Semy Merchant Agreement
Merchant Agreement Last updated: March 20, 2023
1. Rights and Obligations of Semy
a. Semy is a service designed to enable users (“Semy Users”) to purchase Gifts to send to other Semy Users from Merchant via Semy’s proprietary ordering, advertising, logistics and billing system available via the Semy Platform. Semy Users may then redeem Gifts with Merchant to receive applicable products and services from Merchant (such products and services, “Merchant Products”). The “Semy Platform” is the Semy Mobile App in conjunction with Semy’s hosted web-based dashboard.
b. Semy may include Merchant on the Semy Platform and will enable the transmission of orders for Gifts from Semy Users to Merchant; provided that Semy has sole discretion, control and decision-making authority over whether to offer a Merchant Product as a Gift on the Semy Platform and over the appearance and presentation of products on the Semy Platform, including, without limitation, using pictures or other artwork (or none at all) to represent Merchant Product listed on your Menu.
c. Semy may refuse to offer any Merchant Product on the Semy Platform in its sole discretion without notice to the Merchant.
You can always see which of your Merchant Products are offered on the Semy Platform by accessing the Semy Platform to view your Merchant Products. Please Contact Us at https://semy.app/contact/ if you have any questions.
e. Subject to all terms and conditions of the Agreement, Semy hereby grants Merchant, for the term of this Agreement, a limited, non-exclusive, royalty-free, revocable, non-
sublicensable, non-transferable, worldwide license and right to use, reproduce, publicly display, perform, distribute and transmit the images, graphics, videos and artwork prepared by or on behalf of Semy for the marketing of the Semy Platform, solely for the promotion of your own participation on the Semy Platform (the “Semy Marketing Materials”). You acknowledge and agree that Semy may at any time and in its sole discretion, revoke this limited license or change the scope of your license to the Semy Marketing Materials, by giving you ten (10) days’ written notice (email sufficing). You acknowledge and agree that Semy owns all rights, title, and interests in and to the Semy Platform, the Semy Marketing Materials and any other content supplied by Semy, and Semy will have sole editorial control over the Semy Platform, including the presentation of any content provided by Merchant (“Merchant Content”). Merchant Content may include, without limitation, menus, text, video, audio, graphics, photographs, trademarks and logos. For the term of the Agreement and for six (6) months thereafter, Merchant hereby grants to Semy a royalty-free, worldwide, sub-licensable, (including through multiple tiers of sublicensees), transferable, fully paid-up, irrevocable right and license to use the Merchant Content on the Semy Platform, for Semy’s business purposes and for marketing and promotional purposes via any means now known or hereinafter developed. Merchant owns all right, title, and interest in and to the Merchant Content, subject to the license granted to Semy herein. Semy may remove Merchant Content from the Semy Platform at any time, in its sole discretion, including if it believes that such Merchant Content violates any applicable laws, infringes upon any third-party rights, or otherwise impacts the integrity of the Semy Platform.
2. Rights and Obligations of Merchants
a. Merchant represents, warrants and covenants: (i) it has the authority to enter into the Agreement and to grant the rights granted hereunder, and doing so will not violate any other agreement to which it is a party; (ii) it is duly organized, validly existing and in good standing under the laws of the jurisdiction of its origin; (iii) the Merchant Content and the Merchant Products offered on the Semy Platform do not and will not infringe or otherwise violate the rights of any third party; (iv) it will comply with all applicable retail food, beverage (including alcohol) or other health and safety codes, rules or regulations, as well as any other laws applicable to its business and its performance of its obligations under this Agreement, including, if applicable the United States Credit CARD Act of 2009; (v) it will provide accurate tax rates and calculations to Semy; (vi) any Merchant Product purchased via the Semy Platform will be available upon request for redemption by a Semy User, regardless of whether Merchant is an active participant in the Semy Platform at the time the certificate is presented by the Semy User; (vii) Merchant’s redemption of the Gift will result in the bona fide provision of Merchant Products by Merchant to a Semy User; (viii) Merchant Products are free from defects in workmanship, materials and design and (ix) it will remit to the applicable taxing authority all legally-required taxes and will file all required tax returns and forms. Merchant represents and warrants that it has all required permits and licenses to sell and offer for sale the Merchant Products included in its Menu, including, to the extent Merchant includes alcohol in its Menu on the Semy Platform. Merchant further represents and warrants that, to the extent Merchant includes Merchant Products containing alcohol in its Menu, it maintains a valid and active liquor license and all other applicable licenses, permits and registrations for the sale and distribution of alcohol (“Liquor License”). If applicable, Merchant will provide Semy with a copy of the Liquor License and all renewals thereof and will immediately notify Semy if any Liquor License is not renewed or is revoked, cancelled or surrendered at any time during the term.
