Payflow Gateway Services Agreement


>> View all legal agreements

Payflow Gateway Services Agreement

Last Update: May 19, 2018



This Payflow Gateway Services Agreement ("Agreement") is a contract between you (the "Merchant") and PayPal, Inc., and its affiliates(“PayPal”) and applies to your use of the Payflow gateway Services (the "Payflow Services"). In this Agreement, "you" and "your" refer to Merchant and your designated agents, including your administrative contact, and "we,” "us" and "our" refer to PayPal. You must read, agree with, and accept all of the terms and conditions contained in this Agreement. This Agreement applies to you if you signed up for the Payflow Services, or upgraded your Payflow Services, on or after October 27, 2010. By using the Payflow Services, you acknowledge that you have agreed to this Agreement. We may amend this Agreement at any time by posting a revised version on our website. The revised version will be effective at the time we post it. In addition, if the revised version includes a Substantial Change, we will provide you with 30 Days' prior notice of Substantial Change by posting notice on the "Policy Updates" page of our website. You agree to review periodically our website to be aware of any revisions. By continuing to use the Payflow Services after any revision to this Agreement or any change in Payflow Services, you agree to abide by and be bound by any such revisions or changes.



The Payflow Services include Payflow Link or Payflow Pro and the “Add On Payflow Services” defined as Recurring Billing Service, Fraud Protection Services, and the ACH Payment Service. With Payflow Link, your customers enter their payment information in a PayPal-hosted order form on a PayPal server. With Payflow Pro, you have the option to use our Payflow APIs and have customers checkout on your own site, which you host and secure with SSL certificate or Payflow APIs in conjunction with Payflow Link hosted order forms to collect card data on pages PayPal hosts and secures. In order to use the Payflow Services you must complete the online registration process (“Registration”) and set up an internet merchant account with a Financial Institution to process payments. Use of the ACH Payment Service and other Add On Payflow Services may require additional documentation. You agree that you shall (i) use the Payflow Services in accordance with the applicable user guides and other documentation; and (ii) not use or permit others to use information obtained with the Payflow Services for any purpose other than in conjunction with the Payflow Services and in a manner described in this Agreement and in the documentation for the Payflow Services.



"ACH" means Automated Clearing House.

"API" means application programming interface

"Financial Institution" means banks or financial institutions having business relationships with one or more Financial Processors that have agreed to evaluate and provide merchant accounts and payment authorization services to merchants.

"Financial Processor" means an entity with which PayPal has established a relationship that performs the back-end authorization and processing of Transactions between your Financial Institution and the cardholder's bank.

"Manager Web Site" means the online account management tools for merchants for the Payflow Services.

“Payflow Services” means the payment gateways under the brand names Payflow Link or Payflow Pro that include, without limitation, real-time, secure data transmission and processing for multiple business-to-customer payment methods including, credit cards, debit cards, purchase cards, PayPal payments, Bill Me Later® payments, delayed shipment billing, electronic checks, and the Add On Services.

Payflow Software” means the object code version of the client Software Development Kit ("SDK"), HTML code, APIs, related documentation, and other client software or code, including updates, to enable PayPal to provide the Payflow Services to you. Unless otherwise specified, Payflow Software shall not include any source code.

"Substantial Change" means a change to the terms of this Agreement that reduces your rights or increases your responsibilities.

"Transaction" means information related to the purchase of goods and services from you by a third party. Specifically a Transaction is an authorization, delayed capture, sale, void, voice authorization, inquiry, verification, reference transaction, non-reference credit, or credit data transmission between PayPal and its back end processors.



3.1 General Service Requirements. You shall:

  1. Maintain commercially reasonable business practices in conjunction with use of the Payflow Services including (i) maintaining your web site (the "Merchant Web Site") and connection to the Internet and fulfilling all orders for products and services sold by you; (ii) reviewing Transactions on a regular basis and notifying PayPal promptly of any suspected unauthorized activity; (iii) establishing and maintaining a commercial banking relationship with one or more Financial Institutions; and (iv) keeping your login name and password confidential and agreeing that the administrative contact you provide to us during Registration is your agent with full authority to act on your behalf with respect to such Payflow Services.
  2. Collect, store and transmit certain Transaction and user information (collectively, the "Data"), in a secure manner, protect the privacy of the Data, and comply with requests from PayPal to take reasonable action to maintain the security and integrity of the Payflow Services; and
  3. Update to the most current Payflow Software version and security updates and patches necessary to properly operate the Payflow Services and keep all your enrollment and payment information current and updated on the PayPal Manager Web Site.



4.1 Payflow Services. Subject to the terms in this Agreement, PayPal agrees to provide (i) the Payflow Services for which you have enrolled and paid the applicable fees, and (ii) access to standardized reports regarding your Transactions processed using the Payflow Services and certain reporting tools to assist you.

4.2 Information Conduit. You acknowledge that PayPal is not a financial or credit reporting institution. PayPal is responsible only for providing Data transmission to effect or direct certain payment authorizations for you and is not responsible for the results of any credit inquiry, the operation of web sites of internet service providers (“ISP”), Financial Institutions, Financial Processors, the availability or performance of the Internet, or for any damages or costs you suffer or incur as a result of any instructions given, actions taken or omissions made by you, your Financial Processor(s), your Financial Institution, or any ISP. The Payflow Services present data and information collected from the you and data sources other than PayPal and PayPal makes no representations or warranties regarding the availability, accuracy, timeliness or completeness of such data and information or any output or results of the Payflow Services based in whole or in part on such data and information. You are solely responsible for the accuracy and completeness of all Data you supply.

