Affirm Data Processing Addendum
UPDATED AS OF: September 4, 2024
This Data Processing Addendum (“DPA”) is incorporated into the Merchant Agreement or Partnership Agreement (the “Agreement”) between the Affirm Party (“Affirm”) and Merchant or Partner which are Parties to that Agreement (“Merchant”). This DPA sets out the data protection and privacy obligations of the Parties with respect to Affirm’s offering of and Merchant’s access to and use of the Services. This DPA is effective on the Effective Date of the Agreement, unless this DPA is separately executed, in which case it is effective on the date of the last signature below. In the event of any conflict between this DPA and the Agreement, the provisions of this DPA will control.
Definitions. The terms below have the following meanings when used in this DPA. Any capitalized terms that are not defined in this DPA have the meaning provided in the Agreement or in Applicable Privacy Law.
(a) “Affirm Personal Data” means Personal Data collected by Affirm or by a third party on behalf of Affirm in connection with Affirm’s provision of the Services.
(b) “Applicable Privacy Law” means requests by governmental authority, court orders, laws, regulations, codes, orders, rules and guidelines imposed by law, competent government authority, governing body or regulator in each country and jurisdiction governing data protection and data privacy applicable to the Services and obligations in this DPA. Applicable Law, as defined in the Agreement, includes but is not limited to, Applicable Privacy Law.
(c) “Controller” (or “Business” as used in Applicable Privacy Law) means the entity which determines the purpose and means of the Processing of Personal Data.
(d) “Data Subject” means an identified or identifiable person to whom Personal Data relates.
(e) “Data Subject Request”means a request from Data Subjects seeking to exercise their rights under Applicable Privacy Law.
(f) “GDPR” means the General Data Protection Regulation ((EU) 2016/679) and any national implementing laws, regulations and secondary legislation, as amended, updated or replaced from time to time, in the European Economic Area (“EEA”).
(g) “Industry Recognized Security Practices” means generally accepted industry practices, which may include but are not limited to, the International Organization for Standardization (ISO)/IEC 27001:2013 – Information Security Management Systems – Requirements and ISO/-IEC 27022:2013 – Code of Practice for International Security Management; the National Institute of Standards and Technology NIST Cybersecurity Framework; the Control Objectives for Information and related Technology (COBIT) standards; Association of International Certified Professional Accountants (AIPCA) System and Organization Controls 2 (SOC 2); or other applicable industry standards for information security
(h) “Merchant Personal Data” means Personal Data collected by Merchant or by a third party on behalf of Merchant in connection with Merchant’s receipt of the Services.
(i) “Personal Data” (which will include “Personal Information” as used in Applicable Privacy Law) has the meaning as defined under Applicable Privacy Law.
(j) “Process”, “Processing”, and “Processed” will have the meaning as defined under Applicable Privacy Law.
(k) “Processor” (or “Service Provider” as used in Applicable Privacy Law) means the entity engaged to Process Personal Data on behalf of the Controller.
(l) “Restricted Country” means 1) where the GDPR applies, a country outside of the EEA not subject to an adequacy determination by the European Commission; 2) where the Swiss Federal Act on Data Protection of June 19, 1992, applies, a country outside Switzerland which has not been recognized to provide an adequate level of protection by the Federal Data Protection and Information Commissioner; and 3) countries that do not qualify for the adequacy regulations under Section 17A of the UK’s General Data Protection Regulation (“UK GDPR”).
(m) “Restricted Transfer” means, 1) where the GDPR applies, a transfer of Personal Data from the EEA to a Restricted Country; 2) where the Swiss Federal Act on Data Protection of June 19, 1992, applies, a transfer of Personal Data from Switzerland to a Restricted Country; and 3) transfers covered by Chapter V of the UK GDPR.
(n) “Security Incident” means 1) an actual loss or unauthorized access, use, alteration, or acquisition of the other Party’s Confidential Information; or 2) any unauthorized activity that interrupts a Party’s information systems that results in actual loss or unauthorized access, use, alteration, or acquisition to the confidentiality, integrity, or availability of the other Party’s Confidential Information that the system Processes.
(o) “Sell” and “Share” are defined in accordance with Applicable Privacy Law.
