This Data Processing Addendum (“DPA”) shall be incorporated into and form part of the Fast Direct Seller Integration Agreement (the “Agreement”), under which Fast AF, Inc., a Delaware corporation, (“Fast”) provides the Services to Seller, as defined in the applicable Order Form. By using the Services, Seller agrees to the terms of this DPA, which sets out the parties’ roles and obligations in compliance with Data Protection Laws. Any terms not defined in this DPA shall have the meaning set forth in the Agreement. If any term or provision of this DPA conflicts with the Agreement, the term or provision of this DPA shall prevail, unless an applicable Order Form specifically identifies the provision(s) of this DPA to be amended, in which case such amended terms shall apply only to the Services provided under that individual Order Form and not to any other Order Form. Capitalized terms used but not defined herein have the meanings assigned to them in the Agreement. This Addendum terminates after the termination of the Agreement, at the point when Fast no longer Processes any Seller Personal Data.
1.1. The terms “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Process/Processing”, “Processor”, “Special Categories of Data”, and “Supervisory Authority” mean the same as those defined terms in the GDPR, or where other Data Protection Laws are applicable, the same meaning as analogous terms in those Data Protection Laws. For example: (i) “Controller” means the person or entity that determines the purposes and means of Processing Personal Data, and includes, as applicable, any “business” as that term is defined by the CCPA; and (ii) “Processor” means an entity that Processes Personal Data on behalf of a Controller, and includes, as applicable, any “service provider” as that term is defined by the CCPA.
1.2. “Applicable Laws” means all binding national, federal, state, and international laws, rules, and regulations, including legally binding orders imposed by any governmental or regulatory authority or court.
1.3. “Data Protection Laws” means applicable laws, statutes, regulations, and binding obligations in relation to the Processing of Personal Data, including, without limitation, the EU General Data Protection Regulation (the “GDPR”), the California Consumer Privacy Act (the “CCPA”), the UK Data Protection Act 2018, the Australian Privacy Act 1988 (Cth), and the New Zealand Privacy Act 2020, as those laws may be amended from time to time.
1.5. “Subprocessor” means a Processor appointed by Fast to assist Fast in providing the Services. A Subprocessor Processes Seller Personal Data on Seller’s behalf.
2. General Terms.
2.1. Each party shall comply with its respective obligations under Data Protection Laws.
2.3. Fast shall Process Seller Personal Data on Seller’s behalf in accordance with the Agreement, this Addendum, and Seller’s written instructions. The subject matter, duration, nature, and purpose of the Processing of Seller Personal Data to be carried out by Fast under this Addendum, and the type of Seller Personal Data and categories of Data Subjects to be Processed, are specified in Schedule 1. Fast shall not retain, use, or disclose Seller Personal Data for any purpose other than to provide the Services, or as otherwise permitted by Applicable Law.
2.4. Fast shall not Process Seller Personal Data for additional purposes unless required to do so under Applicable Laws. In such case, Fast will inform Seller of the applicable legal requirement unless prohibited by Applicable Laws. Fast shall not “sell,” as that term is defined by CCPA, Seller Personal Data.
2.5. In the event of a conflict between Applicable Laws and this Addendum, the parties shall endeavor to comply with the terms of this Addendum but without contravening Applicable Laws.
2.6. Each party will promptly notify and cooperate with the other party if it believes that it may no longer be able to comply with the terms of this Addendum.
2.7. Fast will take reasonable steps so that its personnel involved in the Processing of Seller Personal Data undertake to maintain its confidentiality.
2.8. Following termination or expiration of the Services and having received written instructions from Seller, Fast will either delete or return Seller Personal Data unless Applicable Law requires or permits Fast to continue to Process such Seller Personal Data.
3. Security Measures.
3.1. Fast will implement appropriate technical and organizational security and confidentiality measures to provide a level of security for Seller Personal Data it Processes appropriate to the risk to that Seller Personal Data, as described in Schedule 2 of this Addendum.
3.2. As required by Data Protection Laws, where Fast becomes aware of a Personal Data Breach involving Seller Personal Data Processed by Fast, Fast will notify Seller about the Personal Data Breach in accordance with Data Protection Laws, and Seller will be responsible for notifying Data Subjects if required by Data Protection Laws. In this case, Fast will provide reasonable assistance to Seller with respect to Seller’s investigation of the breach and Seller’s compliance with Data Protection Laws related to the breach including, but not limited to, any legal obligation to issue notifications about the Personal Data Breach.
