Affirm Global Data Processing Agreement
UPDATED AS OF: Apr 22, 2025
This Global Data Processing Agreement (“DPA”) is incorporated into the master agreement (“Agreement”) between Affirm and the third party which is a Party to the Agreement (“Third Party”) (each individually, a “Party” and collectively, the “Parties”). This DPA is effective on the Effective Date of the Agreement, unless this DPA is separately executed in which case it is effective on the date of the last signature. In the event of any conflict between this DPA and the Agreement, the provisions of this DPA will control.
1. Definitions.
The terms below have the following meanings when used in this DPA. Any capitalized terms that are not defined in this DPA have the meaning provided in the Agreement.
“Affirm” means the Affirm entity that is a Party to the Agreement and uses the Services subject to the Agreement.
“Affirm Personal Data” means any Personal Data that Affirm and/or its affiliates provides or makes available to Third Party or that Third Party otherwise Processes on behalf of Affirm in connection with the Agreement.
“Applicable Privacy Law” means requests by governmental authority, court orders, laws, regulations, codes, orders, rules and guidelines imposed by law, competent government authority, governing body or regulator in each country and jurisdiction governing data protection, information security, and data privacy applicable to the Services and obligations in this DPA, including, without limitation, the EU Data Protection Laws, the US Data Protection Laws, the Canadian Data Protection Laws, and the Australian Data Protection Laws.
“Australian Data Protection Laws” means data protection laws applicable in Australia, including the Privacy Act 1988 (Cth) and the Privacy and Other Legislation Amendment Act 2024 (Cth), each as amended from time to time.
“Canadian Data Protection Laws” means data protection laws applicable in Canada, including the Personal Information and Electronic Documents Act, the Personal Information Protection Act (British Columbia), the Personal Information Protection Act (Alberta), and the Act respecting the protection of personal information in the private sector, each as amended from time to time.
“Data Subject Request” means a request from Data Subjects seeking to exercise their rights under Applicable Privacy Law.
“Deidentified Data” means data created using Affirm Personal Data that cannot reasonably be linked to a particular individual, directly or indirectly.
“EU Data Protection Laws” means data protection laws applicable in the European Economic Area (“EEA”) and UK including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (“GDPR”); (ii) Directive 2002/58/EC concerning the Processing of Personal Data and the protection of privacy in the electronic communications sector; and (iii) applicable national implementations of (i) and (ii); or (iii) “UK GDPR” as defined in section 3(10) of the Data Protection Act 2018 (“DPA 2018”), as supplemented by section 205(4), each as amended or superseded from time to time.
“Industry Recognized Security Practices” means generally accepted industry practices, which may include but are not limited to, the International Organization for Standardization (ISO)/IEC 27001:2013 – Information Security Management Systems – Requirements and ISO/IEC 27022:2013 – Code of Practice for International Security Management; the National Institute of Standards and Technology NIST Cybersecurity Framework; the Control Objectives for Information and related Technology (COBIT) standards; Association of International Certified Professional Accountants (AICPA) System and Organization Controls 2 (SOC 2); or other applicable industry standards for information security.
“Restricted Transfer” means a transfer of Personal Data originating from the EEA or UK to a country that does not provide an adequate level of protection within the meaning of applicable EU Data Protection Laws.
“Security Incident” means an actual or suspected loss of Affirm Personal Data, unauthorized access, use, alteration, or acquisition or other Processing of Affirm Personal Data, or unauthorized access to Affirm systems, accounts, devices, or platforms, or otherwise any unauthorized activity that interrupts Affirm’s operations. This includes but is not limited to instances involving malware, malicious code, unauthorized actors, unauthorized employees or contractors, or any act or omission by Third Party’s employees, agents, partners, contractors, or subcontractors (“Representatives”).
“Services” means the products and/or services provided by Third Party to Affirm pursuant to the Agreement.
“Standard Contractual Clauses” or “SCCs” means (i) where the GDPR applies, the clauses annexed to the European Commission’s Implementing Decision 2021/914 of June 4, 2021 for the transfer of Personal Data to third countries; and (ii) where the UK GDPR applies, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under Section 119A(1) of the DPA 2018 (“UK Addendum”) (in each case, as amended or superseded from time to time).
“Subprocessor” means any third party engaged directly or indirectly by Third Party to Process any Personal Data relating to this DPA and/or the Agreement.
“US Data Protection Laws” means all applicable federal and state laws rules, regulations, and governmental requirements relating to data protection, the Processing of Personal Data, privacy and/or data protection in force from time to time in the United States, including (without limitation): the California Consumer Privacy Act of 2018 as amended, including its implementing regulations and the California Privacy Rights Act of 2020, the Oregon Consumer Privacy Act, and the Minnesota Consumer Data Privacy Act, in each case as amended and including any regulations promulgated thereunder.