b. You agree, at no cost to Semy to: (i) provide Semy with a current list of all the Merchant Products that may be offered by you on the Semy Platform (“Menu”); (ii) keep such list current by either (a) providing Semy with an updated Menu after any changes thereto; or (b) updating such list yourself via the self-service Semy dashboard; (iii) designate from the Menu a minimum of twenty (20) Merchant Products that may be offered for sale to Semy Users on the Semy Platform (“Designated Products”); (iv) redeem or provide the Merchant Products that are listed on the Menu to Semy Users who purchase them via the Semy Platform; (v) provide appropriate support, training and information to your employees on use of and interaction with the Semy Platform and how to redeem Gifts through the Semy Platform and your point of sale system; and (vi) periodically complete a short survey, if requested by Semy, pertaining to Merchant level of satisfaction with Semy. You represent and warrant that all Designated Products will satisfy the local governing health regulation for food and beverage preparation. You further acknowledge and agree that violating these standards will be grounds for immediate termination of this Agreement by Semy, as well as for an action by Semy against you for damages. You authorize Semy to sell, offer for sale and promote Designated Products on your behalf through the Semy Platform. Merchant is responsible for providing the descriptions of each Merchant Product for use on the Semy Platform and is further responsible for ensuring the accuracy of all such descriptions and such Merchant Product descriptions, along with the Semy Marketing Materials, will not constitute false, deceptive or unfair advertising or disparagement under any applicable law. Merchant assumes all liability for inaccuracies or misstatements regarding the Merchant Product on the Semy Platform.
c. In order to benefit both you and Semy by helping Semy to offer Merchant Products of interest to consumers, you agree to provide Semy with aggregated, non-identifying information about all the transactions you process through electronic point-of-sale technology that relate to Designated Products, whether or not such Designated Products have been purchased through Semy for as long as you participate in the Semy Platform and are subject to the Agreement (“Transaction Data”). Transaction Data will be collected by you and made available to Semy via an exported report on a monthly basis or as required by Semy. In the event a request is made you have 48 hours to produce such report. You hereby grant to Semy, its affiliates and each of their respective licensors, service providers, suppliers, subcontractors and distributors a royalty-free, worldwide, perpetual, irrevocable, non-exclusive and transferable right and license, including the right to grant and authorize sublicenses through multiple levels, to access, process use, reproduce, modify, edit, publicly display or perform, adapt, sublicense (including through multiple tiers of sublicensees), publish, translate, distribute and create derivative works from (in whole or in part) Transaction Data and/or to incorporate the same in other works in any form, for any purpose. Without limiting the foregoing, you hereby expressly authorize Semy to share such Transaction Data with its third-party brand partners for the purposes of determining the effectiveness of the Semy Platform.
d. Merchant will maintain the confidentiality of all non-public information that it acquires in the course of performing its obligations and exercising its rights under the Agreement, including without limitation all User Information, (collectively, “Semy’s Confidential Information”). Merchant will not disclose to any third party(s) or use in any way other than as necessary to perform its obligations hereunder, Semy’s Confidential Information. Merchant will ensure that Semy’s Confidential Information will only be made available to those of its employees and agents who have a need to know Semy’s Confidential Information and who are aware of the obligations of confidentiality set forth herein. Upon expiration or termination of the Agreement and as requested by Semy, Merchant will deliver to Semy (or destroy at Semy’s election) any and all materials or documents containing Semy’s Confidential Information, together with all copies thereof in whatever form.
