YellowPepper Data Processing Agreement

Last Updated: December 14, 2020

This Data Processing Agreement (“DPA”) is an agreement between, on the one hand, you and the entity you represent (“Customer” or “you”), and, on the other hand, YellowPepper Holding Corporation and/or any other applicable affiliated YellowPepper entity(ies) with which you have a written or electronic agreement to Process Personal Information on your behalf (each, an “Agreement”).  This DPA forms part of each such Agreement, except for any Agreement under which you and YellowPepper have expressly agreed to terms that address the subject matter of this DPA. Each of YellowPepper and Customer are referred to herein as a “Party” and collectively as the “Parties.”

1 Processing of Customer Personal Information.   

1.1 Processor designation. The Parties acknowledge and agree that:

1.1.1 the Customer Personal Information that YellowPepper Processes on behalf of Customer in order to provide YellowPepper Services, may include Personal Information about Customer’s employees, agents or customers such as cardholders (“Customer Personal Information”);

1.1.2 such Processing by YellowPepper may include, by way of example and for illustrative purposes, the Processing detailed on the Schedule on the Processing of Customer Personal Information (below); and
 
1.1.3 YellowPepper is a “processor” or “service provider” under Applicable Data Protection Law acting on Customer's instructions (referred to as “Processor” for purposes of this DPA). 

1.2 Authorization to Process. Processor will Process Personal Information on behalf of Customer (“Customer Personal Information”) to provide YellowPepper Services, and Processor is authorized to Process Customer Personal Information solely in connection with the following activities:

1.2.1 To provide YellowPepper Services in accordance with the applicable Agreement(s);
 
1.2.2 To provide any Processing required under applicable laws or regulations;

1.2.3 Based on the instructions of Customer, to transfer Personal Information Processed by YellowPepper to acquiring banks, issuing banks, payment processors providing services on behalf of acquiring banks, payment networks (such as Visa and Mastercard), or service providers performing payer authentication services used by Customer; 

1.2.4 As reasonably necessary to enable YellowPepper to comply with any other directions or instructions provided by Customer; 

1.2.5 To reduce or eliminate fraud, including authenticating the identity of Data Subjects, which may include, but is not limited to, combining Customer Personal Information with Personal Information from one or more entities for which YellowPepper performs services in order to detect data security incidents or protect against fraudulent or illegal activity. 

2 Compliance with Law. YellowPepper, in its provision of services to Customer, and Customer, in its use of the services, shall each Process Customer Personal Information in accordance with Applicable Data Protection Law. 

3 Customer obligations

3.1 Customer shall provide its Data Subjects with all privacy notices, information and any necessary choices and shall obtain any necessary consents to enable YellowPepper to comply with Applicable Data Protection Law; 

3.2 Where required by Applicable Data Protection Law, Customer shall promptly inform Processor when Customer Personal Information must be corrected, updated, and/or deleted; 

3.3 Customer shall ensure that at the point of transferring Customer Personal Information to Processor, the Customer Personal Information is adequate, relevant and limited to what is necessary in relation to the Processing envisaged under the Agreement and this DPA; and 

3.4 Customer shall comply (and ensure that its third-party auditors comply) with Processor’s relevant security policies and appropriate confidentiality obligations as set out in the Agreement. 

4 YellowPepper obligations

4.1 Applicable Data Protection Law. To the extent necessary to enable Customer to comply with its obligations under Applicable Data Protection Law, YellowPepper further agrees to comply with any required provisions of the below Schedule(s) to the extent applicable. The Parties agree that YellowPepper may add additional Schedules to this DPA wherever required for YellowPepper to comply with Applicable Data Protection Law that becomes applicable to YellowPepper in the future. 

4.2 Data Subject Rights. Processor will, to the extent legally permitted, provide reasonable assistance to Customer to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law (e.g., rights to access or delete Personal Information) in a manner that is consistent with the nature and functionality of YellowPepper Services. Where YellowPepper receives any such request from a Data Subject that is a client of Customer, YellowPepper shall notify the Customer and the Customer is responsible for handling such requests by the Data Subject in accordance with Applicable Data Protection Law. 

4.3 Engaging with Sub-Processors. Processor shall ensure that when engaging with another data processor (a “Sub-Processor”) for the purposes of carrying out specific Processing activities on behalf of Customer, there is an agreement between Processor and the relevant Sub-Processor that provides at least the same level of protection for Customer Personal Information as set forth in this DPA.

4.4 Staff. Processor shall ensure that persons authorized to Process Customer Personal Information are under an appropriate obligation of confidentiality. 

4.5 Security of Processing. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk to the rights and freedoms of natural persons, Processor will implement technical and organizational measures to ensure a level of security appropriate to that risk. In assessing the appropriate level of security, Processor shall, in particular, take into account the risks that are presented by the Processing, in particular from unauthorized or unlawful Processing, accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Information transmitted, stored or otherwise Processed. Processor shall provide reasonable assistance to Customer in ensuring Customer meets its own compliance obligations with respect to these same security measures. 