4.3 Security and Stability. You acknowledge that it is in the best interests of both parties that PayPal maintains a secure and stable environment; to that end, PayPal may change the method of access to the Payflow Services at any time. You also agree that, in the event of degradation or instability of the Payflow Services or an emergency, PayPal may temporarily suspend your access to the Payflow Services, any API, and/or any PayPal content under this Agreement in order to minimize threats to and protect the operational stability and security of the Payflow Services. Each party represents, warrants and covenants that it shall at all times comply with applicable Payment Card Industry Data Security Standards, (“PCI DSS”) as such may be amended from time to time, with respect to all card Data received by it in connection with this Agreement. PayPal does not guarantee the security of the Payflow Services or Transaction data, and PayPal will not be responsible in the event of any infiltration of its security systems, if PayPal has used commercially reasonable efforts to prevent any such infiltration. Your customers’ card data is handled by PayPal if: (a) you use Payflow Link, or (b) you use Payflow Pro and you choose to activate the “transparent redirect” feature and integrate the feature pursuant to PayPal’s instructions. PayPal adheres to Payment Card Industry Data Security Standards (“PCI DSS”).

4.4Technical Support for Payflow Services. PayPal shall provide technical support services as set out at the following URL:



5.1 Registration. When you register for the Payflow Services, you may have PayPal payments automatically enabled. The e-mail address you designate when registering for the Payflow Services will be initially used to create your PayPal account, however, to access any PayPal payments you must finish completing your PayPal account and agree to the online PayPal user agreement, found on the applicable PayPal website.

5.2 PayPal Services. Merchants using Payflow Link agree to offer PayPal Express Checkout and Bill Me Later®, a PayPal service, on their hosted checkout pages. Fees for accepting payments via these services are set out as Purchase Payment Fees in the PayPal user agreement on Merchants who do not want to offer Express Checkout and Bill Me Later® can upgrade to the Payflow Pro level of service to disable these payment methods (additional fees may apply for Payflow Pro).



6.1 Fees. You agree to pay PayPal the applicable fees for the Payflow Services as set out in Schedule 1, at the end of this Agreement, as amended from time to time. All fees are due immediately and are non-refundable, except as otherwise expressly noted herein. The Payflow Services are supplied on a month-to-month or annual basis depending on the payment terms you agree to during Registration. All sums due that remain unpaid after any applicable cure period will accrue interest of 1.5% per month or the maximum amount allowed by law, whichever is less; this interest to begin to accruing on the day after the payment due date until paid in full.

6.2 Taxes. The fees are exclusive of tax. You are responsible for all taxes, duties, levies or tariffs or charges of any kind imposed by any federal, state or local governmental entity on the fees for the Payflow Services, excluding taxes based on PayPal’s net income.

6.3 Payment Method. You agree to pay for the Payflow Services via credit card or ACH. You authorize PayPal to charge your credit card or debit your bank account via ACH for the fees. You shall provide proper authorization to allow PayPal to debit its bank account to collect fees due under this Agreement. All fees owed by you to third parties (for example, Financial Institutions, Financial Processors, and merchant account providers), are your sole responsibility, and are not covered by this Agreement. You are solely responsible for the credit card or ACH account information you provide to PayPal and must promptly inform PayPal of any changes thereto.



7.1 Term; Renewal. This Agreement will commence on the date you accept the terms of this Agreement (the "Effective Date"). If you agreed to monthly billing, this Agreement automatically renews for successive one month periods, unless terminated or suspended according to the provisions of this Agreement. If you agreed to annual billing, you must notify us if you wish to renew this Agreement on an annual basis. Renewal is subject to our then-current terms and conditions, including, successful completion of any applicable authentication procedure, and payment of all outstanding fees.

7.2 Termination. Either Party may terminate the Agreement for convenience at any time upon notice to the other party. PayPal may terminate this Agreement, effective immediately, (i) in the event of insolvency, receivership or voluntary or involuntary bankruptcy, or an assignment for the benefit of your creditors, or in the event that a substantial part of your property is or becomes subject to any levy, seizure, assignment or sale for or by any creditor or governmental agency without being released or satisfied within thirty days thereafter; (ii) if you fail to comply with applicable laws or regulations; (iii) for any of the reasons listed in Section 7.3 below; or (iv) if you fail to materially comply with this Agreement. If you purchase separate Payflow Services that are sold together as a "bundled" package, as opposed to your purchasing such Payflow Services separately, termination of any part of the Payflow Services may result in termination of all Payflow Services.

7.3 Suspension. PayPal may suspend your access to the Payflow Services immediately, without prior notice if: (i) certain third party licenses or access to third party components of the Payflow Services are terminated; (ii) you cause or fail to fix a security breach relating to the Payflow Services; (iii) PayPal reasonably believes your breach compromises the security of the Payflow Services; (iv) PayPal reasonably believes fraudulent Transactions are being submitted on your account knowingly or negligently; (v) your Financial Processor or Financial Institution requires such suspension; (vi) you fail to pay any fees when due; (vii) you fail to upgrade to the most current software version, security updates and/or patches; or (g) you fail to materially comply with this Agreement.

7.4 Effect of Termination. PayPal will cease providing the Payflow Services and cease charging you for any fees as of the expiration of the billing cycle in which the termination is effective. If termination of this Agreement is due to your default hereunder, you shall bear all costs of such termination, including any reasonable costs PayPal incurs in closing your account. You agree to pay all costs incurred by PayPal in enforcing your compliance with this Section. Upon termination, your rights to use the Payflow Services, and any other rights granted hereunder, shall immediately cease, and you shall destroy any copy of the PayPal Documentation or other materials licensed to you hereunder and referenced herein. Termination of this Agreement will not relieve either Party from any liability arising prior to the termination of this Agreement. To the extent permitted by applicable law, you agree that upon termination, we may delete all information relating to your use of the Service.

