Merchant Data Security Policy

Last Updated: July 7, 2022

This Merchant Data Security Policy (“Merchant Data Security Policy”) establishes the information security requirements under which Merchant may use Affirm Confidential Information and Affirm Personal Information (collectively, “Affirm Data”). Capitalized terms used in this Merchant Data Security Policy but not defined below are defined in the Agreement. Affirm may amend the Merchant Data Security Policy from time to time in accordance with the Agreement.

1. Privacy. In the performance of its obligations under the Agreement, each Party may create, receive, or have access to information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household (“Personal Information” or “Personal Data”). A Party’s Personal Information will be considered such Party’s Confidential Information under the Agreement and will be subject to the ownership interests of the Parties as described in Section 1.3(b) and any other applicable terms of the Agreement. Affirm may grant Merchant access to Affirm Confidential Information in its sole discretion, solely for the purpose of, and as reasonably necessary for, providing the Services or performing obligations required under the Agreement, and may, at any time and without cause, (a) cease sharing Affirm Confidential Information with Merchant and (b) require that Merchant delete, destroy, erase or otherwise cease all Processing of Affirm Confidential Information, unless otherwise required by Applicable Law or in order to perform obligations to Customers required under the Agreement.

2. Ownership of Personal Information. “Affirm Personal Information” means Personal Information collected from a third party by Affirm or by a third party on behalf of Affirm in connection with Affirm’s provision of the Services. “Merchant Personal Information” means Personal Information collected from a third party by Merchant or by a third party on behalf of Merchant in connection with Merchant’s receipt of the Services. Affirm owns all right, title, and interest in and to Affirm Personal Information, and Merchant owns all right, title, and interest in and to Merchant Personal Information. The Parties acknowledge and agree that some of the same data elements (e.g., a Customer’s name) may be both Affirm Personal Information and Merchant Personal Information. Each Party acknowledges that (a) each Party maintains information about Customers derived from numerous sources (including directly from the Customer); and (b) information about Customers developed or maintained by one Party may be identical to information that the other Party has developed or maintains.

3. Processing Personal Information. Each Party will, as applicable, “Process” (as such term is defined or recognized by Applicable Law applicable to the Parties and subject matter herein) Personal Information in accordance with Applicable Law, its applicable privacy policy, and the Agreement.

a. If, during the Term of the Agreement, Merchant Processes credit, debit, or other payment card numbers and cardholder information with respect to Customers, Merchant will at all such times remain in compliance with the Payment Card Industry Data Security Standard (“PCI DSS”) requirements, including, without limitation, remaining aware at all such times of changes to the PCI DSS and promptly implementing all procedures and practices as may be necessary to remain in compliance with the PCI DSS, in each case at Merchant’s sole cost and expense. Merchant will not receive any Cardholder Data (as defined in the latest PCI DSS) from Affirm under the Agreement.

b. Affirm will act solely as a Service Provider (as such term is defined in the CCPA) with respect to Merchant Personal Information and, as such, shall Process Merchant Personal Information solely to provide the Services to Merchant and carry out its obligations under the Agreement. Affirm will not Process Merchant Personal Information for any other purpose, unless required by Applicable Law. Affirm will notify Merchant if it believes that it cannot follow Merchant’s instructions or fulfill its obligations under the Agreement because of a legal obligation to which it is subject, unless Affirm is prohibited by Applicable Law from making such notification.

c. For clarity, Affirm will not: (a) sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means in exchange for monetary or other valuable consideration (collectively, “Sell”) any Merchant Personal Information; (b) retain, use, or disclose Merchant Personal Information for any purpose other than for the specific business purpose of performing the Services, including retaining, using, or disclosing Merchant Personal Information for a commercial purpose other than performing the Services; or (c) retain, use, or disclose Merchant Personal Information outside of the direct business relationship between the Parties as defined in the Agreement. Affirm certifies that it understands these restrictions.

d. Notwithstanding anything to the contrary, Affirm may Process Merchant Personal Information as necessary to: detect data security incidents; protect against fraudulent or illegal activity; effectuate repairs; engage subcontractors; comply with Applicable Law, law enforcement requests or defend against or maintain legal claims; and build or improve the quality of its products and services.

e. Merchant will not (and will not allow any third party at its direction or on its behalf to) (a) Sell Affirm Personal Information; (b) permit others to Sell Affirm Personal Information; or (c) Process Affirm Personal Information for any purpose other than carrying out Merchant’s obligations under the Agreement.

