THESE BAMBORA TERMS AND CONDITIONS OF SERVICE (the “Agreement"), by and between Bambora Inc., with offices at #200-1675 Douglas Street, Victoria BC, Canada, V8W 2K4 ("Bambora"), and the person, entity or organization completing the Bambora application (the "Application") into which this Agreement has been incorporated by reference ("Merchant") (each, a "Party" and together, the "Parties"), which is made and entered into as of the date Merchant completes and signs the Application.
PLEASE READ THIS ENTIRE AGREEMENT CAREFULLY, AS IT FORMS PART OF A LEGALLY BINDING AGREEMENT BETWEEN MERCHANT AND BAMBORA.
To that end and in consideration of the recitals and the respective promises of the parties contained herein, the receipt and sufficiency of which the Parties hereby acknowledge, the Parties agrees as follows:
1. Scope and Purpose. Bambora provides payment solutions for global e-commerce, including technical processing services to support credit and debit card transactions and other forms of local payment methods, as well as related value-added services (the "Bambora Services"). The purpose of this Agreement is to establish terms and conditions applicable to the Merchant's use of the Bambora Services.
2. Merchant's Obligations.
2.1. The merchant shall, for the term of the Agreement, provide Bambora with complete and correct information referring to: (1) any interaction between Merchant and Bambora that results in a unique transaction ID generated in Bambora's systems (each, a "Transaction") (including, but not limited to, payment information and information in respect to any payment that is for any reason rejected, reversed, refused, charged back, disputed or withdrawn by a bank, or a payer and/or Customer (each a, "Reversed Payment"); (2) any payment that is for any reason partially or totally reversed by the Merchant to the payer (each a "Refunded Payment"); and (3) to its business model and any and all other information relevant to the relationship between the Parties.
2.2. Merchant is not allowed to resell the Bambora services if not otherwise agreed between the Parties in writing.
2.3. Merchant shall immediately information Bambora if there is any reason to believe that any information has been incorrectly processed or sent to Bambora.
2.4. The Merchant shall use best efforts to prevent itself from being involved to any extent in any actions of money laundering or any other illegal activities.
2.5. All data provided by Merchant shall comply with the instructions set forth by Bambora from time to time in writing or verbally. Such instructions may be amended from time to time in Bambora's sole discretion.
2.6. Merchant represents, warrants, and covenants it shall during the term of this Agreement have all necessary rights, authorizations, licenses, and permits for its operations, and shall have undertaken and fulfilled all actions and conditions to comply with its obligations under this Agreement.
2.7. Merchant represents, warrants, and covenants that it shall comply with all applicable laws, rules and regulations, including and statutory regulations or guidelines by banks, card associations (e.g. Visa International, MasterCard International), or any other legal or regulatory authority in relation to payments ("Schemes") as applicable and including, but not limited to, consumer privacy, data security, and any other protection laws. In the event merchant cannot comply with or learns that it has not complied with such laws, Merchant shall immediately notify Bambora.
2.8. As applicable, Merchant is and will remain Payment Card Security Standard ("PCI DSS") validated. If Merchant shall, at any time, not be PCI DSS validated, Merchant shall immediately notify Bambora and Bambora shall have the right to terminate the Agreement.
2.9. Merchant is fully responsible for the security of data on the Merchant's website. Merchant agrees to comply with all applicable provincial, territorial and federal laws and rules in connection with Merchant's collection, use, retention, security and dissemination of any personal, financial, card, or transaction information on its website. Merchant represents to Bambora that Merchant does not have access to card information and that it will not request access to such card information from Bambora. In the event Merchant receives such card information in connection with the processing services under this Agreement, Merchant agrees not to use it for any fraudulent purpose or in violation of any law or Scheme. If at any time Merchant believes that card Information has been compromised, Merchant shall notify Bambora promptly and assist in providing notification to the proper parties. Merchant may not use any card information other than for the sole purpose of completing the transaction authorized by the Customer for which the information was provided to Merchant.
2.10. In the event there is a significant change regarding the commercial condition of Merchant (including, but not limited to any adverse change in financial position including voluntary or involuntary bankruptcy proceedings) or change of business model (different from what Merchant specified on the Application, by the way of example only, in the event Merchant intends to significantly reduce or increase the number of Transactions processed under this Agreement), Merchant shall immediately inform Bambora of such change and Bambora may (1) adjust the fees that are charged by Bambora to Merchant for the Bambora Services ("Bambora Fees"), or (2) adjust its Security as defined in Section 7, with thirty (30) days prior written notice.
