Chargeback Help Seller Data Processing Agreement

Last Updated: November 12, 2021

This seller data processing agreement (“DPA“) is an agreement between you and the entity you represent or have the authority to bind that entity to this agreement (“Seller” or “you“), and Chargeback Help, LLC, a California limited liability company (“CBHelp“). This DPA forms part of any written or electronic agreement between you and CBHelp under which CBHelp Processes Personal Information on your behalf (each, an “Agreement“), except with respect to any Agreement under which you and CBHelp have entered into data processing terms that address the subject matter of this DPA. Capitalized terms used here but not defined in this DPA will have the meanings given to them in the Agreement.

  1. Processing of Seller Personal Information
  1. Processor designation. The parties acknowledge that CBHelp Processes on Seller’s behalf Personal Information to provide the CBHelp Services (as defined in the Agreement), which Processing may include, by way of example and for illustrative purposes, the Processing detailed on the Details of Processing Seller Personal Information (Exhibit 2), and that CBHelp is a “processor” or “service provider” under Applicable Data Protection Law acting on Seller’s instructions (referred to as “Processor” for purposes of this DPA).
  2. Authorization to Process. Processor will Process Seller Personal Information on Seller’s behalf to provide CBHelp Services, and Processor is authorized to Process Seller Personal Information solely in connection with the applicable Agreement(s), including, without limitation, any statement of works, exhibits, and schedules, to provide the CBHelp Services, and any Processing required under applicable laws or regulations.
  1. Seller obligations
  1. Seller shall provide its Data Subjects with all privacy notices, information, and any necessary choices and shall obtain any necessary consents to enable CBHelp to comply with Applicable Data Protection Law;
  2. Where required by Applicable Data Protection Law, Seller shall promptly inform Processor when Seller Personal Information must be corrected, updated, or deleted;
  3. Seller shall ensure that at the point of transferring Seller Personal Information to Processor, the Seller Personal Information is adequate, relevant, and limited to what is necessary in relation to the Processing contemplated under the Agreement and this DPA; and
  4. Seller shall comply (and as applicable, ensure that its third-party auditors comply) with Processor’s relevant security policies and appropriate confidentiality obligations as set out in the Agreement.
  1. CBHelp obligations
  1. Applicable Data Protection Law. To the extent necessary to enable Seller to comply with its obligations under Applicable Data Protection Law, CBHelp shall comply with any required provisions of the GDPR Schedule (other than when acting under Section 1.2 of this DPA) or CCPA Schedule, each to the extent applicable.
  2. Data Subject Rights. Processor shall, to the extent legally permitted, provide reasonable assistance to Seller to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law (e.g., rights to access or delete Personal Information) in a manner that is consistent with the nature and functionality of CBHelp Services. In the event that CBHelp receives any such request, it shall notify the Seller and the Seller is responsible for handling those requests by a Data Subject under Applicable Data Protection Law.
  3. Engaging with Sub-Processors. Processor shall ensure that when engaging with another data processor (a “Sub-Processor“) for the purposes of carrying out specific Processing activities on Seller’s behalf, there is an agreement between Processor and the relevant Sub-Processor that provides at least the same level of protection for Seller Personal Information as set out in this DPA.
  4. Staff. Processor shall ensure that persons authorized to Process Seller Personal Information are under an appropriate obligation of confidentiality under applicable laws or regulations governing it.
  5. Security of Processing. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing as well as the risk to the rights and freedoms of natural persons, Processor shall implement technical and organizational measures to ensure a level of security appropriate to that risk. In assessing the appropriate level of security, Processor shall, in particular, take into account the risks that are presented by the Processing, in particular from unauthorized or unlawful Processing, accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Seller Personal Information transmitted, stored, or otherwise Processed. Processor shall provide reasonable assistance to Seller in ensuring Seller meets its own compliance obligations with respect to these same security measures.
  6. PCI Compliance. Processor’s storage, processing, and transmission of any payment instrument data shall comply with the Payment Card Industry (PCI) Security Standard, and Processor shall regularly validate its compliance as determined by its status as a Service Provider (as Service Provider is defined in the PCI Security Standard). On Seller’s request, CBHelp shall provide Seller with written confirmation of its PCI compliance status.
  7. Security Breach

  1. In the event of an actual Security Breach affecting Seller Personal Information contained in Processor’s systems, Processor shall (i) investigate the circumstances, extent, and causes of the Security Breach and report the results to Seller and continue to keep Seller informed on a regular basis of the progress of Processor’s investigation until the issue has been effectively resolved; and (ii) cooperate with Seller in any legally required notification by Seller to affected Data Subjects. The obligations here do not apply to Security Breaches caused by Seller or Seller’s Data Subjects.

