Amazon Payments Addendum
Last updated: 30 April 2020
This Amazon Payments Addendum (this “Addendum”) contains terms and conditions which supplement the master services agreement (the “Agreement”) pursuant to which Supplier (as defined below) provides certain services to Amazon (as defined below). The supplier (the “Supplier”) named in the Agreement or any work order (a “Work Order”) issued pursuant to the Agreement has agreed to provide certain services to (i) Amazon Payments Europe s.c.a. (a Luxembourg electronic money institution, having its registered office at 38, Avenue John F. Kennedy, L-1855, Luxembourg) (“APE”); and/or (ii) Amazon Payments UK Limited (an authorised payment institution in the UK, having its registered office at 1 Principal Place, Worship Street, London EC2A 2FA) (“APUK”, and together with APE, “Amazon”). This Addendum applies when Supplier provides Services to Amazon under a Work Order executed by Amazon and Supplier.
The parties agree as follows.
- Definitions. Unless otherwise defined in the Agreement, all capitalized terms used in this Addendum will have the meanings given to them below:
- Data Protection.
- Security Responsibilities of Supplier.
- Subcontracting.
- Record keeping and audit.
- Contingency and recovery plans.
- Service Levels.
- Nondisclosure. The parties agree that the details of this Addendum are not publicly known and constitute Confidential Information under the confidentiality provisions of the Agreement.
- Right to terminate.
- Restricted Parties and Export Control. Company represents and warrants to Amazon that:
- Effect of Addendum. Except as expressly provided herein, nothing in this Addendum waives or modifies any of the provisions of the Agreement, or any amendment or addendum thereto. Except as provided in this Addendum, all terms and conditions of the Agreement shall remain in full force and effect, and the parties hereto acknowledge that such terms and conditions are in full force and effect as of the date hereof. In the event of any conflict between the terms of this Addendum and the terms of the Agreement, the terms of this Addendum shall prevail.
- Counterparts. This Addendum may be executed in any number of counterparts, each of which will be deemed an original, but all of which taken together will constitute one and the same instrument. This Addendum may be executed by facsimile or other electronically transmitted copy.
i. "Amazon Data" means all Data (including, without limitation, any Data related to users or Amazon’s or its Affiliates’ websites or services, whether personally identifiable or not, including any information regarding any natural person) (a) collected, received, stored or maintained by Supplier in connection with Amazon’s use of the Services or Supplier’s performance of its obligations under the Work Order, (b) provided by Amazon to Supplier, or (c) derived from (a) or (b).
ii. "Data" means any data, records, files, content or information, in any form or format, including interim, processed, compiled, summarized, or derivative versions of such data, content or information.
iii. "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and any replacement directive or regulation imposing equivalent obligations.
iv. "EEA" means the European Economic Area.
v. "Privacy Shield" means the EU Privacy Shield and the Swiss Privacy Shield frameworks as agreed with the U.S. Department of Commerce regarding the collection, use, and retention of data from the European Union and Switzerland.
vi. "processing" has the meaning given to it in GDPR and “process”, “processes” and “processed” will be interpreted accordingly.
vii. "Security Incident" means a singular event or a series of linked events unplanned by Amazon, which has or will probably have an adverse impact on the integrity, availability, confidentiality, authenticity and/or continuity of payment-related services.
viii. "Service Levels" means the specific requirements applicable to the Services, based on Amazon’s requirements in relation to the respective Services, set forth in the appendix to the Work Order for the corresponding Services.
ix. "Standard Contractual Clauses" means Annex 1 attached to and forming part of this Addendum pursuant to the European Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under GDPR.
2.1. Subject to the terms of any applicable Laws, in particular but without limitation any applicable data protection regulation (including GDPR and any amendments thereof, as and when they are applicable to the parties), the parties acknowledge that in the performance of the Services, Supplier will have access to Amazon Data. Amazon hereby authorizes Supplier to receive and process such data for the purpose as stated in this Addendum. Supplier acknowledges and agrees that Amazon does not authorize Supplier to use such data for any purposes other than for the performance of Services under the Agreement and the Work Order.
