Tap’n Merchant Data Protection Agreement
Effective July 1, 2022
This Merchant Data Protection Agreement (“DPA”) is a legal contract between you as a merchant of goods and services and Tap’n, Inc. dba Tap’n (“Tap’n”) and its Affiliates. This DPA establishes Tap’n’s minimum data protection standards in connection with its performance of Merchant Services for Merchant, and is provided to Merchant for its review, acknowledgment and acceptance and is subject to and incorporated into the Merchant Terms of Service (“Merchant Terms of Service”) by reference. References to “You”, “Your” or “Merchant” shall mean you, acting as a merchant of goods and services, using the Merchant Services, depending on the context in which those terms are used.
This Privacy Policy is meant to be compliant with the General Data Protection Regulation 2016/679 (“GDPR”) and the California Consumer Privacy Act (“CCPA”). The processing of Your Personal Information as described herein is necessary to meet our contractual obligations to You, to meet our legal obligations, or to meet our legitimate interests. Moreover, Tap’n does not sell Your Personal Information as the terms “sell” and “Personal Information” are defined by the CCPA and, in providing its services to You, Tap’n will not retain, use, or disclose Your Personal Information to any other third parties in a manner that would constitute “selling” as the term is defined by the CCPA. Our legitimate interests may include analyzing, improving, and better tailoring our products and Tap’n Services. Any questions or requests regarding Tap’n’s processing of Your Personal Information in respect of Your rights under GDPR and CCPA should be directed to us as the data controller of your personal data.
California residents have the right not to receive discriminatory treatment by Tap’n for the exercise of their rights conferred by the California Consumer Privacy Act.
Permitted Purpose.
Merchant agrees that Tap’n’s collection, processing, use, storage and/or transfer of Personal Data (defined below) collected, obtained or received from Merchant and/or its customers is essential for Tap’n to perform the Merchant Services specified in the Merchant Terms of Service (the “Permitted Purpose”).
In addition to those definitions set forth elsewhere in this DPA or in the Merchant Terms of Service, the following capitalized terms shall have the meanings set forth below.
Joint Controller
Tap’n is the controller and responsible for Personal Data it collects and processes in connection with use of the Platform by Merchant and its customers. Merchant shall be considered a Joint Controller and may be provided access to Personal Data at the reasonable discretion of Tap’n and subject to all Data Protection Laws and other applicable regulations.
Data Collection.
The parties acknowledge that in order to perform the Permitted Purpose, they must transfer Personal Data between one another. The parties acknowledge and agree that in performing their obligations set out therein they are each acting as an independent data controller strictly for the Permitted Purpose.
Tap’n may collect, use, store and transfer different kinds of Personal Data about Merchant and its customers, which may include identity data (e.g., names), technical data (e.g., Merchant’s and its customers’ internet protocol (IP) addresses), location data, and usage data. Tap’n may be required to collect Personal Data by law, or under the terms of a contract between the parties. Failure by Merchant to provide such Personal Data may result in the suspension and/or termination of services by Tap’n, subject to advance notice by Tap’n to Merchant.
Use of Personal Data.
Use of Personal Data by Tap’n and Merchant shall comply with applicable privacy laws. Tap’n shall have the right to use the Personal Data when necessary for its Legitimate Interests (or those of a third party) and Merchant’s interests and fundamental rights do not override those interests, or when necessary for its compliance with its obligations under applicable law.
The ways in which Tap’n plans to use Personal Data, the type of data to be collected and the applicable lawful basis and legitimate interest it relies on for processing such Personal Data are set forth in Schedule A, attached hereto. In addition to the purposes set forth in Schedule A, Tap’n shall have the right to use Personal Data for other purposes that are not incompatible with the purposes set forth in Schedule A, provided such use is permitted under applicable law. Tap’n shall provide prior written notice to Merchant if Tap’n needs to use Personal Data for any purpose not identified in Schedule A, with such notice setting forth the legal basis which allows Tap’n to do so. For the avoidance of doubt, Tap’n may process Personal Data without Merchant’s knowledge or consent if required or permitted by law and such use complies with this DPA.
Disclosure of Personal Data.
