PayPal Payflow Gateway Services for Resold Merchants



Last Update: May 19, 2018



This Payflow Gateway Services Agreement ("Agreement") applies to your (the "Merchant’s") use of the Payflow Gateway Services (the "Payflow Services"). In this Agreement, "you" and "your" refer to Merchant and your designated agents, including your administrative contact, and "we,” "us" and "our" refer to PayPal. You must read, agree with, and accept all of the terms and conditions contained in this Agreement. By using the Payflow Services, you acknowledge that you have agreed to this Agreement. We may amend this Agreement at any time by posting a revised version on our website. The revised version will be effective at the time we post it. In addition, if the revised version includes a Substantial Change, we will provide you with 30 Days' prior notice of Substantial Change by posting notice on the "Policy Updates" page of our website. You agree to review periodically our website to be aware of any revisions. By continuing to use the Payflow Services after any revision to this Agreement or any change in Payflow Services, you agree to abide by and be bound by any such revisions or changes.


The Payflow Services include Payflow Link or Payflow Pro and the “Add On Services” defined as Recurring Billing Service, the Fraud Protection Services, and the ACH Payment Service. In order to use the Payflow Services you or your PayPal authorized reseller must complete the online registration process (“Registration”) and set up an Internet merchant account with a Financial Institution to process payments. When you register for the Payflow Services, you may have PayPal payments automatically enabled. The e-mail address you designate when registering for the Payflow Services will be initially used to create your PayPal account, however, to access any PayPal payments you must finish completing your PayPal account and agree to the online PayPal user agreement, found on the applicable PayPal website. Use of the Add On Services may require additional documentation. You agree that you shall (i) use the Payflow Services in accordance with the applicable user guides and other documentation; and (ii) not use or permit others to use information obtained with the Payflow Services for any purpose other than in conjunction with the Payflow Services and in a manner described in this Agreement and in the documentation for the Payflow Services.


"ACH" shall mean Automated Clearing House.

"API" shall mean application programming interface.

"Financial Institution" shall mean banks or financial institutions having business relationships with one or more Financial Processors that have agreed to evaluate and provide merchant accounts and payment authorization services to merchants.

"Financial Processor" shall mean an entity with which PayPal has established a relationship that performs the back-end authorization and processing of Transactions between your Financial Institution and the cardholder's bank.

"Manager Web Site" means the online account management tools for merchants for the Payflow Services.

"Payflow Services" mean the payment gateways under the brand names Payflow Link or Payflow Pro that include, without limitation, real-time, secure data transmission and processing for multiple business-to-customer payment methods including, credit cards, and purchase cards and access to electronic checks allow Referred Merchants to process credit and debit cards, PayPal payments, Bill Me Later® payments, delayed shipment billing, electronic checks, and the Add On Services.

"Payflow Software" shall mean the object code version of the client Software Development Kit ("SDK"), HTML code, APIs, related documentation, and other client software or code, including updates, to enable PayPal to provide the Payflow Services to you. Unless otherwise specified, Payflow Software shall not include any source code.

"Substantial Change" means a change to the terms of this Agreement that reduces your rights or increases your responsibilities.

"Transaction" shall mean information related to the purchase of goods and services from you by a third party. Specifically a Transaction is an authorization, delayed capture, sale, void, voice authorization, inquiry, verification, reference transaction, non-reference credit, or credit data transmission between PayPal and its back end processors.


You shall:

  1. Maintain commercially reasonable business practices in conjunction with use of the Payflow Services including (i) maintaining your web site (the "Merchant Web Site") and connection to the Internet and fulfilling all orders for products and services sold by you; (ii) reviewing Transactions on a regular basis and notifying PayPal promptly of any suspected unauthorized activity; (iii) establishing and maintaining a commercial banking relationship with one or more Financial Institutions; and (iv) keeping your login name and password confidential and agreeing that the administrative contact you provide to us during Registration is your agent with full authority to act on your behalf with respect to such Payflow Services.
  2. Collect, store and transmit certain Transaction and user information (collectively, the "Data"), in a secure manner, protect the privacy of the Data, and comply with requests from PayPal to take reasonable action to maintain the security and integrity of the Payflow Services; and
  3. Update to the most current Payflow Software version and security updates and patches necessary to properly operate the Payflow Services and keep all your enrollment and payment information current and updated on the PayPal Manager Web Site.


4.1 Services. Subject to the terms in this Agreement, PayPal agrees to provide (i) the Payflow Services for which you have enrolled and the PayPal authorized reseller has paid the applicable fees on your behalf, and (ii) access to standardized reports regarding your Transactions processed using the Payflow Services and certain reporting tools to assist you in accounting activities.