2.2. Supplier may collect, use, store and retain only the Amazon Data that is expressly authorized under the Work Order, and then may only collect, use, store and retain that Amazon Data solely as necessary for Supplier to perform the Services in accordance with the Agreement and the Work Order. Supplier (including its affiliates and their employees) will not otherwise collect, monitor, use or retain any Amazon Data. Supplier will not collect Amazon Data by means other than those authorized in the Work Order, or as otherwise agreed in writing. In performing the Services, Supplier will at no time monitor, collect, use or store any personally identifiable information other than on behalf of, and as directed by, Amazon, except as required in compliance with Laws. Without limiting any rights and remedies available to Amazon, Amazon may terminate the Work Order immediately upon written notice to Supplier in the event of breach of the provisions of this Section 2.2.
2.3. Each party undertakes to comply with its respective obligations under GDPR and any implementation of GDPR in the governing law or any other applicable law (including any variation or addition to GDPR and to any implementation thereof) and any applicable codes of practice and best practice guidance issued by any applicable authorities (together, the “Data Protection Requirements”). In particular and without limitation, where in the course of providing the Services Supplier processes personal data (as defined in the Data Protection Requirements) on Amazon’s behalf Supplier will: (a) act only as a data processor on instructions from Amazon as data controller; (b) take appropriate technical and organizational measures against unauthorised or unlawful processing of such personal data and against accidental loss or destruction of, or damage to the personal data; (c) not transfer any such personal data outside the countries of the EEA, without the prior written consent of Amazon which may be refused at Amazon’s sole discretion and subject to the Supplier (i) being a participant in the Privacy Shield for the relevant type of personal data and processing being done under the Work Order, (ii) being located in a country outside the EEA that is recognized by the European Commission as providing an adequate level of protection for personal data or (iii) entering into the Standard Contractual Clauses; (d) allow Amazon access to any relevant premises owned or controlled by Supplier on reasonable notice to inspect Supplier’s procedures in relation to the processing of the personal data and will, on request from time to time, prepare a report for Amazon as to Supplier’s current technical and organizational measures used to protect any such personal data; and (e) keep all materials containing such personal data in a safe and secure place (or if held electronically Supplier shall ensure it has appropriate electronic security systems in place) and shall return them to Amazon (or if held electronically Supplier shall ensure all files containing data are deleted and shall provide written confirmation of this to Amazon) immediately on termination or expiry of this Agreement or sooner on Amazon’s written request.
2.4. Amazon owns and reserves all right, title and interest in and to the Amazon Data and all Proprietary Rights in or to any of the Amazon Data (“Amazon Intellectual Property”). Except as may expressly be set forth in the Work Order, no right, title, or interest to any of the Amazon Intellectual Property is transferred or licensed to Supplier. Amazon’s use of Services will be considered Amazon’s Confidential Information and subject to the confidentiality provisions of the Agreement.
2.5. Supplier will not disclose Amazon Data to any law enforcement authority, except as necessary to comply with the law or a valid and binding order of a law enforcement agency (such as a subpoena or court order). If a law enforcement authority sends Supplier a demand for Amazon Data, Supplier will attempt to redirect the law enforcement agency to request that data directly from Amazon. As part of this effort, Supplier may provide Amazon’s basic contact information to the law enforcement agency. If compelled to disclose Amazon Data to a law enforcement agency, then Supplier will give Amazon reasonable notice of the demand to allow Amazon to seek a protective order or other appropriate remedy unless Supplier is legally prohibited from doing so.
2.6. If Supplier engages a subcontractor for the provision of any part of the Services, Amazon will have the right to monitor and inspect subcontractor’s performance of the Services in accordance with the terms of this Addendum and the Data Protection Requirements. This includes the right of Amazon to request and receive information from Supplier, within five (5) days of Amazon’s written request, on the substance of the agreement with the subcontractor and the implementation of the data protection obligations set forth in this Addendum by the subcontractor, and where necessary, inspect the relevant documents.