f. Merchant will comply with the terms of the Data Processing Addendum attached to this Merchant Agreement as Exhibit A.
g. Merchant will indemnify, defend and hold Semy (including its directors, employees, officers, agents) harmless from any and all third party claims, actions, proceedings and damages arising out of or related to Merchant’s activities under this Agreement and on the Semy Platform or in breach of this Agreement, including, without limitation, (i) any claims related to third-party transactions or payment arrangement; (ii) Merchant’s provision, calculation, reporting or remission of taxes; (iii) any claim arising out of or relating to the Merchant Products, including but not limited to, any claims for false advertising, product defects, personal injury, death or property damage; (iv) any breach or alleged breach of the representations, warranties or covenants set forth in the Agreement; or (v) Merchant’s fraud, gross negligence or willful misconduct, or (vi) any third party claim that any use of the Merchant Content on or in connection with the Semy Platform or Merchant Products, infringes, misappropriates or violates any third party intellectual property or right of privacy or publicity. Semy will provide prompt notice to Merchant of any potential claim subject to indemnification hereunder. Merchant will assume the defense of the claim through counsel designated by it and reasonably acceptable to Semy, provided that Semy may use counsel of its choice at its own expense and Merchant agrees to cooperate with such counsel. Merchant will not settle or compromise any claim or consent to the entry of any judgment without the written consent of Semy, which will not be unreasonably withheld. Semy will reasonably cooperate with Merchant in the defense of the claim, at Merchant’s expense.
h. Merchant is responsible for all customer service in connection with the Merchant Product, including any of Merchant’s loyalty programs, and for supplying all goods and services stated in the Merchant Product.
3. Pricing and Payment
a. You hereby authorize Semy to receive collect the funds paid by the Semy User to purchase a Merchant Product and after deducting amounts owed to Semy in accordance with this Merchant Agreement, remit the remaining balance to the Merchant. The amount collected by Semy will be inclusive of amounts to cover applicable sales taxes, where required and calculated from rates and other information provided by Merchant, and any gratuity paid by a Semy User. If Semy incurs any third-party charges or processing fees (including, without limitation, credit card fees), such fees will be deducted and passed on to you. We will also deduct from the amounts collected Semy’s fees (as defined in the Merchant Enrollment) for the applicable item. Semy will remit the resulting net amounts to you within 15 days of the end of each month; provided, however, that if the amount to be remitted to you by Semy is less than $100 on the scheduled payment date, Semy may defer remitting such funds to you until the amount reaches $100, at which time it will remit the funds to you on the scheduled payment date of the applicable monthly cycle. Semy will invoice Merchant for any fees and other amounts not deducted from funds received by Semy from Semy Users (e.g. one-time setup fees, fees for cancellation of onboarding meetings, etc.), and all invoiced fees are due within thirty (30) days of the invoice date (“Due Date”). All payments made under this Agreement shall be in United States dollars. Any payment not received from Merchant by the Due Date shall accrue late charges at the rate of 1.5% per month of the outstanding balance, or the maximum rate permitted by law, whichever is lower, from the Due Date until the date paid.
b. You are responsible for reporting and remitting all applicable taxes and income derived from gratuities associated with the sale of your Merchant Products to the appropriate governmental authorities.
c. After a purchase, Semy will issue a receipt to the Semy User purchasing the Merchant Products that states that payment to Semy is deemed payment to the applicable Merchant. You understand and agree that if Semy fails to remit proceeds to you for any reason, your only recourse is to seek direct damages against Semy, that you waive any claims you may have against Semy User, there will be no risk of loss to the Semy User for such failure, and you will treat the Semy User as though you have received the applicable proceeds from Semy User.
d. You understand and agree that Semy Users may purchase Merchant Products on the Semy Platform at prices that differ from those offered directly by you and that any positive difference between the prices for Merchant Products paid by Semy Users and the prices for Merchant Products offered by you will be retained by Semy. Semy may offer Merchant Products at a discount, for example in special “package deals,” but only after informing you of such intent and obtaining your prior consent. In such case, you will absorb the cost stemming from any such discount.
e. If you fail to redeem or provide any of Merchant Products offered for sale on the Semy Platform listed on the Menu and which were purchased by a Semy User, or if such Merchant Products are not as described on the Semy Platform (each a “default”), Semy will withhold payment for the Merchant Products, and you will be liable for all additional transaction charges, chargebacks and other incurred costs resulting from such default. Without prejudice to any other right or remedy it may have, Semy reserves the right to set off at any time any amount owed to Semy by Merchant, including the incurred costs described in this Section 3(e), against any amount payable by Semy to Merchant under this Agreement.
