Technical and Organizational Security Measures
UPDATED AS OF: Sep 25, 2025
Third Party will maintain a comprehensive security policy and measures that satisfy the requirements set forth below in clauses (a)-(p). The Third Party will review its security policy and measures at least annually, and upon request, provide it to Affirm.
To the extent the DPA applies, references herein to “Affirm Data” will include “Personal Data” as defined in the DPA.
Access Control: limiting access of Affirm Data to authorized personnel with a bona fide need-to-know; maintaining a documented access approval process; revoking such access within twenty (24) hours in cases of personnel transfer or termination, and performing regular audits of user accounts to remove unnecessary access and privileges; strictly segregating Affirm Data from Third Party or any other data, so that it is not commingled with any other types of information; implementing physical access controls on premises where Affirm Data is processed in such a manner that physical access is only permitted for authorized persons or persons accompanied by authorized personnel. Where Affirm Data is hosted by Third Party’s employees, agents, partners, contractors, or subcontractors (“Representatives”), Third Party must ensure implementation of such controls by such Representatives and monitor compliance periodically.
Awareness and Training: providing appropriate privacy and information security training to Third Party’s Representatives with access to Affirm Data, including annual refresher training; providing developers with appropriate secure development training such as OWASP Top 10.
Audit and Accountability: monitoring systems for access, including but not limited to unauthorized activity; generating and reviewing audit logs, as well as protecting such audit logs from unauthorized modification or disclosure. At a minimum, such audit logs must contain the following information:
What activity was performed?
Who or what performed the activity, including from where or from what system it was performed (subject)?
What was the activity performed on (object)?
When was the activity performed?
Using which tool(s) was the activity performed?
What was the status (such as success vs. failure), outcome, or result of the activity?
Assessment, Authorization and Monitoring: maintaining a process for periodically evaluating the effectiveness of its security controls; undergoing periodic network, system, and application vulnerability scans, remediating identified vulnerabilities; and undergoing third-party penetration tests at least annually.
Configuration Management: establishing secure baseline configurations for the system(s) according to the principle of least functionality; maintaining a process for change control including documentation, justification, specifications, testing, quality control, recovery, and conducting security impact analyses when appropriate.
Contingency Planning: performing regular system- and user-level backups and affording such information the same protections as the original; maintaining, regularly testing, and providing appropriate training for a contingency plan.
Identification and Authentication: uniquely identifying all users; enforcing multi-factor authentication for access to Affirm Data; modifying vendor default authenticators; establishing strong authentication mechanisms; and protecting authenticators from unauthorized disclosure and modification.
Incident Response: maintaining, regularly testing, and providing appropriate training for an incident response plan that specifies the actions to be taken when Third Party or one of its suppliers suspects or detects that an actual loss, unauthorized access, use, alteration, or acquisition of Affirm Data, unauthorized access to Affirm systems, accounts, devices, or platforms, or any other unauthorized activity that interrupts Affirm’s operations has occurred.
Maintenance; Media Protection; Physical and Environmental Protection: implementing appropriate security at facilities where Affirm Data can be accessed, including physical access controls, video surveillance, environmental safeguards, and controls to protect hardware and media during transport and/or maintenance from unauthorized access or modification; securely sanitizing media before reuse.
Personnel Security: implementing appropriate personnel security and integrity procedures and practices, including, but not limited to, conducting background checks consistent with Applicable Law (which may include Applicable Privacy Law) for all employees with access to Affirm Data.
Risk Assessment: conducting periodic risk assessments and upon significant changes to the IT environment; implementing processes and mechanisms to identify and remediate technical vulnerabilities.
System and Services Acquisition: establishing a system development life cycle which incorporates security and privacy requirements; ensuring that externally managed systems meet organizational requirements.
System and Communications Protection: implementing boundary protections at managed interfaces of the system, including industry-recognized strong password requirements, firewalls and subnets, and limiting traffic to only that with a documented business need; using Strong Cryptography for all Affirm Data when such data is transmitted over a network, whether via email, file transfer protocol, or other means of electronic exchange, as well as when such data is stored on any media, including, but not limited to, any laptop computer and USB storage peripherals; ensuring the implementation of a process to protect and manage the lifecycle of cryptographic keys; using pseudonymization techniques where possible for identifying fields, to reduce security and privacy risks to Affirm Data.
Known Security Defects/Vulnerabilities Remediation: repairing any Known Security Defects by implementing malicious code protection at system entry and exit points; monitoring and responding to attacks and indicators of potential attacks on the system; validating information inputs; implementing secure error handling; securely disposing of Affirm Data; installing applicable security hotfixes (or workarounds) recommended by hardware/software providers as appropriate. “Known Security Defects” means flaws in the configuration, operation or code of Third Party’s systems. Remediation of Known Security Defects must adhere to the following schedule:
Severity Level: Remediation Response Time
Critical: Issue is remediated within five (5) business days
High: Issue is remediated within ten (10) business days
Medium: Issue is remediated within one (1) month
Low: Issue is remediated within six (6) months
Supply Chain Risk Management: establishing security requirements with Representatives that are equal to or more restrictive than those in the Agreement; establishing breach notification requirements with Representatives that conform to those in the Agreement; assessing the security of Representatives before onboarding those Representatives; and assessing the security of Representatives annually thereafter.
Disposal & Return: Upon the expiration or termination of the Agreement, or earlier upon Affirm’s request, Third Party will return all Affirm Data to Affirm or, at Affirm’s option, destroy all Affirm Data and, within ten (10) days of Affirm’s request, provide a written confirmation either by email or in writing by an authorized representative of Third Party, certifying that all Affirm Data in all formats, including without limitation paper, electronic and disk form, has been returned or destroyed, as the case may be.