Vendor Data Processing Agreement
UPDATED AS OF: April 1, 2022
This Data Processing Agreement (“DPA”) is incorporated into the master services agreement (the “Agreement”) between the Affirm Party and the service provider named in the Agreement (“Vendor”) (each individually, a “Party” and collectively, the “Parties”). This DPA sets out the data protection and privacy obligations of the Parties arising out of the Services contemplated by the Agreement. This DPA is effective on the Effective Date of the Agreement, unless this DPA is separately executed in which case it is effective on the date of the last signature. In the event of any conflict between this DPA and the Agreement, the provisions of this DPA will control.
1. Definitions.
The terms below have the following meanings when used in this DPA. Any capitalized terms that are not defined in this DPA have the meaning provided in the Agreement.
“Affirm Party” or “Affirm” means the Affirm organization that is a Party to the Agreement and uses the Services subject to the Agreement.
“Affirm Data” means information that Affirm discloses to Vendor, or that Vendor otherwise collects, stores, or processes on behalf of Affirm in connection with the Agreement. Affirm Data includes “Affirm Personal Data” (as defined below). Affirm Data does not include any data that Vendor acquired independently of its relationship with Affirm.
“Affirm Personal Data” means any Personal Data that Affirm provides or discloses to Vendor or that Vendor otherwise collects, stores, or Processes on behalf of Affirm in connection with the Agreement.
“Applicable Privacy Law” means requests by governmental authority, court orders, laws, regulations, codes, orders, rules and guidelines imposed by law, competent government authority, governing body or regulator in each country and jurisdiction governing data protection and data privacy applicable to the Services and obligations in this DPA.
“Controller” means the entity which determines the purpose and means of the Processing of Personal Data.
“Data Subject” means an identified or identifiable person to whom Personal Data relates.
“Data Subject Request” means a request from Data Subjects seeking to exercise their rights under Applicable Privacy Law.
“EEA” means the European Economic Area.
“GDPR” means the General Data Protection Regulation ((EU) 2016/679) and any national implementing laws, regulations and secondary legislation, as amended, updated or replaced from time to time, in the European Union (“EU”), Switzerland and/or the United Kingdom.
“Industry Recognized Security Practices” means generally accepted industry practices, which may include but are not limited to, the International Organization for Standardization (ISO)/IEC 27001:2013 – Information Security Management Systems – Requirements and ISO/IEC 27022:2013 – Code of Practice for International Security Management; the National Institute of Standards and Technology NIST Cybersecurity Framework; the Control Objectives for Information and related Technology (COBIT) standards; Association of International Certified Professional Accountants (AICPA) System and Organization Controls 2 (SOC2); or other applicable industry standards for information security.
“Known Security Defects” means flaws in the configuration, operation or code of Vendor’s systems.
“Personal Data” (or “Personal Information” as used in Applicable Privacy Law) has the meaning as defined under Applicable Privacy Law.
“Process”, “Processing”, and “Processed” will have the meaning as defined under Applicable Privacy Law.
“Processor” (or “Service Provider” as used in Applicable Privacy Law) means the entity engaged to process Personal Data on behalf of the Controller.
“Restricted Country” means 1) where the GDPR applies, a country outside of the European Economic Area (“EEA”) not subject to an adequacy determination by the European Commission; 2) where the Swiss Federal Act on Data Protection of June 19, 1992, applies, a country outside Switzerland which has not been recognized to provide an adequate level of protection by the Federal Data Protection and Information Commissioner; and 3) countries that do not qualify for the adequacy regulations under Section 17A of the United Kingdom’s General Data Protection Regulation (“UK GDPR”).
“Restricted Transfer” means, 1) where the GDPR applies, a transfer of Personal Data (as defined under the GDPR) from the EEA to a Restricted Country; 2) where the Swiss Federal Act on Data Protection of June 19, 1992, applies, a transfer of Personal Data from Switzerland to a Restricted Country; and 3) transfers covered by Chapter V of the UK GDPR.