2.11. Merchant shall notify Bambora immediately of any objections to the Merchant's monthly transaction report. If Merchant does not object to the monthly transaction report in writing within thirty (30) days after receipt of such report, the report shall be deemed accurate and complete and Merchant waives any objections to such report.
2.12. Merchant agrees that any communication received from Merchant, or in Merchant's name, or from Merchant's premises or equipment, is authorized by Merchant and binding on Merchant. Merchant authorizes Bambora to rely on and act on any such communication.
2.13. Merchant shall use best efforts to prevent unauthorized use of, or unauthorized access to the Bambora Services and shall be solely responsible to Bambora for any losses, breaches, or other damages that result from any unauthorized use of, or unauthorized access to, the Bambora Services.
3.1. For all services in where Bambora settles Merchant's funds, Merchant authorizes Bambora to credit the account Merchant elects for Bambora to settle funds to (the "Bank Account"). Settlement periods may be adjusted by Bambora, as required from time to time, upon notice to Merchant. If a Transaction cannot be processed, Bambora will contact Merchant. Bambora shall have the right to review all Transactions prior to settlement.
3.1.1. Credit Card Processing Service. If Merchant elects the Credit Card Processing Service as described in the Application, default settlement shall be three (3) business days, which are any day other than a Saturday, Sunday or applicable bank holidays (each a "Business Day"), after the debit instructions are processed and Bambora shall credit the Bank Account with the amounts from all completed Transactions. The net amount due to Merchant may be reduced by any and all Reversed Payments, Refunded Payments, Bambora Fees, and Penalties not yet collected by Bambora, partner bank(s), and/or payment solution provider(s), from the finalized Transactions.
3.1.2. Direct Debit/Direct Payment Service. If Merchant elects the Direct Debit/Direct Payment Service ("DD/DP") as described in the Application, default settlement shall be five (5) business days after the debit instructions are processed and Bambora shall credit the Bank Account with the amounts from all completed Transactions. Any debits dishonored in connection with the Bambora Services will be deducted from the total amounts from all completed Transactions and the net amount will be credited to the Bank Account. Merchant represents and warrants to Bambora that Merchant has obtained the necessary authorization from any third party whose account is to be debited in conjunction with the Bambora Service and has provided the necessary notice requirements to these third parties before providing Bambora with debit instructions. Merchant shall be solely liable for any losses attributable to breach of this representation and warranty.
3.1.3. INTERAC Online Service. If Merchant elects the INTERAC Online services, default settlement for INTERAC Online Transactions shall be settled to the Bank Account. Daily payment instructions will be sent for all Transactions authorized by Bambora up until the recommended latest time on a Business Day as advised to Merchant from time to time, by which Bambora must receive Merchant's Transactions in order for Bambora to process them on the same day. Settlement will be net of any Bambora Fees, unless otherwise agreed by the Parties. The amount to be paid to the Merchant will be determined on a daily basis. Refunded Payments will be deducted from daily purchase Transactions and the net amount will be remitted to the Bank Account.
3.2. Bambora may, in its reasonable judgement, temporarily adjust the amount remitted to Merchant and/or remittance frequency, as security against existing or anticipated credit risk, fraudulent activity, future chargebacks, or other suspicious activities associated with Merchant's use of the Bambora Service or if required by law or court order, upon notification to Merchant via email or fax. If the amount of any deductions exceeds the sum of all current collected Customer Transactions, the amount remaining and owed to Bambora shall be due and payable by the Merchant to Bambora and Merchant authorizes Bambora to debit the Bank Account for the amount due in accordance with Section 5 below.
3.3. Merchant acknowledges that any withdrawal by Bambora in accordance with this Agreement is a debit as defined under Rule H1 of the Canadian Payments Association (a "Pre-Authorized Debit" or "PAD") for business purposes and Merchant waives the right to receive advance notice for these debits. Merchant's authorization for a PAD shall remain in effect after termination of this Agreement and until all of Merchant's obligations to Bambora have been paid in full. If Merchant changes the Bank Account at any time during the term of this Agreement or at any time after the term before all of Merchant's obligations to Bambora have been paid in full in Bambora's sole discretion, the PAD authorization shall also apply to the new bank account. Merchant further agrees to abide by all applicable Payment Association Rules.
4. Transaction Limits. Bambora and/or any Scheme may: (a) limit or restrict Merchant sales to a minimum or maximum product price or a minimum or maximum amount per order; (b) impose limits on the amount or number of Transactions which may be charged to a Customer credit card during any time period; and/or (c) refuse to accept orders from Customers with a prior history of questionable Customer Transactions. Bambora shall not be responsible for any losses to the Merchant, including, but not limited to claims for lost profits, arising from or as a result of Transactions Limits.
