Declines.io

DATA PROCESSING AGREEMENT

This Data Processing Agreement (“DPA”) is governed by and hereby attached to the Merchant Terms and Conditions (“Agreement”) executed by and between Declines.io (referred to as “declines.io”, “we” or “us”) and you, the merchant identified under the Agreement (“Merchant”, “you” or “your”). This DPA supplements the Agreement, inclusive of all exhibits, addenda, statements of work, work orders and similar documents entered into by the parties pursuant to such Agreement with regard to the Processing of Personal Data (as such terms are defined below).

Each of declines.io and the Merchant may be referred to herein as a “party” and collectively as the “parties”. Capitalized terms used but not defined in this DPA shall have the meanings assigned to them in the Agreement or under applicable Data Protection Laws. In the event of a conflict between this DPA and the Agreement, this DPA shall prevail as to the subject matter of the conflict.

The parties have agreed to enter this DPA to address the compliance obligations imposed upon the parties pursuant to Data Protection Laws. Therefore, this DPA sets forth the parties’ responsibilities and obligations regarding the Processing of Personal Data through the course of the Services.

  1. DEFINITIONS.  
    1. The terms “Business”, “Business Purpose”, “Consumer”, “Controller”, “Personal Data”, “Personal Information”, “Processing”, “Processor”, “Sensitive Data”, “Service Provider”, “Sale”, “Sell” and “Share” shall all have the same meanings as ascribed to them under the Data Protection Laws. Under this DPA: “Personal Data” shall include “Personal Information”, a “Controller” shall include a “Business”, and a “Processor” shall include and refer to a “Service Provider”.
    2. “Customer Data” means data identifying an individual included in the Customer Data (as defined in the Agreement) Processed by the parties under the Agreement.
    3. “Data Protection Laws” means any and all applicable federal and state privacy laws and regulations, including without limitation: (i) the California Consumer Privacy Act of 2018, including as amended by the California Privacy Rights Act (‘CCPA’); (ii) the Colorado Privacy Act (‘CPA’); (iii) the Connecticut Data Privacy and Online Monitoring Act (‘CTDPA’); (iv) the Florida Digital Bill of Rights (‘FDBR’); (v) the Montana Consumer Data Privacy Act (‘MTCDPA’); (vi) the Oregon Consumer Data Privacy Act (‘OCDPA’); (vii) the Texas Data Privacy and Security Act (‘TDPSA’); (viii) the Utah Consumer Privacy Act (‘UCPA’); and (ix) the Virginia Consumer Data Protection Act (‘VCDPA’), and any implementing regulations and amendments thereto.
    4. “Instructions” means the written, documented instructions issued by the Merchant to declines.io directing declines.io to perform a specific or general action with regard to the Processing of Customer Data (including, but not limited to, instructions to provide the Services under the Agreement and instructions under this DPA).
    5. “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
    6. “TDPSA” means the Texas Data Privacy and Security Act.

 