“Security Incident” means an actual or suspected loss of Affirm Data, unauthorized access, use, alteration, or acquisition of Affirm Data or unauthorized access to Affirm systems, accounts, devices, or platforms, or otherwise any unauthorized activity that interrupts Affirm’s operations. This includes but is not limited to instances involving malware, malicious code, unauthorized actors, unauthorized employees or contractors, or good faith acts or omissions by Vendor’s employees, agents, partners, contractors, or subcontractors.
“Services” means the products and/or services provided by Vendor to Affirm pursuant to the Agreement.
“EU Standard Contractual Clauses” (“EU SCCs”) means, where the GDPR applies, the clauses annexed to the European Commission’s Implementing Decision 2021/914 of June 4, 2021 for the transfer of Personal Data (as defined by the GDPR) to third countries.
“Strong Cryptography” means industry-tested and accepted algorithms, such as those referenced in NIST SP 800-175B.
“Subprocessor” means any Processor engaged by Vendor to assist in fulfilling its obligations with respect to providing the Services defined in this DPA to Affirm. This includes Subprocessors as defined under the GDPR and UK GDPR and subcontracted Service Providers under the CCPA.
“UK Standard Contractual Clauses” (“UK SCCs”) means the addendum issued by the United Kingdom (“UK”) Information Commissioner’s Office and approved by Parliament in accordance with s119A of the UK Data Protection Act 2018, which incorporates the EU SCCs.
2. Data Processing.
2.1. Roles of the Parties. This DPA applies to the Processing of Personal Data by one or both Parties as part of the Services described in this DPA.
2.1.1. Role of Affirm. For purposes of this DPA, Affirm is the Controller.
2.1.2. Role of Vendor. For purposes of this DPA, Vendor is the Processor or a Controller.
2.2. Details of the Processing.
(a) Purpose and Nature of Processing. The purpose and nature of the Processing will be as described in the Agreement.
(b) Frequency of Transfer. The frequency of transfer of Personal Data will be as described in the Agreement.
(c) Vendor Retention Period and Duration of Processing. A Party’s retention period of the other Party’s Personal Data and the duration of Processing will be as described in the Agreement.
(d) Categories of Data Subjects. Data Subjects may include a Party’s customers, employees, suppliers, and end users, or any other natural person whose Personal Data is provided to a Party.
(e) Categories of Personal Data and of Data Subjects. The categories of Personal Data to be Processed and categories of Data Subjects will be included in the description of Services of the Agreement.
2.2.1. Processing Instructions.
(a) Vendor will not Process Affirm Personal Data for any purpose other than: (i) as directed by Affirm through Affirm’s documented instructions; (ii) for the purposes of providing the Services as expressly stated in this DPA; or (iii) as otherwise required under Applicable Privacy Law. Vendor acknowledges that Affirm Data is not shared or crafted for the purpose of establishing eligibility with reference to a particular consumer or set of particular consumers.
(b) Vendor will promptly notify Affirm in writing, unless otherwise prohibited under Applicable Privacy Law, if Vendor:
(i) becomes aware of or believes that any Processing instruction from Affirm violates Applicable Privacy Law;
(ii) is unable to comply with Affirm’s Processing instructions for any reason;
(iii) is unable to comply with Applicable Privacy Law; and/or
(iv) is unable to comply with the terms of the Agreement for any reason.
2.2.2. Processing of Personal Data of California Consumers.
(a) To the extent Affirm Personal Data and the Services are subject to the CCPA, Vendor will:
(i) comply with all applicable requirements of the CCPA throughout the term of the Agreement and thereafter, to the extent required;
(ii) only Process Affirm Personal Data for the Business Purpose (as defined by the CCPA) described in the Agreement;
(iii) not Process or sell Affirm Personal Data for Vendor’s own Commercial Purpose(s) (as defined by the CCPA). If a law requires Vendor to disclose Affirm Personal Data for a purpose unrelated to the Business Purpose described in the Agreement, Vendor must first inform Affirm in writing and give Affirm a reasonable opportunity to object, unless the law prohibits such notice;
(iv) limit Affirm Personal Data Processing to activities reasonably necessary and proportionate to provide the Services described in the Agreement;
(v) as applicable, promptly comply with any CCPA consumer request or instruction requiring Vendor to provide, amend, transfer, or delete Affirm Personal Data, or to stop, mitigate, or remedy any unauthorized processing;
(vi) to the extent the Services require the collection of Personal Data from natural persons on Affirm’s behalf, always provide a CCPA-compliant notice at or prior to the collection of applicable Personal Data;
(vii) reasonably cooperate and assist Affirm with meeting Affirm’s CCPA compliance obligations and responding to CCPA-related inquiries; and
(viii) notify Affirm immediately if it receives any complaint, notice, or communication that directly or indirectly relates to either Party’s compliance with the CCPA.
