UPDATED AS OF: Sep 25, 2025

This Global Security Addendum, (“Global Security Addendum”) is incorporated into the Affirm Global Master Services Agreement (“Agreement”) between the Affirm Party and the third party named in the Agreement (“Third Party”) (each individually, a “Party” and collectively, the “Parties”). This Security Addendum establishes the security obligations of the Parties arising out of the Services contemplated by the Agreement. This Security Addendum is effective on the Effective Date of the Agreement, unless this Security Addendum is separately executed in which case it is effective on the date of the last signature. In the event of any conflict between this Security Addendum and the Agreement, the provisions of this Security Addendum will control.  

1. Definitions: 

“Affirm Data” means information that Affirm discloses to Third Party, or that Third Party otherwise collects, stores, or processes on behalf of Affirm in connection with the Agreement. Affirm Data does not include Affirm Personal Data. Affirm Data does not include any data that Third Party acquired independently of its relationship with Affirm.

“Affirm Personal Data” means any Personal Data that Affirm provides or discloses to Third Party or that Third Party otherwise collects, stores, or Processes on behalf of Affirm in connection with the Agreement. 

“Industry Recognized Security Practices” means generally accepted industry practices, which may include but are not limited to, the International Organization for Standardization (ISO)/IEC 27001:2013 – Information Security Management Systems – Requirements and ISO/-IEC 27022:2013 – Code of Practice for International Security Management; the National Institute of Standards and Technology NIST Cybersecurity Framework; the Control Objectives for Information and related Technology (COBIT) standards; or other applicable industry standards for information security.

“Known Security Defects” as used in the Technical and Organizational Security Measures means flaws in the configuration, operation or code of Vendor’s systems.

“Security Incident” means an actual or suspected loss of Affirm Data and/or Affirm Personal Data, unauthorized access, use, alteration, or acquisition of Affirm Data and/or Affirm Personal Data or unauthorized access to Affirm systems, accounts, devices, or platforms, or otherwise any unauthorized activity that interrupts Affirm’s operations.  This includes but is not limited to instances involving malware, malicious code, unauthorized actors, unauthorized employees or contractors, or good faith acts or omissions by Third Party’s employees, agents, partners, contractors, or subcontractors (“Representatives”).

2. Security.

2.1. Confidentiality of Personnel. Third Party will ensure that any of Third Party’s personnel and any Representatives who have access to Affirm Data have a need-to-know and are under an appropriate obligation of confidentiality shall:

(a) Limit access to Affirm Data to personnel who have a business need to have access to such Affirm Data; and

(b) Ensure that such personnel are subject to obligations at least as protective of Affirm Data as the terms of this Addendum and the Agreement, including duties of confidentiality with respect to any Affirm Data to which they have access.

2.2. Security Measures. To ensure the security of Affirm Data, Third Party will implement administrative, physical, and technical safeguards that are no less rigorous than Industry Recognized Security Practices. Third Party will maintain, and periodically review, a documented security program to safeguard Affirm Data, which will, at a minimum, include the obligations located at https://www.affirm.com/terms/TOSM (collectively, “Technical and Organizational Security Measures”). 

2.3. Security Incident.

(a) In the event of a Security Incident, Third Party will immediately, and in any event, in no more than twenty four (24) hours, notify Affirm in writing by emailing infosec@affirm.com and furnish Affirm with the full details of the Security Incident and any corresponding investigation in writing (excluding any attorney-client privileged materials). 

(b) Third Party shall take reasonable steps to contain, investigate, and mitigate any Security Incident, and shall send Affirm information about the Security Incident, to the extent known to Third Party or as the information becomes available to Third Party, including, but not limited to, the nature of the Security Incident, the measures taken to mitigate or contain the Security Incident, and the status of the investigation. 

(c) Third Party will cooperate with Affirm in any effort, action, or proceeding to protect Affirm Data and to mitigate and/or remediate the impact of the Security Incident. 

(d) As applicable, Third Party will not make any notification to regulatory authorities or natural persons unless Affirm has given Third Party prior express written permission or such notification is required by applicable law. 

(e) If Third Party is responsible or failed to reasonably mitigate a Security Incident resulting in direct loss, damage, or interruption of business  sustained by Affirm, Third Party shall be responsible for Affirm's attorney fees, any fines or penalties under applicable law, costs related to Affirm's own investigation, restoration costs, IT response and mitigation service costs, lost revenue and income, and first and third party notification costs.

2.4 Information Security Questionnaires. Third Party will assist Affirm in providing responses to Affirm’s security questionnaires conducted in connection with the Services and the performance of the Agreement. Third Party represents and warrants to Affirm that any information provided in response to Affirm’s Information Security Questionnaires are accurate to the best of Third Party’s knowledge and the person providing such information is authorized to do so and knowledgeable about Third Party’s information security measures.

2.5 Monitoring and Audit Rights. Affirm may, upon notice, monitor and take reasonable and appropriate steps to ensure that Third Party’s Processing of Affirm Data is consistent with Affirm’s obligations under Applicable Law and this Global Security Addendum. Upon request, Third Party will fully cooperate in the prompt completion of assessments or audits related to Third Party’s or Third Party’s Representatives’ Processing  of Affirm Data. Affirm will conduct such assessments and audits no more frequently than once per annum except in the case that (i) it is required by a supervisory authority with jurisdiction over the Processing of Affirm Data or otherwise under Applicable Law; (ii) Third Party has been found to not comply with this Global Security Addendum; or (iii) there is a Security Incident, in which case Third Party must comply with additional due diligence requests as necessary to confirm resolution of outstanding security issues. Such security assessment will be at Affirm’s sole cost and election. Affirm may instruct Third Party to promptly remediate any unauthorized Processing of Affirm Data, and Third Party will promptly comply with any such reasonable instructions.