2.7. Supplier acknowledges and understands that Amazon Payments Europe S.C.A. is bound by professional secrecy under Luxembourg law, the breach of which is criminally sanctioned.
Supplier will comply with the Amazon Infosec Policy that forms an integral part of the Agreement, which Amazon may change from time to time upon providing advance written notice to Supplier. In addition, Supplier will implement and maintain technical and organizational measures to, without limitation, maintain physical security of the Supplier’s premises, Supplier’s computer and operations systems, to restrict access to Amazon Data solely to Supplier’s employees that are performing Services for Amazon under the Work Order pursuant to Section 2.2 of the Infosec Policy. Supplier will promptly notify Amazon about any security breaches relating to the Supplier’s systems utilized by Supplier to provide the Services and to Services that may involve Amazon’s Confidential Information or Amazon Data.
Supplier will promptly, and in any case within 24 hours of becoming aware or suspecting, notify Amazon about any (a) “personal data breach,” as that term is defined under GDPR; or (b) Security Incident, as defined above.
4.1. Amazon agrees that Supplier may use subcontractors to provide Services under the Agreement, including providing access to Amazon Data to subcontractors. Supplier’s use of subcontractors in connection with the performance of the Services will be governed by the following provisions:
i. Supplier may not subcontract the performance of the Services without Amazon’s prior written consent;
ii. Supplier warrants and represents that the subcontractor engaged by Supplier for the provision of Services is a qualified, reputable provider of the applicable services;
iii. Supplier will be fully liable for any obligations, services and functions performed by the subcontractor, to the same extent as if such obligations, services and functions were performed by Supplier and, for purposes of the Agreement and/or the respective Work Order, such work will be deemed work performed by Supplier;
iv. Supplier will be Amazon’s sole point of contact regarding any portion of the Services performed by a subcontractor and Amazon’s sole responsibility in relation to the payment for the Services is towards Supplier;
v. Supplier will be fully liable for subcontractor’s compliance with any applicable Laws and where necessary or pursuant to Amazon’s instructions take such action and/or instruct subcontractor to take such action so as to ensure subcontractor is compliant with Laws;
vi. Supplier will disclose Amazon Data to subcontractor only for the purposes as specified in this Addendum and will not disclose any Amazon Data to a subcontractor unless and until such subcontractor needs to have access to such information in order to perform its obligations relating to the provision of Services;
vii. Supplier will provide to Amazon, within five (5) days of Amazon’s written request, information about the substance of the agreement with any subcontractor engaged by Supplier according to the terms of this Addendum for the provision of the Services and the information about the implementation of the data protection obligations specified in this Addendum by the subcontractor, and where necessary, documentation confirming such compliance, if requested by Amazon; and
viii. Supplier will impose appropriate contractual obligations in writing upon any subcontractor that are no less protective than this Addendum.
4.2. Supplier confirms that as of the effective date of the respective Work Order Supplier has notified Amazon about all of the subcontractors that will be engaged by Supplier for the provision of Services. For each subcontractor, Supplier will provide the following documentation as soon as Supplier notifies Amazon of the respective subcontractor: financial statements for the year preceding the then current year, audited ISAE-3402 or SSAE-16, as applicable, and subcontractor’s business continuity plan and disaster recovery plan (“Subcontractor Information”). Supplier will not use any subcontractor without Amazon’s prior written consent. In the event of engagement of any subcontractor other than the subcontractors notified by Supplier to Amazon as of the effective date of the Work Order, Supplier will notify Amazon in writing about any subcontractors to be engaged by Supplier for the provision of the Services no less than 30 calendar days in advance and provide the Subcontractor Information together with such notification. If Amazon does not approve of a subcontractor, then without prejudice to any termination rights of Amazon under the Agreement, law and otherwise, Amazon may suspend the use of the Services until an alternative subcontractor is approved by Amazon. For the avoidance of doubt, the absence of Amazon’s approval of the subcontractor will not mean that the subcontractor is approved by Amazon and Supplier shall not proceed with the engagement of the subcontractor unless Amazon’s written approval, via email, has been provided to Supplier.