(b) Vendor may retain a Subprocessor as permitted under Section 4 of this DPA.
(c) Vendor certifies that it understands and will comply with the terms set forth in this DPA and the CCPA's restrictions and prohibitions on selling Personal Data and Processing Personal Data.
2.3. Compliance with Applicable Privacy Law. Each Party will comply with all Applicable Privacy Law in relation to the Processing of Personal Data.
2.4. Compliance with PCI DSS. To the extent Vendor Processes Cardholder Data, as defined by the PCI Security Standards Council, on behalf of Affirm, Vendor will at all times remain in compliance with the latest PCI DSS Standards and provide Affirm with up-to-date attestations thereof upon request.
3. Security.
3.1. Confidentiality of Personnel. Vendor will ensure that any of Vendor’s personnel and any subcontractors who have access to Affirm Data have a need-to-know and are under an appropriate obligation of confidentiality.
3.2. Security Measures. To ensure the security of Affirm Data, Vendor will implement administrative, physical, and technical safeguards that are no less rigorous than Industry Recognized Security Practices. Vendor will maintain, and periodically review, a documented security program to safeguard Affirm Data, which will, at a minimum, include the obligations located at https://www.affirm.com/terms/TOSM (collectively, the “Technical and Organizational Security Measures”).
3.3. Security Incident. In the event of a Security Incident, Vendor will immediately, and in any event in no more than twenty-four (24) hours, notify Affirm in writing by emailing infosec@affirm.com and furnish Affirm with the full details of the Security Incident and any corresponding investigation in writing (excluding any attorney-client privileged materials). Vendor will cooperate with Affirm in any effort, action, or proceeding to protect Affirm Data and to mitigate and/or remediate the impact of the Security Incident. As applicable, Vendor will not make any notification to regulatory authorities or natural persons unless Affirm has given Vendor prior express written permission or such notification is required by Applicable Privacy Law. If Vendor is responsible for or failed to reasonably mitigate a Security Incident resulting in direct loss, damage, or interruption of business sustained by Affirm, Vendor shall be responsible for Affirm’s attorney fees, any fines or penalties under Applicable Privacy Law, costs related to Affirm’s own investigation, restoration costs, IT response and mitigation service costs, lost revenue and income, and first and third party notification costs.
4. Subprocessors.
(a) Affirm authorizes Vendor to engage Subprocessors to Process Affirm Data only as required to provide the Services described in the Agreement.
(b) Vendor will conduct reasonable due diligence on each Subprocessor to ensure each Subprocessor is capable of providing the level of protection required by this DPA.
(c) Upon reasonable request, Vendor will provide information related to its Subprocessors’ data protection and privacy capabilities to Affirm. Affirm may reasonably object to a Subprocessor in writing at any time during the Term. Upon any such reasonable objection, Vendor will promptly, but in no more than ten (10) business days, (i) cease the Subprocessor’s involvement with the Services, which Vendor will confirm in writing to Affirm thereafter; or (ii) if this Section 4(c)(i) is not commercially reasonable for Vendor, Vendor will promptly notify Affirm in writing, and Affirm may terminate the Agreement (in whole or in part) immediately at its sole discretion for cause.
(d) Vendor will enter into a written agreement with each Subprocessor that imposes no less restrictive terms as those contained in this DPA.
(e) Vendor will be fully liable for the acts or omissions of its Subprocessors.