5. Bambora Fees and other Charges.
5.1. The Merchant shall pay to Bambora the following: (a) Bambora Fees, including fees for additional services outside the standard Bambora Services, for the Bambora Service (s) selected by Merchant in the Application; (b) any applicable taxes that are Merchant's responsibility, unless Merchant provides Bambora with a tax exemption certificate; and (c) any other amounts that Merchant owes to Bambora resulting from Merchant's use of the Bambora Services.
5.2. The Merchant authorizes Bambora to debit the Merchant Bank Account for fees payable to Bambora. Merchant acknowledges that any withdrawal by Bambora in accordance with this Agreement are PADs as defined in Section 3.3, for business purposes and Merchant waives the right to receive advance notice for these debits or credits. Alternatively, if Bambora is unable to debit owed amounts, Bambora reserves the right to invoice Merchant for any such amounts, which amount shall be due and payable thirty (30) days after the invoice date or on such earlier date as may be specified.
5.3. An email will be delivered to the Merchant providing notice that a statement is available online to review. Merchant will review the statement no less frequently than every thirty (30) days. Merchant will notify Bambora in writing within thirty (30) days of the statement of any errors or omissions in the statement. After expiration of the thirty (30) days charges related to the transaction report shall be considered valid and Merchant shall be deemed to have acknowledged the correctness of that invoice and to have waived the right to dispute that invoice.
5.4. In case of late payment, Bambora has the right to charge interest on any unpaid amounts corresponding to the current prime interest rate as reported by the Bank of Canada, plus eight (8) percentage points or the maximum permitted by law in the Merchant's jurisdiction (whichever is higher), until Bambora has received full payment. In connection with the collection or enforcement of debit arising from unpaid amounts only, Bambora shall be entitled to recover its reasonable attorney's fees and costs associated therewith. Otherwise, no attorney's fees or costs may be recoverable under the Agreement unless expressly so stated, nor under any other theory of law, including tort.
6.1. Bambora shall have the right to adjust the Bambora Fees at any time. Such changes may result from, but are not limited to, changes of Scheme and interchange fees, changes of international banking regulations, currency restrictions, or fee changes by a partner bank. Merchant agrees that Bambora may pass these increased charges through to Merchant by increasing the Bambora Fees. Bambora will use reasonable efforts to inform Merchant of any such fee changes at least ninety (90) calendar days prior to the fee changes taking effect, unless Bambora has been notified by the third party of the changes within a shorter timeframe or is required to pay such charges in a shorter timeframe.
6.2. Bambora reserves the right to adjust the Bambora Fees in the event of any changes to or deviations from the expected card, country, and currency splits including payment volumes and values. Bambora reserves the right to immediately pass-through such cost increases to Merchant and Merchant shall be liable for such cost increases immediately.
6.3. Bambora reserves the right to upgrade, modify, develop or alter any part of the Bambora Services and its platform provided by Bambora when required by Bambora, its partner bank(s) and/or legislation. If such changes require Merchant to act, Merchant shall immediately integrate said alterations or modifications and will in all cases have the alterations or modifications finalized upon the effective date such alternations and/or modifications are to become live. Bambora will not charge Merchant for any such alterations or modifications if not agreed to in writing. Merchant shall bear its own cost and expenses in relation to the integration of the alterations or modifications into its system.
6.4. The Parties may agree from time to time and based on Merchant's reasonable requests, that Bambora customize or alter the Bambora Services for the Merchant. Any such changes requested by Merchant and agreed by the Parties will be charged on a time and materials basis, at Bambora's then-current rate, unless agreed otherwise between the Parties.
7.1. Bambora may determine at any time during the term of this Agreement that a security ("Security") is needed in order to process Transactions for the Merchant and reserves the right to adjust the amount of the Security any time during the term of this Agreement. In order to allow Bambora to accurately review Merchant's accounts, Bambora reserves the right to review the Merchant's accounts at Bambora and the Merchant agrees to immediately provide information regarding Merchant's ownership, operations and financial position upon request to Bambora.
7.2. In the event Bambora determines that Security is necessary, or the amount of Security needs to be adjusted, then Bambora may; (a) withhold Merchant's settlement payments until the Security amount is adequate, as in the sole opinion of Bambora; (b) delay funding to the Bank Account; (c) apply a rolling reserve deduction; and (d) pursue any other remedies Bambora may have at law or in equity.