4. Term and Termination; Onboarding
a. The Agreement will begin on the date you execute the Merchant Enrollment and will continue until terminated as provided herein. This Agreement may be terminated by either party at any time by giving the other party 60 days’ written notice. Semy may, in its sole discretion, elect to discontinue, restrict or limit the offering of Merchant Products on the Semy Platform during the time between receipt of a termination notice and the termination becoming effective.
b. Shortly after executing the Enrollment Form, Semy will schedule an onboarding session. To cancel an onboarding meeting, please notify Semy at least 48 hours in advance of the scheduled appointment. If notification is not received 48 hours in advance, a $50.00 cancellation fee will be assessed and deducted from the first payment cycle.
This Agreement constitutes the entire agreement between the Merchant and Semy with respect to its subject matter, and supersedes all other proposals, negotiations, representations or communications relating to the subject matter. Both parties acknowledge that they have not been induced to enter this Agreement by any representations or promises not specifically stated in this Agreement. The protections of this Agreement will apply to actions of the parties performed in preparation for and anticipation of the execution of this Agreement. Any amendment to this Agreement must be in writing and signed by duly authorized representatives of the parties. Merchant Agreement is governed by, and will be interpreted in accordance with, the laws of the State of Delaware, excluding those laws that direct the application of the laws of another jurisdiction.
Data Processing Addendum
This Data Processing Addendum (the “Addendum”) is attached to the Semy Merchant Agreement (the “Merchant Agreement”) to clarify and confirm Merchant’s obligations to safeguard and maintain the security of the Personal Information it collects from or on behalf of Semy related to employees, dependents and beneficiaries, consultants, workers, visitors, shareholders, and/or customers of Semy and its subsidiaries under the Merchant Agreement.
NOW, THEREFORE, in consideration of the mutual covenants and promises contained herein and in the Merchant Agreement, and for other good and valuable consideration, the sufficiency of which is hereby acknowledged, Semy and Merchant agree as follows:
- DEFINITIONS. Solely for purposes of this Addendum, the following terms shall have the meanings set out below. Capitalized terms used in this Addendum, but not defined have the meanings given to them in the Merchant Agreement.
Personal Information. “Personal Information” means any and all information provided by Semy, its subsidiaries, affiliates, agents, officers, directors, or current and former employees, to Merchant and that identifies, relates to, describes, is reasonably capable of being associated with or could reasonably be linked, directly or indirectly, with a particular individual. “Personal Information” also includes all Sensitive Personal Information.
Sensitive Personal Information and “SPI”. “Sensitive Personal Information” or “SPI” is a form of Personal Information that consists of one or more of the following elements of information about an individual:
- Unique identification numbers including, but not limited to: social security number, military identification; passport, visa, alien registration, driver’s license number, or other government-issued identification number.
- Financial information including, but not limited to: account number, card number, routing number, passcode, account log-in, security code, access code, password, personal identification number (“PIN”), or credentials allowing access for a checking or savings account, investment account, personal or company-sponsored credit or debit card, or any other financial account;
- precise geolocation;
- racial or ethnic origin, religious or philosophical belief or union membership; contents of an individual’s mail, email and text messages;
- genetic data;
- biometric information;
- citizenship or immigration status;
- the personal information of a known child;
- sex life or sexual orientation;
- health and medical information, including but not limited to health insurance information; or
SPI also consists of information that is capable of being associated with a particular individual through a combination of an individual’s name with one or more of the following identifiers:
- access code or password for an information system such as e-mail or cloud storage;
- mother’s maiden name or date of birth;
- digital or electronic signature.