(p) "Standard Contractual Clauses" or “SCCs” means (i) where the GDPR applies, the clauses annexed to the European Commission’s Implementing Decision 2021/914 of June 4, 2021 for the transfer of Personal Data to third countries; and (ii) where the UK GDPR applies, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under Section 119A(1) Data Protection Act 2018 (“UK IDTA”) (in each case, as updated, amended or superseded from time to time). The “UK GDPR” means the EU GDPR as it forms part of United Kingdom (“UK”) law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 and any applicable implementing or supplementary legislation in any member state of the UK (including, but not limited to, the UK Data Protection Act 2018).
(q) "Subprocessor" means any Processor engaged by a Party to assist in fulfilling its obligations with respect to providing the Services. For purposes of this DPA, Subprocessor includes subcontracted Service Providers or Contractors as defined under Applicable Privacy Law.
2. Role of the Parties. Affirm is a separate and independent Controller in respect of all Affirm Personal Data, and Merchant is a separate and independent Controller in respect of all Merchant Personal Data. Affirm owns all right, title, and interest in and to Affirm Personal Data, and Merchant owns all right, title, and interest in and to Merchant Personal Data. Each Party will Process the other Party’s Personal Data as a Service Provider (or Processor, as the context may require) solely to provide the Services to Customers and consumers, to carry out its obligations under the Agreement, and to the extent that a Party is acting as a Processor, it will Process the other Party’s Personal Data on behalf of and according to the Controller’s instructions unless doing so would otherwise violate Applicable Law.
3. General Obligations.
(a) Each Party represents that it will comply with Applicable Privacy Law. To the extent that Applicable Privacy Law requires a Party to obtain the consent of a Data Subject for the disclosure of Personal Data to the other Party, the Party disclosing the Personal Data represents and warrants that it has obtained such consent and will notify the other Party if the Data Subject withdraws consent.
(b) Each Party will ensure that: (i) any Representative (as defined in the Agreement) it engages to Process Personal Data are subject to a binding written contractual obligation to keep the data confidential; (ii) access to Personal Data is restricted only to those Representatives who require it for the purposes of fulfilling the applicable Party’s obligations under the Agreement; and (iii) that Representatives Processing Personal Data are suitably skilled and experienced, and have received adequate training on compliance with Applicable Privacy Law.
(c) Each Party may take reasonable and appropriate steps to help ensure that any Personal Data it provides the other Party is Processed in a manner consistent with Applicable Privacy Laws and, upon notice, take reasonable and appropriate steps to stop and remediate unauthorized use of the Personal Data.
(d) Each Party will promptly notify the other Party if it believes or confirms that it cannot follow the instructions of the applicable Controller or meet its obligations under the Agreement or Applicable Privacy Law for any reason, unless the applicable Party is prohibited by Applicable Law from making such notification.
4. Data Processing.
(a) Each Party will reasonably cooperate with and assist the other Party with meeting the other Party’s Applicable Privacy Law obligations and will immediately notify the other Party if it receives any complaint, notice, or communication that relates to the other Party's compliance with Applicable Privacy Law.
(b) To the extent that a Party discloses any Personal Data to the other Party in connection with its provision of the Services, it shall Process such Personal Data solely for the purpose of fulfilling its obligations under the Agreement and in accordance with the disclosing Party’s instructions. For clarity, neither Party will, nor will either Party permit any Subprocessor to: (i) Sell or Share any of the other Party’s Personal Data; (ii) Process the other Party’s Personal Data for any purpose other than for the business purpose of performing the Services and fulfilling its obligations under the Agreement (or as otherwise permitted by Applicable Law); (iii) retain, use, or disclose the other Party’s Personal Data outside of the direct business relationship between the Parties as defined in the Agreement; or (iv) combine the other Party’s Personal Data with Personal Data that it receives from, or on behalf of, another person or persons or that it collects from its own consumer interaction.
5. Subprocessors. Each Party is authorized to engage Subprocessors to Process the other Party’s Personal Data as necessary to carry out each Party's obligations under the Agreement. Each Party will conduct reasonable due diligence on each Subprocessor to ensure each Subprocessor is capable of providing the level of data protection required by this DPA. Each Party will enter into a written agreement with each of its Subprocessors that imposes no less restrictive terms as those contained in this DPA. To the extent this criteria changes, the applicable Processor will notify the Controller and the Controller may object to such change in criteria. Each Party is responsible for the acts and omissions of its Subprocessors in connection with Processing of Personal Data under the Agreement.
