ACH Services Addendum

This ACH Services Addendum (this “Addendum”) applies to services offered by PayPal, Inc. (“PayPal”) that allow merchants to originate Automated Clearing House (“ACH”) credit and debit entries to a bank account (the “ACH Services”). This Addendum forms part of the applicable agreement between you (“you” or “Merchant”) and PayPal that governs PayPal’s provision of ACH Services to you (the “Agreement”) and is incorporated by reference therein. In the event there is any conflict between the terms of this Addendum and the Agreement, the terms of this Addendum will control. Capitalized terms used but not defined in this Addendum have the meaning set out in the Agreement.

This Addendum is effective as of the later of (i) the effective date specified in the Agreement or (ii) the effective date stated in the notice posted or provided to you in connection with this Addendum. We may amend this Addendum from time to time. The revised version will be effective at the time we post it on our website, unless otherwise noted. If our changes reduce your rights or increase your responsibilities, we will post a notice on the "Policy Updates" page of our website within the timeframe required by the Agreement. If you do not agree with any change to this Addendum, you may discontinue your use of the ACH Services.

1. PayPal may offer to Merchant the ability to validate bank account information of Merchant’s customers (including account number, routing number, and/or account holder name) in connection with the ACH Services (“PayPal’s Validation”). In that case, PayPal may share certain data related to Merchant’s customer with PayPal’s third-party service providers (“Data Sources”) and Data Sources may collect certain Data related to Merchant’s customers from third-party information sources where such customers hold accounts and share it with PayPal.
2. To the extent that Merchant obtains access to Data in connection with PayPal’s Validation, Merchant shall comply with the obligations set forth below:
   1. Merchant shall follow a written privacy policy describing how it uses, collects, stores, handles and shares Data. Merchant’s customers must be able to access the privacy policy and Merchant shall clearly and conspicuously reference or display such policy (including, at a minimum, via a link on Merchant’s website and within Merchant’s mobile application, if applicable).
   2. When applicable, Merchant shall obtain its customer’s consent for Merchant to use, collect, store, handle and share the customer’s Data in accordance with Merchant’s privacy policy.
   3. If a Merchant customer submits a request for Merchant to delete its Data, Merchant shall promptly: (i) Securely Delete the Data, subject to any legal or regulatory requirements to maintain copies, and (ii) notify PayPal.
   4. Upon PayPal’s request Merchant shall Securely Delete all Data that may be at risk from a Security Issue.
   5. While Merchant keeps a customer’s Data, and for three (3) years thereafter (or a longer period if required under applicable law or regulation), Merchant must keep records sufficient for PayPal to verify its compliance with this Addendum and the Agreement.
   6. For so long as Merchant receives Data from PayPal, and for three (3) years thereafter (or a longer period if required under applicable law or regulation), PayPal may by itself or through a third-party, audit Merchant’s policies, procedures, books and records, data, and systems, to verify: (i) the security and integrity of Merchant’s systems, policies, and procedures for storing and using Data, and (ii) Merchant’s compliance with this Addendum and the Agreement. PayPal may provide to any Data Source from which Data was collected a summary of a Merchant audit.
   7. If PayPal becomes aware of a Security Issue or any violation of the obligations under this Addendum, Merchant shall fix or implement a mutually agreed plan to fix the issue within the period determined by PayPal and communicate to Merchant in writing. PayPal may report any Security Issue, investigations and/or remediation efforts to Data Sources.
   8. Merchant must promptly respond to PayPal’s requests for information about its use, storage, handling, and sharing of Data, including by providing all information in Merchant’s possession that PayPal may reasonably request in connection with such investigations.

3. PayPal may immediately suspend Merchant’s access to Data, in whole or in part if: (i) Merchant fails to comply with the obligations under this Addendum and the Agreement; (ii) PayPal becomes aware of a Security Issue, or (iii) PayPal reasonably believes that Merchant violated the Nacha Rules or any applicable law, regulation or court order. In such cases, PayPal will use commercially reasonable efforts to give prior notice of any suspension but may immediately suspend access without prior notice if appropriate under the circumstances to protect Merchant’s customers or Data Sources from harm. PayPal may notify a Data Source of any condition permitting suspension (and related circumstances) if the condition relates to Data obtained from such Data Source (including the nature of such condition, whether access has been suspended, and the status of Merchant’s efforts to cure the condition).

4. NEITHER PAYPAL NOR ANY DATA SOURCE MAKE ANY WARRANTIES TO MERCHANT OF ANY KIND (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE). PAYPAL, DATA SOURCES AND RELATED PARTIES WILL HAVE NO LIABILITY WHATSOEVER TO MERCHANT RELATING TO (i) ACCESSING OR USING DATA; (ii) FOR ANY EXPENSES, LOSSES, OR DAMAGES RELATING TO MERCHANT’S ACCESS OR USE OF DATA, FOR ANY LOST PROFITS OR OTHER SPECIAL, CONSEQUENTIAL, INCIDENTAL OR INDIRECT DAMAGES. THE LIMITATIONS IN THIS SECTION WILL APPLY TO THE FULLEST EXTENT PERMITTED UNDER APPLICABLE LAW NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY AND REGARDLESS OF THE FORM OF ACTION UNDER WHICH RECOVERY FOR ANY LOSS, DAMAGE, OR EXPENSE IS SOUGHT (INCLUDING NEGLIGENCE).

5. If any inconsistency exists between this Addendum and any applicable law or regulation (including rules implementing Section 1033 of the Consumer Financial Protection Act of 2010), then the terms of the applicable law and/or regulation shall control.

“ACH” has the meaning provided in the first paragraph of this Addendum.
“ACH Services” has the meaning provided in the first paragraph of this Addendum.
“Agreement” has the meaning provided in the first paragraph of this Addendum.
“Data” means any personal, financial, or transaction data.
“Data Sources” has the meaning provided in Section 1 of this Addendum.
“PayPal’s Validations” has the meaning provided in Section 1 of this Addendum.
“Securely Delete” means to delete using an industry standard method that ensures the deletion is permanent and information unrecoverable.
“Security Issue” means any: (i) unauthorized or unlawful access, transmission, corruption, deletion, or use of any Data; (ii) unauthorized access to systems storing, processing, or providing access to the same; (iii) Merchant’s material failure to comply with its information security requirements under this Agreement; or (iv) any reasonably suspected case of, or flaw in, Merchant’s policies, procedures, or systems reasonably likely to give rise to an incident described in the foregoing definition.