Privacy Laws. “Privacy Laws” are all applicable laws, rules, regulations, directives and governmental requirements in any jurisdiction in which Semy or Merchant operates and relating in any way to the privacy, confidentiality, or security of Personal Information processed by Merchant.
- CONTROL OF PERSONAL INFORMATION. Semy shall retain all ownership and control over the Personal Information disclosed to Merchant. Semy also has the exclusive authority to determine the purposes of processing of all Personal Information by Merchant.
- LIMITED USE OF PERSONAL INFORMATION. At all times during the term of this Addendum and thereafter, Merchant shall receive, collect (including, without limitation, caching or storing), access, use, disclose, process or retain Personal Information solely for the purpose of providing services to Semy, including taking and fulfilling orders from Semy Users for Merchant’s products and services through the Semy Platform (the “Services”) and not for any other purpose.
a. Merchant shall not:
i. disclose any Personal Information to any third party except as expressly permitted herein;
ii. use any Personal Information to violate or attempt to violate the security of the Semy Platform or Semy’s other systems, or any third party networks, system, server, website, application or account;
iii. sell or share any Personal Information except as expressly. permitted by this Addendum; or
iv. combine any Personal Information obtained from Semy or Semy Users with the Personal Information collected by Merchant from third parties.
- AGENTS. Merchant shall not contract any of its rights or obligations hereunder, or share, transfer, disclose or otherwise provide access to any Personal Information to any contractors, subcontractors, third-party service providers, or agents (collectively, “Agents”) without the prior written consent of Semy. Where Merchant contracts any rights or obligations, or provides access to Personal Information, to an Agent, then (a) Merchant shall enter into a fully-executed written agreement with each Agent that imposes obligations on the Agent that are at least as restrictive as those imposed on or required of Merchant under this Addendum; (b) Merchant shall not be relieved of any of its obligations under this Addendum; and (c) Merchant shall remain liable and responsible for the performance or non-performance of its Agents with respect to the Agent’s collection, use, disclosure, storage, processing and disposal of Personal Information. Merchant shall also require that each of its employees who handles Personal Information is contractually required to maintain the confidentiality of that Personal Information.
- COMPLIANCE WITH LAW. Merchant agrees that its collection, use, disclosure, storage, processing and disposal of Personal Information shall at all times comply with all Privacy Laws and any representations made by Merchant to any person from whom such Personal Information was collected. Merchant further agrees that it will reasonably cooperate with Semy’s efforts to comply with Semy’s legal obligations related to the privacy and security of Personal Information.
- DATA SECURITY. Merchant shall, and shall contractually require and cause any Agents to, implement and maintain security procedures and practices for Personal Information, including without limitation, establishing, implementing and maintaining an Information Security Program as set forth in Section 7, that will: (i) comply with all Privacy Laws and applicable industry standards; (ii) ensure its security and confidentiality, (iii) protect against any anticipated or actual threats or hazards to its security or integrity, and (iv) prevent unauthorized access, acquisition, destruction, use, modification and/or disclosure. Merchant and its Agents shall each ensure that its security infrastructures are consistent with high industry standards for virus protection, firewalls and intrusion prevention technologies to help prevent Merchant’s network, systems, servers and applications from unauthorized access. Merchant will restrict and track access to Personal Information and Semy systems, including the Semy Platform, at all times to only those employees and Agents whose access is essential to performing the services for which Merchant has been contracted, and such employees and Agents will be required (including during the term of their employment or retention and thereafter) to protect Personal Information in accordance with the requirements of this Addendum. Merchant shall segregate Personal Information from all other Merchant and third party data. Merchant must ensure proper user authentication for all employees, and Agents with access to Personal Information, including, without limitation, by assigning each employee or Agent unique access credentials for access to any system on which Personal Information can be accessed and prohibiting employees and Agents from sharing such access credentials. Merchant shall ensure that upon termination of any employee or Agent, the terminated person’s access to Personal Information and Semy systems must be immediately revoked.