5. Data Subject Requests. As applicable, Vendor will implement and maintain appropriate technical and organizational means to obtain information necessary to enable Affirm to fulfill Affirm’s obligation to respond to requests from natural persons to exercise rights afforded to them under Applicable Privacy Law. Where requested and related to Processing under the Agreement, Vendor will, within ten (10) calendar days of such request, assist Affirm with its response to a Data Subject Request, including, as appropriate, providing Affirm with information in Vendor’s custody related to a specific natural person. Any information provided by Vendor to Affirm under this DPA will be in an electronic format. Upon a request to delete certain Personal Data, Vendor will promptly delete such Personal Data after receiving Affirm’s request and provide Affirm with a written certification signed by an officer of Vendor, unless Applicable Privacy Law requires Vendor to retain the Personal Data, in which case Vendor will promptly provide a written statement to Affirm regarding the Applicable Privacy Law which requires such retention. Vendor will: (a) without undue delay, notify Affirm of a natural person’s request to exercise their rights under Applicable Privacy Law with respect to the Parties’ Processing of Personal Data; and (b) not respond to that request as to Personal Data Processed on behalf of Affirm, except on the instructions of Affirm or as required by Applicable Privacy Law, in which case Vendor will, to the extent permitted by such Applicable Privacy Law, inform Affirm of the legal requirement before Vendor responds to the request.
6. Requests for Affirm Personal Data. If Vendor receives a valid subpoena, court order, warrant, or other legal demand (“Request”) from a third party (including law enforcement, judicial authority, or any governmental body) (“Requesting Party”) for disclosure of Affirm Personal Data, Vendor will use commercially reasonable efforts to redirect the Requesting Party to seek that Affirm Personal Data directly from Affirm. If, despite Vendor’s efforts, Vendor is compelled to disclose Affirm Personal Data to a Requesting Party, Vendor will: (a) promptly notify Affirm of the Request to allow Affirm to seek a protective order or other appropriate remedy, unless prohibited from notifying Affirm, in which case Vendor will use commercially reasonable efforts to obtain a waiver of that prohibition; (b) challenge any over-broad, inappropriate, or unlawful Request; and (c) disclose only the minimum amount of Affirm Personal Data necessary to satisfy the Request.
7. Indemnification. Vendor will indemnify, defend and hold harmless Affirm and its officers, directors, employees, agents, affiliates, successors and permitted assigns (each, an “Indemnified Party” and collectively, the “Indemnified Parties”) against any and all losses, damages, liabilities, deficiencies, claims, actions, judgments, settlements, interest, awards, penalties, fines, costs, or expenses of whatever kind, including legal fees and court fees, that are incurred by the Indemnified Parties (collectively, “Losses”) arising out of any third-party claim brought against Affirm relating to or arising out of Vendor’s or any Subprocessor’s Processing of Affirm Data not in accordance with this DPA, except where such Losses result from an Indemnified Party’s gross negligence, willful misconduct, or recklessness.
8. Monitoring and Audit Rights. Vendor grants to Affirm the right, upon notice, to monitor and take reasonable and appropriate steps to ensure that Vendor’s Processing of Affirm Data is consistent with Affirm’s obligations under Applicable Privacy Law and this DPA. Affirm may instruct Vendor to promptly remediate any unauthorized Processing of Affirm Data, and Vendor will promptly comply with any such reasonable instructions. Upon request, Vendor will fully cooperate in the prompt completion of assessments or audits related to Vendor’s or Vendor’s Subprocessors’ Processing of Affirm Data. In addition to, and consistent with, any applicable audit rights provided by Vendor hereunder, Affirm will have the right to audit or conduct (or cause a qualified, independent third party to audit or conduct) a security assessment for verification of Vendor’s data security obligations as set forth in this Section 8. Affirm will conduct such assessments and audits no more frequently than once per annum except in the case that Vendor has been found to not comply with this DPA or in the case of a Security Incident, in which case Vendor must comply with additional due diligence requests as necessary to confirm resolution of outstanding security issues. Such security assessment will be at Affirm’s sole cost and election.
9. International Data Transfers.
9.1. General Obligations. Vendor will only transfer data across international borders and between jurisdictions to the extent permitted by Section 9 and in accordance with Applicable Privacy Law.