Tap’n shall have the right to disclose Personal Data to Internal Third Parties and External Third Parties if in furtherance of a purpose set forth in Schedule A. In addition, in the event of a merger or sale of Tap’n or a sale of all or substantially all of its assets to a third-party purchaser, the third-party purchaser shall have the right to use the Personal Data in the same manner and for the same purposes as set forth in this DPA. Tap’n shall ensure that all third parties to whom it discloses Personal Data use commercially reasonable efforts to safeguard the Personal Data and comply with applicable law and the terms of this DPA.
Data Protection.
Each party shall be individually and separately responsible for complying with their respective obligations under Data Protection Laws and other applicable regulations as they apply to the performance of such party's obligations under the applicable agreement(s), and shall not, as far as is reasonable, do anything or permit anything to be done which has the effect of placing the other party in breach of applicable Data Protection Laws. Without limiting the generality of the foregoing:
Tap’n shall use reasonable efforts to inform Merchant if Tap’n is of the opinion that an instruction of Merchant regarding Processing Personal Data infringes Data Protection Law.
Tap’n shall implement and maintain appropriate Technical and Organizational Security Measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, access or dissemination, and which provide a level of security appropriate to the risk represented by its Processing of Personal Data and the nature of the data to be protected, as may be more specifically set forth in the applicable service agreement(s) between the parties. Additionally, Tap’n will have in place procedures so that any third party it authorizes to have access to the Personal Data, including processors and Subprocessors, will respect and maintain the confidentiality and security of the Personal Data.
Each party shall maintain adequate records of its Processing activities, related to the Personal Data, and make available upon written request such records to the other party to the extent necessary for compliance or regulatory purposes.
Tap’n shall obtain all necessary permissions from each Data Subject as required by applicable Data Protection Laws to allow it to Process the Personal Data: (i) to the extent permitted under applicable Data Protection Laws; (ii) as set out in its privacy policies; and (iii) to the extent necessary to fulfill the obligations set out in the applicable service agreement(s). Merchant shall not transfer or share with Tap’n any Personal Data from Data Subjects who have previously withdrawn their Processing consent with Merchant. Merchant shall immediately notify Tap’n of any Data Subject’s withdrawal of Processing consent. A breach of this Section shall be considered a material breach and grounds for termination.
Tap’n may, at its election, appoint third party processors and Sub-processors to process Personal Data for the Permitted Purpose, provided that such processors: (a) agree in writing to process Personal Data in accordance with Tap’n’s documented instructions which are consistent with this DPA and the applicable service agreement; (b) implement appropriate Technical and Organizational Security Measures to protect the Personal Data against a Security Breach; and (c) otherwise provide sufficient guarantees that they will process the Personal Data in a manner that will meet the requirements of applicable Data Protection Laws. Tap’n acknowledges and agrees that it shall remain liable to Merchant for a material breach of the terms of this DPA by a Subprocessor, or by any subsequent third party appointed by a Subprocessor, that causes Merchant direct damage or harm. Tap’n shall not be liable for a Subprocessor’s Security Breach that was not directly caused by Tap’n.
Tap’n shall provide notification to each Data Subject, as required and in accordance with applicable Data Protection Laws, that it is a Data Controller and of the data processing activities conducted pursuant to the applicable service agreement(s).
Tap’n shall act as the primary point of contact for any requests from a Data Subject to exercise rights granted to such Data Subject under applicable Data Protection Laws with respect to any Personal Data that Tap’n collects and processes in its capacity as a Data Controller. Each party shall reasonably assist the other in handling and responding to any such request. Specifically, where a Data Subject has requested for their data to be ported, Merchant shall take steps necessary to verify the legitimacy of the request, identify and advise Tap’n of the applicable record to be ported, and coordinate the transfer with the receiving parties.
Technical Security Safeguards.
Tap’n will implement and maintain appropriate safeguards designed to (a) ensure the security, confidentiality and integrity of Personal Data and (b) protect against anticipated threats or hazards to, or unauthorized access to or use or disclosure of, such Personal Data. Such safeguards (including those relating to how the Personal Data is collected, accessed, used, stored, disposed of, and disclosed) shall include an information security program that meets the requirements of applicable laws, regulations and government-issued business guidance, including the administrative, physical, and technical safeguards required thereunder, and that is no less rigorous than accepted industry standards and practices. The information security program shall include, without limitation, regular backups of Personal Data for storage off-site, and encryption of all Personal Data while “at rest” and in transit across public networks or wirelessly. Tap’n will ensure the appropriate safeguards required above are also utilized by any Subprocessors engaged by Tap’n in the delivery of the Services and used for the Permitted Purposes.