  2. ROLES; COMPLIANCE WITH LAWS.
    1. With respect to the Processing of Customer Data, the parties agree and acknowledge that under the performance of their obligations set forth in the Agreement, Merchant is the Controller, and declines.io is the Processor.
    2. For the purpose of the CCPA, declines.io Processes Customer Data as the Service Provider on behalf of the Merchant as the Business and shall not: (i) Sell or Share the Customer Data; (ii) retain, use or disclose the Customer Data for any purpose other than for a Business Purpose specified in the Agreement; or (iii) combine the Customer Data with other Personal Data that it receives from, or on behalf of, other merchants.
    3. Each party shall be individually and separately responsible for complying with the obligations that apply to it, in accordance with the Data Protection Laws. Without derogating from the generality of the above, the Merchant shall be exclusively responsible to ensure compliance of its Instructions to enable lawful collection and Processing of Customer Data, including obtaining any required consent and providing any required disclosures.
    4. The subject matter, duration, nature and purpose of the Processing, types of Personal Data Processed, and categories of Data Subjects are as described in Annex I.
  3. declines.io OBLIGATIONS.
    1. declines.io shall process the Customer Data only on behalf of and under the instructions of the Merchant, for the limited Business Purpose outlined under Annex I, in accordance with Data Protection Laws and Merchant’s Instructions. Notwithstanding the above, in the event declines.io is required under applicable laws, including Data Protection Laws, to Process Customer Data other than as instructed by Merchant, declines.io shall make reasonable efforts to inform the Merchant of such requirement prior to Processing such Customer Data, unless prohibited under applicable law.
    2. Without limiting the foregoing, declines.io will notify Merchant if it determines, in its reasonable discretion, that: (i) it can no longer meet its obligations under applicable Data Protection Laws; or (ii) any of Merchant’s Instructions infringe applicable laws, and declines.io shall have the right to immediately cease and suspend any such Processing activity related to the infringing Instruction.
    3. declines.io hereby certifies that it understands the restrictions in the applicable Data Protection Laws and will comply with them.
  4. CONSUMER REQUESTS AND LEGAL REQUESTS.
    1. declines.io shall provide commercially reasonable assistance and shall procure that its Sub-Processor (as defined below) will provide assistance where and to the extent applicable, in connection with any obligation by Merchant to respond to Consumer’s or applicable authority’s requests for exercising their rights or other inquiries under Data Protection Laws, including without limitation, by taking appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Merchant’s respective obligation. Merchant will reimburse declines.io for such costs arising from assistance, where the assistance exceeds reasonable commercial efforts and resources.

 

  5. SUB-PROCESSORS.
    1. The Merchant acknowledges that declines.io may transfer Customer Data to and otherwise interact with a third-party sub-processor or sub-contractor (“Sub-Processor”). The Merchant hereby authorizes declines.io to engage and appoint such Sub-Processors already engaged by declines.io to Process Customer Data, as well as permits each Sub-Processor to appoint a Sub-Processor on its behalf, and to engage an additional, or replace an existing, Sub-Processor to Process Customer Data, subject to the provision of ten (10) days’ prior notice of its intention to do so to the Merchant. In case the Merchant has not objected to the adding or replacing of a Sub-Processor within such notice period, such Sub-Processor shall be deemed approved by the Merchant. In the event the Merchant objects to the adding or replacing of a Sub-Processor within such notice period, declines.io may, under declines.io’s sole discretion, suggest the engagement of a different Sub-Processor for the same course of services, or otherwise terminate the Agreement.
    2. declines.io shall, where it engages a Sub-Processor, impose, through a legally binding contract between declines.io and the Sub-Processor, data protection obligations that provide at least the same level of protection as those set out in this DPA, as applicable to the services provided by the Sub-Processor. declines.io shall ensure that such contract will require the Sub-Processor to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of applicable Data Protection Laws.
    3. declines.io shall remain responsible to the Merchant for the performance of the Sub-Processor’s obligations in accordance with this DPA.
  6. DATA PROTECTION ASSESSMENTS.
    1. Upon Merchant’s reasonable request, Merchant will make available such information in declines.io’s possession as reasonably necessary for Merchant to conduct and document data protection assessments in accordance with Data Protection Laws. Merchant will have the right to: (i) take reasonable and appropriate steps to help ensure that declines.io uses Customer Data in a manner consistent with declines.io’s obligations under this DPA and as required under Data Protection Laws; and (ii) upon reasonable prior written notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of such Customer Data under and as required by applicable Data Protection Laws.

 

  7. SECURITY INCIDENT.
    1. declines.io will notify the Merchant without undue delay upon becoming aware of any Security Incident involving the Customer Data. In addition, declines.io will take reasonably necessary steps to remediate, minimize any effects of and investigate the Security Incident and to identify its cause; and co-operate with the Merchant and provide the Merchant with such reasonable assistance and information in connection with the containment, investigation, remediation or mitigation of the Security Incident and, if applicable, the obligation to notify the affected individuals.
    2. declines.io’s notification or compliance with its obligations under this Section 7 regarding a response to a Security Incident shall not be construed as an acknowledgment by declines.io of any fault or liability with respect to the Security Incident.