8. Foreign Exchange Transactions. Currency conversions will be completed at a retail foreign exchange rate as determined by Bambora. Amounts transferred from a Merchant's United States dollar statement to their Canadian Dollar statement will be calculated by subtracting 0.0125 from the sell United States Dollar exchange rate published by the Toronto Dominion Bank on the processing date. Amounts transferred from a Merchant's Canadian Dollar statement to a United States Dollar statement will be calculated by adding 0.0125 to the buy United States Dollar exchange rate published by the Toronto Dominion Bank on the processing date.
9. Reversed Payment and Refunded Payment. The Merchant shall be responsible for any Reversed Payment, Refunded Payment and in the event the DD/DP service is applicable, dishonored, unauthorized, forged, materially altered, returned or contested items incurred while utilizing the Bambora Services. Merchant agrees that Bambora may recover any Reversed Payment and Refunded Payment amounts by debiting the Bank Account. If Bambora is unable to recover funds related to a Reversed Payment or Refunded Payment, Merchant agrees to pay Bambora the full amount of the Reversed Payment or Refunded Payment amounts immediately. If Merchant incurs excessive Reversed Payments, as determined by Bambora, then Bambora may terminate the Agreement effective immediately.
10. Force Majeure. In the event a Party is prevented from fulfilling its obligations under the Agreement by circumstances outside of its control, such as labor strikes, limitations imposed upon either of the Parties by any authority or under law, material changes of market conditions by reason of change in law or decision by any relevant authority, terrorist acts, breakdown of or damage to electronic telecommunications or other equipment, or if Bambora is otherwise prevented from fulfilling the terms and conditions in the Agreement due to circumstances caused by a third party, such events are grounds for an extension of the time for performance of such Party's obligations under the Agreement. If the circumstances preventing performance continue for sixty (60) calendar days from the date of event, upon written notice to the other Party, either Party has the right to terminate the Agreement and the Agreement shall terminate effective immediately without either Party having liability, except to claims by either Party that do not relate or are not a result of the event causing delay.
11.1. Confidential Information shall mean information that relates to the business of either Party or any entity which directly or indirectly owns or controls, is owned or controlled by, or is under common ownership or common control with the Party in question ("Affiliate"), which is not generally known to the public, which is used, developed, or obtained by either Party relating to, without limitation, products, operating systems and the system of Bambora and all its parts, algorithms, studies and development methods and processes, all modifications and reconfiguration of computer related hardware, revenue and costs, costs of equipment sold, salaries and expenses, Customers, payer and client(s) data, promotional and other marketing plans, financial and credit statistics relating to such Party, including names, addresses, and home telephone numbers, all details regarding the physical plant of Bambora. For the avoidance of doubt the terms of the Agreement shall also be considered Confidential Information.
11.2. Bambora and Merchant each agrees, during the term of the Agreement, and for a period of three (3) years following the termination of the Agreement, not to disclose or use any item of the Confidential Information of the other Party, unless use or disclosure by a Party is required to perform its obligations under the Agreement. The Party disclosing Confidential Information to a third party hereunder, including to its Affiliates, shall ensure that such persons/companies shall observe this confidentiality clause or be bound by equivalent terms. Confidential Information does not include information which: (a) is now, or hereafter becomes, through no act or failure to act on the part of the receiving Party, generally known or available; (b) is known by the receiving Party at the time of receiving such information as evidenced by its records; (c) is provided to the receiving Party by a third party, without restriction on disclosure; (d) is independently developed by the receiving Party without any breach of the Agreement; (e) is the subject of a written permission to disclose provided by the disclosing Party; or (f) is required to be disclosed by law or court order or by order of a competent regulatory body.
11.3. Both Parties shall protect and hold any Confidential Information received from the other Party in strict confidence and with the protection that they use to protect their own Confidential Information of like importance from disclosure (but not less than reasonable). Each receiving Party shall be liable for any misuse, misappropriation or improper disclosure of Confidential Information by any of its employees, contractors, agents, and professional advisers to whom Confidential Information is disclosed or made available by that receiving Party.
11.4. Upon the termination of the Agreement, each Party will, upon the written request of the other Party, return or destroy all Confidential Information of the other Party. In the event the Confidential Information is destroyed, the Party shall certify it was destroyed and the certification shall be executed by an officer, but one (1) copy of Confidential Information may be retained if required by law.
11.5. This Section 11 is not applicable to disclosure of Confidential Information to a partner bank, which is involved in any Transaction.