7.5 Reinstatement of Payflow Services. If Payflow Services are suspended or terminated by PayPal reinstatement of Payflow Services shall be subject to you paying PayPal (i) new set-up fees, at PayPal's then-current rates; and (ii) all past due fees.



8.1 Privacy Policies. Both Parties privacy policies shall be adequately displayed within their respective websites and meet current legal and industry standards within each Party’s reasonable determination. Our privacy policy is located on our Web site at and is incorporated herein by reference. You agree that in the course of providing the Payflow Services, PayPal will capture certain Data. You agree to provide to PayPal only the Data that is required by the Payflow Software and is necessary for PayPal to provide the Payflow Services. Subject to applicable law, PayPal may use the Data as necessary to (i) perform the Payflow Services contemplated in this Agreement (including distributing the Data to third parties providing services you requested); (ii) collect and process the Data for record keeping, reporting, and analytics; (iii) provide fraud detection, risk modeling, and support services (iv) compile and disclose Data in the aggregate where your individual or user Data is not identifiable, including calculating your averages by region or industry; and (v) provide the Data as required by the card associations, law or court order, for purposes of incident investigation, or to defend PayPal’s rights in a legal dispute. You represent and warrant that you have provided notice to, and obtained consent from, any third party individuals whose personal data you supply to us. We are not responsible for any consequences resulting from your failure to provide notice or receive consent from such individuals or for your providing outdated, incomplete, or inaccurate information. You are responsible for capturing and securing any Data you need prior to submission to us for processing. We will use the Data for processing the Transactions. After processing we will provide only truncated Data to you through our standard reporting tools.

8.2 Compliance with Data Protection Schedule. You agree (as a “Merchant”) to comply with Schedule 2 below, which forms part of this Agreement. The terms of the Data Protection Schedule shall prevail over any conflicting terms in this Agreement relating to data protection and privacy.



9.1 Confidential Information Defined. A party’s "Confidential Information" is defined as any information of the disclosing party, which (i) if disclosed in a tangible form is marked using a legend such as "Confidential" or "Proprietary" or if not so marked, should be reasonably understood by the receiving party from the context of disclosure or from the information itself, to be confidential, or (ii) if disclosed orally or visually is declared to be confidential or, if not so declared, should be reasonably understood by the receiving party from the context of disclosure or from the information itself to be confidential. Confidential Information shall include, the terms of this Agreement; the integration requirements; information accessed via the Payflow APIs; information relating to the PayPal’s systems, technology, processes, and financial information; your user ID; information relating to your business, security and technology; and all user data and customer information (including user IDs and passwords) regardless of whether marked "Confidential."

9.2 Mutual Obligations. Each party shall hold the other party’s Confidential Information in confidence and shall not disclose such Confidential Information to third parties nor use the other party’s Confidential Information for any purpose other than as required to perform its obligations under this Agreement. Such restrictions shall not apply to Confidential Information that (i) is already known by the recipient, (ii) becomes publicly known through no act or fault of the recipient, (iii) is received by recipient from a third party without a restriction on disclosure or use, or (iv) is independently developed by recipient without reference to the Confidential Information or (v) where Confidential Information is required to be disclosed by a court, government agency, law enforcement agency, regulatory requirement, or similar disclosure requirement. The parties’ respective obligations to maintain the confidentiality of information disclosed hereunder shall survive the expiration or early termination of this Agreement or until such time as such information becomes public information through no fault of the receiving party. Upon termination or expiration of this Agreement, the receiving party shall immediately return to the disclosing party all manifestations of the Confidential Information or shall destroy all such Confidential Information as the disclosing party may designate; provided that such action may be delayed for so long as, and to the extent that, such Confidential Information relates to outstanding payment obligations or is subject to audit, reporting, or retention requirements under this Agreement or applicable law.



10.1 Intellectual Property. You acknowledge that PayPal and its licensors retain all intellectual property rights (including all patent, trademark, copyright, trade dress, trade secrets, database rights and all other intellectual property rights) and title in and to all of their Confidential Information; other proprietary information, products and services; and the ideas, concepts, techniques, inventions, processes, software or works of authorship developed, embodied in, or practiced in connection with the Payflow Services and provided by PayPal hereunder, including without limitation all modifications, enhancements, derivative works, configurations, translations, upgrades, and interfaces thereto (all of the foregoing “PayPal Intellectual Property”). PayPal Intellectual Property does not include your preexisting hardware, software, data, or networks. Except as otherwise expressly provided herein, nothing in this Agreement shall create any right of ownership or license in, and to the other Party’s intellectual property rights and each Party shall continue to independently own and maintain its intellectual property rights. There are no implied licenses under this Agreement and any rights not expressly granted to you under this Agreement are reserved by PayPal or its suppliers. You shall not reverse engineer, decompile, modify in any manner or create derivative works from the Payflow Services, API License, (defined below) or any PayPal Intellectual Property.

10.2 License. PayPal hereby grants you a non-exclusive, non-transferable, revocable, non-sublicenseable, limited license to use PayPal’s Intellectual Property solely as required and necessary to use the Payflow Services in accordance with the terms and conditions of this Agreement and any user guides provided by PayPal to you (the “IP License” and with respect to the APIs, the “API License”).

