Data Processing Addendum for Merchants
This Data Processing Addendum (“DPA”) is entered into by and between CSG Forte Payments, Inc. on behalf of itself and its Affiliates (“CSG”) and the entity identified as the “Merchant” on the signature page of this DPA. This DPA is supplemental to any services or subscription agreements, amendments, statements of work, schedules, orders or similar agreements entered into or issued pursuant to that agreement entered into between the parties, which governs the provision of the Services by CSG to Merchant (“Agreement”).
- Definitions
- Definitions: In this DPA, the following terms shall have the following meanings:
- “Affiliate” shall mean an entity that controls, is controlled by, or is under common control with, CSG Systems, Inc.
- “Applicable Data Protection Law” means all applicable United States federal, national and state privacy and data protection laws in effect now or at any time during the course of this DPA that apply to the Processing of Personal Data that is the subject matter of the Agreement (including, where applicable, the California Consumer Data Protection Act (as amended, superseded or replaced from time to time) (“CCPA”)).
- “Controller” (i.e., business) means the natural or legal person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
- “Personal Data” means any information that is linked or reasonably linkable to an identified or identifiable individual and includes “Personal Information” as defined under CCPA.
- “Process” means any operation which is performed on Personal Data, whether or not by automated means, such as collection, storage, adaptation or alteration, retrieval, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Processor” (i.e., service provider) means an individual who, or legal entity that, Processes Personal Data on behalf of a Controller.
Terms used but not otherwise defined in this DPA shall have the meaning assigned to them by Applicable Data Protection Law. Unless specified otherwise, the term “controller” includes “business” as defined under the CCPA; “processor” includes “service provider” as defined under CCPA; “data subject” includes “consumer” as defined under CCPA.
- Data Protection
- Relationship of the parties: As between the parties, Merchant is the Controller or Processor and appoints CSG as a Processor or Sub-processor, as applicable, to Process the Personal Data that is the subject of the Agreement (the “Data”) on behalf of Merchant as follows:
- Categories of Data Subjects may include:
- Merchants’ employees
- Merchants’ business customers’ employees
- Consumers
- Types of Personal Data:
- Merchants’ employees: Business contact information: name & last name, job title, work email, work phone number, work address.
- Merchants’ business customers’ employees: Business contact information: name & last name, job title, work email, work address.
- Merchants’ consumers: email address, phone number.
- Nature and Purpose of Processing: The nature and purpose of Processing as set forth in the description of services in the Agreement.
- Duration of Processing: The duration of Processing shall be concurrent with the Agreement term or shall cease upon any instruction by Merchant to CSG to cease Processing Data, except and to the extent required by applicable law.
- Purpose limitation: CSG shall Process the Data as a Processor only as necessary to perform the Services for Merchant under the Agreement, and in accordance with the Merchant’s documented instructions (including those in this DPA and the Agreement) and Applicable Data Protection Law (“Business Purpose”). CSG shall, as soon as reasonably possible, and in no event later than five (5) business days, inform Merchant if it cannot meet the requirements of Applicable Data Protection Laws. CSG shall not sell or share Data as the term “sell” or “share” (or similar terms) are defined by Applicable Data Protection Law. CSG shall not combine Data with Personal Data of another CSG client, except as permitted under Applicable Data Protection Law. In particular, the Parties agree that as part of the services, CSG may Process Personal Data for internal research, development, and analysis purposes in order to improve the services, Merchant experience, products and as needed for related legitimate business purposes.
- Prohibited data: Merchant shall not disclose, upload, or otherwise provide any sensitive Personal Data to CSG for processing unless specifically provided for in this DPA or agreed in a mutually acceptable written amendment to this DPA.
- Confidentiality of Processing: CSG will limit access to Data to those individuals who need to access the Data and will require all individuals who have access to the Data to keep such Data confidential.
- Security: CSG shall implement reasonable security measures and practices appropriate to the nature of the Data to protect the Data from (i) accidental or unlawful destruction, and (ii) loss, alteration, unauthorized disclosure of, or access to the Data; and to preserve the security, integrity and confidentiality of the Data in accordance with the CSG security measures included in the Agreement (“Security Measures”).
