Amazon Payments Solution Provider Terms

Last updated: 28 May 2020.

View or download a PDF version of this Amazon Payments Solution Provider Terms.

1. Definitions. Unless otherwise defined in these Terms, capitalized terms have the meanings set forth in Exhibit 1.
2. Integration Responsibilities.

(a)     Company will comply with all Specifications in connection with the design, development, operation and maintenance of the Solution. Prior to making the Solution generally available for commercial use, Company must ensure that the Solution satisfies the Acceptance Criteria and, if Company developed the Solution, the Development Criteria.

(b)     Company will designate an implementation team to be trained on the Amazon Service. Company’s Account Manager will act as the single point of contact for Amazon, handle communications and scheduling between both parties, route technical inquiries and requirements to the appropriate teams, and ensure that all sales leads and inquiries related to the Amazon Service are referred to Amazon through means designated by Amazon.

(c)      Company will assign an integration manager and have in place a support platform (for example, online help, documentation, and video tutorials, some of which may be provided by Amazon from time to time) to guide registered Sellers through the integration process and provide post-integration Seller support for the Solution. Company will provide Amazon with ongoing access to the integration manager and support platform.

(d)     If Amazon provides the Account Manager with notice of a support, service, or integration issue related to the Solution resulting in a material impact on a Seller’s ability to utilize the Amazon Service, Company will promptly, and in any event within one (1) business day, acknowledge receipt of the notice, and will resolve the issue to the satisfaction of Amazon within thirty (30) days.

(e)     If Amazon makes any Updates, Company will test and, as necessary, modify the Solution to ensure that it continues to operate properly with the then-current version(s) of the Amazon Service and Specifications.

(f)      Amazon may provide Specifications to Company for any available Enhancements. Company will provide an Estimate within two (2) weeks from the date any Enhancement is requested by Amazon and implement the Enhancements subject to Amazon’s written approval of the Estimate, which may be via email. Estimate rates, if any, will be mutually agreed between Company and Amazon; provided, however, that any rate charged to Amazon will at all times be as favorable as any offered to Company’s other customers receiving similar services. Payment terms are net sixty (60) days of receipt and acceptance by Amazon of the Estimate Invoice. Company will ensure that the Enhancements operate properly with the then-current version of the Solution, and that the Solution operates properly following the implementation of any Enhancements. Company will make the Enhancements available to Sellers for commercial use only after such Enhancements have satisfied the Development Criteria.

(g)     In the event that the Solution at any time does not comply with the Specifications or the Agreement, (i) Amazon may suspend the licenses granted under these Terms and the Agreement and/or remove Company as an authorized provider of the Solution from the Seller Central Website and other materials (as applicable); and (ii) at Amazon’s request, Company will no longer make the Solution available to Sellers.

3. Promotion; Availability.

(a)     Company will promote the Amazon Service and Solution in a manner at least as favorable as any other comparable e-commerce or payment solutions in any materials, communications, or promotions and on any platforms (including websites) that Company provides to Sellers or Prospective Sellers for implementation options related to Company’s services.

(b)     Company is solely responsible for services it offers Sellers and the terms and conditions pursuant to which it provides them. However, Company will at all times make available the Solution to Sellers and Prospective Sellers on terms at least as favorable as the terms offered to such parties for other comparable e-commerce or payment solutions.

4. Promises. Company represents and warrants that (i) it has all right, power, and authority necessary to enter into and perform its obligations under the Agreement; and (ii) Company and its Affiliates and agents will: (a) comply with all applicable laws, regulations, and Amazon Policies in the performance of their respective obligations and exercise of their rights under the Agreement and in connection with their use of any Amazon Properties, including any licensing requirements; (b) perform all obligations under the Agreement in a manner that reflects favorably on Amazon; (c) accurately represent their relationship with Amazon and the capabilities and features of the Amazon Service, and not engage in deceptive or unethical practices, including expressing or implying any level of Amazon support, sponsorship or endorsement; (d) promptly investigate and report to Amazon all complaints received relating to the Amazon Service; (e) not hold themselves out as an agent or representative of Amazon; and (f) access and use the Amazon Properties solely to develop the Solution as needed and integrate Sellers to the Amazon Service, and not access or misuse the Amazon Properties in any way that may interfere with any Amazon site or otherwise cause harm to Amazon or any other person. Company further represents and warrants to Amazon that: (x) it and its financial institution(s) are not subject to sanctions or otherwise designated on any list of prohibited or restricted parties or owned or controlled by such a party, including but not limited to the lists maintained by the United Nations Security Council, the US Government (e.g., the US Department of Treasury’s Specially Designated Nationals list and Foreign Sanctions Evaders list and the US Department of Commerce’s Entity List), the European Union or its member states, or other applicable government authority; and (y) it will not directly or indirectly export, re-export, transmit, or cause to be exported, re-exported or transmitted, any commodities, software or technology to any country, individual, corporation, organization, or entity to which such export, re-export, or transmission is restricted or prohibited, including any country, individual, corporation, organization, or entity under sanctions or embargoes administered by the United Nations, US Departments of State, Treasury or Commerce, the European Union, or any other applicable government authority.
5. Amazon’s Support Responsibilities. Subject to Company’s compliance with this Agreement and any relevant Amazon Policies, Amazon will provide Company access to certain Amazon Properties. Company may use the materials and support solely in developing and/or integrating the Solution. Amazon may at any time, in its sole discretion, modify, remove, or deny Company, any Seller or any Prospective Seller access to the Amazon Properties or any other Amazon products or services. Further, Amazon may amend, discontinue, deprecate or republish the Amazon Properties from time to time, without notice.
6. Information.

(a)     Company will promptly upon request provide Amazon on a non-aggregated basis with feedback from named Sellers and Prospective Sellers on roadblocks to integrating or utilizing the Amazon Service. Such feedback will include listing any Prospective Sellers that did not implement the Solution and all specific information that Company obtained regarding the reasons for the implementation failure, provided such requests do not compromise an existing Company confidentiality agreement.

(b)     Amazon may contact Sellers to conduct periodic surveys in order to ascertain Sellers’ general level of satisfaction with the Solution and Sellers’ related integration activities.

(c)      Company and Amazon will institute a quarterly business review at Amazon’s option, where both parties discuss the previous quarter’s implementation activities, conversion rates and feedback, and identify new strategies, features or functions for implementation. Company may also be requested to help validate requirements and test new features or functions pertaining to new Amazon Service releases.

7. Licensed Marks.

(a)     Subject to the Agreement and conditioned upon Company’s compliance with the Trademark Usage Guidelines attached hereto as Exhibit 2 (“Trademark Guidelines”), Amazon grants Company a non-exclusive, non-transferable, non-assignable, revocable right and license to reproduce and display the Amazon Logo (an image of which is set forth in Exhibit 2) (the “Trademark”) as described in the Trademark Guidelines solely (i) on or in connection with the development and/or support of the Solution, (ii) in and on the Marketing Materials, and (iii) in the forms designated by Amazon. Company may not use the Trademark except as expressly provided herein, and may not sublicense these rights or otherwise permit any party to use the Trademark. Company acknowledges that Amazon and its Affiliates are the sole owner of the Trademark, and Company agrees to do nothing inconsistent with that ownership. All goodwill arising out of Company’s use of the Trademark will inure to the sole benefit of Amazon and its Affiliates. Amazon may revoke Company’s license at any time in its sole discretion. Upon the termination or expiration of the Agreement, Company will immediately cease and discontinue all further use of the Trademark.