 

  8. AUDIT.
    1. declines.io shall maintain records of the Processing activities of Customer Data carried out under this DPA. declines.io shall make such records available to the Merchant, subject to a thirty (30) day written request, however no more than once per twelve (12) months of engagement. Such records provided shall be considered declines.io’s Confidential Information and shall be subject to confidentiality obligations under the Agreement.
    2. Alternatively, in the event the records and documentation provided subject to Section 8.1 above are not sufficient for the purpose of demonstrating compliance, declines.io shall make available, solely upon prior reasonable written notice and no more than once per twelve (12) months of engagement, to a reputable auditor nominated by the Merchant or by declines.io, information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Customer Data (“Audit”) in accordance with the terms and conditions hereunder. The auditor shall be subject to standard confidentiality obligations (including towards third parties). declines.io may object to an auditor appointed by the Merchant in the event declines.io reasonably believes the auditor is not suitably qualified or is a competitor of declines.io.
    3. Merchant shall bear all expenses related to an investigation or an Audit under this Section 8.
    4. Nothing in this DPA will require declines.io to either disclose to Merchant or its third-party auditor, or allow Merchant or its third-party auditor to access: (i) any data of any other declines.io merchant; (ii) declines.io’s internal accounting or financial information; (iii) any trade secret of declines.io or its affiliates; (iv) any information that, in declines.io’s reasonable opinion, could compromise the security of any of declines.io’s systems or cause any breach of its obligations under applicable law or its security or privacy obligations to any third party; or (v) any information that Merchant or its third-party auditor seeks to access for any reason other than the good faith fulfillment of Merchant’s obligations under the U.S. Data Protection Laws. No access to any part of declines.io’s IT systems or infrastructure (including, without limitation, any hands-on or intrusive testing) will be permitted.

 

  9. CERTIFICATION.
    1. declines.io certifies that it understands the rules, requirements and definitions of the CCPA and agrees to refrain from Selling or Sharing Personal Information. declines.io acknowledges and confirms that it does not receive any monetary goods, payments or discounts in exchange for processing the Personal Information for a Business Purpose or as specified in the Agreement.
  10. DATA SECURITY.
    1. declines.io shall implement and maintain reasonable security procedures, practices, and controls, as may be appropriate based on the nature of the information, designed to protect Customer Data from unauthorized access, disclosure or destruction. declines.io will provide the notifications and assistance to Customer as required by the data breach provisions under the Data Protection Laws.

 

  11. TERM, TERMINATION, DATA DELETION AND CONFLICT
    1. This DPA shall be effective as of the Effective Date (as defined in the Agreement) and shall remain in force until the Agreement terminates or as long as declines.io Processes Customer Data.
    2. declines.io shall be entitled to terminate this DPA or suspend the Processing of Customer Data in the event that Processing of Customer Data under the Customer’s instructions or this DPA infringes applicable legal requirements, provided Merchant did not cure such infringement within ten (10) days from receiving applicable notice from declines.io.
    3. Following the termination of this DPA, declines.io shall, at the choice of the Merchant, delete all Customer Data Processed on behalf of the Merchant and certify to the Merchant that it has done so, or return all Customer Data to the Merchant and delete existing copies, unless applicable law or regulatory requirements require that declines.io continue to store Customer Data. declines.io may satisfy the obligations above by enabling the Customer to export or delete Customer Data through the Services. In addition, the above shall not be construed as declines.io’s obligation to retain Customer Data for any period, and declines.io may delete Personal Data at any time according to its retention policies.
    4. In the event of a conflict between the terms and conditions of this DPA and the Agreement, this DPA shall prevail only as to the subject matter in conflict.

ANNEX I

Type of Consumers: Merchant’s Customers (as defined in the Agreement). 

Type of Personal Data: 

  • Contact information, including: full name, email address, billing address, phone number.
  • Date and place of birth, if applicable. 
  • Payment and repayment transaction information (including card number, expiry date, error or confirmation codes, credit card holder, issuing bank name, MID number, MCC code, etc.). 
  • Credit score and credit bureau information as well as other related KYC data.
  • Transactions and history.

Nature and Purpose of Processing: Providing the Factoring Services as defined in the Agreement, including by transmitting, accessing, hosting, disclosing and sharing.  

Duration of Processing: For as long as is necessary to provide the Service by declines.io; provided there is no legal obligation to retain the Customer Data past termination or unless otherwise requested by the Merchant.