10.3 Payflow APIs. PayPal shall make available to you its API integration and user guides and SDKs (collectively “PayPal Documentation”). You shall comply with the PayPal Documentation in connection with the integration and use of APIs. You shall keep all user ID, passwords and other access codes pertaining to the Payflow Services and API License confidential and secure from all unauthorized persons. You will immediately terminate the access rights of any user who ceases to act in an authorized capacity on your behalf for any reason, including because of a change in employment status or in the event of theft, loss or authorized disclosure or misuse of that user ID. You agree to notify PayPal immediately upon learning of any unauthorized use of your user name or password. You shall be solely responsible for (i) updating your passwords for access to the Payflow Services periodically, and (ii) creating passwords that are reasonably “strong” under the circumstances. The user ID is the property of PayPal and may be immediately revoked or terminated by PayPal if you share the same with any third party, or otherwise breach this API License. In connection with your use of Payflow’s API’s, you are prohibited from doing any of the following: (i) selling, transferring, sublicensing, or disclosing your user ID to any third party (other than third party service providers); (ii) selling, transferring, sublicensing, and/or assigning any interest in PayPal’s Confidential Information accessed by the APIs; (iii) collecting any customer’s personally identifiable information that is accessed through the APIs without that customer’s express permission; (iv) providing timeshare, service bureau, application service provider or similar services to any other third party; and (v) interfacing or connecting the Payflow Services, or the API License with any other computer software or system without the prior written approval of PayPal. PayPal shall have no responsibility or liability for the performance of the Payflow Services and Payflow Software, in the event that the Payflow Services or Payflow Software are not used in accordance with this Agreement or any instructions for use provided by PayPal.



11.1 Authority. Each party represents and warrants that (a) it has full power and authority to enter into and perform this Agreement; and (b) its execution and performance of this Agreement does not violate, conflict with, or result in a material default under any other contract or agreement to which it is a party, or by which it is bound.

11.2 Compliance with Laws. You represent and warrant that you shall comply with all applicable privacy, consumer and other laws and regulations with respect to (i) provision, use and disclosure of the Data; (ii) dealings with the users providing the Data; and (iii) use of the Payflow Services.






You will defend, indemnify and hold harmless PayPal, its affiliates, and its officers, directors, employees, and agents from any loss, damage, liability, claim, demand or cost (including reasonable attorneys’ fees) (“Claim”) made or incurred by any third party due to or arising out of (i) your breach of this Agreement; (ii) the sale or use of any product or services sold by you; (iii) your use of the Payflow Services; or (iv) your negligence or misconduct






15.1 Force Majeure. Neither Party shall be responsible for any failure to perform its obligations under this Agreement if such failure is caused by acts of God, war, strikes, revolutions, lack or failure of transportation facilities, laws or governmental regulations or other causes that are beyond the reasonable control of such Party. Obligations hereunder, however, shall in not be excused but shall be suspended only until the cessation of any cause of such failure.

15.2 Entire Agreement and Modification. This Agreement constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes any prior oral, written, or online agreements. Except as otherwise provided for herein, any waiver, modification, or amendment of any provision of this Agreement will be effective only if in writing and signed by the Parties. This Agreement does not govern your use of the PayPal payment processing services such as Express Checkout or PayPal Payments Advanced, or PayPal Payments Pro, or your PayPal account. Your PayPal account and/or your use of any PayPal payment processing services shall be governed by the online PayPal User Agreement and any other agreement you agree to in connection with such account and/or your use of such PayPal Services.

15.3 Severability. If any provision of this Agreement shall be held illegal or unenforceable, that provision shall be limited or eliminated to the minimum extent necessary so that this Agreement shall otherwise remain in full force and effect and enforceable.

15.4 Assignment; No Waiver. This Agreement binds and is for the benefit of the successors and permitted assigns of each Party. You may not assign this Agreement or any rights under it, in whole or in part, without PayPal’s prior written consent. Any attempt to assign this Agreement other than as permitted above will be null and void. Failure by either Party to enforce any provision of this Agreement will not be deemed a waiver of future enforcement of that or any other provision.

15.5 Governing Law and Jury Trial Waiver. This Agreement shall be governed by and construed in accordance with the laws of the State of California, U.S.A., except for its conflicts of laws principles. The Parties consent to the exclusive jurisdiction of, and venue in, the state and federal courts in Santa Clara County, California. PAYPAL AND MERCHANT IRREVOCABLY WAIVE ANY AND ALL RIGHTS THEY MAY HAVE TO A TRIAL BY JURY IN ANY JUDICIAL PROCEEDING INVOLVING ANY CLAIM RELATING TO OR ARISING UNDER THIS AGREEMENT.

15.6 Survival. Sections, which by their nature survive, shall survive any termination or expiration of this Agreement in accordance with their terms.

15.7Export Restrictions. You agree that you shall not import, export, or re-export directly or indirectly, any commodity, including your products incorporating or using any PayPal products in violation of the laws and regulations of any applicable jurisdiction.

15.8 Notices. Except as otherwise expressly stated in this Agreement, all notices to PayPal shall be in writing and delivered, via courier or certified or registered mail, to General Counsel, 2211 North First Street, San Jose, CA 95131 or any other address provided by PayPal. All notices to you shall be delivered to your e-mail address as provided by you in your account information. Unless you choose to opt-out of receiving marketing notices, you authorize PayPal to notify you as our customer, via commercial e-mails, telephone calls and other means of communication, of information that we deem is of potential interest to you, including without limitation communications describing upgrades, new products and services or other information pertaining to the Payflow Services or other PayPal offerings relating to Internet security. Notwithstanding the above, you shall not have the right to opt-out of service or support notices relating to the Payflow Services, including without limitation, notices of service modifications, security, performance issues or technical difficulties.

15.9 Headings. The section headings appearing in the Agreement are inserted only as a matter of convenience and in no way define, limit, construe or describe the scope or extent of such section or in any way affect such section.