9.1.1. EU Personal Data. Transfers of Personal Data of EU Data Subjects from the EU/EEA to a Restricted Country will be conducted in accordance with the Standard Contractual Clauses.
(a) Processor-Controller Transfers. Transfers of EU Data Subject Personal Data from Vendor (data exporter) in the EU/EEA to Affirm (data importer) in a Restricted Country will be in accordance with this DPA and the Processor-to-Controller Standard Contractual Clauses (located at https://www.affirm.com/terms/processor-to-controller) (terms of which are incorporated here by reference).
(b) Controller-Processor Transfers. Transfers of EU Data Subject Personal Data from Affirm (data exporter) in the EU/EEA to Vendor (data importer) in a Restricted Country will be in accordance with this DPA and the Controller-to-Processor Standard Contractual Clauses (located at https://www.affirm.com/terms/controller-to-processor) (terms of which are incorporated here by reference).
(c) Controller-Controller Transfers. Transfers from the EU/EEA to a Restricted Country between Vendor and Affirm will be in accordance with this DPA and the Controller-to-Controller Standard Contractual Clauses (located at https://www.affirm.com/terms/controller-to-controller) (terms of which are incorporated here by reference).
9.1.2. U.S. and Canada Personal Data. To the extent a transfer involves Personal Data, Vendor may not transfer, store, or Process Personal Information outside of the United States or Canada without Affirm’s express prior written permission and only after Vendor demonstrates that the jurisdiction in which the recipient of the transfer resides requires at least the same level of privacy and security protections required by the Agreement and to the extent required by Applicable Privacy Law.
9.1.3. UK Personal Data. Transfers of Personal Data collected in the UK from UK Data Subjects to a Restricted Country will be in accordance with the EU SCCs, subject to the amendments incorporated by the UK International Data Transfer Addendum.
10. Limitations on Processing. Vendor acknowledges and certifies that it is prohibited from: (a) selling or sharing (each as defined by Applicable Privacy Law) Affirm Personal Data; (b) Processing Affirm Personal Data outside of the direct business relationship with Affirm; (c) combining Affirm Personal Data with any other data Vendor receives unless expressly permitted in writing to do so by Affirm; or (d) Processing any Affirm Personal Data provided by Affirm (or provided by a third party on Affirm’s behalf) or collected by Vendor on Affirm’s behalf for any purpose other than (i) providing the Services under this DPA; (ii) using Affirm Personal Data internally to verify or maintain the quality or safety of the Services, and to improve, upgrade or enhance the Services for Affirm; or (iii) using Affirm Personal Data to comply with Applicable Privacy Law.
11. Disposal and Return. If in Affirm’s control, Affirm will eliminate Vendor’s access to all Affirm Data upon expiration or termination of the Agreement. Vendor agrees to dispose securely of all data at Affirm’s request, or at latest at the end of the Term of the Agreement, unless otherwise instructed in writing. Upon the expiration or termination of the Agreement, Vendor will return all Affirm Data to Affirm or, at Affirm’s option, destroy all Affirm Data and within ten (10) days of Affirm’s request, provide a written certification signed by an officer of Vendor, certifying that all Affirm Data in all formats, including without limitation, paper, electronic and disk form, have been returned or destroyed, as the case may be. Upon expiration or termination, Vendor may retain certain Affirm Data if required by Applicable Privacy Law, provided that any such Affirm Data so retained will remain subject to the terms of the Agreement.
12. Data Privacy Impact Assessment and Security Questionnaire. Vendor will assist Affirm in providing a data protection impact assessment and, where legally required, consult with applicable data protection authorities in respect of any proposed Processing activity conducted in connection with the Services and the performance of the Agreement that presents a high risk to Data Subjects. Vendor represents and warrants to Affirm that any information provided in response to Affirm’s Privacy Impact Assessment and/or Information Security Questionnaires are accurate to the best of Vendor’s knowledge and the person providing such information is authorized to do so and knowledgeable about Vendor’s privacy and information security measures.
13. Affirm Contact/Representative. Please contact privacylegal@affirm.com regarding any questions or issues related to this DPA.