Tap’n shall take reasonable steps to ensure that it does not send, distribute or store material containing software viruses, worms, Trojan horses or other harmful code, files, scripts, agents or programs in connection with the Services or any licensed software.
Tap’n shall take reasonable steps to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services.
Tap’n shall take reasonable steps to ensure the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident or Security Breach.
Tap’n shall incorporate a process for regularly testing, assessing and evaluating the effectiveness of Technical and Organizational Security Measures for ensuring the security of the Processing and storing of Personal Data.
Tap’n shall employ appropriate encryption when transmitting Personal Data on public or wireless networks. Tap’n shall encrypt during storage any and all Personal Data and other data deemed highly sensitive by Merchant, such as authentication credentials and cryptographic keys.
Tap’n shall limit access to Merchant’s networks, information systems owned or operated by or on behalf of Merchant, and Merchant Personal Data to employees and contractors that require access to perform Tap’n’s obligations under this DPA and any service agreement(s) between the parties consistent with the concept of least privilege. Tap’n shall implement and maintain a formal and documented process for granting, periodically reviewing, and revoking access to all systems that process or store Merchant’s Personal Data.
Tap’n shall maintain appropriate network security measures, including but not limited to firewalls to segregate Tap’n’s internal networks from the internet, risk-based network segmentation, and intrusion prevention or detection systems to alert Tap’n to suspicious network activity.
Tap’n shall securely operate IT infrastructure and applications that process, store, or transmit Personal Data by deploying key operational management controls, including, without limitation, the maintenance of system and network documentation, employment of a secure change management process, the implementation of an incident management process, and ensuring that local logging has been enabled on all systems and networking devices to capture detailed information such as event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
Where technically feasible, Tap’n shall deploy anti-malware software on all IT systems that access, store, or process Personal Data, Merchant’s networks, or information systems owned or operated by or on behalf of Merchant. Tap’n shall ensure that all such anti-malware software has the latest signatures and definition files. Tap’n shall also deploy adequate mechanisms to detect and issue alerts about potential unauthorized activity and respond appropriately to protect all systems that process, store, or transmit Merchant’s Personal Data.
Tap’n shall implement appropriate safeguards and controls that restrict unauthorized physical access to facilities containing information systems, devices, and other equipment used to access or otherwise process Merchant’s Personal Data, Merchant’s networks, or information systems owned or operated by or on behalf of Merchant.
Tap’n shall take reasonable steps to ensure that systems which process Merchant’s Personal Data or access Merchant’s networks or information systems owned or operated by or on behalf of Merchant employ strong password complexity rules, and shall employ the following additional safeguards: passwords shall be configured to expire every 90 days or less, systems shall lock out after three failed login attempts, and systems shall enable O/S screen saver locks after a period of inactivity.
Tap’n shall remove or disable non-essential functionality (i.e., harden each system), such as scripts, drivers, features, subsystems, or file systems (e.g., unnecessary web servers, default or sample files, etc.). Tap’n shall ensure that all software used in its information systems and infrastructure maintains up-to-date security patches and upgrades.
Tap’n shall adhere to industry accepted Software Development Lifecycle (SDLC) principles and secure coding practices with respect to the development and maintenance of application(s) used to store, process, or transmit Merchant’s Personal Data.
Security Breach Notifications and Cooperation.
In the event that either party becomes aware of a Security Breach of its systems relating to Personal Data, and where required under applicable Data Protection Laws, the affected party shall notify the appropriate supervisory authority(ies) and/or affected Data Subjects within the timelines set out under applicable Data Protection Laws. Both parties shall provide the other with all relevant information regarding the Security Breach or incident, including (i) the nature of the incident and, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned, and an explanation of the impact of such Personal Data Breach upon the other party and the Data Subjects whose Personal Data is affected by such Personal Data Breach; (ii) in no case delay notification because of insufficient information, but instead provide and supplement notifications as information becomes available; and (iii) in cooperation with the other party, use its best efforts to investigate such Personal Data Breach and take all necessary and appropriate corrective action to remedy such breach and prevent a recurrence of such breach.