15.10 Relationship of the Parties. The Parties are independent contractors and will have no power or authority to assume or create any obligation or responsibility on behalf of each other. This Agreement will not be construed to create or imply any partnership, agency, or joint venture.

15.11 Non-Disparagement; Publicity. During the term of the Agreement, neither party will disparage the other party or the other party's trademarks, web sites, products or services, or display any such items in a derogatory or negative manner on any web site or in any public forum or press release. All media releases, public announcements or public disclosures (including, but not limited to, promotional or marketing material) by either Party relating to this Agreement are prohibited without the prior written consent of both Parties.

15.12 Expenses. Except as otherwise specified herein or as otherwise mutually agreed upon by the Parties, each Party will bear its own costs of performing under this Agreement.

15.13 Government Use. If you are a branch or agency of the United States Government, the following provision applies. The software and any related documentation are comprised of "commercial computer software" and "commercial computer software documentation" as such terms are used in 48 C.F.R. 12.212 (SEPT 1995) and are provided to the Government (i) for acquisition by or on behalf of civilian agencies, consistent with the policy set forth in 48 C.F.R. 12.212; or (ii) for acquisition by or on behalf of units of the Department of Defense, consistent with the policies set forth in 48 C.F.R. 227.7202-1 (JUN 1995) and 227.7202-3 (JUN 1995).


If at any time you process directly with American Express, you acknowledge and agree to comply with the terms of this Section as applicable.

  1. Access via Ecommerce Application. You understand and agree that if you install a third party e-commerce application or your own custom integration on your Web Site through which you access American Express directly, it is your responsibility to comply with or select an e-commerce application that complies with the most current American Express standards and operational requirements. In addition, it is your responsibility to keep your systems in good working order and to repair and correct any deficiencies, errors, or defect promptly during the term of this Agreement if notified by PayPal or American Express that such repair is necessary for the Direct Processing services to operate properly and in accordance with American Express requirements. PayPal will promptly notify you of American Express required changes to your system. You understand and agree that your failure to perform these functions may result in your inability to process such Transactions through PayPal or in PayPal or American Express suspending or terminating your right to access the Direct Processing services.
  2. Inability to Access Service. You acknowledge and agree to notify PayPal immediately of online processing problems, including but not limited to providing PayPal’s customer service department with notice within forty-eight (48) hours of your use of voice authorizations for Transactions that would otherwise have been sent using the Payflow Services described herein.

In no event shall PayPal be liable for Transaction processing and other services performed by American Express.




  1. If at any time you purchase Enhanced Technical Support, you agree to comply with the following terms and conditions.
  2. Enhanced Technical Support provides (i) unlimited e-mail and web support; (ii) toll free telephone support from 5:00 am to 6:00 pm PT seven days a week, except for holidays; (iii) e-mail alerts for issues that may affect Transaction processing; and (iv) two hours of integration support.
  3. The fees for Enhanced Technical Support are set out in the Registration and will be added to your monthly bill.


  1. If at any time you purchase Premium Technical Support, you agree to comply with the following terms and conditions.
  2. Premium Technical Support provides (i) unlimited e-mail and web support; (ii) 24/7 toll free telephone support; (iii) e-mail alerts for issues that may affect Transaction processing; and (iv) four hours of integration support.
  3. The fees for Premium Technical Support are set out in the Registration and will be added to your monthly bill.


If at any time you purchase the Recurring Billing Services, you agree to comply with the following terms and conditions.


  1. Compliance. The Recurring Billing Service allows you to automatically debit a customer’s debit or credit card (“Card”). This allows you to sign customers up for a payment that is recurring on a regular or irregular basis and for a fixed or variable amount. You agree that you will comply with all the requirements of Regulation E (12 CFR 205.10) (“Reg E”) and Regulation Z (12 CFR 226.13), including the requirement to receive an authorization prior to setting up a recurring payment, the requirement to provide the customer with 10 day’s notice if the amount of the payment will vary from the amount of the authorization or the previous transfer, and the requirement to have the ability to stop the payment by providing you with 3 days notice. In the instance of stopping the payment, you are entitled to ask the customer for an alternative payment method, and if necessary pursue collection efforts if the customer does not provide one.
  2. Recurring Transactions. You agree, and hereby represent and warrant, that prior to processing any recurring Transactions using Recurring Billing Service, you will have entered into written agreements with its customers (1) confirming the customer’s Card number and current expiration date; (2) providing an overview of how the recurring billing service will operate; (3) stating the term of the contract, in particular the period the Card will be billed and the frequency that the Card will be charged.
  3. Merchant Obligations. You shall: (i) obtain all necessary approvals required from each customer authorizing you to bill such customer's Card account; (ii) comply with all applicable bank and Card rules with respect to recurring billing of customer’s Cards; (iii) provide accurate information regarding the Cards to be billed, the amounts, the billing cycles, billing period and any other information requested by PayPal that is necessary to properly process such Transactions; (iv) review Transactions periodically to determine if they have been properly submitted and notify PayPal promptly if you notice any discrepancy between the information provided and the Transactions submitted; and (v) indemnify PayPal and its representatives, officers, directors and employees from and against any claims by Cardholders that their Cards were charged by you without authorization.