12. Export Compliance. Merchant represents and covenants that as the seller of products and services to end users it shall comply with all export control and economic sanctions laws, rules and regulations (collectively, "Export Control Laws") applicable to Merchant's business, its products and services, and its end users, including without limitation those restricting the parties with whom Merchant may engage in business due to their location in an embargoed or sanctioned country or their designation on a Restricted Parties List (as defined below), and those restricting the sale of products for prohibited end-uses. Merchant shall not submit to Bambora any transaction that would violate applicable Export Control Laws applicable to the Parties (including without limitation (a) an IP address, bill-to address and/or ship-to address indicating an embargoed or sanctioned country, (b) an individual or entity designated on an applicable restricted parties list such as but not limited to the Denied Persons Lists, and Specially Designated Nationals List, Unverified Lists, Entity Lists, Debarred Parties Lists, and Non-proliferation Sanctions Lists (collectively, "Restricted Parties Lists"), or (c) where prohibited end-use is indicated). Without limiting the foregoing, neither Party shall take or agree to take any action that would be prohibited or penalized under applicable law. Merchant's obligations under this Section 12 shall be considered material obligations.
13. Limitation of Liability. In no event will Bambora, its Affiliates, or their respective directors, officers, employees or agents be liable for, with the exception of Bambora's gross negligence or willful misconduct, any incidental, direct, indirect, special or consequential damages (including without limitation, damages for personal injury, loss of profits or sales, business interruption, loss of business information, data loss or any other pecuniary loss) in connection with or arising out of this Agreement, whether caused by circumstances beyond its control (including without limitation, computer, utility or remuneration breakdown) or otherwise. Except as expressly written in this Agreement, there are no warranties, express or implied, by operation of law or otherwise, for any services furnished under this Agreement. Bambora disclaims any and all implied warranties including the warranties of merchantability and fitness for a particular purchase. Bambora has not assumed, nor authorized anyone else to assume on its behalf, any other liabilities. In all situations involving performance or non-performance of the Bambora system, the Merchant's sole remedy is the adjustment or repair of the Bambora system.
14. Indemnification. Merchant will fully indemnify, defend and hold harmless Bambora, its Affiliates and their successors and assigns from and against any and all demands, judgements, losses, obligations, damages, fines, recoveries and deficiencies, or liabilities (including any costs, expenses, penalties, and reasonable attorney's fees) in connection with a claim, action, suit or proceeding made, brought or commenced by a third party that Bambora, its Affiliates and their successors and assigns may incur or suffer, which arise, result from, or relate to any transaction between the Merchant and the payer and/or Customer, or to any failure by the Merchant to comply with its obligations under the Agreement. Merchant may enter into a settlement of an indemnified claim without Bambora's approval only if such settlement: (a) involves only the payment of money damages by the Merchant and not by Bambora, and (b) includes a complete release of Bambora. The Merchant shall obtain Bambora's written approval for the settlement of any other indemnified claim. Merchant will take reasonable steps to assist Bambora in handling a claim, action, suite or proceeding made, brought or commenced by a payer and/or Customer or any other third party against Bambora in which Bambora is not seeking indemnification as detailed in this Section 14. Bambora shall have complete discretion whether or not to defend any such claim, action, suit or proceeding, or to negotiate any settlement with the claimant. Merchant assumes full responsibility for any fraud occurring in its systems.
15. Termination. This Agreement may be terminated by either Party for any reason upon thirty (30) days advance written notice to the other Party. Bambora Services can be suspended and/or terminated immediately by Bambora in the event of any material breach of any of these terms and conditions by the Merchant, including but not limited to: (a) inappropriate use of the Bambora Services; (b) non-payment; (c) for just cause as determined by Bambora; or (d) as required by any applicable Scheme. If the Agreement is terminated for reasons of non-compliance of any terms of this Agreement, the information may be shared with law enforcement, payments associations or other payments entities. Merchant further agrees and acknowledges that Bambora shall have the right to immediately terminate the Agreement without penalty if it determines that Bambora is unable to engage in business with Merchant under Export Control Laws applicable to Bambora or its parent company or pursuant to territorial restrictions for permitted commerce, including without limitation Merchant's designation on one or more Restricted Parties Lists or is in violation of Export Control Laws. Both Parties hereto agree that 11 ("Confidentially"), 13 ("Limitation of Liability"), 14 ("Indemnification"), 16 ("Governing Law"), and 18 ("General Provisions"), and any other provisions of this Agreement which require performance after the termination of this Agreement, or apply events that may occur after termination, shall survive the termination of this Agreement.
