight (48) hours after Company has confirmed that Customer Data has suffered a Data Security Breach. Additionally, the Company information security team will work with Customer, and, where necessary, with outside forensics investigators and regulatory and law enforcement authorities, to respond to and attempt to mitigate the adverse effects of a Data Security Breach. Company agrees to coordinate in good faith with Customer on developing the content of any related public statements that relate to Customer or any required notices to Customer’s data subjects resulting from a Data Security Breach.

3. PERSONAL DATA GOVERNED BY COMPREHENSIVE DATA PROTECTION LAW

In providing the Services to Customer, Company may process data meeting the definition of “personal data” under one or more Comprehensive Data Protection Laws. As used herein, “Comprehensive Data Protection Laws” means the General Data Protection Regulations separately adopted by the United Kingdom and by the European Union for use throughout the European Economic Area (collectively, the “GDPR”), the California Consumer Privacy Act (and its successor the CPRA), and/or the similar laws in other United States jurisdictions (such as Colorado and Virginia) or around the world (such as the Cayman Islands).

3.1 Capacity; Duration; Nature and Purpose.

If Customer Data has elements of personal data governed by Comprehensive Data Protection Laws, the parties acknowledge and agree that: (a) Company acts in the capacity of Customer’s “service provider” or “processor”, as applicable under such laws; (b) the duration of Company’s processing is at Customer’s discretion, commensurate with the time period described in Section 2.2; (c) the nature and purpose of Company’s processing is limited to what is needed to perform for the benefit of Customer under an Agreement; and (d) the types of personal data processed and categories of data subjects will be determined and disclosed in each Agreement. All of Company’s processing of such personal data will further be subject to the obligations described in Sections 3.2 through 3.10 of this DPA below.

3.2 Customer Instruction; No Sale.

Company will never sell any personal data provided to it by Customer under an Agreement. Company will process (including cross-border transfers described in Section 3.3) personal data only on Customer’s instructions as documented in the applicable Agreement. If Company is required by law to process personal data in a manner not covered by the instruction Company received from Customer, Company will, unless prohibited by law, inform Customer before so processing. Company will also promptly inform Customer if, in Company’s opinion, the Customer’s instruction violates the applicable Comprehensive Data Protection Laws.

3.3 Cross-border Transfers.

(a) Generally. To the extent the parties agree that transfer of Customer’s personal data from the Jurisdiction of Origin (defined below) is required, but the applicable Comprehensive Data Protection Laws restrict such transfer, the transferring party will conduct a transfer impact assessment (where Company is the transferring party, the assessment will be conducted in such manner and form Company believes necessary based on the relative risks) to determine if appropriate safeguards are present in the Destination Jurisdiction (defined below). If the result of an assessment supports the transfer, it will occur only as permitted under the applicable Comprehensive Data Protection Laws and this Section 3.3. Where Company is the transferring party, the transfer shall be disclosed to Customer. As used herein, “Jurisdiction of Origin” means the country, and if applicable, territory, province, or state in which the data subjects were located at the time their personal data was collected, and “Destination Jurisdiction” means the country, and if applicable, territory, province, or state, to which such personal data is being transferred.

(b) Transfers under GDPR; SCCs. Where a transfer is governed by the GDPR, the transfer will be conducted in accordance with an approved mechanism, respectively, set forth in Articles 46 through 49 of the EU GDPR or UK GDPR, as applicable which may, if determined by the transferring party in consultation with the receiving party, require binding the receiving party to the applicable Standard Contractual Clauses (“SCCs”) module appropriate to the roles of the parties in such transfer. Where SCCs Modules 2, 3 and/or 4 are used, the parties agree that if there is any conflict or contradiction between such SCC’s and this DPA, the required resolution of such conflict in favor of the SCCs shall apply only to the act of transfer/importation and the sub-set of personal data directly involved therewith.

(c) Customer Acknowledgement. Customer acknowledges that Customer Data may be transferred to, and processed in, the United States or any other country in which Company or its Cloud Providers maintain facilities. If the parties agree to a cross-border transfer by Customer from a Jurisdiction of Origin to Company in one or more of those locations as the Destination Jurisdiction, then, subject to Sections 3.3(a) and 3.3(b), Customer is, as between Company and Customer, solely responsible for ensuring it is authorized to deliver its data to Company in the Destination Jurisdiction and for fulfilling the obligations of a data controller/collector/exporter under the applicable Comprehensive Data Protection Laws.

3.4 Appropriate Measures; Security of Processing.

Company’s Data Security Measures are designed to satisfy the requirement under the Comprehensive Data Protection Laws that Company adopt appropriate technical and organizational measures to protect Customer’s affected personal data. Company will apply its Data Security Measures to Customer’s personal data including as necessary to permit Customer to comply with applicable Comprehensive Data Protection Laws such as the measures required under GDPR Article 32.

3.5 Workforce Confidentiality Obligations.

Company requires that members of its workforce (including contractors) who are authorized to process Customer’s personal data have committed themselves to the confidentiality thereof or are otherwise under an appropriate statutory obligation of confidentiality.