  1. Introduction. The Fraud Protection Services include (i) Basic Fraud Protection (ii) Advanced Fraud Protection (iii) Account Monitoring, and (iv) Buyer Authentication.
  2. Use of Fraud Protection Services. You shall (i) use the Fraud Protection Services in accordance with the applicable user guides and other documentation; and (ii) not use or permit others to use information obtained through the use of the Fraud Protection Services for any purpose other than in conjunction with the Services and in a manner described in the documentation for the Fraud Protection Services.
  3. Setting Preferences. You shall be responsible for setting preferences for the Fraud Protection Services to determine which Transactions it will accept or reject based on the authentication information provided by PayPal. You shall not reject a Transaction unless, based on various combinations of authentication information, you reasonably determine that the individual requesting the Transaction is likely not the consumer he is representing himself to be.
  4. Account Monitoring. You acknowledge that PayPal does not represent or warrant that the Account Monitoring Service is error free or that it will identify all fraudulent activity. In addition, PayPal shall not be liable to you if PayPal incorrectly identifies a Transaction as fraudulent. You shall be responsible for taking all final actions on Transactions that have been identified by PayPal as potentially fraudulent. PayPal shall use commercially reasonable efforts to monitor and internally investigate and report on potentially fraudulent activity.
  5. Dispute Resolution. You acknowledge PayPal shall have the right to provide Data to Financial Institutions and card associations for the purposes of dispute resolution.
  6. Best Practices. The Risk and Security "best practices" suggestions features of the Fraud Protection Services are for illustrative purposes only to show best industry practices, and you shall be solely responsible for choosing the appropriate settings and parameters for the Fraud Protection Services.
  7. IP Address Verification Components. Except as permitted in the applicable documentation for the Fraud Protection Services, you shall not: (i) modify, recast or create derivative works of any information obtained using the IP Address Verification components of this service; (ii) publicly display, upload or post any information obtained using the IP Address Verification components or transmit, broadcast or otherwise transfer such information to any other party; (iii) license, sell, transfer or provide access to information obtained using the IP Address Verification components of the Payflow Services; and (iv) use, or authorize any third party to use, the information obtained using the IP Address Verification components to provide geo-location services to third parties.
  8. High Risk Filters. PayPal's licensors of third party products or services used by you as part of the high risk filters components of the Fraud Protection Services shall be considered third party beneficiaries of the Agreement and shall have the right to enforce your compliance with the Agreement.
  9. Buyer Authentication. If the card associations modify their buyer authentication programs, PayPal will use commercially reasonable efforts to update the Fraud Protection Services at the next major release of the Fraud Protection Services that PayPal makes generally available.
  10. Third Party Components. PayPal shall have the right to modify, substitute, or remove third party components of the Fraud Protection Services on 30 days prior notice. You may terminate the Fraud Protection Services or this Agreement in its entirety with notice as set out in this Agreement, if such removal materially diminishes the functionality of the Fraud Protection Services.
  11. Deactivation. Upon termination of the Fraud Protection Services, PayPal may immediately cancel your access to the Fraud Protection Services. It is your responsibility to clear all settings and download all reports prior to the effective date of any such termination.

Payflow Services Fees Effective as of September 25, 2012**
Service Set Up Fee per Payment Service Account Monthly Fee per Payment Service Account*

Per Transaction Fee

Payflow Link




Payflow Pro




Basic Fraud Protection




Advanced Fraud Protection




Buyer Authentication




Recurring Billing Service





The pricing table above applies to domestic payments in US dollars. Payflow Services must be used with an internet merchant account. The prices above do not include internet merchant account processing fees.

*The total monthly fees due to PayPal each month will be based on the maximum number of activated Payment Service Accounts at any point in a calendar month. “Payment Service Account” means an activated Merchant account that may process Transactions.

**Fees applicable to new U.S. customers effective as of September 25, 2012.  Existing U.S. customers wishing to use this pricing should contact PayPal’s customer service department and must be using the most current version of Payflow Link.

Payflow Services Fees for existing U.S. and Canadian customers prior to September 25, 2012 and new Canadian customers as of September 25, 2012

Service* One Time Setup Fee Monthly Service Fee

Included Monthly Transactions

Monthly Excess Transaction Fee**

Payflow Link

$179.00 USD

$19.95 USD

500 Transactions per month included

$0.10 USD per Excess Transaction

Payflow Pro

$249.00 USD

$59.95 USD

1000 Transactions per month included

$0.10 USD per Excess Transaction

PayPal Recurring Billing Service (Treated as a Transaction and included in monthly Transaction Totals)

Payflow Link Service

$14.95 USD $9.95 USD

Included as part of your monthly Payflow Link Transactions

Included as part of any monthly Excess Transactions

Payflow Pro Service

$39.95 USD

$29.95 USD

Included as part of your monthly Payflow Pro Transactions

Included as part of any monthly Excess Transactions

PayPal Fraud Protection Services

Basic Package




$0.05 USD

Advanced Package




$0.10 USD

Buyer Authentication+




$0.10 USD


*The pricing table above applies to domestic payments in US dollars. Payflow Services must be used with an internet merchant account. The prices above do not include internet merchant account processing fees. **If you exceed the number of Transactions included in the monthly service fee for the applicable Payflow Services ("Excess Transaction"), you shall pay a monthly Transaction fee per Excess Transaction ("Monthly Excess Transaction Fee").

+The service must be purchased in conjunction with the PayPal Fraud Protection Service Basic Package or Advanced Package.

Customers with Enhanced and Premium Support services will continue to receive these services at their current pricing. These services are not available to new customers.




This Data Proection Schedule applies only to the extent that PayPal acts as a processor or Sub-processor to Merchant.

Capitalized terms used but not defined in this Schedule shall have the meaning set out in the Agreement.


1.1 The following terms have the following meanings when used in this Schedule:

"Card Information" is defined in Section 2.15 of this Schedule.

"Customer" means a European Union customer of Merchant who uses the PayPal services and for the purposes of this Schedule, is a data subject.