(b)     Company grants Amazon and its Affiliates a fully paid-up, non-exclusive, non-transferable, non-assignable right and license during the Term to reproduce and display the Company Licensed Marks in order to provide information on the Solution and obtain Seller feedback. All goodwill arising out of Amazon’s or its Affiliates’ use of the Company Licensed Marks will inure to the sole benefit of Company and its licensors.

8. Proprietary Rights.

(a)     As between Company and Amazon, all right, title, and interest (including any Intellectual Property Rights throughout the world) in and to the Amazon Properties are owned by Amazon, its Affiliates or its licensors. Subject to the Agreement, Amazon grants Company a limited, revocable, non-exclusive, non-sublicensable, non-transferrable license to access and use the Amazon Service and the Amazon Properties solely in connection with the development and support of the Solution. Company obtains no rights (including any Intellectual Property Rights) under these Terms or the Agreement to the Amazon Properties from Amazon, its Affiliates or its licensors.

(b)     Company may not use the Amazon Properties in any manner or for any purpose other than as expressly permitted by the Agreement. Company may not, nor may Company attempt to, (i) modify, alter, tamper with, repair, or otherwise create derivative works of any software included in the Amazon Properties (except to the extent software included in the Amazon Properties is provided to Company under a separate license that expressly permits the creation of derivative works); (ii) reverse engineer, disassemble, or decompile the Amazon Properties or apply any other process or procedure to derive the source code of any software included in the Amazon Properties; (iii) access or use the Amazon Properties in a way intended to avoid incurring fees or exceeding usage limits or quotas; or (iv) resell or sublicense the Amazon Properties. At no time will Company assert, nor authorize, assist, or encourage any third party to assert, against Amazon or any Amazon Affiliates, customers, vendors, business partners, or licensors, any patent infringement or other intellectual property infringement claim against Amazon or its Affiliates.

(c)      Company grants to Amazon and its Affiliates a worldwide, non-exclusive, royalty-free, fully-paid, irrevocable, and sublicensable right to use in any manner and for any purpose any information, technology, feedback, suggestions, content, images, or other materials Company makes available to Amazon or its Affiliates for the maximum period of time applicable to the protection of Intellectual Property Rights and as permitted by applicable law in each jurisdiction. Company is responsible and assumes all liability for any information, technology, feedback, suggestions, content, images, or other materials Company makes available to Amazon or its Affiliates, and Company represents that their use by Amazon or its Affiliates or licensees will not infringe or violate the rights of any third party.

9. Protected Information.

(a)     Company will process Protected Information only for the purposes of the Agreement and Seller’s use of the Amazon Service pursuant to the terms of a Merchant Agreement. When processing the Protected Information, Company will at all times comply with all applicable laws. Without limiting the above, Company will (i) take appropriate technical and organizational measures against unauthorized or unlawful processing of Protected Information and against accidental loss or destruction of, or damage to, Protected Information; (ii) maintain all Protected Information logically separate from other information relating to Company or Company’s customers; and (iii) at all times have documented the location of all copies of Protected Information stored by or for Company. Company must notify Amazon in advance of the nature and scope of any disclosure of Protected Information that does not comply with the terms of this Section. Protected Information constitutes Amazon Confidential Information.

(b)     In the event that Company offers Sellers an integration based on delegation via the services currently branded as Amazon MWS or Amazon Pay Proxima, or any successor thereto, whereby Sellers permit Company to transmit API calls on their behalf directly or through tokenisation or a similar system, the provisions in Exhibit 3 apply.

10. Confidentiality. During the course of Company’s development and maintenance of the Solution, either party (the “Receiving Party”) may receive information relating to the other party (the “Disclosing Party”) or, in the case of Company, information relating to the Amazon Service, that is not known to the general public (“Confidential Information”). The Receiving Party agrees that (i) all Confidential Information will remain the exclusive property of the Disclosing Party, (ii) the Receiving Party will use Confidential Information only as is reasonably necessary to comply with its obligations under the Agreement, (iii) the Receiving Party will not otherwise disclose Confidential Information to any individual, company, or other third party, and (d) the Receiving Party will take all reasonable measures to protect the Confidential Information against any use or disclosure that is not expressly permitted in the Agreement. Notwithstanding anything in the foregoing, the Disclosing Party acknowledges that the Receiving Party may now have, or in the future may develop or receive, information that is the same as, or similar to, Confidential Information without having breached the Agreement. Nothing in the Agreement (a) prevents the Receiving Party from using, for any purpose and without compensating the Disclosing Party, information retained in the memory of the Receiving Party’s personnel who have had access to Confidential Information; or (b) obligates the Receiving Party to restrict the scope of employment of the Receiving Party’s personnel; provided, however, that this Section does not create a license under any copyright or patent of the Disclosing Party.
11. Expenses and Taxes.

(a)     Company is solely responsible for the payment of costs and expenses Company incurs in connection with the Agreement. Company will pay all applicable fees and other amounts payable in connection with the use of the Amazon Service and the Solution without offset. Amazon may offset any amounts owed by Company to Amazon or its Affiliates, charge or reverse any payments or credits to Company’s accounts with Amazon or its Affiliates, or invoice Company for amounts Company owes Amazon or its Affiliates.

(b)     Taxes imposed with respect to Company’s sales of products and services in connection with the Agreement (excluding taxes imposed on Amazon's net income) will be Company’s responsibility. Company will be responsible for the collection and payment of any and all Taxes. Amazon will not be responsible for the collection and payment of any Taxes. Company will indemnify Amazon and its Affiliates against any claim or demand for payment of any Taxes, and reimburse Amazon immediately for any such sums that Amazon may incur. Amazon may deduct or withhold any Taxes that Amazon determines it is obligated to withhold from any amounts payable to Company under the Agreement, and payment to Company as reduced by such deductions or withholdings will constitute full payment and settlement to Company of such amounts.

(c)      Company may charge and Amazon will pay applicable Transaction Taxes, provided that (i) such Transaction Taxes are stated on the original invoice that Company provides to Amazon, and (ii) Amazon may provide Company with an exemption certificate or equivalent information acceptable to the relevant taxing authority, in which case Company will not charge and or collect the Transaction Taxes covered by such certificate. Amazon may deduct or withhold any taxes Amazon determines it is obligated to deduct or withhold from any amounts payable to Company under the Agreement, and payment to Company as reduced by such deductions or withholdings will constitute full payment and settlement to Company of amounts payable under the Agreement. Throughout the Term, Company will provide Amazon with any forms, documents, or certifications as may be required for Amazon to satisfy any information reporting or withholding tax obligations with respect to any payments under the Agreement.

