United States Data Processing Addendum

This United States Data Processing Addendum (“DPA”), which forms part of the Merchant Services Agreement between Forter, Inc. (“Forter”) and (“Merchant”), dated   (the “Agreement”), reflects the parties’ agreement with regard to the processing of Personal Data in connection with the Agreement.

Except as expressly stated herein or in the Agreement, in the event of any conflict between the terms of this DPA and the Agreement, the terms of this DPA shall take precedence. Terms not defined herein shall have the meaning provided in the Agreement.

1. Definitions:

1.1 “CCPA” means the California Consumer Privacy Act of 2018 (California Civil Code §§ 1798.100 to 1798.199), as may be amended from time to time, including as amended by the California Privacy Rights Act of 2020.

1.2 “Contracted Business Purpose” means the Services and any other purpose specifically identified in this DPA or the Agreement for which Forter processes Personal Information.

1.3 “Personal Information” means information provided to Forter by or on behalf of Merchant or collected by Forter on the Merchant Sites in connection with the Agreement, that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

1.4 “US Data Protection Law” means all applicable United States federal or state privacy and data protection laws and regulations including, without limitation, the CCPA.

1.5 “Business Purpose”, “Consumer”, “Processor,” “Process or Processing”, “Sale,” “Service Provider”, and “Share” have the meanings given to them in the applicable US Data Protection Law.

2. Scope. This DPA will only apply to Personal Information shared under the Agreement and to the extent US Data Protection Laws are applicable to the Processing of Merchant Data. For the purposes of US Data Protection Laws, Forter Processes Personal Information as a Service Provider/Processor. Forter shall Process Personal Information in accordance with Schedule 1.

3. Forter’s Obligations. As Service Provider/Processor, Forter shall:

3.1 not Sell or Share any Personal Information;

3.2 not retain, use or disclose any Personal Information (i) outside of the direct business relationship between Forter and Merchant, or (ii) for any purpose other than for the specific purpose of providing the Services to Merchant or as otherwise permitted in the Agreement or US Data Protection Law;

3.3 comply with any applicable obligations under US Data Protection Law and provide the same level of protection to Personal Information as is required by US Data Protection Law;

3.4 upon reasonable request from Merchant, but no more than once per year, provide Merchant with information reasonably necessary for Merchant to ensure that Forter’s use of Personal Information under the Agreement is in compliance with Merchant’s obligations under this DPA. The information will constitute Forter Confidential Information under the confidentiality provisions of the Agreement;

3.5 promptly comply with any request from Merchant requiring Forter to stop or mitigate any unauthorized processing;

3.6 not combine the Personal Information with personal information that Forter receives from, or on behalf of, another person or persons, or collects from its own interaction with an applicable consumer, except in accordance with US Data Protection Law; and

3.7 promptly notify Merchant if it makes the determination that it can no longer meet its obligations under US Data Protection Law. 

4. Personnel. Forter shall restrict its personnel from processing Personal Information without Forter’s authorization and will limit its personnel’s processing to that which is needed for the specific individual’s in connection with Forter’s provision of the Services under the Agreement. Forter will impose appropriate obligations on its personnel, including relevant obligations regarding confidentiality, data protection, and data security. 

5. Data Subject Rights. Forter shall provide reasonable assistance to Merchant by appropriate technical and organizational measures, for Merchant to fulfill its obligations under US Data Protection Law to respond to requests by Consumers to exercise their rights under US Data Protection Law. If Forter receives a request from a Consumer under US Data Protection Law with respect to Personal Information, Forter will advise the Consumer to submit the request to Merchant and Merchant will be responsible for responding to any such request.

6. Destruction of Personal Information. Following termination or expiration of the Agreement, Forter shall delete Personal Information, except as required by applicable law.

7. Audit. Upon Merchant’s request and no more than once in any twelve (12) month period, Forter shall allow for and contribute to audits, including inspections, by Merchant or an auditor mandated by Merchant in relation to the Processing of the Personal Information by Forter. The parties shall mutually agree upon the timing and scope of any audit.

8. Security. Forter agrees to implement and maintain appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk.

9. Subprocessor. Forter shall inform Merchant in writing of its intention to add or replace a subprocessor within a reasonably sufficient amount of time to allow Merchant to object to such subprocessor. Merchant shall have 5 days from receipt of notice to object. Forter shall: (i) execute an appropriate written agreement with such subprocessor that is not less protective than the provisions of this DPA; and (ii) remain fully liable for performance of such subprocessor’s obligations and for the acts and omissions of its subprocessor.

Schedule 1

Scope of Processing 

1. Nature and Purpose of Processing:

  • To provide fraud and abuse prevention services, or as otherwise permitted in the Agreement and in compliance with US Data Protection Law.

2. Duration of Processing:

  • For as long as Merchant is Forter’s customer.

3. Types of Personal Data:

  • Contact information: this includes information such as name, phone number, email and mailing address.
  • Transaction data: this includes information about a completed transaction on a Merchant Site, including name, email address, billing and shipping mailing addresses, items purchased, price paid, order status and chargeback information, as well as basic information about consumer payment and billing method.
  • Account information: this includes information about user account and preferences on Merchant Sites.
  • Browser, device and connection data: this includes information about the personal computer or mobile device used to access a Merchant Site.
  • Behavioral data: this includes information regarding users’ activity on a Merchant Site, such as the time and frequency of access, the referrer page domain, and pages viewed.

4. Categories of data subjects:

  • End Customers on the Merchant Sites