  2. Processor shall notify Seller without undue delay on Processor or any Sub-Processor becoming aware of an actual Security Breach affecting Seller Personal Information, providing the Seller with sufficient information and reasonable assistance to allow Seller to meet its obligations under Applicable Data Protection Law to (i) notify a Supervisory Authority (as defined under Applicable Data Protection Law) of the Security Breach; and (ii) communicate the Security Breach to the relevant Data Subjects.

  3. Except as required by applicable law or regulation, Processor shall not make (nor permit any third party to make) any statement concerning the Security Breach that directly or indirectly references Seller, unless Seller provides its explicit written authorization.

  1. Deletion and Retention. Processor shall, at Seller’s option, delete all Seller Personal Information on termination of the Agreement and delete existing copies unless storage is required by applicable law.
  1. Miscellaneous. The terms of this DPA shall apply only to the extent required by Applicable Data Protection Law. To the extent not inconsistent with this DPA, the applicable provisions of the Agreement(s) (including without limitation, indemnifications, limitations of liability, enforcement, and interpretation) shall apply to this DPA. In the event of any conflict between this DPA and the terms of an applicable Agreement, the terms of this DPA shall control solely with respect to data processing terms where required by Applicable Data Protection Law, and, in all other respects, the terms of the applicable Agreement shall control. Notwithstanding any term of this DPA, this DPA does not apply to any data or information that does not relate to one or more identifiable individuals, which has been aggregated or de-identified under Applicable Data Protection Law, or to the extent that Processor and you have entered separate data processing terms that address the subject matter of this DPA.
  2. Definitions. Unless otherwise defined in the Agreement (including this DPA), all terms in this DPA have the definitions given to them in Applicable Data Protection Law.
  1. Applicable Data Protection Law” means any law or regulation pertaining to data protection, privacy, or the Processing of Personal Information, to the extent applicable in respect of a party’s obligations under the Agreement and this DPA. For illustrative purposes only, “Applicable Data Protection Laws” include, without limitation, and to the extent applicable, the General Data Protection Regulation (Regulation (EU) 2016/679 (the “GDPR“)), UK Data Protection Laws, the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. (“CCPA“), Swiss DP Laws, and any associated regulations or any other legislation or regulations that transpose or supersede the above.
  2. EEA Standard Contractual Clauses” means the Standard Contractual Clauses set out in the European Implementing Decision (EU) 2021/914 on standard contractual clauses for the transfer of personal data to third countries under Regulation (EU) 2016/679, as amended or replaced from time to time by a competent authority under the Applicable Data Protection Law.
  3. Personal Information” means all data or information, in any form or format, that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer (“Data Subject“) or household or that is regulated as “personal data,” “personal information,” or otherwise under Applicable Data Protection Law, including any information relating to a Data Subjects as defined in the Agreement.
  4. Process” or “Processed” or “Processing” means any operation or set of operations that is performed on Personal Information, whether or not by automatic means, such as access, collection, recording, organization, storage, adaptation or alteration, retrieval, disclosure or otherwise making available, duplication, transmission, combination, blocking, redaction, erasure, or destruction.
  5. Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information. A Security Breach includes a “personal data breach” (as defined in the GDPR), a “breach of security of a system,” or similar term (as defined in any other applicable privacy laws) as well as any other event that compromises the security, confidentiality, or integrity of Personal Information.
  6. Swiss DP Laws” means the Federal Act on Data Protection of June 19, 1992 (as updated, amended, and replaced from time to time), including all implementing ordinances.
  7. Transfer” means to transmit or otherwise make Seller Personal Information available across national borders in circumstances that are restricted by Applicable Data Protection Law.
  8. UK Data Protection Laws” means the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (“UK GDPR“), together with the Data Protection Act 2018, the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, and other data protection or privacy legislation in force from time to time in the United Kingdom. In this DPA, in circumstances where and solely to the extent that the UK GDPR applies, references to the GDPR and its provisions shall be construed as references to the UK GDPR and its corresponding provisions.
  9. UK Standard Contractual Clauses” means, together: the controller to processor standard contractual clauses as set out in Commission Decision C(2010)593 dated 5 February 2010 made under Directive 95/46/EC of the European Parliament and of the Council (“UK C2P SCCs“) and the controller to controller standard contractual clauses (adopted by Commission Decision 2004/915/EC dated 27 December 2004 made under Directive 95/46/EC of the European Parliament and of the Council as amended or superseded from time to time) (“UK C2C SCCs“).

