United States Data Processing Addendum

1. Definitions:

1.1 “CCPA” means the California Consumer Privacy Act of 2018 (California Civil Code §§ 1798.100 to 1798.199), as may be amended from time to time, including as amended by the California Privacy Rights Act of 2020.

1.2 “Contracted Business Purpose” means the provision of  fraud and abuse prevention and payment optimization Services to Merchant and any other purpose specifically identified in this DPA or the Agreement for which Forter processes Personal Information.

1.3 “Personal Information” means information provided to Forter by or on behalf of Merchant or collected by Forter on the Merchant Sites in connection with the Agreement, in each case, that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

1.4 “US Data Protection Law” means all applicable United States federal or state privacy and data protection laws and regulations  including, without limitation, the CCPA.

1.5 “Business Purpose”, “Consumer”, “Processor,” “Process or Processing” “Sale,” “Service Provider”, and “Share” have the meanings given to them in the applicable US Data Protection Law.

2. Scope. This DPA will only apply to Personal information subject to US Data Protection Laws. For the purposes of US Data Protection Laws, Forter Processes Personal Information as a Service Provider/Processor. Forter shall Process Personal Information in accordance with Schedule 1 to this DPA for the Contracted Business Purpose.

3. Forter’s Obligations. As Service Provider/Processor, Forter shall:

3.1 not Sell or Share any Personal Information, except as otherwise required or permitted under US Data Protection Laws;

3.2 not retain, use or disclose any Personal Information (i) outside of the direct business relationship between Forter and Merchant, or (ii) for any purpose, including any commercial purpose,  other than for the Contracted Business Purpose or as otherwise permitted by US Data Protection Law;

3.3 comply with any applicable obligations under US Data Protection Law and provide the same level of protection to Personal Information as is required by US Data Protection Law;

3.4 upon reasonable request from Merchant, make available to  Merchant information in its possession necessary for Merchant to ensure that Forter’s use of Personal Information under the Agreement is in compliance with US Data Protection Laws. Merchant acknowledges and agrees that the information provided by Forter pursuant to this Section will constitute Forter Confidential Information and be subject to the the confidentiality provisions of the Agreement;

3.5 promptly comply with any request from Merchant requiring Forter to stop or mitigate any unauthorized processing, as required under US Data Protection Laws;

3.6 not combine or update the Personal Information with personal information that Forter receives from, or on behalf of, another person or persons, or collects from its own interaction with an applicable consumer, except in accordance with US Data Protection Law;

3.7 provide Merchant necessary information to enable Merchant to conduct and document data protection assessments required under US Data Protection Law; and

3.8 promptly notify Merchant if it determines that it can no longer meet its obligations under US Data Protection Law.

4. Security Incident. Forter shall assist Merchant in meeting its obligations in relation to the security of processing the Personal Information and in relation to the notification of a breach of security of Forter’s system that compromises Personal Information, as required by US Data Protection Law.

5. Personnel. Forter shall restrict its personnel from processing Personal Information without Forter’s authorization and will limit its personnels’ processing of Personal Information to that which is needed to provide the Services under the Agreement. Forter will impose appropriate obligations on its personnel, including relevant obligations regarding confidentiality, data protection, and data security, in each case, as required by US Data Protection Laws.

6. Data Subject Rights.  Forter shall provide reasonable assistance to Merchant to enable Merchant to fulfill its obligations under US Data Protection Law to respond to requests by Consumers to exercise their rights under US Data Protection Law, as required by US Data Protection Laws. If Forter receives a request from a Consumer under US Data Protection Law with respect to Personal Information, Forter will advise the Consumer to submit the request directly to Merchant and Merchant will be responsible for responding to any such request. Merchant acknowledges and agrees that any Consumer requests passed through to Forter by Merchant shall be submitted through Forter’s Privacy API, Decision Dashboard, or another method approved by Forter.

7. Destruction of Personal Information.  Following termination or expiration of the Agreement, Forter shall delete Personal Information in its possession, as required by applicable US Data Protection Law.

8. Audit.  Merchant may take reasonable and appropriate steps to ensure that Forter uses the Personal Information in a manner consistent with the business’s obligations under US Data Protection Law. Upon Merchant’s request, and no more than once in any twelve (12) month period, Forter shall allow for and contribute to audits, including inspections, by Merchant (or an auditor mandated by Merchant) in relation to the Processing of the Personal Information by Forter. The parties shall mutually agree upon the timing and scope of any audit. In the event the audit is completed by an independent auditor, Forter shall provide a report of such assessment to Merchant upon request.

9. Security. Forter agrees to implement and maintain appropriate technical and organizational measures and practices designed to ensure a level of security appropriate to the risk and to protect against unauthorized or illegal access, destruction, use, modification, or disclosure of Personal Information.

10. Subprocessor. Forter shall inform Merchant in writing of its intention to add or replace a subprocessor within a reasonably sufficient amount of time to allow Merchant to object to such subprocessor.  Merchant acknowledges and agrees that such notice may be provided to an Authorized User through Forter’s Decision Dashboard.  Merchant shall have 5 days from receipt of such notice to object to a new subprocessor. Forter shall: (i) execute an appropriate written agreement with each subprocessor that is no less protective than the provisions of this DPA and that complies with the requirements of US Data Protection Law; and (ii) remain fully liable for performance of such subprocessors’ obligations and for the acts and omissions of its subprocessor.

Schedule 1

Scope of Processing 

1. Nature and Purpose of Processing:
   • To provide fraud and abuse prevention and payment optimization services, or as otherwise permitted in the Agreement or under applicable US Data Protection Law.
2. Duration of Processing:
   • For as long as Merchant is Forter’s customer.
3. Types of Personal Data:
   • Contact information: this includes information such as name, phone number, email and mailing address.
   • Transaction data: this includes information about a completed transaction on a Merchant Site, including name, email address, billing and shipping mailing addresses, items purchased, price paid, order status and chargeback information, as well as basic information about consumer payment and billing method.
   • Account information: this includes information about user account and preferences on Merchant Sites.
   • Browser, device and connection data: this includes information about the personal computer or mobile device used to access Merchant Site. 
   • Behavioral data: this includes information regarding users’ activity on a Merchant Site, such as the time and frequency of access, the referrer page domain, pages viewed.
4. Categories of data subjects:
   • Actual and potential End Customers on the Merchant Sites.