4. Data Security.

a. In addition to any other data security requirements in the Agreement, each Party will establish, maintain and comply with physical, technical, and administrative controls and an accurate, comprehensive and up-to-date data security program and policy inclusive of adequate data security measures consistent with Applicable Law and industry standards to protect the other Party’s Confidential Information from disclosure, destruction, misuse, loss, acquisition, or alteration by an unauthorized third party.

b. Merchant will regularly monitor, evaluate and adjust, as appropriate, its security measures in light of any risk assessment findings, relevant changes in Applicable Law or relevant data security standards, technology advances, changes to Merchant's systems, internal or external threats to Confidential Information, reasonable requests from Affirm arising out of security or other concerns reasonably identified and communicated to the extent possible, and Merchant's own changing business arrangements in order to ensure that Merchant’s data security program and controls remain accurate, comprehensive and up-to-date.

c. Merchant may not (and may not allow any third party at its direction or on its behalf to) (a) Sell Affirm Personal Information or any other Affirm Confidential Information; (b) permit others to Sell Affirm Personal Information or any other Affirm Confidential Information; (c) Process Affirm Personal Information or any other Affirm Confidential Information for any purpose other than carrying out Merchant’s obligations under the Agreement; or (d) conduct unauthorized security assessments, including vulnerability scans and penetration tests, on Affirm systems.

d. In the event that Merchant suffers or learns of any disclosure, destruction, loss, misuse, acquisition or alteration by an unauthorized third party of Affirm’s Confidential Information (a “Security Breach”), Merchant will: (a) promptly (but in no event later than 48 hours following confirmation of the Security Breach) notify Affirm in writing of such Security Breach and furnish Affirm with the details of such Security Breach; (b) cooperate in any reasonable effort, action, or proceeding to protect all Confidential Information, including any applicable Personal Information subject to such Security Breach, and to reasonably mitigate and/or remediate the impact of the Security Breach; (c) promptly use best efforts to prevent a recurrence of any future Security Breach; and (d) as applicable, come into compliance with Applicable Law. In addition to, and consistent with, any applicable audit rights provided to Affirm under the Agreement, in the event of a Security Breach, to the extent that such Security Breach involves Affirm Confidential Information, Affirm will have the right to audit or conduct (or cause a qualified, independent third party to audit or conduct) a security assessment for verification of Merchant's data security obligations as set forth in this Section 1.3. Such security assessment will be at Affirm's sole cost and election.

e. Merchant will encrypt all Affirm Confidential Information, including Personal Information, in transit, and will encrypt all Personal Information both at rest and in transit with industry-standard encryption methods and algorithms, such as AES-256 and the two most recent, non-deprecated versions of TLS, respectively. Merchant will not transmit any unencrypted Personal Information over the internet or a wireless network, and will not store any Personal Information on any mobile computing device, such as a laptop computer, USB drive or portable data device, except where there is a business necessity and only if the mobile computing device is protected by industry-standard encryption.

f. Merchant will ensure that: (a) Merchant’s connectivity to Affirm’s information systems, and all attempts at the same, will be only through Affirm’s security gateways/firewalls and only through Affirm’s authorized security procedures, which can be obtained from Affirm’s Information Security Department; (b) Merchant will not access, and will not permit unauthorized persons or entities to access, Affirm’s information systems without Affirm’s express written authorization, and any such actual or attempted access will be consistent with Affirm’s authorization; (c) any private API keys or other material provided to Merchant for the purpose of Merchant authenticating to Affirm’s information systems shall constitute Confidential Information and shall be protected as such; and (d) Merchant will take appropriate measures to ensure that Merchant’s information systems which connect to Affirm’s information systems, and anything provided to Affirm, do not contain any computer code, programs, mechanisms, or programming devices designed to, or that would, enable the disruption, modification, deletion, damage, deactivation, disabling or harm of, or otherwise be an impediment, in any manner, to the operation of Affirm’s services or information systems, and Merchant will immediately notify Affirm upon detection of any vulnerabilities thereto.