6. Data Security.
(a) Each Party will establish, maintain and comply with physical, technical and administrative controls and an accurate, comprehensive, up-to-date data security program, policies, and data security measures consistent with Applicable Law and industry standards to protect the other Party's Confidential Information from disclosure, destruction, misuse, loss, acquisition or alteration by an unauthorized third party.
(b) Each Party will regularly monitor, evaluate and adjust, as appropriate, its security measures in light of any risk assessment findings, relevant changes in Applicable Privacy Law or relevant data security standards, technology advances, changes to its systems, internal or external threats to Confidential Information, reasonable requests from the applicable Controller arising out of security or other concerns reasonably identified and communicated to the extent possible that are mutually agreed upon, and its own changing business arrangements in order to ensure that its data security program and controls remain accurate, comprehensive and up-to-date.
(c) In the event either Party suffers or learns of any Security Incident, the impacted Party will: (i) promptly (but in no event later than 48 hours following confirmation of the Security Incident) notify the other Party in writing of such Security Incident and furnish the other Party with the details of such Security Incident; (ii) cooperate in any reasonable effort, action or proceeding to protect all Confidential Information subject to such Security Incident and to reasonably mitigate and/or remediate the impact of the Security Incident; (iii) promptly use best efforts to prevent a recurrence of any future Security Incident and (iv), as applicable, come into compliance with Applicable Law. In the event of a Security Incident, to the extent that such Security Incident involves the other Party’s Confidential Information, the other Party will have the right to audit or conduct (or cause a qualified, independent third party to audit or conduct) a security assessment for verification of the impacted Party’s data security obligations as set forth in this Section 6. Such security assessment will be at the other Party’s sole cost and election. All notices to Affirm under this Section 6 will be sent to infosec@affirm.com.
(d) Each Party will encrypt all Affirm Confidential Information, including Personal Data, in-transit, and will encrypt all Personal Data both at rest and in-transit with industry-standard encryption methods and algorithms, such as AES-256 and the two most recent, non-deprecated versions of TLS, respectively. Each Party will not transmit any unencrypted Personal Data over the internet or a wireless network, and will not store any Personal Data on any mobile computing device, such as a laptop computer, USB drive or portable data device, except where there is a business necessity and only if the mobile computing device is protected by industry standard encryption.
(e) Merchant will ensure that: (i) Merchant’s connectivity to Affirm’s information systems and all attempts at the same will be only through Affirm’s security gateways/firewalls and only through Affirm’s authorized security procedures, which can be obtained from Affirm’s Information Security Department; (ii) Merchant will not access, and will not permit unauthorized persons or entities to access, Affirm’s information systems without Affirm’s express written authorization, and any such actual or attempted access will be consistent with Affirm’s authorization; (iii) any private API keys or other material provided to Merchant for the purpose of Merchant authenticating to Affirm’s information systems will constitute Confidential Information and will be protected as such; and (iv) Merchant will take appropriate measures to ensure that Merchant’s information systems which connect to Affirm’s information systems, and anything provided to Affirm, do not contain any computer code, programs, mechanisms, or programming devices designed to, or that would, enable the disruption, modification, deletion, damage, deactivation, disabling, harm or otherwise be an impediment, in any manner, to the operation of the Affirm’s services or information systems, and Merchant will immediately notify Affirm upon detection of any vulnerabilities thereto. Each Processor will logically segregate the other Party’s Personal Data from all other data.
(f) If, during the Term of the Agreement, a Party Processes credit, debit, or other payment card number and cardholder information with respect to Customers, the Party will at all such times remain in compliance with the Payment Card Industry Data Security Standard (“PCI DSS”) requirements, including, without limitation, remaining aware at all such times as of changes to the PCI DSS and promptly implementing all procedures and practices as may be necessary to remain in compliance with the PCI DSS, in each case, at the Party’s cost and expense. Merchant will not receive any Cardholder Data (as defined in PCI DSS) from Affirm under the Agreement.
(g) To ensure the security of Affirm Personal Data, Merchant will implement administrative, physical, and technical safeguards that are no less rigorous than Industry Recognized Security Practices. Merchant will maintain, and periodically review, a documented security program to safeguard Affirm Personal Data, which will, at a minimum, include the Technical and Organizational Security Measures set forth in Appendix A.