4. Country Specific Terms.
4.1. To the extent the Services involve the Processing of Seller Personal Data originating from a member state of the European Economic Area, the United Kingdom, or Switzerland, the parties agree to the following terms with respect to that specific Seller Personal Data:
4.1.1. Fast will notify Seller if Fast believes that an instruction issued by Seller with respect to Fast’s Processing of Seller Personal Data poses a material risk of putting either party in breach of their respective obligations under Data Protection Laws.
4.1.2. Upon Seller’s request and taking into account the nature of the Processing, Fast will make commercially reasonable efforts to assist Seller by appropriate technical and organizational measures to enable Seller to comply with all lawful requests relating to Seller Personal Data arising from a Data Subject or from a Supervisory Authority. Fast reserves the right to seek reimbursement from Seller for reasonable costs associated with responding to inquiries from Supervisory Authorities.
4.1.3. Fast will make commercially reasonable efforts, taking into account the nature of the Processing and information available to Fast, to assist Seller where reasonably requested by Seller in fulfilling its obligations to ensure an adequate level of security while Processing Seller Personal Data and to carry out a data protection impact assessment and/or consultation with Supervisory Authorities relating to Seller Personal Data. Seller will reimburse Fast for its reasonable costs associated with Fast providing such assistance.
4.1.4. If Fast receives a valid request to exercise rights granted to a Data Subject under Data Protection Laws, and Fast Processes Seller Personal Data that contains Personal Data about that Data Subject, Fast will instruct, within a reasonable period, the requestor to contact Seller with such request.
4.1.5. Where Fast has appointed or wishes to appoint a Subprocessor under this Addendum to Process Seller Personal Data: Fast will impose on the Subprocessor substantially similar data protection obligations as those imposed by this Addendum on Fast, to the extent such obligations are applicable to the services provided by that Subprocessor, including appropriate contractual provisions and security measures designed to protect Seller Personal Data in accordance with Data Protection Laws. A list of our current subprocessors is available upon request by emailing [email protected]. Provided that your objection is reasonable, you may object to the engagement of any Subprocessor by emailing [email protected], and the parties shall discuss a resolution in good faith, and in response Fast may choose to: (i) not use the Subprocessor to Process Seller Personal Data or (ii) take corrective steps to mitigate the risk posed by the Subprocessor. If none of these options are reasonably possible and Seller continues to object for a legitimate reason, Seller may terminate the Agreement and this Addendum. The use of a Subprocessor does not release Fast from its responsibility for its obligations under this Addendum or Agreement. Fast is responsible for the Processing of Seller Personal Data by such Subprocessor as provided in Data Protection Laws.
4.1.6. Fast assesses its compliance against data protection and information security standards on a regular basis. Such assessments are conducted by Fast or by third parties engaged by Fast. Upon Seller’s written request, and subject to obligations of confidentiality, Fast will make available to Seller a summary of its most recent relevant assessment report and/or other documentation reasonably required by Data Protection Laws which Fast makes generally available to its customers, so that Seller can verify Fast’s compliance with this Addendum (“Seller’s Audit Rights”). Seller’s Audit Rights may be exercised only once in any twelve-month period starting from the date of the execution of this Addendum. Seller is responsible for reasonable costs and fees for the time Fast expends responding to Seller’s Audit Rights, in addition to the rates for services performed by Fast. For the avoidance of doubt, no access to any part of Fast systems, data hosting sites or centers, or infrastructure will be permitted, unless required by Data Protection Laws.
4.1.7. Where Fast Processes Seller Personal Data in a jurisdiction that does not provide an adequate level of data protection within the meaning of the originating jurisdiction’s Data Protection Laws, the parties agree to comply with the terms of the Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries approved by European Commission Decision of 5 February 2010 (2010/87/EU) (“SCCs”). The parties further agree, if required by law, to enter into any and all further agreements required to adhere to their respective obligations for international data transfers under Data Protection Laws, including but not limited to by inserting the actual text of the SCCs into this Addendum, or by agreeing to a superseding set of SCCs that may be subsequently approved by the relevant authorities. For the purpose of the SCCs:
4.1.7.1. The data exporter is Seller.
4.1.7.2. The data importer is Fast.
4.1.7.3. Clause 5(f) of the SCCs will be satisfied by compliance with Section 4.1.6 of this Addendum.
4.1.7.4. Clause 5(h) of the SCCs will be satisfied by compliance with Section 4.1.5 of this Addendum.
4.1.7.5. For the purposes of Clauses 9 and 11(3), the governing law is that of the EEA Member State in which Seller is established, or if Seller is not established in an EEA Member State, the EEA Member State in which Seller’s representative is established.
