Affirm Global Data Processing Agreement

UPDATED AS OF: September 10, 2025

This Global Data Processing Agreement (“DPA”) is incorporated into the Master Agreement (“Master”) (collectively, DPA and Master constitute the “Agreement”) between the Affirm entity (“Affirm”) and the third party which is a Party to the Agreement (“Third Party”) (each individually, a “Party” and collectively, the “Parties”). This DPA is effective on the Effective Date of the Agreement, unless this DPA is separately executed in which case it is effective on the date of the last signature. In the event of any conflict between this DPA and the Master, the provisions of this DPA will control.

1. Definitions.

The terms below have the following meanings when used in this DPA. Any capitalized terms that are not defined in this DPA have the meaning provided in the Agreement. The terms “Personal Data”, “Controller”, “Data Subject”, “Processor”, and “Process” have the meanings given to them under Applicable Privacy Law or, absent any such meaning or law, by the GDPR. As used in this DPA, “Personal Data” will have the meaning of “Personal Information” or “Nonpublic Personal Information,” each as used in Applicable Privacy Law. “Controller” and “Processor” will be deemed equivalent to “Business” and “Service Provider”, respectively, under this DPA for purposes of CCPA compliance.

“Applicable Privacy Law” means requests by governmental authority, court orders, laws, regulations, codes, orders, rules and guidelines imposed by law, competent government authority, governing body or regulator in each country and jurisdiction governing data privacy, information security, and data Processing applicable to the Services and obligations in this DPA. For avoidance of doubt, Applicable Privacy Law includes, but is not limited to, applicable GLBA, CCPA and Canadian law restrictions on reuse and redisclosure.

"CCPA" means the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act of 2020, and any regulations promulgated thereunder, as may be amended from time to time.

“Data Subject Request” means a request from a Data Subject seeking to exercise their rights under Applicable Privacy Law.

“Deidentified Data” means data created using Affirm Personal Data that cannot reasonably be linked to a particular individual, directly or indirectly.

“GLBA” means Title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.) and the implementing privacy and security regulations issued pursuant to the Gramm-Leach-Bliley Act.

“GDPR” means the General Data Protection Regulation ((EU) 2016/679) and any national implementing laws, regulations and secondary legislation, as amended from time to time, in the European Economic Area (“EEA”).

“Industry Recognized Security Practices” means generally accepted industry practices, which may include but are not limited to, the International Organization for Standardization (ISO)/IEC 27001:2022 – Information Security Management Systems – Requirements and ISO/IEC 27002:2022 – Information Security Controls; the National Institute of Standards and Technology (NIST) Cybersecurity Framework; the Control Objectives for Information and related Technology (COBIT) standards; the Association of International Certified Professional Accountants (AICPA) System and Organization Controls 2 (SOC 2); or other applicable industry standards for information security.

"Representatives" means a Party's directors, officers, employees, agents, contractors, subcontractors, and authorized advisors who need to know the information to perform obligations under the Agreement.

“Restricted Country” means (i) where the GDPR applies, a country outside of the EEA not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR (as defined below) and the Data Protection Act 2018 (“DPA 2018”) apply, countries that have not been specified by the Secretary of State to ensure an adequate level of protection of Personal Data under Section 17A of the DPA 2018.

“Security Incident” means an actual or reasonably suspected loss of, unauthorized access to, or unauthorized Processing of Controller Personal Data, or any other confidentiality incident which requires disclosure in accordance with Applicable Privacy Law.

“Services” means the products and/or services provided by Third Party to Affirm pursuant to the Agreement.

"Standard Contractual Clauses" or “SCCs” means (i) where the GDPR applies, the clauses annexed to the European Commission’s Implementing Decision 2021/914 of June 4, 2021 for the transfer of Personal Data to third countries; and (ii) where the UK GDPR applies, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under Section 119A(1) of the DPA 2018 (“UK Addendum”), in each case, as amended or superseded from time to time.