The terms “Personal Data”, “Controller”, “Data Subject”, “Processor”, “Process”, “Processing”, “Processed”, “Business” and “Service Provider” have the meanings given to them in the Applicable Privacy Law or, absent any such meaning or law, by EU Data Protection Laws.
2. Data Processing.
2.1. Roles of the Parties. Affirm is the Controller or Business. Third Party will Process Affirm Personal Data as a Processor, Controller, or Service Provider as applicable.
2.2. Details of the Processing. The details of the Processing of Personal Data under the Agreement and this DPA are described in the Agreement and in Schedule 1 to this DPA.
2.2.1. Processing Instructions.
(a) The Agreement and this DPA shall constitute the instructions to Third Party for the Processing of Affirm Personal Data by Third Party, and Affirm may issue further written instructions in accordance with this DPA.
(b) Third Party will only Process Affirm Personal Data (i) in accordance with 2.2.1(a); and (ii) in accordance with Applicable Privacy Law.
(c) Third Party will not Process Affirm Personal Data in a manner that establishes credit eligibility or that gatekeeps or steers consumers to or away from certain payment products.
(d) Third Party will promptly notify Affirm in writing, unless prohibited under Applicable Privacy Law, if Third Party:
(i) becomes aware of or believes that any Processing instruction from Affirm violates Applicable Privacy Law;
(ii) is unable to comply with Affirm’s Processing instructions for any reason;
(iii) is unable to comply with Applicable Privacy Law; and/or
(iv) is unable to comply with the terms of this DPA for any reason.
2.2.2. Selling or Sharing Affirm Personal Data. Subject to paragraph 2.2.1, Third Party will not: (a) sell Affirm Personal Data or otherwise make Affirm Personal Data available to any third party for monetary or other valuable consideration; (b) share Affirm Personal Data with any third party for cross-context behavioral advertising; (c) Process Affirm Personal Data for any purpose other than for the business purposes specified in the Agreement; (d) Process Affirm Personal Data outside of the direct business relationship between the Parties; and (e) except as otherwise permitted by Applicable Privacy Law, combine Affirm Personal Data with Personal Data that Third Party receives from or on behalf of another person or persons, or collects from its own interaction with the Data Subject.
2.3. Compliance with Applicable Privacy Law. Each Party will comply with all Applicable Privacy Law in relation to the Processing of Personal Data.
2.4. Compliance with PCI DSS. To the extent Third Party Processes Cardholder Data (as defined by the PCI Security Standards Council) on behalf of Affirm, Third Party will comply with Payment Card Industry Data Security Standard (“PCI DSS”) requirements and will provide Affirm with up-to-date attestations thereof upon request.
3. Security.
3.1. Confidentiality of Representatives. Third Party will ensure that: (i) access to Affirm Personal Data is available only to Representatives who require it to fulfill its obligations under the Agreement; and (ii) such Representatives are subject to written, binding obligations at least as protective of Affirm Personal Data as the terms of the Agreement and that Representatives Processing Affirm Personal Data have received adequate training on compliance with Applicable Privacy Law.
3.2. Security Measures. Third Party will implement administrative, physical, and technical safeguards that are no less rigorous than Industry Recognized Security Practices. Third Party will maintain, and periodically review, a documented security program to safeguard Affirm Personal Data, which will, at a minimum, include the obligations located at https://www.affirm.com/terms/TOSM (collectively, “Technical and Organizational Security Measures”).
3.3. Security Incident. In the event of a Security Incident, Third Party will immediately, and in any event in no more than twenty-four (24) hours, notify Affirm in writing by emailing infosec@affirm.com and furnish Affirm with the full details of the Security Incident and any corresponding investigation in writing (excluding any attorney-client privileged materials). Third Party will take reasonable steps to contain, investigate, and mitigate any Security Incident, and will send Affirm information about the Security Incident, to the extent known to Third Party or as the information becomes available to Third Party, including, but not limited to, the nature of the Security Incident, the measures taken to mitigate or contain the Security Incident, and the status of the investigation. Third Party will cooperate with Affirm in any effort, action, or proceeding to protect Affirm Personal Data and to mitigate and/or remediate the impact of the Security Incident. Third Party will not make any disclosure related to a prospective or actual Security Incident unless Affirm has given Third Party prior express written permission or such notification is required by Applicable Privacy Law. If Third Party is responsible for, or failed to reasonably mitigate, a Security Incident resulting in loss, damage, or interruption of business sustained by Affirm, Third Party will be responsible for Affirm's attorney fees, fines, penalties, lost revenue and income, and costs and expenses related to Affirm's investigation, restoration and/or remediation, IT response and mitigation services, and first- and third-party notification(s).