12. Disclaimers. Amazon makes no representations or warranties to Company with respect to the Agreement, the Amazon Properties or any other services, information, technology, content, images, or materials provided or made available to Company pursuant to this Agreement, whether express or implied, arising by operation of law or otherwise (including, without limitation, any express or implied warranty of title, merchantability, or fitness for a particular purpose, non-infringement, or warranty arising out of course of performance, course of dealing, or usage of trade).
13. Limitation of Liability. To the maximum extent permitted by applicable law, Amazon and its Affiliates, licensors, and suppliers will not be liable to Company for any indirect, incidental, special, consequential, or exemplary damages or for any loss of profits, goodwill, use, or data even if any of them has been advised of the possibility of those damages or losses. Except for liabilities arising out of (i) any breach of Sections 7(a) (Licensed Marks) or 9 (Protected Information) of these Terms, or Section 2.1 of the Agreement (Marketing Activities); (ii) losses against which either party is entitled to indemnification pursuant to Section 14 (Indemnification); and (iii) either party’s gross negligence, fraud, or willful misconduct, each party’s entire liability arising out of or in connection with the Agreement will not exceed seven million Euros (€7,000,000). Nothing in these Terms or the Agreement excludes or limits (a) Company’s obligation to pay amounts accrued or payable to Amazon.
14. Indemnification. Company will defend, indemnify, and hold harmless Amazon and its Affiliates, licensors, and suppliers, and their respective employees, officers, directors, and representatives against all claims, damages, losses, liabilities, taxes, costs, and expenses (including attorneys’ fees and other legal expenses) directly or indirectly arising out of or relating to any third party claim concerning: (i) the design, development, manufacture, production, advertising, promotion, marketing, or use of Company’s products or services, including but not limited to any Solution; (ii) any negligent act or omission or willful misconduct on the part of Company or Company’s employees, contractors, agents, or representatives; (iii)any actual or alleged infringement or misappropriation of any third-party rights by any of the Solution, Company’s Intellectual Property Rights, or other items or services Company provides; (iv) any actual or alleged infringement of third-party rights arising out of the combination of the Solution with the Amazon Service to the extent that infringement would not occur but for such combination; (v) any actual or alleged breach of these Terms or the Agreement; and (vi) any sales, use, excise, value added, or similar tax or duty (including penalties and interest) on goods or services sold by Amazon or its Affiliates to the extent that such a tax claim is attributable to Company’s failure to comply with the advertising restrictions set forth herein.
15. Injunctive Relief. Company acknowledges that a breach of its obligations under the Agreement could cause irreparable harm to Amazon for which monetary damages may be inadequate or difficult to determine. Consequently, Company agrees that Amazon will have the right, in addition to its other rights and remedies, to seek injunctive relief for any violation of the Agreement.
16. Notices. Amazon may provide notice to Company under the Agreement by sending an e-mail message to Company’s Account Manager or, in the event of termination of the Agreement, by sending a letter to the address provided by Company therein. To give Amazon notice under the Agreement, Company must send all notices and other communications to Amazon Payments Europe S.C.A., c/o VP Legal Department, 38 avenue J.F. Kennedy, L-1855, Luxembourg. Notwithstanding the foregoing, any approvals required from Amazon under the Agreement must be obtained from a Director or Vice President of Amazon, and may be requested and granted via email.
17. Assignment. Company may not assign or transfer any rights, obligations, or privileges that Company has under this Agreement without Amazon prior written consent. Amazon may assign or transfer any rights, obligations or privileges that Amazon has under this Agreement to an Affiliate. Subject to the foregoing, this Agreement will be binding on each party's successors and permitted assigns. Any assignment or transfer in violation of this section will be deemed null and void.
18. Governing Law and Venue. The Agreement, including these Terms, will be governed by the laws of the Grand-Duchy of Luxembourg, without reference to rules governing choice of law. The parties hereby irrevocably consent to the exclusive jurisdiction and venue of the courts of the district of the City of Luxembourg with respect to any claims, suits, or proceedings arising out of or in connection with these Terms or the Agreement. Notwithstanding the foregoing, Amazon may seek injunctive or other relief in any court of competent jurisdiction for any actual or alleged infringement or other misuse of any Amazon Properties or the Intellectual Property Rights of any third party.
19. Entire Agreement and Severability. The Agreement represents the complete understanding between Company and Amazon regarding Company’s integration and development of the Solution. Amazon may modify these Terms at any time by posting updated Terms to the Amazon Website, which will be effective at the end of the Modification Notice Period. Provided Company does not terminate the Agreement during the Modification Notice Period, Company will be deemed to accept the modified Terms. If any portion of the Agreement is held to be invalid or unenforceable, the remaining portions will remain in full force and effect. Section headings of the Agreement, including these Terms, are for convenience only and have no interpretive value.

Amazon Payments Solution Provider Terms

EXHIBIT 1

Definitions

“Acceptance Criteria” means, collectively, that for any Solution Company integrates hereunder, it must: (i) be integrated with Company’s applicable e-commerce, online shopping cart, or mobile platforms for use by Sellers; and (ii) be made commercially available generally to Sellers in at least one of the countries where Amazon provides its services.

“Account Manager” means the person Company designates to Amazon in writing from time to time, including via email, as Company’s contact person for matters relating to the Agreement.

“Affiliate” means with respect to any person or entity (including either party), any other person or entity that directly or indirectly controls, is controlled by or is under common control with that person or entity.

“Agreement” means the Solution Provider Integration Agreement.

“Amazon” means Amazon Payments Europe, S.C.A, a licensed Electronic Money Issuer established in Luxembourg.

“Amazon APIs” means application program interface(s) consisting of various tools and protocols for building software applications to work in conjunction with the Amazon Service.

“Amazon Extranet” means a website (or portion thereof) designated by Amazon to include informational content, tools, or features of the Amazon Service. The Amazon Extranet may include developer portions of the Amazon Websites or the Seller Central Website.

“Amazon Policies” means the policies, notices, procedures, Specifications, FAQs, guides, and guidelines that are provided or made available by Amazon to Company, appear on the Amazon Website or the Seller Central Website or are referenced in these Terms or the Agreement.

“Amazon Properties” means software (including machine images), sample code, data, command line tools, text, audio, video, images, or other related technology or other content that Amazon or any of its Affiliates makes available in connection with these Terms, including the Amazon Service, the Amazon APIs, the Trademark, the Amazon Extranet, the Seller Central Website and the Specifications. Amazon Properties do not include third-party content.

“Amazon Service” means the Amazon electronic money service offered to Sellers and related software created or operated by or for Amazon or its Affiliates currently branded as Advanced Payments APIs (or any successor service).

“Amazon Website(s)” means the websites located at, http://pay.amazon.de and/or any successors thereto and certain other platforms owned and operated by Amazon or its Affiliates, as specified by Amazon from time to time.

“Company” means the Company identified in the Agreement.

“Company Licensed Marks” means logos, trademarks, service marks, trade dress, or other protectable source or business identifiers owned by Company, and designated from time to time by Company as being a “Company Licensed Mark” for purposes of these Terms. Company may change the Company Licensed Marks from time to time upon written notice to Amazon.

“Confidential Information” is defined in Section 10.

“Development Criteria” means, collectively, that for any Solution Company develops hereunder, it must: (i) support the functionality described in the Specifications; and (ii) have been successfully tested and approved by Amazon for compliance with the Specifications.

“Enhancements” means any enhancements to the Amazon Service that Amazon deems require significant modifications to the Solution.

“Estimate” means a binding, man hours-based cost estimate for the modifications required for Company to implement any Enhancements, including the date Company anticipates making such Enhancements available to Sellers for commercial use.

“Intellectual Property Rights” means any and all patents, copyrights, trademarks, trade secrets, service marks, designs, mask works, domain names and registrations, trade names, secret formulae, secret processes, confidential information, know-how and any other intellectual property or proprietary rights; any and all enhancements or derivative works of any of the foregoing; and any and all applications for any of the foregoing, in all countries in the world.

“Invoice” meansan invoice in form and content acceptable to Amazon that (i) contains sufficient information to allow Amazon to determine the accuracy of the amount billed; and (ii) is VAT compliant and shows VAT as required, where chargeable.