3.6 Sub-processors.

If Company engages a sub-processor to carry out personal data processing activities that are otherwise part of Company’s obligation to Customer, Company will conduct due diligence to confirm they are capable of protecting Customer Data to the same extent as Company is required to under this DPA, including by way of a contract or other legal act under applicable law and, to the extent required by applicable law (such as GDPR Article 28, paragraphs (2) and (4)), Company will obtain Customer’s consent prior to such engagement and notify Customer, with a reasonable opportunity to object, should Company change a previously approved sub-processor; provided that by entering into an Agreement, Customer is giving general consent to Company’s use of its Affiliates as sub-processors, as well as the use of sub-processors in the roles of the Cloud Providers.

3.7 Data Subject Requests.

Taking into account the nature of Company’s processing, Company will assist Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling Customer’s obligation to respond to requests from data subjects to exercise their rights under applicable law including, where a data subject whose personal data Company is processing contacts Company instead of Customer, Company will, to the extent legally permitted, promptly notify Customer and reasonably cooperate with Customer to fulfill Customer’s obligations, subject to the fact that Customer is responsible for any reasonable costs arising therefrom.

3.8 Verification; Assistance with Compliance.

Company will assist Customer in ensuring compliance with Customer’s obligations to consult with certain regulatory authorities regarding the processing of personal data including, where applicable, such obligations as are enumerated under GDPR Article 28 with respect to GDPR Articles 32 through 34 and 36, taking into account the nature of processing and the information available to Company. As described in Section 2.4 of this DPA, Company will make available to Customer information reasonably necessary to demonstrate Company’s compliance with this DPA.

3.9 Deletion or Return.

Company will, at Customer’s election, delete or return all Customer’s personal data at the end of each Agreement, and delete existing copies unless applicable law requires otherwise. Company will, however, avail itself of any right that applicable law provides permitting Company to retain archival copies of such personal data or to delete such data in the ordinary course of Company’s documented back-up, retention, and destruction procedures. In those situations, Company acknowledges that this DPA continues to govern all such retained personal data.

3.10 Breach Notification.

Company will notify Customer of and respond to any Data Security Breach as described in Section 2.6 of this DPA. If the applicable Comprehensive Data Protection Laws require that such notification contain specific information (as is the case under GDPR Article 33(3)), Company will provide the same to Customer to the extent such information is reasonably available to Company.

4. COMPANY AS CONTROLLER OF KYC DATA

In certain limited circumstances specifically identified in an Agreement, Company may be required to collect or receive certain personal data of Customer’s investors or general or limited partners in connection with: (a) know-your-customer and similar laws such as anti-money laundering or sanctions laws; and/or (b) authenticating identity as necessary to satisfy other regulatory requirements (the personal data described in clauses “(a)” and “(b)” collectively, “KYC Data”). If the exchange of KYC Data occurs, then as between Company and Customer, Company is either an “independent controller” or the parties are “successive independent controllers” (collectively, “Controller”) with respect to the KYC Data. Each party shall comply with applicable data security laws, including Comprehensive Data Security Laws, with respect to KYC Data it receives, and processes, including by implementing opt-out and do-not-sell mechanisms where applicable. The Controller shall determine its legitimate interests or other lawful bases for processing, take reasonable steps to provide all required notices, and manage and respond to all verified data subject attempts to exercise their rights. Company and Customer will reasonably cooperate with one another to the extent required to comply with applicable data security laws, including in responding to the exercise of rights by verifiable data subjects.

5. EXCLUSIONS AND CONDITIONS

The collection and processing of business contact information (such as name, title, and corporate domain email address) presents a very low likelihood of potential harm to the rights and freedoms of data subjects. As such, following the majority of Comprehensive Data Protection Laws, such business contact information as is exchanged between the parties to administer their contractual relationship and receive credentials to Company’s software is not treated as personal data or Customer Data under this DPA. In addition, Company is not responsible under this DPA for any event related to or arising out of: (a) modifications or alterations of the Company systems or software made by any individual or entity other than Company or its designees; (b) unauthorized access to the Company systems or software or Customer Data thereon occurring via (i) otherwise valid Customer log-in credentials that were not previously reported to Company, in writing, as having been compromised; or (ii) Customer’s own connection to the Public Network (defined below); (c) negligence by Customer, including its personnel or contractors; (d) breach of an Agreement by Customer or those under its reasonable control; (e) Customer’s use of an un-supported version of the affected Company software; (f) Customer’s failure to comply with Company’s published documentation; (g) Company’s adherence to third party API or SDK rules/protocols for any third party integration Customer may request (including integration or connection with any Third Party Software and Data as that term is defined in an Agreement); (h) failures beyond Company’s reasonable control; and/or (i) Customer’s failure to provide and maintain the required customer-side operating environment.

“Public Network” means the circuits, overland and/or submarine cabling, and other telecommunications and connectivity infrastructure from a point of demarcation starting immediately after the ingress/egress router or similar appliance for Customer’s network to the point immediately before the ingress/egress router or similar appliance at the facilities Company uses for its own networks and communications infrastructure including those operating on the Cloud Providers’ infrastructure.