- INFORMATION SECURITY PROGRAM. Merchant shall conduct appropriate training and awareness campaigns designed to educate Merchant’s employees of their responsibilities in maintaining the confidentiality and security of Personal Information and for the reporting of incidents involving unauthorized access to or use of Personal Information, consistent with all Privacy Laws and the terms of this Addendum. Merchant represents and warrants that it has implemented and will maintain a variety of administrative, organizational and technical measures (“Information Security Program”) that are consistent with industry standards which include but may not be limited to ISO 27001/2, NIST, and other similar standards that are designed to reasonably and appropriately protect the confidentiality, integrity and availability of information systems or data and which measures are set forth below. Merchant shall review its Information Security Program on at least an annual basis and evaluate whether it needs to be modified to comply with Privacy Laws or industry practices. Merchant shall notify Semy of any material changes to Merchant’s Information Security Program as it relates to the security and integrity of Personal Information, within thirty (30) days of any such change. Notwithstanding the foregoing; at all times, Merchant’s Information Security Program shall include at least the following:
a. Data security controls which include at a minimum, but may not be limited to, logical segregation of data, restricted (e.g., role-based) access and monitoring, and utilization of commercially available and industry standard encryption, at a minimum of 256-bit encryption, for Personal Information that is:
i. transmitted order public networks (i.e. the Internet) or when transmitted wirelessly, or
ii. stored on any Merchant or Agent systems, including any cloud based systems.
b. Logical access controls to manage electronic access to data and system functionality based on authority levels and job functions, (e.g. granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review and revoking/changing access promptly when employment terminates or changes in job functions occur).
c. Password controls to manage and control password strength, expiration and usage including prohibiting users from sharing passwords.
d. System auditor event logging and related monitoring procedures to proactively record user access and system activity for routine review.
e. Physical and environmental security of data center, server room facilities and other areas containing Personal Information to protect information assets from unauthorized physical access, and to manage, monitor and log movement of persons into and out of Merchant facilities, and to guard against environmental hazards such as heat, fire and water damage.
f. Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems according to prescribed internal and adopted industry standards, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Merchant’s possession.
g. Incident management procedures to allow for the proper investigation, response, mitigation and notification of events related to Merchant’s technology and information assets.
h. Network security controls that provide for the use of enterprise firewalls and layered DMZ architectures, and intrusion detection systems and other traffic and event correlation procedures to protect systems from intrusion and limit the scope of any successful attack.
i. Vulnerability assessment, patch management, and threat protection technologies and scheduled monitoring procedures to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
- TRANSMISSION OF PERSONAL INFORMATION. Merchant shall not electronically transmit a record containing Personal Information outside a secure network environment other than by a secure network connection or communications protected by appropriate encryption technology that is not less than 256-bits in length. Likewise, Merchant shall not require any individual to transmit Personal Information over the Internet unless the connection is secure or the Personal Information is protected by encryption technology meeting this standard. Merchant shall not print Personal Information on mailed material unless required by law and will not make Personal Information visible through any envelope window unless required by law. Notwithstanding the provisions of this Section, when strictly necessary to perform the contracted services and permitted by applicable Privacy Laws, Personal Information may be included in applications and forms sent by mail.
- SUBPOENAS AND LEGAL PROCEEDINGS. Subject to applicable law, Merchant shall notify Semy within three (3) business days of any subpoena or other judicial or administrative order by a court, tribunal, litigant, or government authority seeking access to or disclosure of Personal Information. Subject to applicable law, Semy shall have the right to defend subpoena enforcement proceedings or motions to compel in lieu of and on behalf of Venda, which steal provide mast – amble cooperation to Semy in connection with such defense.