“Merchant Agreement” means an agreement between Amazon and a third party whereby the third party agrees to use the Amazon Service.

“Modification Notice Period” means the sixty (60)-day period following the date on which modified Terms are posted to one (1) or more Amazon Websites.

“Prospective Seller” means any person or entity that Company reasonably believes to have a genuine interest in integration services pursuant to these Terms and utilizing the Amazon Service pursuant to a Merchant Agreement.

“Protected Information” means (i) information relating to Amazon’s or any Seller’s pricing, sales volume, transaction volume, profit margins, inventory quantities, or any information of a similar nature; and (ii) all personally identifiable information related to users of the Amazon Service (including customers or users of websites operated by or for Amazon or its Affiliates) including, but not limited to, name, address, e-mail, phone number, payment card number, survey responses and purchases.

“Seller” means any person or entity that enters into a Merchant Agreement with Amazon and a service agreement with Company in order to use the Solution.

“Seller Central Website” means any website (or area thereof) to which Amazon may direct Sellers from time to time in order to facilitate the Seller’s management of its payments through the Amazon Service.

“Solution” means an integration solution for one or more Sellers that is either provided to Company by Amazon or developed by Company hereunder that: (i) automates the transfer of data between computer systems, the Amazon Service, the Amazon APIs, and a Seller; and (ii) enhances Sellers’s ability to use the Amazon Service.

“Specifications” means any technical and operational specifications and other documentation or policies (including developer guides, getting started guides, user guides, quick reference guides, and other technical and operations manuals) provided or made available by Amazon with respect to the Amazon Service from time to time.

“Taxes” meansany and all sales, use, excise, import, export, value added, withholding and other taxes and duties assessed, incurred or required to be collected or paid for any reason in connection with Company’s offer or sale of products or services.

“Term” means the Term of the Agreement, as set forth therein.

“Terms” means these Amazon Payments Solution Provider Terms, as amended from time to time.

“Trademark” is defined in Section 7(a).

“Trademark Guidelines” is defined in Section 7(a).

“Transaction Taxes” means, for payments by Amazon to Company, applicable national, state or local sales or use taxes or value added taxes that Company is legally obligated to charge.

“Updates” means changes constituting modifications or updates to the Amazon Service or Specifications, as determined by Amazon, including, without limitation, those modifications or updates which are business-critical or required by law.

Amazon Payments Solution Provider Terms

EXHIBIT 2

Trademark Usage Guidelines

These Trademark Guidelines apply to Company’s use of the Trademark in accordance with the Terms and the Agreement. Strict compliance with these Trademark Guidelines is required at all times, and any use of a Trademark in violation of these Trademark Guidelines will automatically terminate any license related to Company’s use of the Trademark.

1. Company may use the Trademark solely for the purpose expressly authorized by Amazon in writing and Company’s use must (i) comply with the most up-to-date version of these Trademark Guidelines; and (ii) comply with any other terms, conditions, or policies that Amazon may issue from time to time that apply to the use of the Trademark and of which Amazon makes Company aware in writing (email is acceptable).
2. Amazon will supply an approved Trademark image for Company to use. Company may not alter the Trademark in any manner, including but not limited to, changing the proportion, colour, or font of the Trademark, or adding or removing any element(s) to or from the Trademark without Amazon’s prior written consent.
3. Company may not use the Trademark in any manner that implies sponsorship or endorsement by Amazon other than by using the Trademark as specifically authorized in writing by Amazon.
4. Company may not use the Trademark to disparage Amazon, its products or services, or in a manner which, in Amazon’s sole discretion, may diminish or otherwise damage or tarnish Amazon or Amazon’s goodwill in the Trademark.
5. The Trademark must appear by itself, with reasonable spacing between each side of the Trademark and other visual, graphic or textual elements. Under no circumstance should the Trademark be placed on any background which interferes with the readability or display of the Trademark.
6. Company must include the following statement in and on any materials that display the Trademark (written or electronic): “Amazon Payments and the Amazon Payments logo are trademarks of Amazon.com, Inc. or its Affiliates."
7. Company acknowledges that all rights to the Trademark are the exclusive property of Amazon or its Affiliates, and all goodwill generated through Company’s use of the Trademark will inure solely to the benefit of Amazon or its Affiliates. Company will not take any action that is in conflict with Amazon’s or its Affiliates’ rights in, or ownership of, the Trademark.

Amazon reserves the right, exercisable at its sole discretion, to modify these Trademark Guidelines and/or the approved Trademark at any time and to take appropriate action against any use without permission or any use that does not conform to these Trademark Guidelines as provided in writing to Company.

For any questions about these Trademark Guidelines, please contact trademarks@amazon.com.

Approved Logo:

 

Amazon Payments Solution Provider Terms

EXHIBIT 3

Data Processing Terms

These Data Processing Terms (“Processing Terms”) applies to Amazon (also referred to herein as the “controller”) and Company (also referred to herein as the “Processor”) in their performance of their obligations under the Agreement. Amazon and Processor may be referred to collectively as the “parties” and individually as a “party.”

These Processing Terms enable Amazon to comply with its obligations when providing or allowing access to Personal Data by the Processor.

(A) In the event that Processor processes information outside the EU, Processor will ensure that the Parties have sign the EU Standard Contractual Clauses made available by the EU Commission.

1. Definitions. For the purposes of these Processing Terms:

   (a)     "personal data", "special categories of data", "process/processing", "controller", "processor", "data subject" and "supervisory authority" shall have the same meaning as in Regulation (EU) 2016/679 of the European Parliament and the Council (also known as EU General Data Protection Regulation).

   (b)     "subprocessor" means any processor engaged by the Processor or by any other subprocessor of the Processor, which agrees to receive from the Processor, or from any other subprocessor of the Processor, Personal Data exclusively intended for processing activities to be carried out on behalf of Amazon and in accordance with its written instructions, the terms of these Processing Terms and the terms of the written subcontract.

2. Details of the processing activities. The details of the processing activities to be carried out by the Processor on behalf of the controller under these Processing Terms and in particular the special categories of personal data where applicable, are specified below:

   (a)     Data subjects: The Personal Data concerns the data subjects listed in Annex 1.

   (b)     Categories of data: The Personal Data concerns the data subject categories listed in Annex 1.

   (c)     Special categories of data: No special categories of Personal Data will be processed as part of the Solution.

   (d)     Processing operations: Where the Processor uses the data for purposes of global fraud management for payment methods offered to its customers, including the payment method proposed by Amazon (collectively, “Processor Payment Methods”), global reports and reconciliation, and enabling authentication, refund, capture, claims and chargebacks on Processor’s back-end for all Processor Payment Methods.

   (e)     Duration: The Personal Data will be processed by the Processor for as long as the Processor makes the Solution available to Sellers.

3. Obligations of the Controller. The Controller agrees to comply with all of the obligations applicable to Controller under the EU General Data Protection Regulation.
4. Obligations of the Processor. The Processor agrees and warrants:

   (a)     to process Personal Data only:

   (i)     on behalf of Amazon and in accordance with its documented instructions unless otherwise required by European Union or, if applicable, European Member State law to which the Processor is subject;

   (ii)     within the European Economic Area. The Processor shall notify Amazon prior to any relocation of Personal Data, even within this region;

   (iii)     for the purpose of carrying out the Services or as otherwise instructed by Amazon, and not for the Processor's own purposes; and

   (iv)     in compliance with these Processing Terms.