"Subprocessor" means any third party engaged directly or indirectly by Processor to Process any Personal Data under the Agreement.

“UK GDPR” is as defined in Section 3(10) of the DPA 2018, as supplemented by Section 205(4), as amended from time to time.

2. Roles of the Parties and Details of Processing. In connection with certain Processing activities, either Party may act as a Controller or Processor with respect to Personal Data. The applicable role(s) for each Processing activity and the details of Processing of Personal Data are identified in the Agreement. 

3. Controller-Processor Terms. To the extent a Party is a Controller and the other is a Processor, the terms of this Section 3 will apply. In addition to any other instructions provided by Controller, the Agreement constitutes Controller’s instructions to Processor regarding the Processing of applicable Personal Data by Processor, and Processor will Process such Personal Data only in accordance with these instructions and Applicable Privacy Law. Processor will promptly notify Controller in writing, unless prohibited under Applicable Privacy Law, if Processor: (a) becomes aware of or believes that any Processing instruction from Controller violates Applicable Privacy Law; (b) is unable to comply with Controller’s Processing instructions; and/or (c) is unable to comply with the terms of this DPA. To the extent a Party is a “Contractor” (as defined in the CCPA), it certifies that it understands and will comply with the CCPA’s restrictions and requirements.

Processor will: (i) assist Controller in ensuring compliance with Applicable Privacy Law, including but not limited to, security, breach notification, and Assessment obligations; (ii) upon Controller’s request, promptly delete or return all Controller Personal Data, except as required to comply with Applicable Law (provided that any such Personal Data must be retained in accordance with the Agreement); (iii) make available to Controller all information necessary to demonstrate compliance with this DPA; (iv) promptly notify Controller of any complaints received by Processor regarding its Processing of Controller Personal Data and provide such information as reasonably required by Controller in respect of the complaint; and (v) allow for and contribute to audits conducted by the Controller or its designated auditor.

Processor will not, with respect to Personal Data it Processes on behalf of Controller: (A) Sell such Personal Data or otherwise make such Personal Data available to any third party for monetary or other valuable consideration; (B) Share such Personal Data with any third party for cross-context behavioral advertising; (C) Process such Personal Data for any purpose other than for the business purposes specified in the Agreement; (D) Process such Personal Data outside of the direct business relationship between the Parties; and (E) except as otherwise permitted by Applicable Privacy Law, combine such Personal Data with any other Personal Data. As used in this Section, “Sell” and “Share” have the meanings given to them under Applicable Privacy Law or, absent any such meaning or law, by the CCPA. Controller may instruct Processor to promptly remediate any unauthorized Processing of Personal Data Processed under the Agreement, and Processor will promptly comply with any such reasonable instructions.

4. Controller-Controller Terms. To the extent each Party is a Controller, the terms of this Section 4 will apply. Subject to Applicable Privacy Law (including, but not limited to any consent or notice requirements), each Party is a separate and independent Controller of Personal Data disclosed or made available to it in connection with the Agreement. Each Party will comply with Applicable Privacy Law and take all actions and implement all measures necessary to support the Processing of Personal Data as a separate and independent Controller under this Agreement. Each Party will reasonably cooperate with and assist the other Party with meeting the other Party’s obligations under Applicable Privacy Law and will promptly notify the other Party if it receives any complaint, notice, or communication that relates to the other Party's compliance with Applicable Privacy Law. 

5. Compliance with Applicable Privacy Law. Each Party will comply with all Applicable Privacy Law in relation to the Processing of Personal Data. Notwithstanding anything to the contrary in this DPA, Third Party will not Process Personal Data in a manner that establishes credit eligibility or that gatekeeps or steers consumers to or away from certain payment products.

6. Security.

6.1. Confidentiality of Representatives. Each Party will ensure that: (i) access to Personal Data Processed under the Agreement is available only to Representatives who require such Personal Data to fulfill their obligations under the Agreement; (ii) such Representatives are subject to written, binding obligations at least as protective of Personal Data as the terms of the Agreement; and (iii) such Representatives have received adequate training on compliance with Applicable Privacy Law.

