NOTE: Credit cards are NOT processed on servers.
Credit card transactions are hosted and processed through Authorize.net's gateway.
Below is Authorize.net's privacy statement.
This Data Processing Agreement
This Data Processing Agreement (“DPA”) is an agreement between you and the entity you represent (“Customer” or “you”), on the one hand, and Authorize.net LLC (“Authorize.net”), on the other hand. It forms part of any written or electronic agreement between you and Authorize.net (each, an “Agreement”) under which Authorize.net Processes Personal Information on your behalf (“Customer Personal Information”), except with respect to any Agreement under which you and Authorize.net have entered data processing terms that address the subject matter hereof. This DPA forms a part of the Services Documentation, defined in the Agreement.
Processing of Customer Personal Information
1.1 Processor designation
The parties acknowledge and agree that, with respect to the Customer Personal Information that Authorize.net Processes to provide the Transaction Services, which Processing may include, by way of example and for illustrative purposes, the Processing detailed in Details of Processing Customer Personal Information (Exhibit 2), Authorize.net is a “processor” or “service provider” under Applicable Data Protection Laws acting on Customer's instructions (referred to as “Processor” for purposes of this DPA).
1.2 Authorization to Process
Processor will Process Customer Personal Information to provide such Transaction Services, and Processor is authorized to Process Customer Personal Information solely in connection with the following activities:
1.2.1 In accordance with the applicable Agreement(s), including, without limitation, any exhibits, schedules, and applicable price schedule(s), to provide the Transaction Services, and any Processing required under applicable law or regulations;
1.2.2 Based on the instructions of Customer and in its use of the Transaction Services, Authorize.net will transfer Customer Personal Information to acquiring banks, issuing banks, payment processors providing services on behalf of acquiring banks, credit/debit card companies, or service providers performing payer authentication services used by Customer, such as Verified by Visa and Mastercard Identity Check (ID Check);
1.2.3 As reasonably necessary to enable Authorize.net to comply with any other directions or instructions provided by Customer; and
1.2.4 To support the creation of models for Authorize.net’s security and fraud prevention tools for use by the Customer and/or any other customer of Authorize.net. These models ensure Customer is provided with the most up-to-date scoring as part of the Transaction Services.
Compliance with Law
Each of Authorize.net, in its provision of services to Customer, and Customer, in its use of the services, shall Process Customer Personal Information in accordance with Applicable Data Protection Law.
3.1 Customer shall provide its End-User(s) with all privacy notices, information and any necessary choices and shall obtain any necessary consents to enable the parties to comply with Applicable Data Protection Law;
3.2 Where required by Applicable Data Protection Law, Customer shall promptly inform Processor when Customer Personal Information must be corrected, updated, and/or deleted;
3.3 Customer shall ensure that at the point of transferring Customer Personal Information to Processor, the Customer Personal Information is adequate, relevant and limited to what is necessary in relation to the Processing envisaged under the Agreement and this DPA; and
3.4 Customer shall comply (and ensure that its third-party auditors comply) with Processor’s relevant security policies and appropriate confidentiality obligations as set out in the Agreement.
Applicable Data Protection Law
To the extent necessary to enable Customer to comply with its obligations under Applicable Data Protection Law, Authorize.net further agrees to comply with any required provisions of the GDPR Schedule (other than when acting in accordance with Section 1.2 (Authorization to Process) of this DPA) and/or CCPA Schedule, each, to the extent applicable.
Data Subject Rights
Processor will, to the extent legally permitted, provide reasonable assistance to Customer to respond to requests from End-Users to exercise their rights under Applicable Data Protection Law (e.g., rights to access or delete Personal Information) in a manner that is consistent with the nature and functionality of the Transaction Services. Where Authorize.net receives any such request, it shall notify Customer and the Customer is responsible for handling such requests by an End User in accordance with Applicable Data Protection Law.
Engaging with Sub-Processors
Processor shall ensure that when engaging with another data processor including any Affiliates (a “Sub-Processor”) for the purposes of carrying out specific Processing activities on behalf of Customer, there is a written contract in place between Processor and the relevant Sub-Processor. Such written contracts, to the extent applicable to the nature of the Transaction Services provided by the relevant Sub-Processor, will provide at least the same level of protection for Customer Personal Information as set out in this DPA.
Processor shall ensure that persons authorized to Process Customer Personal Information have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Security of Processing
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall implement technical and organizational measures to ensure a level of security appropriate to that risk. In assessing the appropriate level of security, Processor shall, in particular, take into account the risks that are presented by the Processing, in particular from unauthorized or unlawful Processing, accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Information transmitted, stored or otherwise Processed. Processor shall provide reasonable assistance to Customer in ensuring Customer meets its own compliance obligations with respect to these same security measures.
