
PayPal Data Protection Addendum for Business Management Products

Last updated on April 7, 2025

This PayPal Data Protection Addendum for Business Management Products (“Addendum”) forms part of and is subject to the terms and conditions of PayPal User Agreement and the Bill Pay for Business Accounts Terms and Conditions, as applicable and as further described in those terms, (together, the “Agreements”) by and between you (“you” or “Company”), as defined in the Agreements, and PayPal (“PayPal”) (each a “Party” and together, the “Parties”).

1. Subject Matter and Duration

  1. Subject Matter. This Addendum reflects the Parties’ commitment to abide by Data Protection Laws concerning the Processing of Company Personal Information in connection with PayPal’s execution of the Agreement. All capitalized terms that are not expressly defined in this Addendum will have the meanings given to them in the Agreement or applicable Data Protection Laws. If and to the extent language in this Addendum conflicts with the Agreement, this Addendum shall control.
  2. Duration and Survival. This Addendum will become legally binding upon the effective date of the Agreement or upon the date that the Parties sign this Addendum if it is completed after the effective date of the Agreement. PayPal’s obligations and Company’s rights under this Addendum will continue in effect so long as PayPal Processes Company Personal Information.

2. Definitions

For the purposes of this Addendum, the following terms and those defined within the body of this Addendum apply.

  1. “Company Personal Information” means Personal Information designated in the Agreements to be Processed by PayPal on behalf of Company.
  2. “Data Protection Laws” means all applicable data privacy, data protection, and cybersecurity laws, rules and regulations, case law, and other regulatory guidance to which the Company Personal Information is subject. “Data Protection Laws” may include, but are not limited to, the California Consumer Privacy Act (“CCPA”); the Gramm-Leach-Bliley Act (“GLBA”); and industry self-regulatory standards, such as the Payment Card Industry Data Security Standard (“PCI DSS”).
  3. “Personal Information” has the meaning assigned to the terms “personal data” or “personal information” or similar terminology used under applicable Data Protection Laws, and will, at a minimum, mean any information relating to an identified or identifiable natural person.
  4. “Process” or “Processing” means any operation or set of operations which is performed on Company Personal Information or sets of Company Personal Information, whether or not by automated means, such as access, collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
  5. “Security Incident(s)” means a breach of security leading to the unavailability of or accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Company Personal Information.
  6. “Services” means any and all services that PayPal performs related to Company Personal Information under the Agreement.
  7. “Subprocessor(s)” means PayPal’s vendors and third-party service providers that Process Company Personal Information.

3. Processing Terms for Company Personal Information

  1. Limited Purpose for Disclosure. Company Personal Information disclosed to PayPal shall be only for the limited and specified purposes in the Agreement, including without limitation Bill Pay for Business Accounts with account-syncing functionality enabled. PayPal will not retain, use, or disclose Company Personal Information for any purpose other than for the business purposes specified in the Agreement, including retaining, using, or disclosing Company Personal Information for a commercial purpose other than the business purposes specified in the Agreement or as otherwise permitted by Data Protection Laws. PayPal will not retain, use, or disclose Company Personal Information outside of the direct business relationship between PayPal and Company.
  2. Documented Instructions. PayPal shall Process Company Personal Information solely for the purpose of providing the Services to Company, and solely to the extent necessary to provide the Services to Company, in each case, in accordance with the documented instructions by Company, the Agreement, this Addendum, and Data Protection Laws. PayPal will, unless legally prohibited from doing so, inform Company in writing if it reasonably believes that there is a conflict between Company’s instructions and applicable law or otherwise seeks to Process Company Personal Information in a manner that is inconsistent with Company’s instructions.
  3. Authorization to Use Subprocessors. To the extent necessary to fulfill PayPal’s contractual obligations under the Agreement, Company hereby authorizes PayPal to engage Subprocessors. PayPal will take reasonable steps to select and retain Subprocessors that are capable of maintaining appropriate safeguards for Company Personal Information. PayPal shall (i) enter into a written agreement with Subprocessors regarding such Subprocessors’ Processing of Company Personal Information that imposes on such Subprocessors data protection and information security requirements for Company Personal Information that are at least as protective as the obligations in this Addendum; and (ii) remain fully liable to Company for PayPal’s Subprocessors’ failure to perform their obligations with respect to the Processing of Company Personal Information.
  4. Right to Object to Subprocessors. If Company has objections to the appointment of any new Subprocessor, PayPal may terminate the Services performed under the Agreement.
  5. Subprocessor List. Company may contact PayPal’s customer service to obtain a list of subprocessors PayPal uses to provide the Services.
  6. Confidentiality. Any person authorized to Process Company Personal Information must contractually agree to maintain the confidentiality of such information or be under an appropriate statutory obligation of confidentiality.
  7. Personal Information Inquiries and Requests. PayPal agrees to provide reasonable assistance to enable the Company to comply with consumer requests, and PayPal agrees to comply with all reasonable instructions from Company related to any requests from individuals exercising their rights in Company Personal Information granted to them under Data Protection Laws (e.g., access, deletion, etc.). If a request is sent directly to PayPal, PayPal shall refer the requestor to Company for resolution. PayPal will notify Subprocessors who may have accessed Company Personal Information from or through PayPal to similarly provide reasonable assistance and comply with all reasonable instructions from Company related to any requests from individuals exercising their rights in Company Personal Information granted to them under Data Protection Laws.
  8. Sale or Sharing of Company Personal Information Prohibited. PayPal shall not sell or share Company Personal Information as the term “sell” or “share” is defined by the CCPA or other Data Protection Laws.
  9. Data Protection Impact Assessment and Prior Consultation. PayPal agrees to provide reasonable assistance to Company where, in Company’s judgement, the type of Processing performed by PayPal requires a data protection impact assessment and/or prior consultation with a relevant data protection authority.
  10. Demonstrable Compliance. PayPal is required to comply with all applicable obligations under Data Protection Laws and must provide the same level of privacy protection to Company Personal Information as is required by Company under Data Protection Laws. PayPal agrees to provide information reasonably necessary to demonstrate compliance with this Addendum upon Company’s reasonable request. PayPal will notify Company if PayPal makes a determination that it can no longer meet its obligations under any Data Protection Laws or this Addendum.
  11. Privacy Notices. PayPal will distribute to PayPal’s employees any privacy notices required by Company to be provided to PayPal’s employees before Company collects or uses any Personal Information about PayPal’s employees in the course of such employees’ roles in performing any of the Services under the Agreement.