   (b)     that if it is legally required to process Personal Data otherwise than as instructed by Amazon, it shall notify Amazon in writing before such processing occurs, unless the law requiring such processing prohibits the Processor from notifying Amazon on an important ground of public interest, in which case it shall notify Amazon as soon as that law permits it to do so.

   (c)     not to assume any responsibility for determining the purposes for which and the manner in which Personal Data is processed.

   (d)     that it has no reason to believe that any legislation applicable to it prevents it from fulfilling either the instructions received from Amazon or its obligations under these Processing Terms.

   (e)     that it has implemented and will maintain appropriate technical and organisational measures to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access and, in particular, where the processing involves the transmission of data over a network, against all other unlawful forms of processing. Having regard to the state of the art and cost of their implementation, the Processor agrees that such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of Personal Data to be protected and will at a minimum include those measures described in Annex 2.

   (f)     to provide upon request of Amazon, a detailed description of the security measures implemented by the Processor pursuant to the above provisions within ten (10) calendar days of Amazon’s request.

   (g)     that it will treat all Personal Data as confidential information and will not disclose such confidential information without Amazon’s prior written consent except:

   (i)     to those of its personnel who need to know the confidential information in order to carry out the Services; and

   (ii)     where it is required by a court to disclose Personal Data, or there is a statutory obligation to do so, but only to the minimum extent necessary to comply with such court order or statutory obligation.

   (h)     to take reasonable steps to ensure that its personnel who have access to the Personal Data:

   (i)     are reliable;

   (ii)     are both informed of the confidential nature of the Personal Data and obliged to keep such Personal Data confidential; and

   (iii)     are aware of and comply with the Processor´s duties and their personal duties and obligations under these Processing Terms.

   (i)     that it will promptly notify Amazon in writing about:

   (i)     any instruction which, in its opinion, infringes applicable law;

   (ii)     any actual or suspected security breach, unauthorised access, misappropriation, loss, damage or other compromise of the security, confidentiality, or integrity of Personal Data processed by Processor or a subprocessor ("Security Breach");

   (iii)     any complaint, communication or request received directly by the Processor or a subprocessor from a data subject and pertaining to their personal data, without responding to that request unless it has been otherwise authorised to do so by Amazon; and

   (iv)     any change in legislation applicable to the Processor or a subprocessor which is likely to have a substantial adverse effect on the warranties and obligations in these Processing Terms.

   (j)     that upon discovery of any Security Breach, it shall:

   (i)     immediately take action to prevent any further Security Breach; and

   (ii)     provide Amazon with full and prompt cooperation and assistance in relation to any notifications that Amazon is required to make as a result of the Security Breach.

   (k)     to provide Amazon with full and prompt cooperation and assistance in relation to any complaint, communication or request received from a data subject, including by:

   (i)     providing Amazon with full details of the complaint, communication or request;

   (ii)     where authorised by Amazon, complying with a request from a data subject in relation to their Personal Data within the relevant timescales set out by applicable law and in accordance with Amazon’s instructions;

   (iii)     providing Amazon with any Personal Data it holds in relation to a data subject, if required in a commonly-used, structured, electronic and machine-readable format;

   (iv)     providing Amazon with any information requested by Amazon relating to the processing of Personal Data under these Processing Terms;

   (v)     correcting, deleting or blocking any Personal Data; and

   (vi)     implementing appropriate technical and organisational measures that enable it to comply with this paragraph (k).

   (l)     to provide Amazon with full and prompt cooperation and assistance in relation to any data protection impact assessment or regulatory consultation that Amazon is legally required to make in respect of Personal Data.

   (m)     to appoint, and identify to Amazon, an individual to support Amazon in monitoring compliance with these Processing Terms, and to make available to Amazon upon request all information and evidence necessary to demonstrate that the Processor is complying with its obligations under these Processing Terms.

   (n)     at the request of Amazon, to submit its data processing facilities for audits and inspections of the processing activities covered by these Processing Terms, which shall be carried out by Amazon or any independent or impartial inspection agents or auditors selected by Amazon and not reasonably objected to by the Processor.

   (o)     that it shall not subcontract any of its processing operations under these Processing Terms unless:

   (i)     it has obtained the prior written consent of Amazon to do so; and

   (ii)     the subprocessor is subject to a written agreement which is governed by European Member State law to the extent that the agreement relates to Personal Data and which imposes the same obligations on that subprocessor as are imposed on the Processor under these Processing Terms. This does not preclude the Processor and the subprocessor from adding clauses on business related issues where required as long as they do not contradict these Processing Terms.

   (p)     upon request, to promptly send a copy of any agreement it concludes with a subprocessor relating to Personal Data to Amazon.

5. Liability. The Processor shall remain fully liable to Amazon for any subprocessors' processing of Personal Data.
6. Indemnity. The Processor agrees to indemnify and keep indemnified and defend at its own expense Amazon against all costs, claims, damages or expenses incurred by Amazon or for which Amazon may become liable due to any failure by the Processor or its employees or agents to comply with any of its obligations under these Processing Terms or under applicable data protection laws.
7. Allocation of costs. Each party shall perform its obligations under these Processing Terms at its own cost.
8. Governing Law. These Processing Terms shall be governed by the law of the Member State where the controller is established.
9. Termination of the Services

   9.1     Amazon is entitled to suspend and/or terminate the Agreement with immediate effect, in so far as it relates to the processing of Personal Data if:

   (a)     the Processor commits any material breach of these Processing Terms; or

   (b)     Amazon gives notices to the Processor to remedy the breach (or to the extent that the breach is not capable of remedy, to give compensation for it) and the Processor fails to do so within twenty-eight days of the notice.

   9.2     The parties agree that upon termination of the Services in so far as they relate to Personal Data, the Processor and all subprocessors shall, at the choice of Amazon and as soon as reasonably or technically possible, return all Personal Data and the copies thereof to Amazon, or securely destroy all Personal Data and certify to Amazon that it or they have done so, unless a European Union or, if applicable, European Member State law to which the Processor or a subprocessor are subject prevent the Processor or subprocessor from returning or destroying all or part of the Personal Data. In such a case, the Processor warrants that it will guarantee the confidentiality of Personal Data and will not actively process Personal Data anymore, and will guarantee the return and/or destruction of the Personal Data as requested by Amazon when the legal obligation to not return or destroy the information is no longer in effect.

   9.3     Upon request of Amazon, the Processor will submit its data processing facilities for an audit of the measures referred to in paragraph 9.2.

10. Miscellaneous

    10.1     In the event of inconsistencies between the provisions of these Processing Terms and other agreements between the parties, the provisions of these Processing Terms shall prevail with regard to the parties' data protection obligations relating to Personal Data. In cases of doubt, these Processing Terms shall prevail, in particular, where it cannot be clearly established whether a clause relates to a party's data protection obligations.

    10.2     Should any provision or condition of these Processing Terms be held or declared invalid, unlawful or unenforceable by a competent authority or court, then the remainder of these Processing Terms shall remain valid. Such an invalidity, unlawfulness or unenforceability shall have no effect on the other provisions and conditions of these Processing Terms to the maximum extent permitted by law. The provision or condition affected shall be construed either: (a) to be amended in such a way that ensures its validity, lawfulness and enforceability while preserving the parties' intentions, or if that is not possible, (b) as if the invalid, unlawful or unenforceable part had never been contained in these Processing Terms.

    10.3     Any amendments to these Processing Terms shall be in writing duly signed by authorised representatives of the parties hereto.