- DATA SECURITY BREACH NOTIFICATION AND INCIDENT RESPONSE. Merchant shall notify Semy, of: (a) any access, possession, use or disclosure of Personal information, or attempt thereof, not expressly permitted by this Addendum; (b) any suspected breach or compromise of Personal Information, or Merchant’s systems or networks that directly or indirectly support Personal Information; or (c) claims or threats thereof made by any personnel, Agent or external person (each or the foregoing a “Data Security Breach”). Merchant shall notify Semy of a Data Security Breach within twenty-four (24) hours after detecting or being notified of the Data Security Broach affecting SPI. Merchant shall notify Semy of the Data Security Breach within forty-eight (48) hours after detecting or being notified of the Data Security Breach affecting all other Personal Information.
a. Other Parties. Unless the Data Security Breach impacts the information of parties other than Semy, Merchant shall not notify any parties other than Semy and relevant law enforcement agencies of any Data Security Breach unless such notification is agreed to in advance by Semy in writing.
b. Resolution. For avoidance of doubt, any Data Security Breach vulnerability shall be resolved to Semy’s satisfaction, at Merchant’s expense.
c. Data Security Breach investigation. In Semy’s sole discretion, upon Semy’s written request, and pursuant to Semy’s instructions, Merchant shall cooperate with Semy and any outside agents hired by Semy: (i) conducting an investigation of any actual or suspected Data Security Breach and (ii) providing Semy and its agents with administrative access to all affected systems or applications that store, process, transmit or otherwise access Personal Information. In addition, Merchant will, upon Semy’s written request and pursuant to Semy’s instructions, at Merchant’s cost, notify any affected persons or entities provided that the method and content or such notice to shall be agreed to in writing by Semy prior to sending such notice. Merchant shall also cooperate with Semy and any relevant authority in the event of litigation or regulatory inquiry concerning a Data Security Breach. Notwithstanding the foregoing, Merchant, at its sole expense shall investigate and remediate all Data Security Breaches.
- CREDIT MONITORING. In the event of a Data Security Breach (including, without limitation, by an unauthorized employee or Agent of Merchant), at the sole discretion of Semy, Merchant will offer Credit Monitoring Services (as defined below) as designated by Semy to any affected individual at Merchant’s cost and expense. Affected individuals will be notified of the availability of Credit Monitoring Services as directed by Semy, at Merchant’s sole cost. “Credit Monitoring Services” mean credit monitoring services for two (2) years, beginning on the date the individual first registers for the service after the Data Security Breach or such period required by Privacy Laws and one (1) free credit report provided by Experian, Equifax, or TransUnion.
- DESTRUCTION AND RETURN OF PERSONAL INFORMATION. As soon as possible after any of the Personal Information (or portion thereof) is no longer needed by Merchant to fulfill its obligations to Semy, and in any event upon termination or expiration of this Addendum for any reason, Merchant shall, and shall cause its Agents, to immediately securely destroy and certify such secure destruction (and produce a written certification upon request by Semy) of any or all of Personal Information and all records of Personal Information, (including, without limitation, all electronic copies such as on hard drives, backup tapes, portable devices, optical, magnetic, or other storage media, as well as all hard copies) or, if requested by Semy, return Personal Information to Semy through a secure method designated by Semy. Merchant shall ensure that Personal Information is destroyed in accordance with the methods described in the Federal Trade Commission’s Disposal Rule, 16 C.F.R § 682.3 and any other Privacy Law. Notwithstanding the foregoing, in the event that Merchant is required by applicable law to maintain a copy of the Personal Information subject to this Addendum, it must notify Semy in writing of the basis for the legal obligation, and absent written objection by Semy, Merchant may keep a single copy of the Personal Information, which Personal Information shall be returned or destroyed, at Semy’s option, once the legal obligation of the Merchant has expired.
- SECURITY AUDIT RIGHTS. At the request of Semy and at Semy’s cost, Merchant shall provide Semy, or an independent third-party auditor selected by Semy, access to, and the right to conduct a security audit of, all records, security policies and procedures, and other practices relating to the use, processing, storage and disclosure of Personal Information. The audit results and Merchant’s plan for addressing or resolving issues identified by the audit shall be shared with Semy within ten (10) days of Merchant’s receipt of the audit results. In addition, subject to Merchant’s advance approval as to scope and timing, Semy also reserves the right to conduct, at its own cost, not more than twice per calendar year, technical security integrity reviews, and penetration tests and monthly Internet security scans to ensure Merchant remains compliant with this Addendum (collectively, “Application Security Assessments”). Semy will provide seven days’ notice prior to penetration testing or the commencement of monthly scanning activities. Merchant shall correct any security flaw discovered by Semy within eight (8) hours. Further, Merchant and any Agent that accesses, stores or collects Personal Information shall conduct, at its own cost, an Application Security Assessment annually using an independent third-party tester.