4. Subprocessors. Affirm authorizes Third Party to engage Subprocessors to Process Affirm Personal Data only as required to provide the Services. Third Party will conduct reasonable due diligence on each Subprocessor to ensure each Subprocessor is capable of providing the level of protection required by this DPA. Third Party will enter into a written agreement with each Subprocessor that imposes no less restrictive terms as those contained in this DPA. Third Party will be fully liable for the acts or omissions of its Subprocessors. Third Party will provide Affirm with at least thirty (30) days’ notice of any proposed changes concerning the addition or replacement of any Subprocessors. Affirm has the right to object to, and prevent, any such addition or replacement of Subprocessors prior to any Processing of Affirm Personal Data by the intended Subprocessor. In the event Affirm submits any objection to a proposed Subprocessor, Third Party and Affirm will work together in good faith to find a mutually acceptable resolution to address the objection. If Third Party and Affirm are unable to reach a mutually acceptable resolution within a reasonable timeframe, which will not exceed thirty (30) days, Affirm may terminate the portion of the Agreement relating to the Services affected by the changed Subprocessor by providing written notice to Third Party.
5. Data Subject Requests. Third Party will implement and maintain appropriate technical and organizational means to enable Affirm to fulfill its obligation to respond to Data Subject Requests. Where requested, Third Party will, within ten (10) calendar days of such request, assist Affirm with its response to a Data Subject Request, including as appropriate, providing Affirm with information in Third Party’s custody related to a specific Data Subject. Any information provided by Third Party to Affirm under this DPA will be in an electronic format. Upon a request to delete certain Personal Data, Third Party will promptly delete such Personal Data after receiving Affirm’s request and provide Affirm with a written certification of compliance signed by an officer of Third Party, unless Applicable Privacy Law requires Third Party to retain the Personal Data, in which case Third Party will promptly provide a written statement to Affirm regarding the Applicable Privacy Law which requires such retention. Third Party will: (i) without undue delay, notify Affirm of a Data Subject’s request to exercise their rights under Applicable Privacy Law with respect to the Parties’ Processing of Personal Data; and (ii) will not respond to that request as to Personal Data Processed on behalf of Affirm, except on the instructions of Affirm or as required by Applicable Privacy Law, in which case Third Party will, to the extent permitted by such Applicable Privacy Law, inform Affirm of the legal requirement before the Third Party responds to the request.
6. Requests for Affirm Personal Data. If Third Party receives a valid subpoena, court order, warrant, or other legal demand (“Request”) from a third party (including law enforcement, judicial authority, or any governmental body) (“Requesting Party”) for disclosure of Affirm Personal Data, Third Party will use commercially reasonable efforts to redirect the Requesting Party to seek that Affirm Personal Data directly from Affirm. If, despite Third Party’s efforts, Third Party is compelled to disclose Affirm Personal Data to a Requesting Party, Third Party will: (a) promptly notify Affirm of the Request to allow Affirm to seek a protective order or other appropriate remedy, unless prohibited from notifying Affirm, in which case Third Party will use commercially reasonable efforts to obtain a waiver of that prohibition; (b) challenge any over-broad, inappropriate, or unlawful Request; and (c) disclose only the minimum amount of Affirm Personal Data necessary to satisfy the Request.
7. Monitoring and Audit Rights. Affirm may, upon notice, monitor and take reasonable and appropriate steps to ensure that Third Party’s Processing of Affirm Personal Data is consistent with Affirm’s obligations under Applicable Privacy Law and this DPA. Upon request, Third Party will fully cooperate in the prompt completion of assessments or audits related to Third Party’s or Third Party’s Subprocessors’ Processing of Affirm Personal Data. Affirm will conduct such assessments and audits no more frequently than once per annum except in the case that (i) it is required by a supervisory authority with jurisdiction over the Processing of Affirm Personal Data or otherwise under Applicable Privacy Law; (ii) Third Party has been found to not comply with this DPA; or (iii) there is a Security Incident, in which case Third Party must comply with additional due diligence requests as necessary to confirm resolution of outstanding security issues. Such security assessment will be at Affirm’s sole cost and election. Affirm may instruct Third Party to promptly remediate any unauthorized Processing of Affirm Personal Data, and Third Party will promptly comply with any such reasonable instructions.