6.2. Security Measures. Each Party will establish, maintain and comply with physical, technical, organizational and administrative controls and an accurate, comprehensive, up-to-date data security program, policies, and data security measures consistent with Applicable Privacy Law and Industry Recognized Security Practices to protect against Security Incidents, which, to the extent Third Party is a Processor, will include, at a minimum, the obligations located at https://www.affirm.com/terms/TOSM (collectively, “Technical and Organizational Security Measures”). 

6.3. Security Incident. In the event of a Security Incident, Processor will (i) promptly, but in no more than forty-eight (48) hours of a Security Incident, notify Controller in writing (email acceptable) and furnish Controller with the details of the Security Incident and any corresponding investigation in writing (excluding any attorney-client privileged materials); (ii) take reasonable steps to contain, investigate, and mitigate any Security Incident and use commercially reasonable efforts to prevent a recurrence of any future Security Incident; (iii) as applicable, come into compliance with Applicable Law; (iv) provide Controller with all information requested about the Security Incident, to the extent known to Processor or as the information becomes available to Processor; (v) cooperate with Controller in any effort, action, or proceeding to protect Personal Data, to mitigate and/or remediate the impact of the Security Incident, and to enable Controller to comply with its obligations under Applicable Privacy Law; and (vi) not make any disclosure related to a Security Incident unless Controller has provided prior express written permission or such notification is required by Applicable Privacy Law. If Processor is responsible for, or failed to reasonably mitigate, a Security Incident resulting in loss, damage, or interruption of business sustained by Controller, Processor will be responsible for Controller's attorney fees, fines, penalties, lost revenue and income, and costs and expenses related to Controller's investigation, restoration and/or remediation, IT response and mitigation services, and first- and third-party notification(s). Processor will notify Controller as soon as it becomes aware of any investigation, other action taken by, or correspondence from, a supervisory authority in connection with a Security Incident.
To the extent each Party is a separate and independent Controller and a Party suffers a Security Incident on information systems it owns, controls, or subcontracts, such Controller will notify the other Party within forty-eight (48) hours of such Security Incident (or as otherwise required by Applicable Privacy Law), and the Parties will reasonably cooperate and assist each other in good faith in order to comply with Applicable Privacy Law. All notices to Affirm under this Section 6.3 will be sent to infosec@affirm.com.

6.4. Compliance with PCI DSS. To the extent Third Party Processes Cardholder Data (as defined by the PCI Security Standards Council), it will comply with Payment Card Industry Data Security Standard (“PCI DSS”) requirements and will provide Affirm with up-to-date attestations thereof upon request.

7. Subprocessors. To the extent a Party acts as Processor, Controller grants general authorization to Processor to engage Subprocessors to Process Personal Data only as required to provide the Services and to comply with the Agreement. Processor will: (a) conduct reasonable due diligence on each Subprocessor to ensure each Subprocessor is capable of providing the level of data protection required by this DPA; (b) enter into a written agreement with each Subprocessor that imposes terms no less restrictive than those contained in this DPA; and (c) be fully liable for the acts or omissions of its Subprocessors. To the extent required by Applicable Privacy Law, Processor will maintain a current list of all Subprocessors and will provide Controller with at least thirty (30) days’ notice of any proposed changes before authorizing any new Subprocessor or making any material changes to any existing Subprocessor. If Controller reasonably objects to a new Subprocessor, the Parties will work together in good faith to resolve Controller’s concerns. If no mutually acceptable resolution is reached within thirty (30) days, Controller may terminate the portion of the Agreement relating to the Services affected by the changed Subprocessor upon written notice to Processor without penalty.