    10.4     Any affiliate of Amazon located in the EEA, UK and/or Switzerland, may become data exporter under these Processing Terms by unilateral declaration of accession without the requirement of further action by the Processor.

 

ANNEX 1

For purposes of this Annex 1, the following definitions apply:

“Amazon” “we” “us” or “our” means Amazon Payments Europe S.C.A.

“Merchant” “you” or “your” means a customer of Processor who has enabled the Amazon payment processing service and related products and services currently branded as Advanced Payments APIs.

Information name or field name	Description	Required	Data Format	Example value
SellerId	The Amazon-designated ID associated with your Merchant account.	Yes	Alphanumeric	A1XX111XXX111XXX
SettlementStartDate	Start date and time for the current settlement period. The maximum date range is 30 days.	Yes	ISO 8601 format	2015-05- 18T14:37:01-0700
SettlementEndDate	End date and time for the current settlement period. The maximum date range is 30 days.	Yes	ISO 8601 format	2015-05-21T14:37:03-0700
TransactionPostedDate	Date and time when the transaction was debited or credited to your Merchant account.	Yes	ISO 8601 format	2015-05- 18t15:48:50-0000
SettlementId	Amazon-designated identifier for the current settlement period.	Yes	Alphanumeric	5044561311
AmazonTransactionId	Amazon-designated identifier for a transaction.	Conditional. Only present for the following TransactionType values: Authorization Capture Refund A-to-Z Guarantee Claim Chargeback Dispute	Alphanumeric	P01-2400747-7767109-C084595
TransactionType	Type of transaction, corresponding to: Authorization – Funds debited from the Merchant account for an uncaptured authorization. Capture – Funds captured against an authorization using the Capture operation. Refund – Funds refunded against a previous Capture using the Refund operation. Debt – Funds debited from a Merchant account when the merchant does not have a sufficient balance to cover a refund. A-to-z Guarantee Claim – Funds debited from the Merchant account to resolve a consumer dispute filed with Amazon. Chargeback – Funds debited from the Merchant account to resolve a consumer dispute filed with their financial institution. Dispute – Funds debited from the Merchant account to initiate a dispute. Adjustments – A miscellaneous credit or debit made by Amazon to your account. Reserve – Funds held in your account to cover future refunds, A-to-z claims or chargebacks (see policy). Carryover – Undisbursed funds carried over from previous settlement periods. Transfer – Funds transferred by Amazon to your bank account.	Yes	Alphanumeric, one of Authorization Capture Refund Debt A-to-z Guarantee Claim Chargeback Dispute Adjustments Reserve Carryover Transfer	Capture
AmazonOrderReferenceId	Amazon-designated identifier for the Order Reference this transaction is associated with. A unique AmazonOrderReferenceId is provided to you when a buyer clicks the “Amazon Pay” button and signs in using their Amazon username and password, or when loading one of the widgets. This Id can be associated with multiple transactions.	Conditional. Only present for the following TransactionType values: Capture Refund A-to-Z Guarantee Claim Chargeback Authorization Dispute	Alphanumeric	P12-4323454-0987678
SellerOrderId	Merchant-specified Id for the Order Reference this transaction is associated with. This corresponds to the SellerOrderId specified in the SetOrderReferenceDetails operation. This Id can be associated with multiple transactions.	Conditional. Only present for the following TransactionType values if specified by the merchant: Capture Refund A-to-Z Guarantee Claim Chargeback Authorization Dispute	Alphanumeric	OALP1234
CurrencyCode	Currency of the transaction.	Yes	Alphanumeric (ISO 4217 standard), one of: EUR GBP USD	EUR
TransactionDescription	Merchant’s or Amazon’s description of the transaction. For Capture and Refund TransactionType values, this corresponds to the optional SellerNote parameter in the API. For all other TransactionType values, this is a human readable field set by Amazon, which may change from time to time.	Conditional. Only present for the following TransactionType values if specified by the merchant: Capture Refund Present for the following TransactionType values as determined by Amazon: A to Z Guarantee Claim Chargeback Dispute Adjustment Reserve Carryover Transfer	Alphanumeric	Charge for Blue Sweater.
TransactionAmount	Amount of the transaction that is credited or debited to your Merchant account: Authorizations are debits to your account for uncaptured authorizations. Captures are credits to your account. Refunds are debits to your account. A-to-z Claims and Chargebacks can be credits or debits to your account. Disputes are debits to your account. Two Reserve entries will be listed in each report: A credit representing Reserves held in the prior settlement period. A debit representing Reserves held in the current settlement period. Carryovers may be credits or debits depending on un-disbursed account balance in the prior settlement period. Adjustments may be credits or debits. Transfer is a debit to your account.	Yes	Numeric	1.000,00
TransactionPercentageFee	Amazon’s percentage fee (also referred to as a processing fee) associated with the transaction. See our Fee Schedule for more information. Fees: Debited for Captures (including Cross Border fees if applicable) Credited for Refunds, A-to-z Claims, and Chargebacks Not assessed (zero) for Adjustments, Reserves or Carryovers and Transfers	Yes	Numeric	2.2
TransactionFixedFee	Amazon’s percentage fee (also referred to as a processing fee) associated with the transaction. See our Fee Schedule for more information. Fees: Debited for Captures (including Cross Border fees if applicable) Credited for Refunds, A-to-z Claims, and Chargebacks Not assessed (zero) for Adjustments, Reserves or Carryovers and Transfers	Yes	Numeric	2.2
NetTransactionAmount	Total amount credited or debited to your account. This is equal to the TransactionAmount less the TransactionFee.	Yes	Numeric	96.85
Buyer identification	Amazon's specific fields embracing : BuyerName, BuyerEmailAddress, BillingAddressLine, BillingAddressCity, BillingAddressDistrictOrCounty, BillingAddressStateOrRegion, BillingAddressPostalCode, BillingAddressCountryCode	Conditional, only present if the merchant wants to be covered by A-to-Z garantee on physical goods delivered at home.	Alphanumeric	John Doe

 

ANNEX 2

Technical and organisational security measures

Description of the technical and organisational security measures implemented and maintained by the Supplier in accordance with Clause (e):

1. SCOPE; DEFINITIONS

   1.1     Security Policy. Supplier will comply in all respects with Amazon’s information security requirements set forth in this Annex 2 (the “Security Policy”). The Security Policy applies to Supplier’s performance under the Agreement and all access, collection, use, storage, transmission, disclosure, destruction or deletion of, and security incidents regarding, Amazon Information. This Security Policy does not limit other obligations of Supplier, including under the Agreement or laws that apply to Supplier, Supplier’s performance under the Agreement, the Amazon Information or the Permitted Purpose. To the extent this Security Policy directly conflicts with the Agreement, Supplier will promptly notify Amazon of the conflict and will comply with the requirement that is more restrictive and more protective of Amazon Information (which may be designated by Amazon). Amazon may change this Security Policy from time to time at its sole discretion upon providing written notice to the Supplier, provided that if such changes are not commercially reasonable, the parties will meet and agree on appropriate additional fees.

   1.2     Definitions.

   1.2.1      “Aggregate” means to combine or store Amazon Information with any data or information of Supplier or any third party.

   1.2.2     “Anonymize” means to use, collect, store, transmit or transform any data or information (including Amazon Information) in a manner or form that does not identify, permit identification of, and is not otherwise attributable to any user, device identifier, source, product, service, context, brand, or Amazon or its affiliates.