- Security incidents: Upon becoming aware of any unauthorized disclosure, destruction, or loss of access to Data (“Security Incident”), CSG shall inform Merchant without undue delay and shall reasonably cooperate with Merchant to assist Merchant to fulfill its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law. CSG’s obligation to report or respond to a Security Incident does not alter Merchant’s responsibility and liability with regard to a Security Incident under Applicable Data Protection Law and will not be construed as an acknowledgment by CSG of any fault or liability with respect to the Security Incident.
- Subcontractors (i.e. subprocessors): Merchant provides a general authorization to CSG to engage subcontractors to Process the Data for the Business Purpose provided that: (i) CSG imposes data protection terms on any subcontractor it appoints as required by Applicable Data Protection Law that are materially similar to those set out in this DPA; and (ii) if a subcontractor is unable to fulfil its data protection obligations under Applicable Data Protection Law, CSG shall remain liable to the Merchant for the performance of subcontractor’s obligations under Applicable Data Protection Law. As of the date of this DPA, Merchant authorizes CSG to allow processing of Data by CSG’s subcontractors listed in Exhibit A.
- 2.7.1. CSG will provide Merchant with notice (email will suffice) at least thirty (30) days prior to appointing a new subcontractor or replacing an existing subcontractor.
- 2.7.2. If required by Applicable Data Protection Law, Merchant may object to CSG’s appointment or replacement of a subcontractor prior to its appointment or replacement, within ten (10) days of receiving such notice, provided such objection is based on reasonable grounds relating to data protection. In such event, CSG and Merchant shall work in good faith to resolve Merchant’s concerns through dispute resolution provisions in the Agreement. Notwithstanding the foregoing, CSG may add or replace a subcontractor (meeting the requirements of Section 2.7) immediately if it is necessary to ensure continuity of Processing or recovery in case of emergency, except as prohibited by Applicable Data Protection Law. In such case, CSG will provide notice as far in advance as reasonably possible. If such objection right is not exercised by Merchant in the terms described above, silence shall be deemed to constitute an approval of such engagement.
- Cooperation and individuals’ rights: If required by Applicable Data Protection Law, CSG shall provide reasonable and timely assistance to enable Merchant to respond to: (i) any request from an individual to exercise their rights under Applicable Data Protection Law; and (ii) any other correspondence received from a regulator or public authority in connection with the Processing of the Data. In the event that any such communication is made directly to CSG, CSG shall notify Merchant without undue delay of the same and shall not respond to the communication unless specifically required by Applicable Data Protection Law.
- Data Protection Impact Assessment: If required by Applicable Data Protection Law, CSG shall provide reasonable assistance to Merchant, at Merchant’s expense, in conducting data protection impact assessments in relation to CSG’s Processing of Personal Data.
- Deletion or return of Data: Upon termination or expiry of the Agreement, CSG shall delete or return all Data (including copies) in its possession or control. This requirement shall not apply to (i) the extent that CSG is required by applicable law to retain some or all of the Data, or (ii) Data that CSG has archived on its back-up systems, including back-up systems hosted by its Sub-processors, which CSG and/or its Sub-processor, as applicable, shall securely isolate and protect from any further processing except to the extent required by applicable law, or (iii) if retaining some or all of Data is necessary to protect the legal rights of CSG.
- Provision of documentation and information: Upon request by Merchant, CSG shall provide information, available and reasonably necessary to demonstrate CSG’s compliance with this DPA.
- Audit upon regulatory request or following Security Incident: If and only to the extent required by Applicable Data Protection Law and at Merchant’s sole expense, CSG will allow Merchant or, upon CSG’s request, an independent auditor (which possesses the required professional qualifications) appointed by Merchant to conduct audits (including inspections) to verify CSG’s compliance with its obligations under this DPA. These audits shall not be requested by Merchant more than once in a twelve-month period, unless otherwise required by Applicable Data Protection Law.
- Any claims brought under or in connection with this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations of liability set forth in the Agreement. In particular, any claim or remedy Merchant may have against CSG, its Affiliates, employees, contractors, agents and subcontractors, arising under or in connection with this DPA, whether in contract, tort (including negligence) or under any other theory of liability, shall to the maximum extent permitted by law be subject to the limitations and exclusions of liability in the Agreement. Accordingly, any reference in the Agreement to the liability of a party means the aggregate liability of that party and all of its Affiliates under and in connection with the Agreement and this DPA together.
- Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.