8. International Data Transfers. Each Party will only transfer Personal Data across international borders and between jurisdictions to the extent permitted by this DPA and in accordance with Applicable Privacy Law.
8.1. EEA Personal Data Transfers.
(a) Processor-Controller Transfers. Restricted Transfers from Third Party as Processor to Affirm as Controller will be in accordance with this DPA and its Schedule 1, and the EEA Processor-to-Controller SCCs (located at https://www.affirm.com/terms/processor-to-controller) (terms of which are incorporated here by reference).
(b) Controller-Processor Transfers. Restricted Transfers from Affirm as Controller to Third Party as Processor will be in accordance with this DPA and its Schedule 1, and the EEA Controller-to-Processor SCCs (located at https://www.affirm.com/terms/controller-to-processor) (terms of which are incorporated here by reference).
(c) Controller-Controller Transfers. Restricted Transfers between Third Party and Affirm (each acting as Controller) will be in accordance with this DPA and its Schedule 1, and the EEA Controller-to-Controller SCCs (located at https://www.affirm.com/terms/controller-to-controller) (terms of which are incorporated here by reference).
(d) If and to the extent the EEA Standard Contractual Clauses conflict with any provision of this DPA, the EEA Standard Contractual Clauses will prevail to the extent of such conflict.
8.1.2. U.S. and Canada Personal Data. Third Party may transfer, store, or Process Personal Information outside of the United States or Canada only after Third Party demonstrates that the jurisdiction in which the recipient of the transfer resides requires at least the same level of privacy and security protections required by the Agreement and to the extent required by Applicable Privacy Law.
8.1.3. UK Personal Data Transfer. Restricted Transfers by either Party of Personal Data involving the UK will be in accordance with the EEA SCCs, subject to the amendments incorporated by the UK International Data Transfer Addendum, the terms of which are incorporated here by reference. If and to the extent the UK Addendum conflicts with any provision of this DPA, the UK Addendum will prevail to the extent of any such conflict.
8.1.4. Australian Personal Data. If it is necessary for the performance of the Agreement, Third Party may disclose Personal Information to a person (including a related entity or subcontractor) who is not in Australia provided that person provides a written statement in a form satisfactory to Affirm, prior to any such disclosure, which states that the person: (a) agrees to comply with the Australian Privacy Principles (as defined in Australian Data Protection Laws) in relation to the Processing of Personal Information disclosed to it in the course of the Agreement; (b) has an established complaint handling process for privacy complaints and provides a copy of that process; (c) has a data breach response plan which includes a mechanism for notifying Affirm where there are reasonable grounds to suspect a Security Incident and outlines appropriate remedial action (based on the type of Personal Information to be handled under the Agreement); and (d) will enter into an equivalent contractual arrangement protecting the Personal Information with any third parties to whom it discloses the Personal Information (for example, that person’s subcontractor).
9. Deidentified Data. If Third Party receives Deidentified Data from or on behalf of Affirm, Third Party will: (a) take reasonable measures to ensure the information cannot be associated with a Data Subject; (b) commit to Process the Deidentified Data solely in deidentified form and not attempt to reidentify the information; and (c) contractually obligate any recipients of the Deidentified Data to comply with the requirements in this Section and Applicable Privacy Law.
10. Disposal and Return. If in Affirm’s control, Affirm will eliminate Third Party’s access to all Affirm Personal Data upon expiration or termination of the Agreement. Upon termination or expiration of the Agreement and, if earlier, upon request, Third Party will securely destroy all Affirm Personal Data. Within ten (10) days of Affirm’s request, Third Party will provide a written certification signed by an officer of Third Party, certifying that all Affirm Personal Data in all formats, including without limitation, paper, electronic and disk form, has been destroyed. Upon expiration or termination, Third Party may retain certain Affirm Personal Data if required by Applicable Privacy Law, provided that any such Affirm Personal Data so retained will remain subject to the terms of the Agreement.
11. Data Privacy Impact Assessment and Security Questionnaire. Third Party will assist Affirm in providing a data protection impact assessment and, where legally required, consult with applicable data protection authorities in respect of any proposed Processing activity conducted in connection with the Services and the performance of the Agreement that presents a high risk to Data Subjects. Third Party represents and warrants to Affirm that any information provided in response to Affirm’s Privacy Impact Assessment and/or Information Security Questionnaires is accurate to the best of Third Party’s knowledge and that the person providing such information is authorized to do so and knowledgeable about Third Party’s privacy and information security measures.
12. Affirm Contact. Please contact privacylegal@affirm.com regarding any questions or issues related to this DPA.