5.1. Supplier will comply with records retention provisions of any Laws which are applicable to its business, and in any event shall maintain during the term of the Agreement and for a period of no less than five (5) years thereafter full and accurate records relating to its provision of the Services (including performance against the Service Levels). Supplier shall provide copies of such records to Amazon, a governmental or regulatory body having sufficient jurisdiction and responsibility for regulating Amazon and/or Amazon’s services (the “Regulator”) and independent auditors appointed by Amazon (the “Auditors”) upon request within five (5) days from the date of the request or as otherwise may be specified by the Regulator.
5.2. Amazon, the Regulator and the Auditors will have access to Supplier’s books, records and operations related to the provision of Services at all reasonable times, during Supplier’s normal working hours, on reasonable prior written notice at Amazon’s expense. Supplier will cooperate in all respects necessary to enable Amazon, the Regulator and the Auditors to carry out the intent and purposes of this section. In the event of breach of the provisions of this Section 5.2 by the Supplier, without limiting Amazon’s other rights and remedies, Supplier will reimburse Amazon for all reasonable expenses incurred by Amazon in relation with the respective audit notified to Supplier in advance pursuant to the provisions of this Section 5.2.
5.3. Amazon will not be responsible for the payment of any of the costs or fees borne by the Supplier to comply with the provisions of Section 5 of this Addendum.
6.1. Supplier will establish, implement, and maintain contingency plans, recovery plans and risk controls to ensure Supplier’s continued performance under the Agreement (“Business Continuity Plan”). Such Business Continuity Plan must be consistent with industry best practice standards, be in place on the Effective Date of the Work Order, and remain in effect throughout the term of the Agreement. Supplier will provide Business Continuity Plan to Amazon at any time during the term of the Agreement within ten (10) days upon Amazon’s request. If Amazon objects in writing to any of the provisions of such Business Continuity Plan, Supplier will respond in writing within 10 (ten) calendar days, explaining, among other matters, the actions Supplier intends to take to cure Amazon’s objections. Supplier will review and update Business Continuity Plan to reflect the implementation of Amazon’s requirements and following the implementation will conduct disaster recovery exercises to ensure response times meet Service Level requirements. Amazon will have the right to audit Supplier’s compliance with the provisions of this Section 6.1. For the avoidance of doubt, Amazon’s review of the Business Continuity Plan, requirements for the modifications or absence thereof, including the absence of any comments on the provisions of the Business Continuity Plan, shall not constitute confirmation or assurance that the Business Continuity Plan is compliant with any regulatory or legal requirements.
6.2. Supplier will establish, implement, and maintain disaster recovery plan for critical applications, systems and services that support such availability of the Services as necessary for Supplier to meet the applicable Service Levels (the “Disaster Recovery Plan”). Such plan will cover the recovery of the Services in the event of a disaster that makes it impossible or improbable that the Services can continue to function, including the plan of escalation of the disaster to Amazon. Such plan will ensure a recovery time within six (6) hours of a declared disaster or to meet Services availability according to the Service Levels. The Disaster Recovery Plan must be in place on the Effective Date of the Work Order and remain in effect throughout the term of the Agreement. Supplier will provide Disaster Recovery Plan to Amazon at any time during the term of the Agreement within ten (10) days upon Amazon’s request. If Amazon objects in writing to any provision of such Disaster Recovery Plan, Supplier will respond in writing within ten (10) days, explaining the actions Supplier intends to take to cure Amazon’s objections. Supplier will review and update Disaster Recovery Plan to reflect the implementation of Amazon’s requirements and following the implementation will conduct disaster recovery exercises to ensure response times meet Service Level requirements. Amazon will have the right to audit Supplier’s compliance with the provisions of this Section 6.2.