   1.2.3      “Amazon Information” means, individually and collectively: (a) all Amazon Confidential Information (as defined in the Agreement or in the non-disclosure agreement between the parties); (b) all other data, records, files, content or information, in any form or format, acquired, accessed, collected, received, stored or maintained by Supplier or its affiliates from or on behalf of Amazon or its affiliates, or otherwise in connection with the Agreement, the services, or the parties’ performance of or exercise of rights under or in connection with the Agreement (including Personal Data); and (c) derived from (a) or (b), even if Anonymized.

   1.2.4     “Supplier” means the Company.

   1.3     Permitted Purpose. Except as expressly authorized under the Agreement, Supplier may access, collect, use, store, and transmit only the Amazon Information expressly authorized under the Agreement and solely for the purpose of providing the services under the Agreement, consistent with the licenses (if any) granted under the Agreement (the “Permitted Purpose”). Except as expressly authorized under the Agreement, Supplier will not access, collect, use, store or transmit any Amazon Information and will not Aggregate Amazon Information, even if Anonymized. Except with Amazon’s prior express written consent, Supplier will not (1) transfer, rent, barter, trade, sell, rent, loan, lease or otherwise distribute or make available to any third party any Amazon Information or (2) Aggregate Amazon Information with any other information or data, even if Anonymized.

2. AMAZON SECURITY POLICY.

2.1     Basic Security Requirements. Supplier will, consistent with current best industry standards and such other requirements specified by Amazon based on the classification and sensitivity of Amazon Information, maintain physical, administrative and technical safeguards and other security measures (i) to maintain the security and confidentiality of Amazon Information accessed, collected, used, stored or transmitted by Supplier, and (ii) to protect that information from known or reasonably anticipated threats or hazards to its security and integrity, accidental loss, alteration, disclosure and all other unlawful forms of processing. Without limitation, Supplier will comply with the following requirements:

2.1.1     Firewall. Supplier will install and maintain a working network firewall to protect data accessible via the Internet and will keep all Amazon Information protected by the firewall at all times.

2.1.2     Updates. Supplier will keep its systems and software up-to-date with the latest upgrades, updates, bug fixes, new versions and other modifications necessary to ensure security of the Amazon Information.

2.1.3     Anti-malware. Supplier will at all times use anti-malware software and will keep the anti-malware software up to date. Supplier will mitigate threats from all viruses, spyware, and other malicious code that are or should reasonably have been detected.

2.1.4     Encryption. Supplier will encrypt data at rest and data sent across open networks in accordance with industry best practices.

2.1.5     Testing. Supplier will regularly test its security systems and processes to ensure they meet the requirements of this Security Policy.

2.1.6      Access Controls. Supplier will secure Amazon Information, including by complying with the following requirements:

1. Supplier will assign a unique ID to each person with computer access to Amazon Information.
2. Supplier will restrict access to Amazon Information to only those people with a “need-to-know” for a Permitted Purpose.
3. Supplier will regularly review the list of people and services with access to Amazon Information, and remove accounts that no longer require access. This review must be performed at least once every 90 days.
4. Supplier will not use manufacturer-supplied defaults for system passwords and other security parameters on any operating systems, software or other systems. Supplier will mandate and ensure the use of system-enforced “strong passwords” in accordance with the best practices (described below) on all systems hosting, storing, processing, or that have or control access to, Amazon Information and will require that all passwords and access credentials are kept confidential and not shared among personnel.
   • Password best practices. Passwords must meet the following criteria:
     • contain at least 8 characters;
     • not match previous passwords, the user’s login, or common name;
     • must be changed whenever an account compromise is suspected or assumed; and
     • are regularly replaced after no more than 90 days.
5. Supplier will maintain and enforce “account lockout” by disabling accounts with access to Amazon Information when an account exceeds more than ten (10) consecutive incorrect password attempts.
6. Except where expressly authorized by Amazon in writing, Supplier will isolate Amazon Information at all times (including in storage, processing or transmission), from Supplier’s and any third party information.
7. If additional physical access controls are requested in writing by Amazon, Supplier will implement and use those secure physical access control measures.
8. Supplier will provide to Amazon, on an annual basis or more frequently upon Amazon’s request, (1) log data about all use (both authorized and unauthorized) of Amazon’s accounts or credentials provided to Supplier for use on behalf of Amazon (e.g., social medial account credentials), and (2) detailed log data about any impersonation of, or attempt to impersonate, Amazon personnel or Supplier personnel with access to Amazon Information.
9. Supplier will regularly review access logs for signs of malicious behavior or unauthorized access.

2.1.7     Supplier Policy. Supplier will maintain and enforce an information and network security policy for employees, subcontractors, agents, and suppliers that meets the standards set out in this policy, including methods to detect and log policy violations. Upon request by Amazon, Supplier will provide Amazon with information on violations of Supplier’s information and network security policy, even if it does not constitute a Security Incident.

2.1.8     Subcontract. Supplier will not subcontract or delegate any of its obligations under this Security Policy to any subcontractors, affiliates, or delegates (“Subcontractors”) without Amazon’s prior written consent. Notwithstanding the existence or terms of any subcontract or delegation, Supplier will remain responsible for the full performance of its obligations under this Security Policy. The terms and conditions of this Security Policy will be binding upon Supplier’s Subcontractors and Personnel. Supplier (a) will ensure that its Subcontractors and Personnel comply with this Security Policy, and (b) will be responsible for all acts, omissions, negligence and misconduct of its Subcontractors and Personnel

2.1.9     Remote Access. Supplier will ensure that any access from outside protected corporate or production environments to systems holding Amazon Information or Supplier’s corporate or development workstation networks requires multi-factor authentication (e.g., requires at least two separate factors for identifying users).

2.1.10     “In Bulk” Access. Except where expressly authorized by Amazon in writing, Supplier will not access, and will not permit access to, Amazon Information “in bulk” whether the Amazon Information is in an Amazon- or Supplier-controlled database or stored in any other method, including storage in file-based archives (e.g., flat files), etc. For purposes of this section, “in bulk” access means accessing data by means of database query, report generation or any other mass transfer of data. Specifically, this section prohibits any access to Amazon Information except for access to individual records as needed for the Permitted Purpose. Supplier will preserve detailed log data on attempted or successful “in bulk” access to Amazon Information, and provide reports from these logs as part of its obligations under Section 2.65 (Security Review). In the event that Amazon provides written authorization for access to Amazon Information “in bulk”, Supplier will (1) limit such access only to specified employees with the ”need to know”, and (2) use tools that limit access and require explicit authorization and logging of all access.

2.1.11     Supplier Personnel. Amazon may condition access to Amazon Information by Supplier personnel on Supplier personnel’s execution and delivery to Amazon of individual nondisclosure agreements, the form of which is specified by Amazon. If required by Amazon, Amazon requests that Supplier’s personnel execute the individual nondisclosure agreement. Supplier will obtain and deliver to Amazon signed individual nondisclosure agreements from Supplier personnel that will have access to the Amazon Information (prior to granting access or providing information to the Supplier personnel). Supplier will also (i) maintain a list of all Supplier personnel who have accessed or received the Amazon Information and provide that list to Amazon upon request within an agreed upon timeframe, and (ii) notify Amazon no later than 24 hours after any specific individual Supplier personnel authorized to access Amazon Information in accordance with this Section: (y) no longer needs access to Amazon Information or (z) no longer qualifies as Supplier personnel (e.g., the personnel leaves Supplier’s employment).