16. Processing of Personal Information.
16.2. Where the General Data Protection Regulation applies to Merchant’s processing of Customer personal data (as that term is defined in the General Data Protection Regulation), this Section 16.2 will apply and replace Section 16.1. As part of the provision of the Bambora Services under this Agreement, Bambora (the data processor) will process Customer personal data on behalf of Merchant (the data controller). For these purposes, the Parties have entered the agreement set out in Schedule 1, Data Processing Agreement, according to which the data processor only may process personal data in accordance with the data controller’s instructions. Schedule 1 will prevail in case of conflict between this main part of the Agreement and Schedule 1, provided such conflict relates to the processing of personal data. This Section 16.2 does not, for the avoidance of doubt, release either Party from any other obligations under any other legislation applicable to the Party.
17. Governing Law. This contract, and all provisions contained herein, shall be interpreted in accordance with the laws of the Province of British Columbia and the laws of Canada applicable therein, without regard to conflict of law provisions.
18. Amendments. These terms and conditions may be amended by Bambora at any time upon Bambora posting new terms on its website and Merchant agrees to be bound and abide immediately to any new requirements and/or regulations imposed pursuant to such modification(s). Merchant expressly acknowledges and agrees that continued use of the Bambora Service after the effective date of the new or updated terms will be deemed as Merchant's acceptance of the modification(s).
19. General Provisions. Each Party is an independent contractor of, and is not an employee, agent or authorized representative of, the other Party. The provisions of the Agreement shall not be construed to create a partnership, joint venture, or other business combination between Bambora and Merchant. Any notification required by this Agreement shall be in writing, shall reference this Agreement and this Section 18 and shall be either (a) sent by fax or (b) personally delivered or (c) delivered by email provided that a record, which includes the contents of the email and the date of transmission, is verifiable to (i) the Merchant in accordance with the information provided in the Merchant Sign-up Flow; and (ii) to Bambora at 200-1803 Douglas Street, Victoria BC; fax number (+1)250.472.2330. Notice shall be deemed effective if delivered by fax, on the date shown on the confirmation of transmission or if transmitted by email, on the date that the communication was transmitted, provided that a record of the transmission, which includes the contents of the email and the date of transmission is verifiable. The invalidity or non-enforceability of any provision of this Agreement, as so determined by a court of competent jurisdiction, shall not affect the other provisions, and in any such occasion this Agreement shall be construed in all respects as if such invalid of non-enforceable provision were not part of this Agreement. Neither Party may assign the Agreement, or assign its rights or delegate its duties under the Agreement to any third party without the prior written consent of the other Party, which consent shall not be unreasonably withheld or delayed, except that Bambora may have the right to (a) engage the services of subcontractors or agents to assist Bambora in the performance of its obligations under this Agreement and (b) assign the Agreement or assign its rights or delegate its duties under the Agreement to an Affiliate, provided that the Affiliate is not a competitor of Merchant, without notice to or consent of the Merchant. In the event Merchant becomes a debtor in bankruptcy or becomes subject to restructuring or insolvency proceedings, the Agreement cannot be assumed or enforced and Bambora shall be excused from performance. Any waiver by Bambora of any of the provisions of the Agreement will not constitute a waiver of any other provision (whether similar or not), nor will such waiver constitute a continuing waiver of that particular provision unless expressly provided by Bambora in writing. The parties acknowledge that they have required this Agreement and all related documents to be drawn up in the English language. This Agreement, and any attachments constitute the entire Agreement between the parties and shall supersede any and all prior and understandings, promises and agreements, if any, made by one party to the other concerning the subject matter of the contract.
20. Other Terms. Merchant acknowledges by signing the Application Merchant has read this Agreement and agrees to be bound by the terms and conditions in this Agreement. Furthermore, by signing the Application, Merchant understands, acknowledges and agrees that it has reviewed the terms below and shall be bound by any of the terms and conditions that apply to Bambora Service(s) selected by Merchant in the Application. Such terms include:
Toronto Dominion Bank Terms and Conditions of Use:
TD Merchant Services Privacy Agreement:
First Data Card Acceptance Form:
First Data Program Guide:
Acxsys INTERAC Online Merchant Guidelines:
AMEX Merchant Account Package:
Wells Fargo Financial Corporation PSP Terms and Conditions:
sproutPOS Terms and Conditions Appendix:
Schedule 1 – Data Processing Agreement
This Data Processing Agreement (the “DPA”) constitutes Schedule 1 to the Agreement between Bambora and the Merchant. Bambora (hereinafter the “Processor”) will process personal data on behalf of the Merchant (hereinafter the “Controller”) when supplying the Services. The Controller is the data controller in relation to the processing of the Data. The Processor is a data processor, processing the Data on behalf of the Controller.