6.3. Supplier will review and update each applicable plan specified in Section 7 at least annually upon written notification to Amazon, and will conduct business continuity and disaster recovery exercises to ensure response times meet Service Level requirements. Amazon will have the right to audit Supplier’s compliance with the provisions of this Section 6.3.
7.1. Supplier warrants to Amazon that:
i. Supplier will perform the Services and shall cause the subcontractors to perform the Services, as the case may be, with reasonable care and skill, at a level of accuracy, completeness, availability, timeliness, quality, responsiveness and performance in accordance with generally recognised commercial practices and standards for the Services;
ii. the Services will conform with all descriptions, user guides, manuals and specifications provided to Amazon by Supplier; and
iii. the Services will be provided in accordance with the applicable Laws.
7.2. Supplier will provide the Services pursuant to the terms of the Agreement and in accordance with the Service Levels corresponding to the respective Work Order.
7.3. Supplier will implement and use applicable measurement tools and monitoring procedures in order to accurately measure and report performance of the Services with respect to each of the Service Levels.
7.4. If Amazon becomes aware of any breach of the Service Levels, it may serve notice upon Supplier communicating the circumstances of such breach. Except as specified in the Service Levels, upon receipt of such notice, Supplier will respond to Amazon within 12 (twelve) business hours with the explanations of the breach of the respective Service Levels and, except as specified in the Service Levels, Supplier will remedy the breach within 24 (twenty four) business hours following the receipt of such notice. The business hours will be 8:00 am Central European Time until 18:00 Central European Time, Monday to Friday inclusive.
7.5. If the breach of Service Levels is not remedied within the term specified in Section 7.4 above and/or within the term applicable to a respective breach as specified in Service Levels, Amazon will, in addition and without prejudice to all other rights and remedies available to it at law or otherwise, have the right, but not the obligation, to terminate the respective Work Order pursuant to the terms of the Agreement.
9.1. Supplier’s obligations set forth in this Addendum form a material part of this Agreement.
9.2. If Amazon reasonably believes that Supplier has breached any of its obligations pursuant to this Addendum, Amazon may provide Supplier with notice of the perceived breach. Upon receipt of such notice, Supplier will have five (5) business days to perform an internal audit and respond to Amazon’s notice, unless provided otherwise in this Addendum. Supplier’s failure to comply with the requirements of this Addendum, including promptly responding to any Amazon notice of perceived breach, shall be a material breach of this Agreement and Amazon will, in addition and without prejudice to all other rights and remedies available to it under the Agreement, at law or otherwise, have the right, but not the obligation, to terminate the respective Work Order pursuant to the terms of the Agreement.
i. it and its financial institution(s) are not subject to sanctions or otherwise designated on any list of prohibited or restricted parties or owned or controlled by such a party, including but not limited to the lists maintained by the United Nations Security Council, the US Government (e.g., the US Department of Treasury’s Specially Designated Nationals list and Foreign Sanctions Evaders list and the US Department of Commerce’s Entity List), the European Union or its member states, or other applicable government authority;
ii. it will not directly or indirectly export, re-export, transmit, or cause to be exported, re-exported or transmitted, any commodities, software or technology to any country, individual, corporation, organization, or entity to which such export, re-export, or transmission is restricted or prohibited, including any country, individual, corporation, organization, or entity under sanctions or embargoes administered by the United Nations, US Departments of State, Treasury or Commerce, the European Union, or any other applicable government authority; and
iii. Company understands that some of the software, technology or related information that Company and its employees or contractors may have access to may be subject to export control laws and regulations (the “Export Controlled Materials”). Company will not, without prior written approval from Amazon, allow any of its employees or contractors to have access to or use of any Export Controlled Materials if such access or use would require an export license.