8. Data Subject Requests. Where a Party acts as a Processor, it will implement and maintain appropriate technical and organizational means to enable Controller to respond to Data Subject Requests as required by Applicable Privacy Law. In relation to Personal Data Processed under the Agreement: (a) Controller will have sole discretion over and responsibility for responding to a Data Subject Request; and (b) Processor will promptly forward to Controller any Data Subject Request received by Processor and will not otherwise respond to that Data Subject Request without authorization from Controller. Processor will, within ten (10) calendar days of a request by Controller, assist Controller with its response to a Data Subject Request, including, as appropriate, providing Controller with information in Processor’s custody related to a specific Data Subject in accordance with Controller’s instruction and promptly deleting Personal Data after receiving Controller’s request, with written confirmation of compliance signed by an authorized representative of Processor, unless Applicable Privacy Law requires Processor to retain the Personal Data, in which case Processor will promptly provide a written statement to Controller regarding the Applicable Privacy Law which requires such retention. Any such retained Personal Data will continue to be subject to this DPA.

9. Assessments and Audit Rights. Where a Party acts as a Processor, as related to its or its Subprocessors’ Processing of Personal Data under the Agreement, it will promptly: (a) make available to Controller all information necessary to demonstrate compliance with this DPA; and (b) allow for and fully cooperate in any assessment, data protection impact assessment, or audit (each, an “Assessment”) requested by Controller, provided that to the extent any such audit is onsite, such onsite audit will only be permitted if the applicable site hosts Processor’s Processing activities and the site is under Processor's control. Controller will conduct any such Assessment no more frequently than once per annum except where: (i) an additional Assessment is required by Applicable Privacy Law or a supervisory authority with jurisdiction over the Processing of Personal Data under the Agreement; (ii) the scope of the Services changes significantly; (iii) Processor is reasonably suspected of being noncompliant with this DPA; or (iv) there is a Security Incident. Any Assessment will be at Controller’s sole cost and election. Processor represents and warrants to Controller that any information provided in response to an Assessment is accurate to the best of Processor’s knowledge and the person providing such information is authorized to do so and knowledgeable about Processor’s privacy and information security measures.

10. International Data Transfers. Each Party will only transfer Personal Data across international borders and between jurisdictions to the extent permitted by this DPA and in accordance with Applicable Privacy Law. In the event of a conflict between this DPA and the SCCs, the provisions of the SCCs, to the extent applicable, will control.

10.1. EEA Personal Data Transfer. Transfers of Personal Data from the EEA to a Restricted Country will be conducted in accordance with this DPA and the SCCs, including, as applicable, the Processor-to-Controller SCCs (located at https://www.affirm.com/terms/processor-to-controller), the Controller-to-Processor SCCs (located at https://www.affirm.com/terms/controller-to-processor), and the Controller-to-Controller SCCs (located at https://www.affirm.com/terms/controller-to-controller), which SCCs are incorporated herein by reference. Appendix A hereto provides additional details as required by Annexes I and II of the SCCs.

10.2. UK Personal Data Transfer. Transfers by either Party of Personal Data involving the UK, either in addition to the EEA or separately, to a Restricted Country will be conducted in accordance with this DPA and the SCCs, including, as applicable, the UK Addendum (located at https://ico.org.uk/media2/migrated/4019539/international-data-transfer-addendum.pdf), the terms of which are incorporated herein by reference. For purposes of the UK Addendum, the information required for the purposes of Part 1 (Tables) of the UK Addendum will be populated with the relevant information set out in this DPA (see Appendix A).

11. Deidentified Data. If either Party receives Deidentified Data from or on behalf of the other Party, the receiving Party will: (a) take reasonable measures to ensure the information cannot be associated with a Data Subject; (b) commit to Process the Deidentified Data solely in deidentified form and not attempt to reidentify the information; and (c) contractually obligate any recipients of the Deidentified Data to comply with the requirements in this Section and Applicable Privacy Law. 