4.6 PCI Compliance. Processor’s storage, processing, and transmission of any payment instrument data shall comply with the Payment Card Industry Data Security Standard (“PCI DSS”), and Processor shall regularly validate its compliance as determined by its status as a Service Provider (as Service Provider is defined in the PCI DSS). Upon Customer's request, YellowPepper shall provide Customer with written confirmation of its PCI DSS compliance status.

4.7 Security Breach

4.7.1 In the event of an actual Security Breach (defined below) affecting Customer Personal Information contained in Processor’s systems, Processor shall (i) investigate the circumstances, extent and causes of the Security Breach and report the results to Customer and continue to keep Customer informed on a regular basis of the progress of Processor’s investigation until the issue has been effectively resolved; and (ii) cooperate with Customer in any legally required notification by Customer to affected Data Subjects. The obligations herein shall not apply to Security Breaches caused by Customer or Customer’s Data Subjects.

4.7.2 Processor shall notify Customer without undue delay upon Processor or any Sub-Processor becoming aware of an actual Security Breach affecting Customer Personal Information, providing the Customer with sufficient information and reasonable assistance to allow Customer to meet its obligations under Applicable Data Protection Law to (i) notify a Supervisory Authority (as defined under Applicable Data Protection Law) of the Security Breach; and (ii) communicate the Security Breach to the relevant Data Subjects. 

4.7.3 Except as required by applicable law or regulation, neither Party will make (nor permit any third party to make) any statement concerning the Security Breach that directly or indirectly references the other Party, unless the latter provides its explicit written authorization. 

4.8 Deletion and Retention. Processor shall, at the choice of Customer, delete or return all Customer Personal Information upon termination of the Agreement and delete existing copies unless storage is required by applicable law.

5 Miscellaneous. The terms of this DPA shall apply only to the extent required by Applicable Data Protection Law. To the extent not inconsistent herewith, the applicable provisions of the Agreement(s) (including without limitation, indemnifications, limitations of liability, enforcement, and interpretation) shall apply to this DPA. In the event of any conflict between this DPA and the terms of an applicable Agreement, the terms of this DPA shall control solely with respect to data-processing terms where required by Applicable Data Protection Law, and, in all other respects, the terms of the applicable Agreement shall control. Notwithstanding any term or condition of this DPA, this DPA does not apply to any data or information that does not relate to one or more identifiable individuals, that has been aggregated or de-identified in accordance with Applicable Data Protection Law, or to the extent that Processor and you have entered into separate data-processing terms that address the subject matter hereof.

6 Definitions. Unless otherwise defined in the Agreement (including this DPA), all terms in this DPA shall have the definitions given to them in Applicable Data Protection Law. 

6.1 “Applicable Data Protection Law” means any law or regulation pertaining to data protection, privacy, and/or the Processing of Personal Information, to the extent applicable in respect of a Party’s obligations under the Agreement and this DPA. For illustrative purposes only, “Applicable Data Protection Law” may include, without limitation, and to the extent applicable, the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. (“CCPA”), the Brazilian General Data Protection Law (“LGPD”), the Colombian Data Protection Law, the Federal Law on the Protection of Personal Data Held by Private Parties (Mexico), and any associated regulations or any other legislation or regulations that transpose or supersede the above; 

6.2 “Personal Information” means all data or information, in any form or format, that: (i) identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer (“Data Subject”) or household; or (ii) Applicable Data Protection Law regulates as “personal data,” “personal information,” or otherwise. To avoid doubt, “Personal Information” includes any information relating to a Data Subject as defined in the Agreement; 

6.3 “Process” or “Processed” or “Processing” means any operation or set of operations which is performed upon Personal Information, whether or not by automatic means, such as access, collection, recording, organization, storage, adaptation or alteration, retrieval, disclosure or otherwise making available, duplication, transmission, combination, blocking, redaction, erasure or destruction;

6.4 “Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information. A Security Breach includes a “personal data breach,” a “breach of security of a system” or similar term (in each case, as defined in any Applicable Data Protection Law) as well as any other event that compromises the security, confidentiality or integrity of Personal Information.

CALIFORNIA CONSUMER PRIVACY ACT (“CCPA”) SCHEDULE
This CCPA Schedule applies in addition to any terms set forth in the body of the DPA (and is incorporated therein) when the CCPA applies to your use of YellowPepper Services. Capitalized terms not defined herein have the meaning assigned to them under the DPA. To the extent there are any conflicts between this CCPA Schedule and the DPA, this CCPA Schedule shall prevail. 

YellowPepper shall not: 

1.1 sell Customer Personal Information; or

1.2 retain, use or disclose Customer Personal Information other than as set forth in the body of the DPA, except as required or permitted by the CCPA.

When providing or making available Personal Information to YellowPepper, Customer shall only disclose or transmit that Personal Information which is necessary for YellowPepper to perform its obligations under the applicable Agreement(s).

To the extent required by the CCPA, this CCPA Schedule constitutes YellowPepper’s certification that it understands and will comply with the Processing restrictions herein.


Schedule on the Processing of Customer Personal Information