4. Information Security Program

  1. Safeguards. PayPal shall implement and maintain reasonable administrative, technical, and physical safeguards that protect Company Personal Information (the “Information Security Program”) in compliance with Data Protection Laws. The Information Security Program must include, at a minimum, the following elements:
    1. a designated qualified individual responsible for overseeing, implementing, and enforcing the Information Security Program;
    2. risk assessments that identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks;
    3. access controls, including technical and, as appropriate, physical controls to authenticate and permit access only to authorized users to protect against the unauthorized acquisition of customer information; and limit authorized users’ access only to customer information that they need to perform their duties and functions, or, in the case of customers, to access their own information;
    4. a data inventory that identifies and manages the data, personnel, devices, systems, and facilities that enable PayPal to achieve business purposes in accordance with their relative importance to business objectives and your risk strategy;
    5. encryption of all Company Personal Information held or transmitted both in transit over external networks and at rest;
    6. secure development practices for in-house developed applications utilized by PayPal for transmitting, accessing, or storing Company Personal Information and procedures for evaluating, assessing, or testing the security of externally developed applications that PayPal utilizes to transmit, access, or store customer information;
    7. multi-factor authentication for any individual accessing any information system;
    8. procedures for the secure disposal of customer information;
    9. a data retention policy;
    10. change management procedures;
    11. monitoring and logging the activity of authorized users and detecting unauthorized access or use of, or tampering with, customer information by such users;
    12. monitoring and testing for information systems including continuous monitoring or periodic penetration testing and vulnerability assessments;
    13. security awareness training for personnel;
    14. oversight of Subprocessors;
    15. a process to evaluate and adjust the Information Security Program;
    16. a written incident response plan; and
    17. a Board reporting process.
  2. Assessments. PayPal grants Company the right to, at most once annually, assess PayPal based on the risk PayPal presents to Company Personal Information and the continued adequacy of PayPal’s safeguards.

5. Security Incidents

  1. Security Incident Procedure. PayPal will deploy and follow policies and procedures to detect, respond to, recover from, and otherwise address Security Incidents including procedures to (i) identify and respond to reasonably suspected or known Security Incidents, mitigate harmful effects of Security Incidents, document Security Incidents and their outcomes, and (ii) restore the availability or access to Company Personal Information in a timely manner.
  2. Notice. PayPal agrees to provide written notice without undue delay (but in no event longer than seventy-two (72) hours) to Company’s Designated POC if it knows or reasonably suspects that a Security Incident has taken place. Such notice will include all available details required under Data Protection Laws for Company to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident. To the extent that such details are not available at the time of notice, PayPal agrees to provide any information reasonably requested by Company on an ongoing basis.
  3. Remediation. PayPal shall: (i) help Company investigate, remediate, and take any other action Company deems necessary regarding the Security Incident and any dispute, inquiry, investigation, or claim concerning the Security Incident; and (ii) provide Company with assurance satisfactory to Company that such Security Incident will not recur. In the event of a Security Incident, Company has the right to control the breach notification process. PayPal will be liable for any costs and expenses incurred by Company in connection with the Security Incident, including: (1) the cost of preparing and delivering notices to affected individuals; (2) the cost of providing credit monitoring services or other credits or benefits extended to affected individuals; (3) reasonable attorneys’ fees associated with investigation, remediation, and response; (4) liability to third parties that Company incurs in connection with the Security Incidents (such as amounts paid or for which Company is liable to third parties in tort or arising out of contracts); and (5) labor and subcontractor costs, including employee time spent and additional costs incurred in connection with call center support.

6. Audits

  1. Audit Rights. PayPal grants Company the right to take reasonable and appropriate steps to help ensure that PayPal uses Company Personal Information transferred to PayPal in a manner consistent with Company’s obligations under Data Protection Laws. For example, Company may require PayPal to provide documentation that verifies that PayPal no longer retains or uses the Company Personal Information of individuals who have made a valid request to delete with the Company. PayPal further grants Company the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Company Personal Information.
  2. Data Storage. PayPal will not store or retain any Company Personal Information except as reasonably necessary to perform the Services under the Agreement or as otherwise required to be retained by Data Protection Laws.
  3. Data Restriction. Other than as necessary to provide the Services, PayPal will not combine Company Personal Information that PayPal receives from, or on behalf of, Company with personal information that PayPal receives from, or on behalf of, another person or persons, or collects from its own interaction with a consumer, provided that PayPal may combine personal information to perform any business purpose as defined in Data Protection Laws or as expressly permitted by Data Protection Laws.

7. General

  1. Amendment. We may amend or otherwise revise this Addendum in accordance with the terms of the PayPal User Agreement.