Schedule A

California Consumer Privacy Act

This CCPA Schedule applies in addition to any terms set out in the body of the DPA (and is incorporated in it) when the CCPA applies to your use of CBHelp Services. Capitalized terms not defined here have the meaning assigned to them under the DPA. To the extent there are any conflicts between this CCPA Schedule and the DPA, this CCPA Schedule will prevail.

  1. CBHelp shall not:
  1. sell Seller Personal Information; or
  2. retain, use, or disclose Seller Personal Information other than as set out in the body of the DPA, except as required or permitted by Applicable Data Protection Law.
  1. When providing or making available Personal Information to CBHelp, Seller shall only disclose or transmit that Personal Information that is necessary for CBHelp to perform its obligations under the applicable Agreement(s).
  2. To the extent required by Applicable Data Protection Law, this CCPA Schedule constitutes its certification to the Processing restrictions here.

Schedule B

General Data Protection Regulation

This GDPR Schedule applies in addition to any terms set out in the body of the DPA (and is incorporated in it) when the GDPR applies to your use of CBHelp Services. Capitalized terms not defined here have the meaning assigned to them under the DPA. To the extent there are any conflicts between this GDPR Schedule and the DPA, this GDPR Schedule will prevail.

  1. Processor Obligations
  1. Processing of Seller Personal Information. CBHelp shall Process Seller Personal Information only on documented reasonable instructions from Seller (including instructions with respect to transfers of Seller Personal Information to a third country, if applicable) unless required to do so by Applicable Data Protection Law. In those circumstances, Processor shall inform Seller of that legal requirement before processing, unless that law prohibits that information on important grounds of public interest.
  2. Use of Sub-Processor

  1. Processor reserves the right to maintain its Sub-Processor list through means such as publication of its Sub-Processor list online and also update it accordingly. Under Section 1.2(b) of this GDPR Schedule, Seller provides authorization for Processor to engage with those Sub-Processors. Processor currently engages the Sub-Processors listed in Exhibit 3 to this DPA.

  2. Processor shall inform Seller of any intended changes concerning the addition or replacement of other Sub-Processors to give Seller the reasonable opportunity to object to those changes. In the event Seller objects to Processor’s change or addition of Sub-Processor, Seller shall promptly notify Processor of its objections in writing within 10 business days after receipt of Processor’s notice of that change or addition.

  3. Processor may, at its option, undertake reasonable efforts to make available to Seller a change in CBHelp Services or recommend a commercially reasonable change to Seller’s configuration or use of CBHelp Services to avoid Processing of Seller Personal Information by the objected-to new Sub-Processor. If Processor is unable to make available that change within a reasonable period, which shall not exceed 30 days, Seller may terminate the Agreement with respect to only those aspects of CBHelp Services that cannot be provided by Processor without the use of the objected-to new Sub-Processor by providing written notice to Processor.

  1. Data Protection Impact Assessments and Prior Consultation with Regulator
  1. Processor shall immediately inform Seller if, in Processor’s opinion, Seller’s instructions would be in breach of Applicable Data Protection Law. Seller acknowledges that Processor is not required to take actions designed to form any such opinion.
  2. Processor shall provide reasonable assistance to Seller with any legally required (a) data protection impact assessments; and (b) prior consultations initiated by the Seller with its regulator in connection with those data protection impact assessments. That assistance shall be strictly limited to the Processing of Seller Personal Information by Processor on Seller’s behalf under the Agreement taking into account the nature of the Processing and information available to Processor.
  1. Demonstrating Compliance with this DPA
  1. Processor shall make available to Seller information necessary to demonstrate compliance with its obligations under this DPA and allow for (and contribute to) audits, including inspections conducted by Seller or another auditor under the instruction of the Seller for the same purposes of demonstrating compliance with the obligations set out in this DPA.
  2. Seller’s right under Section 3.1 of this GDPR Schedule is subject to the following:

  1. If requested by Seller, on no more often than an annual basis during the term of the Agreement, CBHelp shall (i) provide Seller with a copy of the result of its annual SOC 2, Type II audit within a reasonable period after receiving the report from its auditor; and (ii) provide Seller with a copy of the Attestation of Compliance resulting from its annual PCI audit within a reasonable period after receiving the report from its Qualified Security Assessor.

To the extent that Processor can demonstrate compliance with its obligations set out in this DPA by adhering to an approved code of conduct, by obtaining an approved certification, or by providing Seller with an audit report issued by an independent third-party auditor (on condition that Seller shall comply with appropriate confidentiality obligations as set out in the Agreement and shall not use that audit report for any other purpose), Seller shall not conduct an audit or inspection under Section 3.1 above.

  1. Cross-Border Transfers
  1. Processor shall comply with Seller’s documented instructions concerning the Transfer of Seller Personal Information to a third country.
  2. The Processor shall only Transfer any Seller Personal Information outside the European Economic Area (“EEA“), the UK, or Switzerland in compliance with the Applicable Data Protection Law.
  3. Seller acknowledges that Processor transfers and stores certain Seller Personal Information (relating to individuals located in the EEA, Switzerland, or the UK) in the United States.
  4. Transfers subject to the GDPR or Swiss DP Laws. Module 2 (controller to processor) of the EEA Standard Contractual Clauses shall apply with respect to any Transfer of Seller Personal Information from the EEA or Switzerland to CBHelp and any of its affiliated entities in the United States or other third countries (“CBHelp Entities“). The parties acknowledge that Module 2 (controller to processor) of the EEA Standard Contractual Clauses is incorporated by reference and:

  1. Seller and any of its commonly owned or controlled affiliates that have signed an Agreement for CBHelp Products and Services (“Seller Entities“) shall be deemed to be “data exporters” and the CBHelp Entities shall be the “data importer;”

  2. Clause 7 — Docking clause applies;

  3. Clause 9 — Use of subprocessors Option 2 applies and the “time period” is 10 business days;

  4. Clause 11(a) — Redress the optional language does not apply;

  5. Clause 13(a) — Supervision

  1. Where the data exporter is established in an EU Member State the following shall apply: “The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority;

  2. Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of the GDPR the following shall apply: “The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority;

  3. Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of the GDPR, the following shall apply: “The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority;

  1. Clause 17 — Governing law Option 1 applies and the “Member State” is Romania;

  2. Clause 18 — Choice of forum and jurisdiction the Member State is Romania; and

  3. the information in Exhibit 1 (Table 1) of this GDPR Schedule is incorporated into Annexes 1, 2, and 3 of the EEA Standard Contractual Clauses.

  1. Transfers subject to the UK GDPR. The UK C2P SCCs shall apply with respect to any Transfer of Seller Personal Information from the UK to CBHelp Entities. The parties acknowledge that:

  1. the UK C2P SCCs are incorporated by reference;

  2. the Seller Entities will be deemed to be “data exporters” and the CBHelp Entities will be the “data importer;”

  3. The information in Exhibit 1 (Table 2) of this GDPR Schedule is incorporated into Appendices 1 and 2 of the UK C2P SCCs; and

  4. If and when the UK government or the Information Commissioner approves the use of the EEA Standard Contractual Clauses for the purposes of the UK GDPR, the EEA Standard Contractual Clauses shall instead apply as provided for under Section 4.5 (Transfers subject to the GDPR or Swiss DP Laws) above (but shall be deemed to incorporate any modifications required under the UK GDPR or recommended by the Information Commissioner, and the competent supervisory authority is the UK Information Commissioner’s Office and the governing law is England & Wales).

  1. If there is any conflict or inconsistency between a term in the body of this DPA, an Agreement, and a term in Module 2 (controller to processor) of the EEA Standard Contractual Clauses (or, as applicable, the UK C2P SCCs), incorporated into this DPA, the term in Module 2 (controller to processor) of the EEA Standard Contractual Clauses (or, as applicable, the UK C2P SCCs) shall take precedence.

Exhibit 1

Information Required for the EEA and UK Standard Contractual Clauses

Table 1

Information to be incorporated into the EEA Standard Contractual Clauses

Annex I A. List of Parties

Data EXPORTER identity and contact details

Name

Seller Entities

Address

To be provided on request

Contact person’s name, position and contact details:

To be provided on request

Activities relevant to the data transferred under these Clauses:

As set out in the table in Exhibit 2 under “Nature and Purpose of the Processing.”

Role (controller/processor):

Controller

Data IMPORTER identity and contact details

Name

CBHelp Entities

Address

7360 El Camino Real, Suite A

Atascadero, California 93422

U.S.A.

Contact person’s name, position and contact details:

privacy@chargebackhelp.com

Activities relevant to the data transferred under these Clauses:

As set out in the table in Exhibit 2 under “Nature and Purpose of the Processing.”

Role (controller/processor):

Processor

Annex I B. Description of Transfer

Categories of data subjects whose personal data is transferred

As set out in the table in Exhibit 2 under “Categories of Data Subjects.”

Categories of personal data transferred

As set out in the table in Exhibit 2 under “Types of Personal Information.”

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

Not Applicable

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous

Nature of the processing

As set out in the table in Exhibit 2 under “Nature and Purpose of the Processing.”

Purpose(s) of the data transfer and further processing

As set out in the table in Exhibit 2 under “Nature and Purpose of the Processing.”

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Personal data will be retained under CBHelp’s retention policies, for only as long as is required to meet CBHelp’s legal, regulatory, and operational requirements and as necessary to perform services.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

As set out in the table in Exhibit 2 under “Nature and Purpose of the Processing.”

Annex I C. Competent Supervisory Authority

Competent supervisory authority/ies

To be provided by the data exporter on request.

Annex II Technical and Organisational Measures Including Technical and Organisational Measures to Ensure the Security of The Data

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

As set out in Table 2 of this Exhibit 1 under “Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached).”

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter

In respect of Transaction Services: initiatives, products, processes, and supporting technology are assessed from a data privacy perspective, allowing CBHelp to embed privacy controls to mitigate risks at early stages (privacy by design). CBHelp has a robust privacy risk assessment framework, embedding this process in our change vehicles across the business, to ensure that both new and changed personal data processing activities are reviewed. Where Customer requires specific assistance, it may submit those requests for assistance to privacy@chargebackhelp.com.

Annex III List of Sub-Processors

The controller has authorised the use of the following sub-processors:

As set out in Exhibit 3 of this DPA.

Table 2

Information to be incorporated in the UK C2P SCCs

Information to be incorporated into Appendix 1 of the UK C2P SCCs

Category of Information Required by Appendix 1 of the UK C2P SCCs

Information agreed by the parties

Data Exporter

Seller Entities

Data Importer

CBHelp Entities

Data Subjects

As set out in the table in Exhibit 2 under “Categories of Data Subjects.”

Categories of Data

As set out in the table in Exhibit 2 under “Types of Personal Information.”

Special Categories of Data

Not Applicable

Processing Operations

As set out in the table in Exhibit 2 under “Nature and Purpose of the Processing.”

Information to be incorporated into Appendix 2 of the C2P Standard Contractual Clauses

Category of Information Required by Appendix 1 of the C2P Standard Contractual Clauses

Information agreed by the parties

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached)

CBHelp is certified as compliant with all standards established by the Payment Card Industry Data Security Standards (together with any successor organization to it, “PCI DSS“) that are applicable to CBHelp and its affiliates (those standards, “PCI Standards“). As evidence of compliance, CBHelp will provide its current Attestation of Compliance signed by a Payment Card Industry Qualified Security Assessor on Seller’s written request.

CBHelp maintains and enforces commercially reasonable information security and physical security policies, procedures, and standards, that are designed (i) to insure the security and confidentiality of Seller’s records and information, (ii) to protect against any anticipated threats or hazards to the security or integrity of those records, and (iii) to protect against unauthorized access to or use of those records or information that could result in substantial harm (“CBHelp Information Security Program“). At a minimum, the CBHelp Information Security Program is designed to align with the standards set out in ISO 27002 published by the International Organization for Standardization, as well as any revisions, versions, or other standards or objectives that supersede or replace the foregoing.

CBHelp engages its independent certified public accountants to conduct a review of CBHelp’s operations and procedures at CBHelp’s cost. The accountants conduct the review under the American Institute of Certified Public Accounts Statement on Standards for Attestation Engagements No. 18 SOC I Type II (“SSAE 18“) and record their findings and recommendations in a report to CBHelp. On request, and subject to standard confidentiality obligations, CBHelp will provide its most recent SSAE 18, and, in CBHelp’s reasonable discretion, additional information reasonably requested to address questions or concerns regarding the SSAE 18’s findings.

Exhibit 2

Details of Processing Seller Personal Information

Service

Nature and purpose of the processing

Types of personal information

Categories of data subjects to whom the personal information relates to

Order Insight

Issuers access detailed transaction information from Sellers via a global data-sharing network to prevent disputes at first Consumer inquiry.