Both parties agree to reimburse the other party for the reasonable expenses incurred in responding to and mitigating any damages caused by any Security Breach, including, but not limited to, (i) third party services to be provided to or on behalf of affected individuals or entities, (ii) providing a credit-monitoring service for affected individuals if deemed necessary in the affected party’s sole discretion, (iii) providing notices to affected individuals, (iv) providing notices and information to appropriate law enforcement agencies and government regulatory authorities as reasonably necessary to comply with applicable laws and/or any requests from law enforcement or government agencies, (v) reasonable attorneys’ fees and costs, and (vi) any other reasonable expenses incurred by the affected party to comply with applicable Data Protection Laws, laws and/or requests from law enforcement or government agencies.
Both parties agree to assist with and/or perform all remediation efforts that are required by applicable law or by any governmental authority in similar circumstances, regardless of whether applicable law explicitly imposes such remediation obligations on one party, the other, or both. Such remediation efforts may include, without limitation, investigation and resolution of the causes and impacts of the Personal Data Breach; development and delivery of notices approved by the other party to affected individuals; provision of free credit reports, credit monitoring and repair, and identity restoration products for affected individuals; and/or such other measures that the affected party determines are reasonable and commensurate with the nature and level of severity of the Personal Data Breach.
Data Retention
Tap’n shall retain Personal Data for as long as necessary to fulfil the purposes for which it was collected, including for the purpose of satisfying any legal, accounting, or reporting requirements. Tap’n shall determine the appropriate retention period for the Personal Data based on the amount, nature and sensitivity of the Personal Data, the purposes for which it was processed and whether Tap’n can achieve such purposes through other means, and the applicable legal requirements. In the event Tap’n anonymizes the Personal Data, Tap’n shall have the right to use this information indefinitely without further notice to Merchant.
Merchant Access and Objections
Merchant, upon written request to Tap’n, shall have the right to access Personal Data about the Merchant and request a copy of such Personal Data at no cost to Merchant; provided, however, that Tap’n reserves the right to deny such request if Tap’n determines the request is unfounded, repetitive or excessive. Merchant may also request, in writing, to correct Personal Data regarding the Merchant. Within forty-five (45) days of receipt of Merchant’s request, Tap’n shall either provide Merchant with access to the Personal Data or notice that such request has been denied, with such notice describing the basis for the denial.
Merchant may request in writing that Tap’n delete or remove Personal Data regarding Merchant where there is no Legitimate Interest for Tap’n to continue to process it and (i) Merchant has successfully exercised its right to object to processing in accordance with Section 0, (ii) where Tap’n may have processed such information unlawfully or (iii) where Tap’n is required to erase the Personal Data to comply with local law; provided, however, that Tap’n shall not be required to erase the Personal Data if applicable law either prohibits the erasure of the Personal Data or requires the retention of the Personal Data.
Merchant may object to Tap’n processing Personal Data regarding Merchant; provided, however, that Tap’n shall not be required to comply with such objection if Tap’n is relying on a Legitimate Interest (or that of a third party) and Tap’n has determined, in its sole discretion, that Merchant’s interests and fundamental rights do not override those interests.
Fastr Tach shall, upon written request of Merchant, suspend processing Personal Data of Merchant if: (i) Merchant requests Tap’n to establish such data’s accuracy; (ii) use of the data by Tap’n is unlawful but Merchant does not want Tap’n to erase the data; (iii) Merchant requires Tap’n to hold the data to establish, exercise or defend legal claims; or (iv) Merchant has objected to use of the Personal Data in accordance with Section 0 and Tap’n’s determination as to whether it has overriding legitimate grounds to use it is pending.
Merchant shall have the right to withdraw consent previously given to Tap’n to process Merchant’s Personal Data; provided, however, that Tap’n shall not be required to perform any obligations under other agreements with Merchant if consent to use the Personal Data is required for performance of such obligations.
Either party may terminate this DPA upon sixty (60) days’ written notice, or upon a material breach with failure to cure within thirty (30) days of notice. Subject to Section 0, this DPA shall automatically terminate upon the termination of an applicable service agreement(s) entered into between the parties; provided, however, that this DPA shall survive the termination of an applicable service agreement between the parties to the extent that Tap’n continues to process Personal Data on behalf of the Merchant. In the event of a discrepancy between the terms of this DPA and the applicable service agreement(s), the applicable service agreement(s) shall have precedence.