7. Data Subject Requests. Each Party will permit Data Subjects to exercise their rights under Applicable Privacy Law and will implement and maintain appropriate technical and organizational means to comply with Data Subject Requests. Where requested and related to Processing under the Agreement, the applicable Processor will, within ten (10) calendar days of such request, assist the applicable Controller with its response to a Data Subject Request, including as appropriate, providing the Controller with information in the Processor’s custody related to a specific natural person. Any information provided by the applicable Processor to the applicable Controller under this DPA will be in an electronic format. The applicable Processor will: (a) without undue delay, direct a Data Subject who has submitted a Data Subject Request with respect to the Controller’s Personal Data to Controller; and (b) not respond to that Data Subject Request as to Personal Data Processed on behalf of the Controller, except on the instructions of the Controller or as required by Applicable Privacy Law, in which case the Processor will, to the extent permitted by such Applicable Privacy Law, inform the Controller of the legal requirement before the Processor responds to the Data Subject Request.
8. International Data Transfers. Each Party will only transfer Personal Data across international borders and between jurisdictions to the extent permitted by Section 8 and in accordance with Applicable Privacy Law. In the event of a conflict between this DPA and the SCCs, the provisions of the SCCs will control.
(a) EEA Personal Data Transfer. Transfers of Personal Data from the EEA to a Restricted Country will be conducted in accordance with SCCs. Appendix A hereto provides additional details as required by Annexes I and II of the SCCs.
(i) Processor-Controller Transfers. Transfers of applicable Personal Data from a data exporter in the EEA to a data importer in a Restricted Country, will be in accordance with this DPA and the Processor-to-Controller SCCs (located at https://www.affirm.com/terms/processor-to-controller) (terms of which are incorporated here by reference).
(ii) Controller-Processor Transfers. Transfers of applicable Personal Data from a data exporter in the EEA to a data importer in a Restricted Country will be in accordance with this DPA and the Controller-to-Processor SCCs (located at https://www.affirm.com/terms/controller-to-processor) (terms of which are incorporated here by reference).
(iii) Controller-Controller Transfers. Transfers of applicable Personal Data from the EEA to a Restricted Country between Merchant and Affirm will be in accordance with this DPA and the Controller-to-Controller SCCs (located at https://www.affirm.com/terms/controller-to-controller) (terms of which are incorporated here by reference).
(b) UK Personal Data Transfer.Transfers of applicable Personal Data from the UK to a Restricted Country will be conducted in accordance with SCCs. For purposes of the UK IDTA: (i) the information required for the purposes of Part 1 (Tables) of the UK IDTA will be populated with the relevant information set out in this DPA; and (ii) the UK IDTA will be governed by the laws of, and disputes will be resolved before the courts of, England and Wales.
(c) U.S. and Canada Personal Data. To the extent a transfer involves Personal Data, Merchant may not Process Affirm Personal Data outside of the United States or Canada without Affirm’s express prior written permission and only after Merchant demonstrates that the jurisdiction in which the recipient of the transfer resides requires at least the same level of privacy and security protections required by the Agreement and to the extent required by Applicable Privacy Law.
9. Disposal and Return. Upon request, and except as required by Applicable Law or, with respect to Affirm, as required to maintain or retain for servicing Customers, each Party will immediately destroy, and upon request, certify such destruction of, all of the requesting Party’s Confidential Information in its possession, on its systems, or held by Subprocessors in its behalf. Any such Personal Data so retained will remain subject to the terms of the Agreement.
10. Data Privacy Impact Assessment and Security Questionnaire. Each Party will assist the other Party in providing a data protection impact assessment where requested in connection with performance of its obligations under the Agreement that presents a high risk to Data Subjects. Each Party represents and warrants to the other Party that any information provided in response to a Party’s privacy impact assessment is accurate to the best of the responding Party’s knowledge and the person providing such information is authorized to do so and knowledgeable about the responding Party’s privacy and information security measures.
11. Affirm Contact/Representative. Please contact privacylegal@affirm.com regarding any questions or issues related to this DPA.