This DPA consists of this main document and the following appendices:
Sub-schedule 1 – Instructions to the Processor
Sub-schedule 2 – Approved Sub-Processors
2 DEFINITIONS AND INTERPRETATION
2.1 In this DPA, capitalized terms shall have the meanings set out below or if not defined herein, the meanings set forth in Applicable Legislation.
means the GDPR, and any applicable supplementary legislation to the GDPR, and any other data privacy or data protection law or regulation that applies to the processing of Data under this DPA, including applicable Canadian privacy laws.
means the personal data and personal information (as defined in Applicable Legislation), specified in Sub-schedule 1 hereto.
means Regulation (EU) 2016/679 of the European Parliament and the Council as amended, supplemented and/or varied from time to time.
3.1 The Processor shall process the Data in accordance with the Controller’s written instructions set forth in Sub-schedule 1. The instructions shall at least include (i) the purpose of the processing, (ii) the character of the processing, (iii) the duration of the processing, or how the duration will be decided, (iv) the categories of personal data included in the Data, and (v) the categories of data subjects included in the processing.
3.2 The Processor may not process the Data for any other purposes or in any other way than as instructed by the Controller from time to time. The Parties shall update Sub-schedule 1 in the event of new or amended instructions. The Processor is entitled to charge any work carried out by it to comply with the Controller’s instructions on a time and material basis in accordance with its standard consultancy rates.
3.3 Notwithstanding the above, the Processor may undertake reasonable day-to-day actions with the Data without having received specific written instructions from the Controller, provided that the Processor acts for and within the scope of the purposes stated in Sub-schedule 1.
3.4 In the event that the Processor considers that any instruction violates Applicable Legislation, the Processor shall refrain from acting on such instructions and shall promptly notify the Controller and await amended instructions.
4 THE CONTROLLER’S OBLIGATION TO PROCESS DATA LAWFULLY
The Controller shall ensure that a legal ground recognized under Applicable Legislation applies for processing, including the Processor’s processing, of the Data. The Controller shall further meet all other obligations of a controller under Applicable Legislation, including that the Controller’s instructions for the processing of the Data shall comply with Applicable Legislation. The Controller shall have sole responsibility for the accuracy, quality and legality of the Data and the means by which it acquired the Data.
5 SECURITY MEASURES
5.1 The Processor shall maintain adequate security measures to ensure that the Data is protected against destruction, modification and proliferation. The Processor shall further ensure that Data is protected against unauthorized access and that access events are logged and traceable. The Controller agrees that the Processor’s security measures are adequate, sufficient and appropriate.
5.2 The Processor shall ensure (i) that only authorized employees have access to the Data, (ii) that the authorized employees process the Data only in accordance with this DPA and the Controller’s instructions and (iii) that each authorized employee is bound by a confidentiality undertaking towards the Processor in relation to the Data. The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach.
6 THE PROCESSOR’S OBLIGATIONS TO ASSIST
The Processor shall assist the Controller with the fulfilment of the Controller’s obligation to ensure that the data subjects may exercise their rights under Applicable Legislation by ensuring appropriate technical and organizational measures. The Processor shall further assist the Controller in relation to the Controller’s obligations under Articles 32-36 of the GDPR.
7.1 The Processor may engage third parties to process the Data or any part thereof on its behalf (“Sub-Processor”), provided that the Controller has been informed thereof in writing and not objected in writing 10 days after such information was provided (in which event they are considered approved). Approved Sub-Processors are listed in Sub-schedule 2 hereto, which shall be updated in the event of changes to the approved Sub-Processors. Sub-schedule 2 shall list the name, contact information, company form, geographical location and the location of the Data that the approved Sub-Processor processes.
7.2 The Processor shall enter into a written agreement with every Sub-Processor, in which each Sub-Processor undertakes obligations at least reflecting those undertaken by the Processor under this DPA.
7.3 In the event the Controller objects to any new Sub-Processor in accordance with what is stated in Section 7.1 above, the Processor shall refrain from using such Sub-Processor for the processing of the Data and shall use reasonable efforts to make available to the Controller a change in the services or recommend a commercially reasonable change to Controller’s configuration or use of the services to avoid processing of Data by the objected-to new Sub-Processor without unreasonably burdening the Controller. If such change is not practically or commercially reasonable to make within a reasonable period of time, which shall not exceed thirty (30) days, the Processor shall at its discretion be entitled either to compensation from the Controller for any additional costs incurred by it due to such objection, or, (ii) terminate the DPA on 45 days’ notice. The Processor shall inform the Controller within 40 days after receipt of the Controller’s objection whether it opts for alternative (i) or (ii).
