United States Data Processing Addendum

This United States Data Processing Addendum (“DPA”), which forms part of the Merchant Services Agreement between Forter, Inc. (“Forter”) and (“Merchant”), dated   (the “Agreement”), reflects the parties’ agreement with regard to the processing of Personal Data in connection with the Agreement.

Except as expressly stated herein or in the Agreement, in the event of any conflict between the terms of this DPA and the Agreement, the terms of this DPA shall take precedence. Terms not defined herein shall have the meaning provided in the Agreement.

1. Definitions:

1.1 “CCPA” means the California Consumer Privacy Act of 2018 (California Civil Code §§ 1798.100 to 1798.199), as may be amended from time to time, including as amended by the California Privacy Rights Act of 2020.

1.2 “Contracted Business Purpose” means the Services and any other purpose specifically identified in this DPA or the Agreement for which Forter processes Personal Information.

1.3 “Personal Information” means information provided to Forter by or on behalf of Merchant or collected by Forter on the Merchant Sites in connection with the Agreement, in each case, that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

1.4 “US Data Protection Law” means all applicable United States federal or state privacy and data protection laws and regulations including, without limitation, the CCPA.

1.5 “Business Purpose”, “Consumer”, “Processor,” “Process or Processing”, “Sale,” “Service Provider”, and “Share” have the meanings given to them in the applicable US Data Protection Law.

2. Scope. This DPA will only apply to Personal Information subject to US Data Protection Laws. For the purposes of US Data Protection Laws, Forter Processes Personal Information as a Service Provider/Processor. Forter shall Process Personal Information in accordance with Schedule 1 to this DPA.

3. Forter’s Obligations. As Service Provider/Processor, Forter shall:

3.1 not Sell or Share any Personal Information, except as otherwise required or permitted under US Data Protection Laws;

3.2 not retain, use or disclose any Personal Information (i) outside of the direct business relationship between Forter and Merchant, or (ii) for any purpose other than for the specific purpose of providing the Services to Merchant or as otherwise permitted in the Agreement or US Data Protection Law;

3.3 comply with any applicable obligations under US Data Protection Law and provide the same level of protection to Personal Information as is required by US Data Protection Law;

3.4 upon reasonable request from Merchant, but no more than once in any twelve (12) month period, provide Merchant with information reasonably necessary for Merchant to ensure that Forter’s use of Personal Information under the Agreement is in compliance with US Data Protection Laws. Merchant acknowledges and agrees that the information provided by Forter pursuant to this Section will constitute Forter Confidential Information and be subject to the confidentiality provisions of the Agreement;

3.5 promptly comply with any request from Merchant requiring Forter to stop or mitigate any unauthorized processing, as required under US Data Protection Laws;

3.6 not combine the Personal Information with personal information that Forter receives from, or on behalf of, another person or persons, or collects from its own interaction with an applicable consumer, except in accordance with US Data Protection Law; and

3.7 promptly notify Merchant if it determines that it can no longer meet its obligations under US Data Protection Law.

4. Personnel. Forter shall restrict its personnel from processing Personal Information without Forter’s authorization and will limit its personnel’s processing of Personal Information to that which is needed to provide the Services under the Agreement. Forter will impose appropriate obligations on its personnel, including relevant obligations regarding confidentiality, data protection, and data security, in each case, as required by US Data Protection Laws.

5. Data Subject Rights.  Forter shall provide reasonable assistance to Merchant to enable Merchant to fulfill its obligations under US Data Protection Law to respond to requests by Consumers to exercise their rights under US Data Protection Law, as required by US Data Protection Laws. If Forter receives a request from a Consumer under US Data Protection Law with respect to Personal Information, Forter will advise the Consumer to submit the request directly to Merchant and Merchant will be responsible for responding to any such request. Merchant acknowledges and agrees that any Consumer requests passed through to Forter by Merchant shall be submitted through Forter’s Privacy API, Decision Dashboard, or another method approved by Forter.

6. Destruction of Personal Information.  Following termination or expiration of the Agreement, Forter shall delete Personal Information in its possession, as required by applicable US Data Protection Law.

7. Audit. Upon Merchant’s request, and no more than once in any twelve (12) month period, Forter shall allow for and contribute to audits, including inspections, by Merchant (or an auditor mandated by Merchant) in relation to the Processing of the Personal Information by Forter. The parties shall mutually agree upon the timing and scope of any audit.

8. Security. Forter agrees to implement and maintain appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk.

9. Subprocessor. Forter shall inform Merchant in writing of its intention to add or replace a subprocessor within a reasonably sufficient amount of time to allow Merchant to object to such subprocessor. Merchant acknowledges and agrees that such notice may be provided to an Authorized User through Forter’s Decision Dashboard. Merchant shall have 5 days from receipt of such notice to object to a new subprocessor. Forter shall: (i) execute an appropriate written agreement with each subprocessor that is no less protective than the provisions of this DPA; and (ii) remain fully liable for performance of such subprocessors’ obligations and for the acts and omissions of its subprocessor.

Schedule 1

Scope of Processing 

1. Nature and Purpose of Processing:

  • To provide fraud and abuse prevention and payment optimization services, or as otherwise permitted in the Agreement or under applicable US Data Protection Law.

2. Duration of Processing:

  • For as long as Merchant is Forter’s customer.

3. Types of Personal Data:

  • Contact information: this includes information such as name, phone number, email and mailing address.
  • Transaction data: this includes information about a completed transaction on a Merchant Site, including name, email address, billing and shipping mailing addresses, items purchased, price paid, order status and chargeback information, as well as basic information about consumer payment and billing method.
  • Account information: this includes information about user account and preferences on Merchant Sites.
  • Browser, device and connection data: this includes information about the personal computer or mobile device used to access a Merchant Site.
  • Behavioral data: this includes information regarding users’ activity on a Merchant Site, such as the time and frequency of access, the referrer page domain, and pages viewed.

4. Categories of data subjects:

  • Actual and potential End Customers on the Merchant Sites.