This Data Processing Addendum (“DPA”) amends and forms part of the executed Merchant Agreement between Merchant and Thanx, Inc. (“Thanx”) (collectively, “the parties”) for the provision of services to Merchant (the “Agreement”). This DPA prevails over any conflicting term of the Agreement but does not otherwise modify the Agreement.
- Definitions
- In this DPA:
- “Data Protection Law” means all laws that apply to the Processing of Personal Data under the Agreement, including the laws and regulations of the United States and its states, as amended from time to time, to the extent such laws and regulations apply to the relevant party.
- “Personal Data” means any information that reasonably relates, directly or indirectly, to an identified or identifiable natural person that Thanx may Process on Merchant’s behalf in performing the services under the Agreement.
- “Processing” (including its cognate “Process”) means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Security Incident” means a breach of security leading to the unauthorized or unlawful access by a third party, or confirmed accidental or unlawful destruction, loss or alteration, of Personal Data.
- “Services” means the services that Thanx provides to Merchant under the Agreement.
- Capitalized terms used but not defined herein have the meaning given to them in the Agreement.
- Data Protection
- When Thanx Processes Personal Data, it will:
- Process the Personal Data to provide the Services in accordance with the Agreement and this DPA;
- assist Merchant, taking into account the nature of the Processing and the information available to Thanx, in complying with Merchant’s obligations to respond to requests concerning Personal Data from individuals under applicable Data Protection Law;
- implement and maintain appropriate physical, technical and organizational measures to ensure a level of security appropriate to the risk, which include the technical and organizational measures required by applicable Data Protection Law;
- only entrust the Processing of Personal Data to personnel who have undertaken to comply with confidentiality requirements; and
- upon termination of the Agreement, as instructed by Merchant, delete or return the Personal Data, except where continued retention of Personal Data is in accordance with applicable law or Thanx’s policies, in which case Thanx shall retain such Personal Data in accordance with this DPA.
- Thanx will not (a) “sell” or “share” (as defined in Data Protection Law) the Personal Data; (b) retain, use, combine, or disclose the Personal Data for any purpose other than as permitted under this DPA and in accordance with the Agreement; or (c) retain, use, or disclose the Personal Data other than in the context of the direct relationship with Merchant in accordance with the Agreement.
- Merchant Responsibilities
- Merchant is responsible for the lawfulness of Personal Data processing under or in connection with the services. Merchant will (i) provide all required notices and obtain all required consents, permissions and rights necessary under applicable Data Protection Law for Thanx to lawfully Process Personal Data for the purposes contemplated by the Agreement; (ii) make appropriate use of the services to ensure a level of security appropriate to the particular content of the Personal Data; (iii) comply with all Data Protection Law applicable to the collection of Personal Data and the transfer of such Personal Data to Thanx; and (iv) ensure its processing instructions comply with applicable laws (including applicable Data Protection Law).
- Subprocessing
- Merchant agrees that Thanx may use the third-party suppliers to Process Personal Data on its behalf for the provision of the services under the Agreement (each a “Subprocessor”).
- Thanx will ensure that any Subprocessors to which it transfers Personal Data enter into written agreements with Thanx requiring that the Subprocessor abide by terms substantially similar to those contained in this DPA.
- Thanx will remain liable for any breaches of this DPA caused by its Subprocessors.
- Assistance and Notifications
- Unless prohibited by Data Protection Law, Thanx must inform Merchant if Thanx:
- receives a request, complaint or other inquiry regarding the Processing of Personal Data;
- receives a binding or non-binding request to disclose Personal Data from law enforcement, courts or any government body;
- is subject to a legal obligation that requires Thanx to Process Personal Data in contravention of Merchant’s instructions; or
- is otherwise unable to comply with Data Protection Law or this DPA.
- Upon becoming aware of a Security Incident, Thanx will inform Merchant without undue delay and will provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Merchant to allow Merchant to fulfil its data breach reporting obligations under applicable Data Protection Law.
- Audit
- Thanx will make available to Merchant at Merchant’s request reasonable information which is necessary to demonstrate compliance with this DPA as requested by Merchant.
- To the extent Thanx makes available to Merchant confidential summary reports (“Audit Report”) prepared by third-party security professionals, upon request from Merchant, Thanx may provide such Audit Report in satisfaction of any audit rights accorded to Merchant pursuant to Data Protection Law.
- If Merchant can demonstrate that it requires additional information, beyond the Audit Report, then Merchant may request, at Merchant’s cost, Thanx to provide for an audit subject to reasonable confidentiality procedures, which will: (i) not include access to any information that could compromise confidential information relating to other Thanx Merchants or suppliers, Thanx’s technical and organizational measures, or any trade secrets; and (ii) be performed upon not less than thirty (30) days’ notice, during regular business hours and in such a manner as not to unreasonably interfere with Thanx’s normal business activities.
- General
- If there is any conflict between this DPA and the Agreement, this DPA will prevail to the extent of that conflict in connection with the Processing of Personal Data.
- If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
- Notwithstanding anything to the contrary in the Agreement or this DPA, the liability of each party under this DPA is subject to the limitations of liability set out in the Agreement.
- This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement.