Seller Data Processing Agreement

Last updated: December 18, 2024
This seller data processing agreement (“DPA”) is an agreement between you and the entity you represent or have the authority to bind that entity to this DPA (the “Seller” or “you”), and Chargebackhelp, LLC, a California limited liability company (“CBH”). This DPA forms part of any written or electronic agreement between you and CBH under which CBH Processes Personal Information for you (each, an “Agreement”), except regarding any Agreement under which you and CBH have entered into data processing terms that address the subject matter of this DPA. Capitalized terms used but not defined in this DPA will have the meanings given to them in the Agreement.
  1. Processing of Seller Personal Information.
    • Processor Designation. The parties acknowledge that CBH Processes for the Seller, Personal Information to provide the Services, which Processing may include, for example, the Processing detailed on the Details of Processing Seller Personal Information set out in exhibit 2, and that CBH is a “processor” or “service provider” under Data Protection Law acting on the Seller’s instructions (referred to as the “Processor” for purposes of this DPA).
    • Authorization to Process. The Processor shall Process the Seller Personal Information for the Seller to provide the Services, and the Processor may Process the Seller Personal Information solely in connection with the applicable Agreement, including, without limitation, any statement of works, exhibits, and schedules, to provide the Services, and any Processing required under law or regulation.
  2. Seller Obligations.
    • The Seller shall provide its Data Subjects with all privacy notices, information, and any necessary choices and shall obtain any necessary consents to allow CBH to comply with Data Protection Law.
    • Where required by Data Protection Law, the Seller shall promptly inform the Processor when the Seller Personal Information needs to be corrected, updated, or deleted.
    • The Seller shall ensure that at the point of transferring the Seller Personal Information to the Processor, the Seller Personal Information is adequate, relevant, and limited to what is necessary for the Processing contemplated under the Agreement and this DPA.
    • The Seller shall comply (and, as applicable, shall cause its third-party auditors to comply) with the Processor’s relevant security policies and appropriate confidentiality obligations as set out in the Agreement.
  3. CBH Obligations.
    • Data Protection Law. If necessary to enable the Seller to comply with its obligations under Data Protection Law, CBH shall comply with the application provisions of the GDPR schedule (other than when acting in accordance with section 1.2 of this DPA) and the CCPA schedule, as applicable.
  • Data Subject Rights. The Processor shall, to the extent legally permitted, provide reasonable assistance to the Seller to respond to requests from Data Subjects to exercise their rights under Data Protection Law (e.g., rights to access or delete Personal Information) in a manner that is consistent with the nature and functionality of the Services. If CBH receives any such request, it shall promptly (but in any event no later than five business days after CBH receives that request) notify the Seller, and the Seller is responsible for handling those requests by a Data Subject in accordance with Data Protection Law.
  • Engaging with Sub-Processors. The Processor shall ensure that when engaging with another data processor (a “Sub-Processor”) for the purposes of carrying out specific Processing activities for the Seller, there is an agreement between the Processor and the relevant Sub-Processor that provides at least the same level of protection for the Seller Personal Information as set out in this DPA.
  • The Processor shall ensure that persons authorized to Process the Seller Personal Information are under an appropriate obligation of confidentiality in accordance with laws or regulations governing it.
  • Security of Processing. Taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of Processing, and the risk to the rights and freedoms of natural persons, the Processor shall implement technical and organizational measures to ensure a level of security appropriate to that risk. In assessing the appropriate level of security, the Processor shall, in particular, take into account the risks that are presented by the Processing, in particular from unauthorized or unlawful Processing, accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Seller Personal Information transmitted, stored, or otherwise Processed. The Processor shall provide reasonable assistance to the Seller in ensuring the Seller meets its own compliance obligations for these same security measures.
  • PCI Compliance. The Processor shall ensure that its storage, processing, and transmission of any payment instrument data comply with the Payment Card Industry (PCI) Security Standard. The Processor shall regularly validate its compliance in accordance with its status as a Service Provider (as defined in the PCI Security Standard). On the Seller’s request, CBH shall provide the Seller with written confirmation of its PCI compliance status.
  • Security Breach.
    • In the event of an actual Security Breach affecting the Seller Personal Information contained in the Processor’s systems, the Processor shall (1) investigate the circumstances, extent, and causes of the Security Breach and report the results to the Seller and continue to keep the Seller informed on a regular basis of the progress of the Processor’s investigation until the issue has been effectively resolved, and (2) cooperate with the Seller in any legally required notification by the Seller to affected Data Subjects. The obligations in this section 3.7(a) do not apply to Security Breaches caused by the Seller or the Seller’s Data Subjects.
  • The Processor shall promptly (but in any event no later than 72 hours) notify the Seller on the Processor or any Sub-Processor becoming aware of an actual Security Breach affecting the Seller Personal Information, providing the Seller with sufficient information and reasonable assistance to allow the Seller to meet its obligations under Data Protection Law to (1) notify a Supervisory Authority (as defined under Data Protection Law) of the Security Breach, and (2) communicate the Security Breach to the relevant Data Subjects.
  • Except as required by law or regulation, the Processor shall not make (nor permit any third party to make) any statement concerning the Security Breach that directly or indirectly references the Seller, unless the Seller provides its written authorization.
  • Deletion and Retention. The Processor shall delete all Seller Personal Information on termination of the Processor retention period unless storage is required by law.
  1. The terms of this DPA will apply only to the extent required by Data Protection Law. To the extent not inconsistent with this DPA, the applicable provisions of the Agreement (including without limitation, indemnifications, limitations of liability, enforcement, and interpretation) will apply to this DPA. In the event of any conflict between this DPA and the terms of an applicable Agreement, the terms of this DPA will prevail solely regarding data processing terms where required by Data Protection Law, and, in all other respects, the terms of the applicable Agreement will prevail. This DPA does not apply to any data or information that does not relate to one or more identifiable individuals, which has been aggregated or de-identified in accordance with Data Protection Law, or to the extent that you and the Processor have entered separate data processing terms that address the subject matter of this DPA.
  2. Unless otherwise defined in the Agreement (including this DPA), all terms in this DPA will have the definitions given to them in Data Protection Law.
“Data Protection Law” means any law or regulation pertaining to data protection, privacy, or the Processing of Personal Information, to the extent applicable for a party’s obligations under the Agreement and this DPA. This includes, but is not limited to, the General Data Protection Regulation (Regulation (EU) 2016/679 (the “GDPR”)), UK Data Protection Laws, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and their implementing regulations (the “CCPA”), Swiss DP Laws, and any associated regulations or any other legislation or regulations that transpose or supersede the above.
“EEA Standard Contractual Clauses” means the Standard Contractual Clauses set out in the European Implementing Decision (EU) 2021/914 on standard contractual clauses for the transfer of personal data to third countries under Regulation (EU) 2016/679, as amended or replaced on one or more occasions by a competent authority under the Data Protection Law, including the Swiss amendments to the EU Standard Contractual Clauses required by the Swiss Federal Data Protection Information Commissioner (the “Swiss Addendum”) to the extent applicable.
“Personal Information” means all data or information, in any form or format, that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer (“Data Subject”) or household or that is regulated as “personal data,” “personal information,” or otherwise under Data Protection Law. This includes any information relating to a Data Subject as defined in the Agreement and data relating to legal entities to the extent they are protected under Swiss DP Laws. This also includes any information relating to an end user.
“Process” or “Processed” or “Processing” means any operation or set of operations that is performed on Personal Information, whether or not by automatic means, such as access, collection, recording, organization, storage, adaptation or alteration, retrieval, disclosure or otherwise making available, duplication, transmission, combination, blocking, redaction, erasure, or destruction.
“Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information. A Security Breach includes a “personal data breach” (as defined in the GDPR), a “breach of security of a system” or similar term (as defined in any other privacy laws), and any other event that compromises the security, confidentiality, or integrity of Personal Information.
“Swiss DP Laws” means the Federal Act on Data Protection of June 19, 1992 (as updated, amended, and replaced on one or more occasions), including all implementing ordinances. In this DPA, in circumstances where and solely to the extent that the Swiss DP Laws apply, references to the GDPR and its provisions will be construed as references to the Swiss DP Laws and their corresponding provisions.
“Transfer” means to transmit or otherwise make the Seller Personal Information available across national borders in circumstances that are restricted by Data Protection Law.
“UK Data Protection Laws” means the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (the “UK GDPR”), together with the Data Protection Act 2018, the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 and other data protection or privacy legislation in force on one or more occasions in the United Kingdom. In this DPA, in circumstances where and solely to the extent that the UK GDPR applies, references to the GDPR and its provisions will be construed as references to the UK GDPR and its corresponding provisions.
“UK IDTA” means the International Data Transfer Addendum to the EEA Standard Contractual Clauses issued by the UK Information Commissioner under section 119A(1) Data Protection Act 2018.

Schedule A

California Consumer Privacy Act

This schedule A applies in addition to any terms set out in the body of the DPA when the CCPA applies to your use of the Services.
    • This schedule A is applicable solely to the extent that any Personal Information Processed by CBH while performing the Services is subject to the CCPA. Despite anything else to the contrary, this schedule A does not apply to any information that is collected, processed, sold, or disclosed by the parties subject to the Gramm Leach Bliley Act (“GLBA”).
    • Capitalized terms used but not defined in this schedule A will have the meanings assigned to those terms in the Agreement or, if not defined in the Agreement, in the CCPA. In the event of a conflict between this schedule A and the Agreement, this schedule A will prevail, to the extent necessary to ensure compliance with the CCPA.
  1. Data Privacy Roles and Obligations.
    • For purposes of this schedule A, for Personal Information that CBH processes for the Seller under the Agreement that is not processed under the GLBA, (1) the Seller acts as a Business as defined under the CCPA, and (2) CBH acts as a Service Provider as defined under the CCPA.
    • CBH is not acting as a Third Party, nor is CBH providing Cross-Contextual Behavioral Advertising under this schedule A. If the Seller seeks to use CBH for those services, the parties shall agree to a separate schedule with the required clauses and obligations, as required in the CCPA, as described in California Civil Code § 1798.145(d).
    • Each party shall comply with its obligations under the CCPA for any Personal Information Processed under this schedule A. The Seller’s use of the Services must not violate the rights of any Consumer, including those that have opted out from sales or other disclosures of Personal Information to the extent applicable under the CCPA.
  2. CBH Obligations.
    • In its role as a Service Provider, CBH:
      • shall protect and secure Personal Information in accordance with the CCPA and shall provide the same level of privacy protection as is required by the CCPA;
      • shall Process Personal Information only for the specific business purposes set out in the Agreement;
      • except as permitted by the CCPA, shall not sell or share Personal Information or retain, use, or disclose Personal Information (1) for any purpose other than as necessary to fulfill the business purposes set out in the Agreement, including retaining, using, or disclosing Personal Information for a commercial purpose other than the business purpose set out in the Agreement, or (2) outside of the direct business relationship between CBH and the Seller;
  • shall not combine the Personal Information with Personal Information that it receives from or for any other persons or entities or collects from its own interaction with an individual, except as otherwise permitted by the CCPA;
  • shall implement reasonable security procedures and practices, appropriate to the nature of the Personal Information, to protect the Personal Information from unauthorized or illegal access, destruction, use, modification, or disclosure;
  • shall promptly notify the Seller of any material changes in CBH’s ability to meet its obligations under the CCPA, including but not limited to any determination that CBH can no longer meet its obligations under this schedule A;
  • shall ensure that CBH’s agreement with any sub-processors used to Process Personal Information complies with the CCPA, including, without limitation, the contractual requirements for Service Providers and Contractors;
  • shall provide reasonable cooperation to the Seller, on request, to enable the Seller to comply with consumer requests made under the CCPA;
  • grants the Seller the right to take reasonable and appropriate steps in accordance with the Agreement to ensure that CBH uses Personal Information in a manner consistent with the Seller’s obligations under the CCPA;
  • grants the Seller the right, upon notice and in accordance with the Agreement, to take reasonable and appropriate steps to stop and remediate CBH’s unauthorized use of Personal Information; and
  • certifies that it understands its obligations, including restrictions, imposed on it by the CCPA regarding Personal Information and will comply with them.
  • Despite section 3.1 of this schedule A, CBH may retain, use, or disclose Personal Information as permitted under the CCPA, including:
    • to retain and employ another Service Provider or Contractor as a subcontractor in accordance with section 3.1(g) of this schedule A and any other applicable terms of the Agreement where the subcontractor meets the requirements for a Service Provider or Contractor under CCPA;
    • for its internal use to build or improve the quality of the Services, on condition that CBH does not use the Personal Information to perform services for another person;
    • to prevent, detect, or investigate data security incidents or protect against malicious, deceptive, fraudulent, or illegal activity;
    • for the purposes enumerated in California Civil Code § 1798.145(a)(1)–(7); or
    • for any other purpose contemplated or permitted by the CCPA or other law.

Schedule B

General Data Protection Regulation, UK GDPR, and Swiss DP Laws

This schedule B applies in addition to any terms set out in the body of the DPA when the GDPR, UK GDPR, or Swiss DP Laws apply to your use of the Services. Capitalized terms not defined in this schedule B will have the meaning assigned to them under the DPA. If there are any conflicts between this schedule B and the DPA, this schedule B will prevail.
  1. Processor Obligations.
    • Processing of Seller Personal Information. CBH shall Process the Seller Personal Information only in accordance with documented reasonable instructions from the Seller (including instructions regarding transfers of the Seller Personal Information to a third country, if applicable) unless required to do so by Data Protection Law. In those circumstances, the Processor shall inform the Seller of that legal requirement before processing, unless that law prohibits that information on important grounds of public interest.
    • Use of Sub-Processor.
      • The Processor may maintain its Sub-Processor list through means such as publication of its Sub-Processor list online and also update it accordingly. In accordance with section 1.2(b) of this schedule B, the Processor may engage with those Sub-Processors. The Seller acknowledges that the Processor currently engages the Sub-Processors listed in exhibit 3 of this DPA.
      • The Processor shall inform the Seller of any intended changes concerning the addition or replacement of other Sub-Processors to give the Seller the reasonable opportunity to object to those changes. If the Seller objects to the Processor’s change or addition of a Sub-Processor, the Seller shall promptly notify the Processor of its objections in writing within ten business days after receipt of the Processor’s notice of that change or addition.
      • The Processor may undertake reasonable efforts to make available to the Seller a change in the Services or recommend a commercially reasonable change to the Seller’s configuration or use of the Services to avoid the Processing of the Seller Personal Information by the objected-to new Sub-Processor. If the Processor cannot make available that change within a reasonable period, which must not exceed 30 days, the Seller may terminate the Agreement as to only those aspects of the Services that cannot be provided by the Processor without using the objected-to new Sub-Processor by notifying the Processor.
  1. Data Protection Impact Assessments and Prior Consultation with Regulator.
    • The Processor shall promptly inform the Seller if, in the Processor’s opinion, the Seller’s instructions would be in breach of Data Protection Law. The Seller acknowledges that the Processor is not required to take actions designed to form any such opinion.
    • The Processor shall provide reasonable assistance to the Seller with any legally required (1) data protection impact assessments, and (2) prior consultations initiated by the Seller with its regulator in connection with those data protection impact assessments. That assistance will be limited to the Processing of the Seller Personal Information by the Processor for the Seller under the Agreement taking into account the nature of the Processing and information available to the Processor.
  2. Demonstrating Compliance with this DPA.
    • The Processor shall make available to the Seller all information necessary to demonstrate compliance with its obligations under this DPA and allow for (and contribute to) audits, including inspections conducted by the Seller or another auditor under the instruction of the Seller for the same purposes of demonstrating compliance with the obligations set out in this DPA.
    • The Seller’s right under section 3.1 of this schedule B is subject to the following:
      • If requested by the Seller, no more than once annually during the term of the Agreement, CBH shall provide the Seller with a copy of the Attestation of Compliance resulting from its annual PCI audit within a reasonable period after receiving the report from its Qualified Security Assessor.
      • If the Processor can demonstrate compliance with its obligations set out in this DPA by adhering to an approved code of conduct, by obtaining an approved certification, or by providing the Seller with an audit report issued by an independent third-party auditor (on condition that the Seller shall comply with appropriate confidentiality obligations as set out in the Agreement and shall not use that audit report for any other purpose), the Seller shall not conduct an audit or inspection under section 3.1 of this schedule B.
  1. Cross-Border Transfers.
    • The Processor shall comply with the Seller’s documented instructions concerning the Transfer of the Seller Personal Information to a third country.
    • The Processor shall only Transfer any Seller Personal Information outside the European Economic Area (“EEA”), the UK, or Switzerland in compliance with Data Protection Law.
    • The Seller acknowledges that the Processor transfers and stores certain Seller Personal Information (including relating to individuals located in the EEA, Switzerland, and the UK) in the United States.
    • Transfers Subject to the GDPR, UK GDPR, or Swiss DP Laws. Module 2 (transfer controller to processor) of the EEA Standard Contractual Clauses applies to any Transfer of the Seller Personal Information from the EEA, UK, or Switzerland to CBH and any of its affiliated entities in the United States or other third countries (the “CBH Entities”). Module 2 (transfer controller to processor) of the EEA Standard Contractual Clauses is incorporated by reference, and:
 
  • the Seller and any of its commonly owned or controlled affiliates (the “Seller Entities”) that have signed an Agreement for the Services will be deemed to be “data exporters,” and the CBH Entities will be the “data importers;”
  • clause 7 — Docking clause applies;
  • clause 9 — Use of Subprocessor, option 2 applies, and the “time period” is ten business days;
  • clause 11(a) — Redress, the optional language does not apply;
  • clause 13(a) — Supervision
    • If the data exporter is established in an EU Member State, the following will apply: “The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority;”
    • if the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with article 3(2) and has appointed a representative under article 27(1) of the GDPR, the following will apply: “The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority;”
    • if the data exporter is not established in an EU Member State but falls within the territorial scope of application of the GDPR as defined in article 3(2), and is not required to appoint a representative under article 27(2) of the GDPR, the following will apply: “The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority;”
  • clause 17 — Governing law, option 1 applies, and the “Member State” is Bulgaria;
  • clause 18 — Choice of forum and jurisdiction, the “Member State” is Bulgaria; and
  • the information in exhibit 1 of this schedule B is incorporated into annexes 1, 2, and 3 of the EEA Standard Contractual Clauses.
  • Transfers Subject to the UK GDPR. If the Transfer is subject to the UK GDPR, the EEA Standard Contractual Clauses and section 4.4 of this schedule B will be read in accordance with, and deemed amended by, the provisions of part 2 (Mandatory Clauses) of the UK IDTA. For the purposes of table 4 in part 1 (Tables) of the UK IDTA, the parties select the “neither party” option. Otherwise, the parties acknowledge that the information required for the purposes of part 1 (Tables) of the UK IDTA is set out in exhibit 1.
  • If there is any conflict or inconsistency between a term in the body of this DPA, an Agreement, and a term in module 2 (Transfer controller to processor) of the EEA Standard Contractual Clauses, the term in module 2 (Transfer controller to processor) of the EEA Standard Contractual Clauses will prevail.
  • Transfers Subject to Swiss DP Laws. If the Transfer is subject to the Swiss DP Laws, the EEA Standard Contractual Clauses and section 4.4 of this schedule B will be read in accordance with this section 4.7. If the Swiss DP Laws are applicable to a data export under the EEA Standard Contractual Clauses set out in this DPA, the following amendments to the EEA Standard Contractual Clauses and section 4.4 of this schedule B will apply:
    • the term “Member State” according to clause 18(c) of the EEA Standard Contractual Clauses must not be interpreted in a way that data subjects in Switzerland are excluded from exercising their rights, if any, at their place of habitual residence;
    • the supervisory authority under clause 13 of the EEA Standard Contractual Clauses is the Swiss Federal Data Protection and Information Commissioner;
    • the law applicable to the EEA Standard Contractual Clauses under clause 17 of the EEA Standard Contractual Clauses will be Swiss DP Laws;
    • the place of jurisdiction under clause 18(b) of the EEA Standard Contractual Clauses will be the courts located in the city of Zurich; and
    • where the EEA Standard Contractual Clauses include references to the GDPR, those references will be understood as references to the Swiss DP Laws.

Exhibit 1

Information Required for the EEA Standard Contractual Clauses, the UK IDTA, and Swiss DP Laws
Annex I A. List of Parties
Data EXPORTER identity and contact details
Name: Reseller Entities
Address: To be provided on request
Contact person’s name, position and contact details: To be provided on request
Activities relevant to the data transferred under these Clauses: As set out in the table in exhibit 2 under “Nature and Purpose of the Processing.”
Role (controller/processor): Processor
Data IMPORTER identity and contact details
Name: CBH Entities
Address: 7360 El Camino Real, Suite A, Atascadero, CA 93422, USA
Contact person’s name, position and contact details: privacy@chargebackhelp.com
Activities relevant to the data transferred under these Clauses: As set out in the table in exhibit 2 under “Nature and Purpose of the Processing.”
Role (controller/processor): Processor
Annex I B. Description of Transfer
Categories of data subjects whose personal data is transferred: As set out in the table in exhibit 2 under “Categories of Data Subjects.”
Categories of personal data transferred: As set out in the table in exhibit 2 under “Types of Personal Information.”
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: Not Applicable
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous
Nature of the processing: As set out in the table in exhibit 2 under “Nature and Purpose of the Processing.”
Purpose(s) of the data transfer and further processing: As set out in the table in exhibit 2 under “Nature and Purpose of the Processing.”
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Personal data will be retained in accordance with CBH’s retention policies, for only as long as is required to meet CBH’s legal, regulatory, and operational requirements and as necessary to perform services.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: As set out in the table in exhibit 2 under “Nature and Purpose of the Processing.”
Annex I C. Competent Supervisory Authority
Competent supervisory authority/ies: To be provided by the data exporter on request.
Annex II Technical and Organisational Measures Including Technical and Organisational Measures to Ensure the Security of The Data
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons. CBH is certified as compliant with all standards established by the Payment Card Industry Data Security Standards (“PCI DSS”) that are applicable to CBH and its affiliates (those standards, the “PCI Standards”). As evidence of compliance, CBH will provide its current Attestation of Compliance signed by a Payment Card Industry Qualified Security Assessor on the Reseller’s written request. CBH maintains and enforces commercially reasonable information security and physical security policies, procedures, and standards (the “CBH Information Security Program”) that are designed to (1) ensure the security and confidentiality of the Reseller’s records and information, (2) protect against any anticipated threats or hazards to the security or integrity of those records, and (3) protect against unauthorized access to or use of those records orinformation that could result in substantial harm. At a minimum, the CBH Information Security
Program aligns with the standards set out in ISO 27002 published by the International Organization for Standardization, including any revisions, updates, or successor standards that supersede or replace it.
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter Initiatives, products, processes, and supporting technology are assessed from a data privacy perspective, enabling CBH to embed privacy controls and mitigate risks at early stages (privacy by design). CBH maintains a robust privacy risk assessment framework, including privacy impact assessments, which is integrated into its change management processes to ensure that new and modified personal data processing activities are reviewed. Customers requiring specific assistance may submit their requests to privacy@chargebackhelp.com.
Annex III

List of Sub-Processors
The controller has authorised the use of the following sub-processors:
As set out in exhibit 3 of this DPA.
               

Exhibit 2

Details of Processing Participating Seller Personal Information
Order Insight
  • Nature and purpose of the processing: CBH facilitates the transfer of required transaction information to Verifi, acting as a sub-sub-processor. Verifi processes the information to provide detailed transaction data to issuing banks and Consumers, as instructed by the Controller, to prevent disputes at the first inquiry.
  • Types of personal information: If the Participating Seller opts to use the Order Insight service, CBH will facilitate the transfer of required transaction information to Verifi, acting as a sub-sub-processor. Verifi will process the transaction information, including order details, as necessary to fulfill the Order Insight request with the issuer. Further details are provided in the applicable service documentation at the time of implementation of the Service.
  • Categories of data subjects to whom the personal information relates to: Participating Seller’s employees, agents, advisors, or representatives; Consumers.

CDRN
  • Nature and purpose of the processing: CBH facilitates the transfer of required transaction information to Verifi, acting as a sub-sub-processor. Verifi processes the data to allow Participating Sellers to resolve non-fraud and confirmed fraud pre-dispute cases with refunds or cancellations, thereby avoiding disputes.
  • Types of personal information: If the Participating Seller opts to use CDRN, CBH will facilitate the transfer of required transaction information to Verifi, acting as a sub-sub-processor. Verifi will process the transaction information, including order details, as necessary to support the Participating Seller’s decision-making related to a pre-dispute case submitted to the issuer. Further details are provided in the applicable service documentation at the time of implementation of the Service.
  • Categories of data subjects to whom the personal information relates to: Participating Seller’s employees, agents, advisors, or representatives; Consumers.

RDR (Rapid Dispute Resolution)
  • Nature and purpose of the processing: CBH facilitates the transfer of required transaction information to Verifi, acting as a sub-sub-processor. Verifi processes the data to apply the Participating Seller’s automatic rules for resolving non-fraud and confirmed fraud pre-dispute cases, enabling acquirer-initiated funds reversals to avoid disputes.
  • Types of personal information: If the Participating Seller opts to use RDR, CBH will facilitate the transfer of required transaction information to Verifi, acting as a sub-sub-processor. Verifi will process the transaction information, including order details, as necessary to apply the Participating Seller’s automatic rules related to a dispute with the issuer. Further details are provided in the applicable service documentation at the time of implementation of the Service.
  • Categories of data subjects to whom the personal information relates to: Participating Seller’s employees, agents, advisors, or representatives; Consumers.

Fraud and Dispute Notices
  • Nature and purpose of the processing: CBH facilitates the transfer of required transaction information to Verifi, acting as a sub-sub-processor. Verifi processes the information to provide real-time, transaction-level notifications that enhance fraud detection and allow Participating Sellers to stop order fulfillment or shipment when possible.
  • Types of personal information: If the Participating Seller opts to use the Fraud and Dispute Notices service, CBH will facilitate the transfer of required transaction information to Verifi, acting as a sub-sub-processor. Verifi will process the transaction information to provide real-time, transaction-level notifications to enhance and inform fraud detection and modeling for the Participating Seller. Participating Sellers may also stop order fulfillment or shipment when possible. Further details are provided in the applicable service documentation at the time of implementation of the Service.
  • Categories of data subjects to whom the personal information relates to: Participating Seller’s employees, agents, advisors, or representatives; Consumers.

Dispute Representment
  • Nature and purpose of the processing: CBH facilitates the transfer of required Participating Seller Personal Information to Verifi, acting as a sub-sub-processor. Verifi processes the information, as required by Card Association rules, to represent disputes for the Participating Seller based on Controller instructions.
  • Types of personal information: If the Participating Seller opts to use Dispute Representment, CBH will facilitate the transfer of required Data Subjects’, cardholder, and transaction information to Verifi, acting as a sub-sub-processor. Verifi will process the information as necessary to manage the dispute in accordance with Card Association rules. Further details are provided in the applicable service documentation at the time of implementation of the Service.
  • Categories of data subjects to whom the personal information relates to: Participating Seller’s employees, agents, advisors, or representatives; Consumers.

Ethoca Alerts
  • Nature and purpose of the processing: CBH facilitates the transfer of required transaction and cardholder information to Mastercard (Ethoca), acting as a sub-sub-processor. Mastercard processes the data to provide fraud and dispute alerts to Participating Sellers, enabling early resolution and prevention of chargebacks.
  • Types of personal information: Transaction-related information such as card or account number (full or partial), transaction type, currency and amount, transaction date and time, information about the disputed or queried transaction and its outcome, items purchased, history of the account, merchant order number, cardholder information such as name, address, phone number, IP address, email address location, merchant identifier, as applicable under the Agreement, and any other types of Personal Information listed in the Agreement. Information of the Participating Seller’s representatives such as user ID, name, role, email, phone, as applicable.
  • Categories of data subjects to whom the personal information relates to: Participating Seller’s employees, agents, advisors, or representatives; Consumers.

Ethoca Consumer Clarity
  • Nature and purpose of the processing: CBH facilitates the transfer of required transaction and cardholder information to Mastercard (Ethoca), acting as a sub-sub-processor. Mastercard processes the data to provide Consumers with detailed transaction information via issuing banks, thereby reducing inquiries and disputes.
  • Types of personal information: Transaction-related information such as card or account number (full or partial), transaction type, currency and amount, transaction date and time, information about the disputed or queried transaction and its outcome, items purchased, history of the account, merchant order number, cardholder information such as name, address, phone number, IP address, email address location, merchant identifier, as applicable under the Agreement, and any other types of Personal Information listed in the Agreement. Information of the Participating Seller’s representatives such as user ID, name, role, email, phone, as applicable.
  • Categories of data subjects to whom the personal information relates to: Participating Seller’s employees, agents, advisors, or representatives; Consumers.
   

Exhibit 3

List of Sub-Sub Processors
Verifi, Inc.
  • Functions Performed: Processing transaction information, chargeback management, dispute resolution, fraud detection, and data transfer facilitation for applicable services.
  • Location: USA
  • Applicable Service: Order Insight; CDRN; RDR; Fraud and Dispute Notices; Dispute Representment

Mastercard Europe S.A.
  • Functions Performed: Processing transaction and cardholder information for fraud alerts, dispute prevention, and detailed transaction clarity.
  • Location: EU
  • Applicable Service: Ethoca Alerts

Ethoca Limited
  • Functions Performed: Processing transaction and cardholder information for fraud alerts, dispute prevention, and detailed transaction clarity.
  • Location: Canada
  • Applicable Service: Ethoca Consumer Clarity