- MALICIOUS CODE. Merchant will ensure that the contracted services will not result in the transmission to Semy of any (a) ‘back door’, ‘time bomb’, ‘Trojan Horse,’ ‘worm’, ‘drop dead device,’ ‘virus’, ‘spyware’ or ‘malware;’ or (b) any computer code or software routine that: (i) permits unauthorized access to or use of Semy’s or its users’ systems or any component thereof; or (ii) disables, damages, erases, disrupts or impairs the normal operation of Semy’s or its users’ systems or any component thereof.
- INTERNATIONAL TRANSFER OF DATA. Merchant shall not transfer Personal Information to, or allow access to Personal Information by, its employees or Agents in any location outside the United States without receiving the prior written consent of Semy. To the extent that the parties agree to the transmission of Personal Information outside of the United States, prior to making any such transfer, the parties will negotiate in good faith and agree to the terms of a data transfer agreement that complies with applicable Privacy Laws governing the cross-border transfer of Personal Information.
- SUSPENSION OF DATA TRANSFERS. Semy reserves the right to suspend or stop data transfers to Merchant at any time. In the event that Merchant is unable to comply with the obligations stated in this Addendum, Merchant shall within forty-eight (48) hours notify Semy, and Semy shall then be entitled (at its option) to suspend the transfer of Personal Information, require Merchant to cease using Personal Information and/or immediately terminate the Addendum.
- DATA SUBJECT REQUESTS. Merchant shall promptly send Semy within three (3) business days of receipt of any communication received from an individual relating to his or her request to access, modify or correct, or delete Personal Information relating to the individual or to opt-out of any program or communication and Merchant shall comply with instructions of Semy before responding to such corn mind canons.
- COOPERATION WITH GOVERNMENT ENFORCEMENT AUTHORITIES. Merchant will provide reasonable cooperation to Semy in connection with Semy’s efforts to respond to any complaint filed with, or investigation conducted by, any government agency or data protection authority resenting the processing of Personal Information by Merchant.
- INDEMNIFICATION. Merchant shall indemnify, hold harmless, and defend Semy and its officers, employees, subcontractors, agents, successors, and assigns from and against any and all claims, losses, liabilities, damages, settlements, expenses and costs (Including without limitation attorneys’ fees and court costs) and any and all threatened claims, losses, liabilities, damages, settlements, expenses and costs arising from, in connection with, or based on allegations of, in whole or in part, any of the following: (a) any violation of the requirements of this Addendum; (b) any negligence or willful misconduct of Merchant, its personnel or Agents or any third party to whom Merchant provides access to Personal Information or systems, with respect to security or confidentiality of Personal is (c) any other costs incurred by Semy with respect to Semy’s rights in this Addendum. Except as otherwise provided herein, Merchant shall be fully responsible for, and shall pay, all costs and expenses incurred by Merchant or its personnel, third-party service providers of Merchant or Agents with respect to the obligations imposed under this Addendum.
- RELATION TO MERCHANT AGREEMENT. A breach of any term of this Addendum will be deemed a breach of the applicable services agreement between the Parties. The provisions of such agreement regarding the subjects of Breach, Choice of Law, and Venue shall govern the parties’ respective rights and obligations under this Addendum. Notwithstanding the foregoing, any indemnification rights of Semy in this Addendum are additive to any rights at law or in equity that Semy has under the applicable services agreement between the Parties. This Addendum shall govern Merchant’s handling Personal Information until it has certified in writing to Semy that Merchant has returned or destroyed all Personal Information in its possession in compliance with Section 12 (Destruction and Return of Personal Information).
- VERIFICATION. Merchant certifies that it understands the restrictions and obligations imposed on it by this Addendum.
- MISCELLANEOUS. This Addendum shall be amended only by a written agreement between the Parties that specifically references this Addendum by name. If for any reason Merchant can no longer comply with the terms of this Addendum, Merchant will promptly notify Semy.