"Customer Data" means the personal data that the Customer provides to Merchant and Merchant passes on to PayPal through the use by the Merchant of the PayPal services.

"data controller" (or simply "controller") and "data processor" (or simply "processor") and "data subject" have the meanings given to those terms under the Data Protection Laws.

"Data Protection Laws" means General Data Protection Regulation (EU) 2016/679 (GDPR) and any associated regulations or instruments and any other data protection laws, regulations, regulatory requirements and codes of conduct of EU Member States applicable to PayPal's provision of the PayPal services.

"Data Recipient" is defined in Section 2.15 of this Schedule.

"PayPal Group" means PayPal and all companies in which PayPal or its successor directly or indirectly from time to time owns or controls.

"personal data" has the meaning given to it in the Data Protection Laws.

"processing" has the meaning given to it in the Data Protection Laws and "process", "processes" and "processed" will be interpreted accordingly.

"Sub-processor" means any processor engaged by PayPal and/or its affiliates in the processing of personal data.

1.2 Schedule. This comprises (i) sections 1 to 2, being the main body of the schedule; (ii) Attachment 1; (iii) Attachment 2; and (iv) Attachment 3 (with its appendixes).



2.1 Merchant data controller. With regard to any Customer Data to be processed by PayPal in connection with this Agreement, Merchant will be a controller and PayPal will be a processor in respect of such processing. Merchant will be solely responsible for determining the purposes for which and the manner in which Customer Data are, or are to be, processed.

2.2 Merchant written instructions. PayPal shall only process Customer Data on behalf of and in accordance with Merchant’s written instructions. The Parties agree that this Schedule is Merchant's complete and final written instruction to PayPal in relation to Customer Data. Additional instructions outside the scope of this Schedule (if any) require prior written agreement between PayPal and Merchant, including agreement of any additional fees payable by Merchant to PayPal for carrying out such additional instructions. Merchant shall ensure that its instructions comply with all applicable laws, including Data Protection Laws, and that the processing of Customer Data in accordance with Merchant's instructions will not cause PayPal to be in breach of Data Protection Laws. The provisions of this Section are subject to the provisions of Section 2.14 on Security. Merchant hereby instructs PayPal to process Customer Data for the following purposes:

2.2.1 as reasonably necessary to provide the PayPal services to Merchant and its Customer;

2.2.2 after anonymizing the Customer Data, to use that anonymized Customer Data, directly or indirectly, which is no longer identifiable personal data, for any purpose whatsoever.

2.3 PayPal cooperation. In relation to Customer Data processed by PayPal under this Agreement, PayPal shall co-operate with Merchant to the extent reasonably necessary to enable Merchant to adequately discharge its responsibility as a controller under Data Protection Laws, including without limitation as Merchant requires in relation to:

2.3.1. assisting Merchant in the preparation of data protection impact assessments to the extent required of Merchant under Data Protection Laws; and

2.3.2  responding to binding requests from data protection authorities for the disclosure of Customer Data as required by applicable laws.

2.4 Scope and Details of Customer Data processed by PayPal. The objective of processing Customer Data by PayPal is the performance of the PayPal services pursuant to the Agreement. PayPal shall process the Customer Data in accordance with the specified duration, purpose, type and categories of data subjects as set out in Attachment 2 (Data Processing of Customer Data).

2.5 Compliance with Laws. The Parties will at all times comply with Data Protection Laws.

2.6 Correction, Blocking and Deletion. To the extent Merchant, in its use of the PayPal services, does not have the ability to correct, amend, block or delete Customer Data, as required by Data Protection Laws, PayPal shall comply with any commercially reasonable request by Merchant to facilitate such actions to the extent PayPal is legally permitted to do so. To the extent legally permitted, Merchant shall be responsible for any costs arising from PayPal’s provision of such assistance.

2.7 Data Subject Requests. PayPal shall, to the extent legally permitted, promptly notify Merchant if it receives a request from a Customer for access to, correction, amendment or deletion of that Customer’s personal data. Merchant shall be responsible for responding to all such requests. If legally permitted, PayPal shall provide Merchant with commercially reasonable cooperation and assistance regarding such Customer's request and Merchant shall be responsible for any costs arising from PayPal’s assistance.

2.8 Training. PayPal undertakes to provide training as necessary from time to time to the PayPal personnel with respect to PayPal's obligations in this Schedule to ensure that the PayPal personnel are aware of and comply with such obligations.

2.9 Limitation of Access. PayPal shall ensure that access by PayPal's personnel to Customer Data is limited to those personnel performing PayPal services in accordance with the Agreement.

2.10 Sub-processors.  Merchant specifically authorizes the engagement of members of the PayPal Group as Sub-processors in connection with the provision of the PayPal services. In addition, Merchant generally authorizes the engagement of any other third parties as Sub-processors in connection with the provision of the PayPal services. When engaging any Sub-processor, PayPal will execute a written contract with the Sub-processor, which contains terms for the protection of Customer Data which are no less protective than the terms set out in this Schedule PayPal shall make available to Merchant a current list of Sub-processors for the respective PayPal services with the identities of those Sub-processors.

2.11 Audits and Certifications. Where requested by Merchant, subject to the confidentiality obligations set forth in the Agreement, PayPal shall make available to Merchant (or Merchant’s independent, third-party auditor that is not a competitor of PayPal or any members of PayPal or the PayPal Group) information regarding PayPal’s compliance with the obligations set forth in this Schedule in the form of the third-party certifications and audits (if any) set forth in the Privacy Policy set out on our website. Merchant may contact PayPal in accordance with the Agreement to request an on-site audit of the procedures relevant to the protection of personal data. Merchant shall reimburse PayPal for any time expended for any such on-site audit at PayPal’s then-current professional PayPal services rates, which shall be made available to Merchant upon request. Before the commencement of any such on-site audit, Merchant and PayPal shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Merchant shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by PayPal. Merchant shall promptly notify PayPal with information regarding any non-compliance discovered during the course of an audit.