Consumers access and view detailed transaction information from Sellers via Issuers in the Issuer mobile app or online banking website for the Consumer, to prevent disputes at first Consumer inquiry.

CBHelp transfers (according to the instructions of the Controller) Seller Personal Information to issuing banks, payment processors providing services on behalf of acquiring banks, credit/debit card companies, or service providers providing the Order Insight service used by Sellers.

If the Seller opts to use the Order Insight service, CBHelp will use required transaction information, including, without limitation, transaction information and order detail information necessary for Processing the Order Insight request with the issuer.

Further detail is included in the applicable Services Documentation provided at the time of implementation of the Service.

Seller’s employees, agents, advisors, or representatives; or

Consumers.

CDRN

CDRN allows Sellers to actively process non-fraud and confirmed fraud pre-dispute cases with a refund or cancellation avoiding a Dispute.

If the Seller opts to use CDRN, CBHelp will use required transaction information, including, without limitation, transaction information and order detail information necessary for Processing the Seller’s decisioning as it relates to a pre-dispute case to Issuer.

Further detail is included in the applicable Services Documentation provided at the time of implementation of the Service.

Seller’s employees, agents, advisors, or representatives; or

Consumers.

RDR (Rapid Dispute Resolution)

RDR allows Sellers to process non-fraud and confirmed fraud pre-dispute with an acquirer-initiated funds reversal based on the rules set by Sellers.

If the Seller opts to use RDR, CBHelp will use required transaction information, including, without limitation, transaction information and order detail information necessary for Processing the Sellers automatic rules as it relates to a Dispute to Issuer.

Further detail is included in the applicable Services Documentation provided at the time of implementation of the Service.

Seller’s employees, agents, advisors, or representatives; or

Consumers.

Fraud and Dispute Notices

Fraud and Dispute Notices provides a Seller with direct delivery of fraud and dispute notifications to reduce payment risk.

If the Seller opts to use the Fraud and Dispute Notices service, CBHelp will use required transaction information, to provide real-time, transaction level notification, to enhance and inform fraud detection and modeling to the Seller. Sellers can also stop order fulfillment/shipment when possible.

Further detail is included in the applicable Services Documentation provided at the time of implementation of the Service.

Seller’s employees, agents, advisors, or representatives; or

Consumers.

Dispute Representment

Dispute Representment provides a Seller with managed chargeback representment services.

Seller Personal Information as required by CBHelp and the Card Association in the operation and delivery of the service is used to represent disputes on the Seller’s behalf, based on instructions of the Seller (the Controller).

If Seller opts to use Dispute Representment, CBHelp may use Data Subjects’ cardholder and transaction information as a part of Processing a Dispute under the Card Association rules.

Further detail is included in the applicable Services Documentation provided at the time of implementation of the Service.

Seller’s employees, agents, advisors, or representatives; or

Consumers.

Ethoca Alerts

CBHelp performs monitoring, reporting, data analysis, and data aggregation for the purpose of providing Alerts.

If Seller opts to use Ethoca Alerts, the type of Personal Data being processed includes transaction-related information, such as card or account number, transaction amount, transaction date and time, and merchant identifier and the type of Personal Data listed in the agreement.

Seller’s employees, agents, advisors, or representatives; or

Consumers.

Consumer Clarity Solution

The facilitation of the transfer of Consumer Clarity Data by Ethoca to Participating Issuers / Cardholders for purposes of answering Cardholder queries in respect of Identified Transactions or the investigation of Identified Transactions to confirm whether they are in fact fraudulent or to resolve disputes (and any other purposes as set out in the agreement or as agreed in writing between the parties from time to time).

If Seller opts to use Consumer Clarity Solution, the type of Personal Data being processed includes, without limitation, the following pieces of information in respect of Identified Transactions (which alone, or in combination, may constitute Personal Data):

  • Cardholder name;
  • Cardholder address;
  • Information contained in a Digital Receipt;
  • History of the account;
  • Transaction amount;
  • Transaction date/time; and
  • Names of products purchased in the transaction.

Seller’s employees, agents, advisors, or representatives; or

Consumers.

Exhibit 3

List of Sub-Processors

Company

Functions Performed

Location

Applicable Service

Verifi, Inc.

Service Provider

U.S.A.

Order Insight

CDRN

RDR

Fraud and Dispute Notices

Dispute Representment

Ethoca Limited

Service Provider

Canada

Ethoca Alerts

Consumer Clarity Solution