2.2     Access to Amazon Extranet and Supplier Portals. Amazon may grant Supplier access to Amazon Information via web portals or other non-public websites or extranet services on Amazon’s or a third party’s website or system (each, an “Extranet”) for the Permitted Purpose. If Amazon permits Supplier to access any Amazon Information using an Extranet, Supplier must comply with the following requirements:

2.2.1     Permitted Purpose. Supplier and its personnel will access the Extranet and access, collect, use, view, retrieve, download or store Amazon Information from the Extranet solely for the Permitted Purpose.

2.2.2     Accounts. Supplier will ensure that Supplier personnel use only the Extranet account(s) designated for each individual by Amazon and will require Supplier personnel to keep their access credentials confidential.

2.2.3     Systems. Supplier will access the Extranet only through computing or processing systems or applications running operating systems managed by Supplier and that include: (i) system network firewalls in accordance with Section 2.1.1 (Firewall); (ii) centralized patch management in compliance with Section 2.1.2 (Updates); (iii) operating system appropriate anti-malware software in accordance with Section 2.1.3 (Anti-malware); and (iv) for portable devices, full disk encryption.

2.2.4     Restrictions. Except if approved in advance in writing by Amazon, Supplier will not download, mirror or permanently store any Amazon Information from any Extranet on any medium, including any machines, devices or servers,.

2.2.5     Account Termination. Supplier will terminate the account of each of Supplier’s personnel and notify Amazon no later than 24 hours after any specific Supplier personnel who has been authorized to access any Extranet (a) no longer needs access to Amazon Information or (b) no longer qualifies as Supplier personnel (e.g., the personnel leaves Supplier’s employment).

2.2.6     Third Party Systems.

1. Supplier will give Amazon prior notice and obtain Amazon’s prior written approval before it uses any Third Party System that stores or may otherwise have access to Amazon Information, unless a) the data is encrypted in accordance with this Security Policy, and b) the Third Party System will not have access to the decryption key or unencrypted “plain text” versions of the data. Amazon reserves the right to require an Amazon security review (in accordance with Section 2.5 (Security Review)) of the Third Party System before giving approval.
2. If Supplier uses any Third Party Systems that store or otherwise may access unencrypted Amazon Information, Supplier must perform a security review of the Third Party Systems and their security controls and will provide Amazon periodic reporting about the Third Party System’s security controls in the format requested by Amazon (e.g., SAS 70 or its successor report), or other recognized industry-standard report approved by Amazon).

2.3     Data Retention and Destruction.

2.3.1     Retention. Supplier will retain Amazon Information only for the purpose of, and as long as is necessary for, the Permitted Purpose.

2.3.2     Return or Deletion. Supplier will promptly (but within no more than 72 hours after Amazon’s request) return to Amazon and permanently and securely delete all Amazon Information upon and in accordance with Amazon’s notice requiring return and/or deletion. Also, Supplier will permanently and securely delete all live (online or network accessible) instances of the Amazon Information within 90 days after the earlier of completion of the Permitted Purpose or termination or expiration of the Agreement. If requested by Amazon, Supplier will certify in writing that all Amazon Information has been destroyed.

2.3.3     Archival Copies. If Supplier is required by law to retain archival copies of Amazon Information for tax or similar regulatory purposes, this archived Amazon Information must be stored in one of the following ways:

1. As a “cold” or offline (i.e., not available for immediate or interactive use) backup stored in a physically secure facility; or
2. Encrypted, where the system hosting or storing the encrypted file(s) does not have access to a copy of the key(s) used for encryption.

2.3.4     Recovery. If Supplier performs a “recovery” (i.e., reverting to a backup) for the purpose of disaster recovery, Supplier will have and maintain a process that ensures that all Amazon Information that is required to be deleted pursuant to the Agreement or this Security Policy will be re-deleted or overwritten from the recovered data in accordance with this Section 2.3 within 24 hours after recovery occurs. If Supplier performs a recovery for any purpose, no Amazon Information may be recovered to any third party system or network without Amazon’s prior written approval. Amazon reserves the right to require an Amazon security review (in accordance with Section 2.5 (Security Review)) of the third party system or network before permitting recovery of any Amazon Information to any third party system or network.

2.3.5     Deletion Standards. All Amazon Information deleted by Supplier will be deleted in accordance with the NIST Special Publication 800-88 Revision 1, Guidelines for Media Sanitation December 18, 2014 (available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf ), or through degaussing of magnetic media in an electromagnetic flux field of 5000+ GER, or by shredding or mechanical disintegration, or such other standards Amazon may require based on the classification and sensitivity of the Amazon Information. With respect to Amazon Information encrypted in compliance with this Security Policy, this deletion may be done by permanently and securely deleting all copies of the keys used for encryption.

2.4     Forensic Destruction. Before disposing in any manner of any hardware, software, or any other media that contains, or has at any time contained, Amazon Information, Supplier will perform a complete forensic destruction of the hardware, software or other media so that none of the Amazon Information can be recovered or retrieved in any form. Supplier will perform forensic destruction in accordance with the standards Amazon may require based on the classification and sensitivity of the Amazon Information.

2.4.1     Supplier will not sell, resell, donate, refurbish, or otherwise transfer (including any sale or transfer of any such hardware, software, or other media, any disposition in connection with any liquidation of Supplier’s business, or any other disposition) any hardware, software or other media that contains Amazon Information that has not been Forensically Destroyed by Supplier.

2.5     Security Review.

2.5.1     Amazon reserves the right to periodically request Supplier to complete a new Amazon risk assessment questionnaire.

2.5.2     Certification. Upon Amazon’s written request, Supplier will certify in writing to Amazon that it is in compliance with this Agreement.

2.5.3     Other Reviews. Amazon reserves the right to periodically review the security of systems that Supplier uses to process Amazon Information. Supplier will cooperate and provide Amazon with all required information within a reasonable time frame but no more than 20 calendar days from the date of Amazon’s request.

2.5.4      Remediation. If any security review identifies any deficiencies, Supplier will, at its sole cost and expense take all actions necessary to remediate those deficiencies within an agreed upon timeframe.

2.6     Security Incidents.

2.6.1     Supplier will inform Amazon within 24 hours of detecting any actual or suspected unauthorized access, collection, acquisition, use, transmission, disclosure, corruption or loss of Amazon Information, or breach of any environment (i) containing Amazon Information, or (ii) managed by Supplier with controls substantially similar to those protecting Amazon Information (each, a “Security Incident”). Supplier will remedy each Security Incident in a timely manner and provide Amazon written details regarding Supplier’s internal investigation regarding each Security Incident. Supplier agrees not to notify any regulatory authority, nor any Amazon, on behalf of Amazon unless Amazon specifically requests in writing that Supplier do so and Amazon reserves the right to review and approve the form and content of any notification before it is provided to any party. Supplier will cooperate and work together with Amazon to formulate and execute a plan to rectify all confirmed Security Incidents.

2.6.2      Supplier will inform Amazon within 24 hours when its data is being sought in response to legal process or by applicable law.

 

AMAZON PAYMENTS EUROPE S.C.A., SOCIÉTÉ EN COMMANDITE PAR ACTIONS

38, AVENUE J.F. KENNEDY., L-1855 LUXEMBOURG

R.C.S. LUXEMBOURG : B 153 265 – Agréé en tant qu’établissement de monnaie électronique suivant autorisation ministérielle n° 36/10