2.12 Security. PayPal shall, as a minimum, implement and maintain appropriate technical and organizational measures as described in Attachment 1 to this Schedule to keep Customer Data secure and protect it against unauthorized or unlawful processing and accidental loss, destruction or damage in relation to the provision of the PayPal services. Since PayPal provides the PayPal services to all Merchants uniformly via a hosted, web-based application, all appropriate and then-current technical and organizational measures apply to PayPal’s entire customer base hosted out of the same data center and subscribed to the same service. Merchant understands and agrees that the technical and organizational measures are subject to technical progress and development. In that regard, PayPal is expressly permitted to implement adequate alternative measures as long as the security level of the measures is maintained in relation to the provision of the PayPal services.
2.13 Security Incident Notification. If PayPal becomes aware of a Security Incident in connection with the processing of Customer Data, PayPal will, in accordance with Data Protection Laws: (a) notify Merchant of the Security Incident promptly and without undue delay; (b) promptly take reasonable steps to minimize harm and secure Customer Data; (c) describe, to the extent possible, reasonable details of the Security Incident, including steps taken to mitigate the potential risks; and (d)  deliver its notification to Merchant's administrators by any means PayPal selects, including via email. Merchant is solely responsible for maintaining accurate contact information and ensuring that any contact information is current and valid.

2.14 Deletion. Upon termination or expiry of the Agreement, PayPal will delete or return to Merchant all Customer Data  processed on behalf of the Merchant, and PayPal shall delete existing copies of such Customer Data except where necessary to retain such Customer Data strictly for the purposes of compliance with applicable law.

2.15 Data Portability. Upon any termination or expiry of this Agreement, PayPal agrees, upon written request from Merchant, to provide Merchant’s new acquiring bank or payment service provider (“Data Recipient”) with any available credit card information including personal data relating to Merchant’s Customers (“Card Information”). In order to do so, Merchant must provide PayPal with all requested information including proof that the Data Recipient is in compliance with the Association PCI-DSS Requirements and is level 1 PCI compliant. PayPal agrees to transfer the Card Information to the Data Recipient so long as the following applies: (a) Merchant provides PayPal with proof that the Data Recipient is in compliance with the Association PCI-DSS Requirements (Level 1 PCI compliant) by providing PayPal a certificate or report on compliance with the Association PCI-DSS Requirements from a qualified provider and any other information reasonably requested by PayPal; (b) the transfer of such Card Information is compliant with the latest version of the Association PCI-DSS Requirements; and (c) the transfer of such Card Information is allowed under the applicable Association Rules, and any applicable laws, rules or regulations (including Data Protection Laws).


Technical and Organizational Measures

The following technical and organizational measures will be implemented:

  1. Measures taken to prevent any unauthorized person from accessing the facilities used for data processing;
  2. Measures taken to prevent data media from being read, copied, amended or moved by any unauthorized persons;
  3. Measures taken to prevent the unauthorized introduction of any data into the information system, as well as any unauthorized knowledge, amendment or deletion of the recorded data;
  4. Measures taken to prevent data processing systems from being used by unauthorized person using data transmission facilities;
  5. Measures taken to guarantee that authorized persons when using an automated data processing system may access only data that are within their competence;
  6. Measures taken to guarantee the checking and recording of the identity of third parties to whom the data can be transmitted by transmission facilities;
  7. Measures taken to guarantee that the identity of the persons having had access to the information system and the data introduced into the system can be checked and recorded ex post facto at any time and by any authorized person;
  8. Measures taken to prevent data from being read, copied, amended or deleted in an unauthorized manner when data are disclosed and data media transported;
  9. Measures taken to safeguard data by creating backup copies.

Data Processing of Customer Data

Categories of data subjects

Customer Data – The personal data that the Customer provides to Merchant and Merchant passes on to PayPal through the use by the Customer of the PayPal services.

Subject-matter of the processing

The payment processing services offered by PayPal which provides Merchant with the ability to accept credit cards, debit cards, and other payment methods on a website or mobile application from Customers.

Nature and purpose of the processing

PayPal processes Customer Data that is sent by the Merchant to PayPal for purposes of obtaining verification or authorization of the Customer’s payment method as payment to the Merchant for the sale goods or services.

Type of personal data

Customer Data – Merchant shall inform PayPal of the type of Customer Data PayPal is required to process under this Agreement. Should there be any changes to the type of Customer Data PayPal is required to process then Merchant shall notify PayPal immediately. PayPal processes the following Customer Data, as may be provided by the Merchant to PayPal from time to time:


  Payflow Link Payflow Pro
Full name  X   X 
Date of birth  X  X 
Shipping address  X  X 
Billing address  X  X 
Email address  X  X 
Telephone number  X  X 
Fax number  X  X 
Government ID number  X  X 
Bank account number and bank routing number  X  X 
Financial account number  X   X 
Card or payment instrument type  X   X 
Card Primary Account Number (PAN) or Device-specific Primary Account  X   X 
Number (DPAN)  X   X 
Card Verification Value (CVV)  X   X 
Card expiration date  X   X 
Business tax ID  X   X 
Username  X   X 
Password  X   X 
IP address  X   X 
Device Data  X   X 
Browser data  X   X 


Special categories of data (if relevant)

The transfer of special categories of data is not anticipated.

Duration of Processing

The term of the Agreement.