12. Disposal and Return. Upon termination or expiration of the Agreement and, if earlier, upon request of Controller, Processor will securely destroy all Personal Data it Processed under the Agreement and within ten (10) days of Controller’s request, Processor will provide written certification signed by an officer of Processor that all Personal Data it Processed under the Agreement in all formats, including without limitation, paper, electronic and disk form, has been destroyed. Processor may retain Personal Data to the extent required by Applicable Privacy Law, provided that any such Personal Data so retained will remain subject to the terms of the Agreement. 

13. Affirm Contact. Please contact privacylegal@affirm.com regarding any questions or issues related to this DPA. 

Appendix A

A. The following includes the information required by Annex I of the SCCs.

Data exporter(s): 

Name: Third Party and/or the Affirm entity operating in the countries which comprise the European Economic Area or the UK

Address: As provided in the Local Order or as otherwise provided by data exporter

Contact person’s name, position and contact details: As provided in the Local Order or as otherwise provided by data exporter

Activities relevant to the data transferred under these SCCs: Performance of Services and as otherwise described in the Agreement

Role: Controller and/or Processor as described in the Agreement

Data importer(s): 

Name: Third Party and/or the Affirm entity operating in the countries which comprise the European Economic Area or the UK

Address: As provided in the Local Order or as otherwise provided by data importer

Contact person’s name, position and contact details: As provided in the Local Order or as otherwise provided by data importer

Activities relevant to the data transferred under these SCCs: Performance of Services and as otherwise described in the Agreement

Role: Controller and/or Processor as described in Section A of the Agreement

Categories of Data Subjects: As described in Section A of the Agreement

Categories of Personal Data: As described in Section A of the Agreement

Sensitive Data: The data exporter might include sensitive personal data in the personal data described in Section A of the Agreement

Frequency of the Transfer: Personal data is transferred as described in the Agreement.

Nature of the Processing: The Data Importer will Process the Personal Data as described in the Agreement for the duration and scope set forth in the Agreement.

Purposes of Data Transfer and Further Processing: To provide the Services and as otherwise described in Section A of the Agreement.

Period for which the Personal Data will be Retained: Subject to Applicable Privacy Law, Personal Data will be retained in accordance with the Agreement.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: The subject matter and nature of the Processing are described in the Agreement. Subject to Applicable Privacy Law and the data retention and deletion provisions of the Agreement, the duration of the Processing is the duration of the Agreement (including any survival period).

Competent supervisory authority/ies in accordance with Clause 13: Where the data exporter is Affirm, the Urząd Ochrony Danych Osobowych (the Office for Personal Data Protection of Poland); where the data exporter is Third Party, the competent supervisory authority will be determined in accordance with the GDPR; and for transfers from the UK, the Information Commissioner's Office.

B. The following includes the information required by Annex II of the SCCs.

Description of the technical and organisational measures implemented by the data importer(s): The technical and organizational measures (including the certifications held by the data importer) as well as the scope and the extent of the assistance required to respond to data subjects’ requests, are described in the Agreement.

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor: The technical and organisational measures that the data importer will impose on sub-processors are described in the Agreement.

C. The following chart includes the information required by Part 1: Tables of the UK Addendum.

Table 1: Parties

Parties' details

As set out in Section B of the Agreement

Key Contacts

As set out in Section B of the Agreement

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs

The version of the EU SCCs that are incorporated into this DPA by way of reference (per clause 5(a)(i)), is the version to which this UK Addendum is appended.

Table 3: Appendix Information

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex 1A: List of Parties:

As set out in Section B of the Agreement.

Annex 1B: Description of Transfer:

As set out in Section B of the Agreement.

Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of the data:

As set out in Section B of the Agreement.

Annex III: List of Subprocessors (Modules 2 and 3 only):

Data importer has general authorisation to engage Subprocessors subject to the terms of the Agreement.

Table 4: Ending this Addendum when the Approved Addendum Changes

Neither Party may end the UK Addendum, as per Section 19 of the UK Addendum.