12. Requests for Personal Data. If a Party receives a valid subpoena, court order, warrant, or other demand (“Request”) from a law enforcement agency, judicial authority, or government or regulatory body (“Requesting Party”) for disclosure of the other Party’s Personal Data, the receiving Party will redirect the Requesting Party to seek that Personal Data directly from the other Party. If, despite the receiving Party’s efforts, the receiving Party is compelled by law or court order to disclose the other Party’s Personal Data to a Requesting Party, the receiving Party will: (a) promptly notify the other Party of the Request to allow the other Party to seek a protective order or other appropriate remedy, unless the receiving Party is prohibited from notifying the other Party, in which case the receiving Party will use commercially reasonable efforts to obtain a waiver of that prohibition; (b) challenge any over-broad, inappropriate, or unlawful Request; and (c) disclose only the minimum amount of the other Party’s Personal Data necessary to satisfy the Request.
APPENDIX A
The following chart includes the information required by Annex I of the SCCs.
Data exporter(s) | Name: Merchant Address: As provided in the Order Form or as otherwise provided by Merchant Contact person’s name, position and contact details: As provided by Merchant Activities relevant to the data transferred under these SCCs: Providing goods and services upon request to customers Role (controller/processor): Controller and Processor Name: Affirm Address: As provided in the Order Form or as otherwise provided by Affirm Contact person’s name, position and contact details: Activities relevant to the data transferred under these SCCs: Providing services upon request to customers Role (controller/processor): Controller and Processor |
Data importer(s) | Name: Affirm Address: As provided in the Order Form or as otherwise provided by Affirm Contact person’s name, position and contact details: Activities relevant to the data transferred under these SCCs: Providing services upon request to customers Role (controller/processor): Controller and Processor Name: Merchant Address: As provided in the Order Form or as otherwise provided by Merchant Contact person’s name, position and contact details: As provided by Merchant Activities relevant to the data transferred under these SCCs: Providing goods and services upon request to customers Role (controller/processor): Controller and Processor |
Data Subjects | Customers (individuals acting in a personal or household capacity) |
Categories of Personal Data | Personal identification (name, date of birth); transaction details |
Special Category Personal Data (if applicable) | None |
Frequency of the transfer | Ongoing/regular for the duration of the Agreement |
Nature of the Processing | The Personal Data transferred will be subject to the storage and processing activities described in the Agreement. |
Purposes of Data Transfer and Further Processing | Data Importer’s purposes of processing are to facilitate its provision of products or services to individuals who are joint customers of Data Exporter and Data Importer. |
Period for which the Personal Information will be Retained | Data Importer will process Personal Data for the duration of the Agreement. |
Recipients of Personal Information Transferred to the Data Importer | Data importer will maintain and provide a list of its Subprocessors upon request. |
For Transfers to Subprocessors, Subject Matter, Nature and Duration of the Processing | Transfers to Subprocessors comprise the same categories of data subjects and Personal Data, and duration as set out above. The Subprocessors provide services to Data Importer in connection with its delivery of services. |
Location of processing | Affirm, Inc.: United States of America Affirm Canada Holdings Ltd: Canada Affirm U.K. Limited: United Kingdom, Stockholm |
Competent supervisory authority/ies in accordance with Clause 13 | For transfers from the European Economic Area, Poland at Urzad Ochrony Danych Osobowych (The Office for Personal Data Protection); For transfers from the UK, the UK Information Commissioner's Office; For transfers from Switzerland, the Swiss Federal Data Protection and Information Commissioner (FDPIC). |
The following chart includes the information required by Annex II of the SCCs.
Contractual | Data Importer will sign appropriate data transfer agreements in accordance with applicable privacy law. |
Security of Transmission | Personal data is only transferred in an encrypted state. |
Organizational Safeguards | - Documented security policies and procedures are in place and are made available to all employees. - Employees are required to complete annual security training. - Regular audits of organizational and technical protection measures are conducted. - Procedures and personnel are in place for identifying, responding to, and mitigating the impact of, security incidents. - Roles and responsibilities are defined with regard to data, network, and systems access. |
Technical Safeguards | - Disk encryption and anti-malware software are required on all company issued equipment. - Controls are in place that actively monitor the system and its peripheral systems for intrusions and vulnerabilities. - Centralized logging is maintained for security-relevant events on systems. - Data stored within the network in a secure subnet are not accessible by the outside network without proper identity and access management, including multi-factor authentication. - Personal data are encrypted at rest and in transit with current algorithms and protocols. - User access roles and permissions are defined based on job function, and access provisioning and deprovisioning are conducted in an automated fashion. - System changes are introduced and change approvals automatically enforced according to defined procedures. |