4.6.1 In the event of an actual Security Breach (defined below) affecting Customer Personal Information contained in Processor’s systems, Processor shall (i) investigate the circumstances, extent and causes of the Security Breach and report the results to Customer and continue to keep Customer informed on a regular basis of the progress of Processor’s investigation until the issue has been effectively resolved; and (ii) cooperate with Customer in any legally required notification by Customer of affected End-Users. The obligations herein shall not apply to Security Breaches caused by Customer or Customer’s End-Users.
4.6.2 Processor shall notify Customer without undue delay upon Processor or any Sub-Processor becoming aware of an actual Security Breach affecting Customer Personal Information, providing the Customer with sufficient information and reasonable assistance to allow Customer to meet its obligations under Applicable Data Protection Law to (i) notify a Supervisory Authority (as defined under Applicable Data Protection Law) of the Security Breach; and (ii) communicate the Security Breach to the relevant Data Subjects.
4.6.3 Notice to Customer in accordance with Section 4.6.2 of this Agreement shall be made by sending an email and/or text message to the email address and/or mobile phone number registered by Customer in the Authorize.net Merchant Interface.
4.6.4 Except as required by applicable law or regulation, the notifying party will not make (or permit any third party to make) any statement concerning the Security Breach that directly or indirectly references the other party, unless the other party provides its explicit written authorization.
Deletion and Retention
Processor shall, at the choice of Customer, delete or return all Customer Personal Information upon termination of the Agreement and delete existing copies unless storage is required by applicable law.
The terms of this DPA shall apply only to the extent required by Applicable Data Protection Law. To the extent not inconsistent herewith, the applicable provisions of the Agreement(s) (including without limitation, indemnifications, limitations of liability, enforcement, and interpretation) shall apply to this DPA. In the event of any conflict between this DPA and the terms of an applicable Agreement, the terms of this DPA shall control solely with respect to data processing terms where required by Applicable Data Protection Law, and, in all other respects, the terms of the applicable Agreement shall control. Notwithstanding any term or condition of the DPA, the DPA does not apply to any data or information that does not relate to one or more identifiable individuals, that has been aggregated or de-identified in accordance with Applicable Data Protection Law, or to the extent that Authorize.net and you have entered separate data processing terms that address the subject matter hereof.
Unless otherwise defined in the Agreement (including this DPA), all terms in this DPA shall have the definitions given to them in Applicable Data Protection Law.
“Applicable Data Protection Law”
means any law or regulation pertaining to data protection, privacy, and/or the Processing of Personal Information, to the extent applicable in respect of a party’s obligations under the Agreement and this DPA. For illustrative purposes only, Applicable Data Protection Laws include, without limitation, and to the extent applicable, the General Data Protection Regulation (Regulation (EU) 2016/679 (the “GDPR”), UK Data Protection Laws, the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. (“CCPA”), Swiss DP Laws and any associated regulations or any other legislation or regulations that transpose or supersede the above.
“EEA Standard Contractual Clauses”
means the Standard Contractual Clauses set out in the European Implementing Decision (EU) 2021/914 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as amended or replaced from time to time by a competent authority under the Applicable Data Protection Law.
“End-User”
means any person that purchases goods or services of Customer, whose information is submitted by Customer to Authorize.net during the course of Customer using the Transaction Services hereunder.
“Personal Information”
means all data or information, in any form or format, that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer (“Data Subject”) or household or that is regulated as “personal data,” “personal information,” or otherwise under Applicable Data Protection Law. For the avoidance of doubt, this includes any information relating to an End-User as defined in the Agreement.
“Process” or “Processed” or “Processing”
means any operation or set of operations which is performed upon Personal Information, whether or not by automatic means, such as access, collection, recording, organization, storage, adaptation or alteration, retrieval, disclosure or otherwise making available, duplication, transmission, combination, blocking, redaction, erasure or destruction.
“Security Breach”
means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information. A Security Breach includes a “personal data breach” (as defined in the GDPR), a “breach of security of a system” or similar term (as defined in any other applicable privacy laws) as well as any other event that compromises the security, confidentiality or integrity of Personal Information.
“Swiss DP Laws”
means the Federal Act on Data Protection of June 19, 1992 (as updated, amended and replaced from time to time), including all implementing ordinances.
means to transmit or otherwise make Customer Personal Information available across national borders in circumstances which are restricted by Applicable Data Protection Law.
“UK Data Protection Laws”
means the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 ("UK GDPR”), together with the Data Protection Act 2018, the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 and other data protection or privacy legislation in force from time to time in the United Kingdom. In this DPA, in circumstances where and solely to the extent that the UK GDPR applies, references to the GDPR and its provisions shall be construed as references to the UK GDPR and its corresponding provisions.
means the International Data Transfer Addendum to the EEA Standard Contractual Clauses issued by the UK Information Commissioner under section 119A(1) Data Protection Act 2018.