4.1.7.6. Appendix 1 of the SCCs is completed with the details of Processing contained in Schedule 1 of this Addendum.
4.1.7.7. Appendix 2 of the SCCs is completed with the data security measures contained in Schedule 2 of this Addendum.
4.1.7.8. Signatures to the Agreement and/or applicable Order Form constitute signatures to the SCCs.
4.2. To the extent the Services involve the Processing of Seller Personal Data originating from Australia, the parties agree to the following terms with respect to that specific Seller Personal Data:
4.2.1. When collecting, using, disclosing and storing the Seller Personal Data, Fast shall comply with the Australian Privacy Principles, as adopted under the Australian Privacy Act 1988 (Cth).
4.2.2. To the extent Fast discloses the Seller Personal Data to a third party, Fast shall enter into an agreement with the third party that contains terms no less stringent than those described under this Addendum.
Schedule 1 – Data Processing Details
Fast can Process the Personal Data to provide the applicable Services to Seller in accordance with the Agreement and Order Form. Where permitted by Data Protection Laws, Fast may also Process Seller Personal Data as reasonably necessary and proportionate to achieve Seller’s and Fast’s operational purposes in support of the Services.
Data Subjects include users of the Fast Services who initiate financial transactions with the Seller.
Seller Personal Data consists of all Personal Data Processed by Fast on behalf of Seller during the period of the provision of the Services, and is comprised of:
Personal Data of users of Fast Services as needed to complete financial transactions between the user and the Seller, including:
The period stated in the Agreement and applicable Order Form(s) for the Services, unless otherwise agreed upon in writing.
Schedule 2 – Description of Security Measures
Fast employs numerous technical and organizational measures to protect the security and privacy of company, buyer and seller data and assets. We have multiple security engineers responsible for maintaining a strong information security program that is customized for Fast’s business objectives and operating architecture. Additionally, threat intelligence and risk management are critical components of Fast’s information security program, and the security team works with relevant stakeholders across the company to identify and remediate security risks.
Fast uses leading cloud service providers to optimize availability and continuity. These providers utilize an array of security equipment, techniques, and procedures designed to control, monitor, and record access to the facilities. We have also implemented solutions designed to protect against and mitigate effects of DDoS attacks.
Fast uses encryption in transit via strong cryptographic protocols, and encrypts personally identifiable information at rest. Fast also leverages SSL certificates to encrypt data in transit between Sellers and Fast, as well as between Fast and Subprocessors. Fast employs independent third parties to perform penetration testing of Fast services and platforms hosting personal data, and conducts regular vulnerability scans. Fast also implements physical protection measures for critical locations, including badging requirements and fire detection and suppression systems.
Fast employs dedicated teams located in multiple geographies to support our platform and supporting infrastructure, and we use geographically separate data centers and cloud service provider availability zones to facilitate infrastructure and service availability and continuity. Moreover, we have backup copies of critical data, and redundant and resilient systems. We also regularly update software and install security patches. Fast also has an incident response plan and team.
Fast implements user access restrictions and applies role-based access permissions. We also have strong authentication and authorization methods including multi-factor authentication; we utilize a password manager and require complex passwords with mandatory periodic reset; and we employ anti-virus software and intrusion and detection system management. Fast also maintains centralized audit and security logs.
Fast personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, authorized usage, and professional standards. Fast conducts reasonably appropriate background checks to the extent legally permissible and in accordance with applicable local labor law and statutory regulations. Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Fast’s information security and privacy policies. Personnel are provided with security and privacy training. Fast also uses physical access control systems, including electronic physical access control and video monitoring.
Before onboarding new Subprocessors, Fast conducts a review of the security and privacy practices of Subprocessors to ensure Subprocessors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. Once Fast has assessed the risks presented by the Subprocessor, the Subprocessor is required to enter into appropriate security, confidentiality and privacy contract terms.