7.4 When the Controller has approved a Sub-Processor, the Controller may no longer object to such Sub-Processor.
8 TRANSFERS TO THIRD COUNTRIES
8.1 In order to supply the services under the Service Agreement, the Processor will transfer Personal Data to Canada, irrespective of the country in which the Controller operates or from which the Controller provides the Data. If the Processor transfers personal data outside the EU/EEA, or engages a Sub-Processor to process Data outside of the EU/EEA, the Processor shall ensure that there is an applicable legal ground for such third country transfer. The Processor shall demonstrate the legality of the transfer upon the Controller’s request.
8.2 When relevant, the Processor is authorized by the Controller to enter into the European Commission’s standard contractual clauses with any Sub-Processor on the Controller’s behalf for the abovementioned purpose.
9.1 Upon the Controller’s request, the Processor will provide to the Controller the information necessary to demonstrate the Processor’s compliance with its obligations under Applicable Legislation and/or this DPA. The Controller may further once per calendar year request a copy of the report from the Processor’s most recent audit carried out by an accredited third-party audit firm.
9.2 If the Controller can show that it has reasonable grounds to assume that the Processor does not comply with its obligations under Applicable Legislation and/or this DPA, the Controller may at its own cost appoint an accredited third-party audit firm to audit the Processor. The scope, timing and duration of such audit shall be separately agreed upon between the Parties. The Processor shall assist the audit firm and disclose any information necessary in order for the firm to carry out such audit.
9.3 If a Data Protection Authority carries out an audit of the Processor which may involve the processing of Data, the Processor shall promptly notify the Controller thereof.
10.1 The Processor shall be entitled to remuneration for its processing of the Data in accordance with fees set out in the Service Agreement.
10.2 The Controller shall bear all additional costs for any altered or additional instructions to the Processor regarding the processing of the Data. The Processor shall further be entitled to compensation for any and all actions undertaken by it on behalf of or as instructed by the Controller.
11 LIMITATION OF LIABILITY
The Processor’s liability arising out of or related to this DPA is subject to the provisions on limitation of liability stated in the Service Agreement.
12.1 The Processor undertakes not to disclose or provide any Data, or any information related to the Data, to any third party. For the avoidance of doubt, any approved Sub-Processor shall not be considered a third party for the purposes of this Section 12.
12.2 Notwithstanding Section 12.1 above, the Processor may disclose such information if the Processor is obliged hereto by law, judgement by court or by decision by a competent authority. When such obligation arises, the Processor shall promptly notify the Controller in writing before disclosure, unless restricted from doing so under Applicable Legislation.
12.3 The confidentiality obligation will continue to apply also after the termination of this DPA without limitation in time.
13 RETURN AND DELETION OF DATA
13.1 The Controller shall upon termination of the Agreement instruct the Processor in writing whether or not to transfer the Data to the Controller (such transfer to be made in a common machine-readable format) or to securely erase the Data from its systems and demonstrate to the Controller that is has taken such measures. Should the Controller fail to provide such instruction, the Processor shall delete the Data in accordance with its adopted retention policies. Where Applicable Legislation or other rules to which the Processor must adhere prevents the Processor from returning or destroying the Data, in whole or in part, in accordance with the Controller’s instruction, the Processor shall preserve the confidentiality of the Data and only process such Data to the extent necessary comply with such rules.
This DPA shall, notwithstanding the term of the Service Agreement, enter into effect when the Processor commences to process Data on behalf of the Controller and shall terminate when the Processor has erased the Data in accordance with Section 13 above.
Sub-schedule 1 – Instructions
Any processing carried out by the Processor shall be carried out in accordance with the following instructions. If the Processor processes Data in violation with these instructions, the Processor will be deemed data controller.
Purposes of the processing
The Processor is providing end-to-end payment processing to the Controller, including debiting and crediting bank accounts, holding funds, managing payments, processing debit and credit card payments, and transmitting funds.
The character of the processing
The Processor will receive payment instructions from the Controller to perform debit and credit card payments and transmit the files directly to the banks or through an approved Sub-Processor. The Processor will reconcile payments and report back upon success or failure as well as any exceptions.
The period of the processing
Processing is performed on instruction by Controller for the lifetime of the Service Agreement.
Categories of Data
The data subjects’ name, address, banking and/or credit payment information and amount of payment.
Categories of data subjects
Employees, customers, customer contact person.
Sub-schedule 2 – Approved Sub-Processors
Payment Sub-Processor/United Kingdom
CUBE Global Storage
Amazon Web Services, Inc.