4.2 Information Conduit. You acknowledge that PayPal is not a financial or credit reporting institution. PayPal is responsible only for providing Data transmission to effect or direct certain payment authorizations for you and is not responsible for the results of any credit inquiry, the operation of web sites of Internet service providers (“ISP”), Financial Institutions, Financial Processors, the availability or performance of the Internet, or for any damages or costs you suffer or incur as a result of any instructions given, actions taken or omissions made by you, your Financial Processor(s), your Financial Institution, or any ISP. The Payflow Services present data and information collected from you and data sources other than PayPal and PayPal makes no representations or warranties regarding the availability, accuracy, timeliness or completeness of such data and information or any output or results of the Payflow Services based in whole or in part on such data and information. You are solely responsible for the accuracy and completeness of all Data you supply.

4.3 Security and Stability. You acknowledge that it is in the best interests of both parties that PayPal maintains a secure and stable environment; to that end, PayPal may change the method of access to the Payflow Services at any time. You also agree that, in the event of degradation or instability of the Payflow Services or an emergency, PayPal may temporarily suspend your access to the Payflow Services, any API, and/or any PayPal content under this Agreement in order to minimize threats to and protect the operational stability and security of the Payflow Services. Each party represents, warrants and covenants that it shall at all times comply with applicable Payment Card Industry Data Security Standards, (“PCI DSS”) as such may be amended from time to time, with respect to all card data received by it in connection with this Agreement. PayPal does not guarantee the security of the Payflow Services or Transaction data, and PayPal will not be responsible in the event of any infiltration of its security systems, if PayPal has used commercially reasonable efforts to prevent any such infiltration. Your customers’ card data is handled by PayPal if: (a) you use Payflow Link, or (b) you use Payflow Pro and you choose to activate the “transparent redirect” feature and integrate the feature pursuant to PayPal’s instructions. PayPal adheres to Payment Card Industry Data Security Standards (“PCI DSS”).

4.4 Technical Support for Payflow Services. You shall obtain your primary customer support from your PayPal authorized reseller and may contact PayPal for secondary technical support.


5.1 Fees. You agree to pay the PayPal authorized reseller the applicable fees for the Payflow Services. All fees are due immediately and are non-refundable, except as otherwise expressly noted herein.

5.2 Taxes. The fees are exclusive of tax. You are responsible for all taxes, duties, levies or tariffs or charges of any kind imposed by any federal, state, or local governmental entity on the fees for the Payflow Services, excluding taxes based on PayPal’s net income.


6.1 Term; Renewal. This Agreement will commence on the date you accept the terms of this Agreement (the "Effective Date") and continues until terminated as set out herein.

6.2 Termination. You may terminate the Payflow Services through your PayPal authorized reseller at any time by providing 30 days' prior written notice to your PayPal authorized reseller. PayPal may terminate this Agreement, effective immediately, (i) in the event of insolvency, receivership or voluntary or involuntary bankruptcy, or an assignment for the benefit of your creditors, or in the event that a substantial part of your property is or becomes subject to any levy, seizure, assignment or sale for or by any creditor or governmental agency without being released or satisfied within thirty days thereafter; (ii) if you fail to comply with applicable laws or regulations; (iii) for any of the reasons listed in Section 6.3 below; or (iv) if you fail to materially comply with this Agreement.

6.3 Suspension. PayPal may suspend your access to the Payflow Services effective immediately if: (i) certain third party licenses or access to third party components of the Payflow Services are terminated; (ii) you cause or fail to fix a security breach relating to the Payflow Services; (iii) PayPal reasonably believes your breach compromises the security of the Payflow Services; (iv) PayPal reasonably believes fraudulent Transactions are being submitted on your account knowingly or negligently; (v) your Financial Processor or Financial Institution requires such suspension; (vi) you fail to pay any fees when due; or (vii) you fail to upgrade to the most current Payflow Software version, security updates and/or patches.

6.4 Effect of Termination. PayPal will cease providing the Payflow Services as of the expiration of the billing cycle in which the termination is effective. Upon termination, your rights to use the Payflow Services, and any other rights granted hereunder, shall immediately cease, and you shall destroy any copy of the PayPal Documentation or other materials licensed to you hereunder and referenced herein. Termination of this Agreement will not relieve either Party from any liability arising prior to the termination of this Agreement. If your PayPal authorized reseller ceases to be an authorized reseller, you may continue to access the Payflow Services as mutually agreed between Merchant and PayPal. To the extent permitted by applicable law, you agree that upon termination, we may delete all information relating to your use of the Service.


7.1 Privacy Policies. Both Parties’ privacy policies shall be adequately displayed within their respective websites and meet current legal and industry standards within each Party’s reasonable determination. Our privacy policy is located on our Web site at  and is incorporated herein by reference. You agree that in the course of providing the Payflow Services, PayPal will capture certain Data. You agree to provide to PayPal only the Data that is required by the Payflow Software and is necessary for PayPal to provide the Payflow Services. Subject to applicable law, PayPal may use the Data as necessary to (i) perform the Payflow Services contemplated in this Agreement (including distributing the Data to third parties providing services you requested); (ii) collect and process the Data for record keeping, reporting, , and analytics; (iii) provide fraud detection, risk modeling, and support services; (iv) compile and disclose Data in the aggregate where your individual or user Data is not identifiable, including calculating your averages by region or industry; and (v) provide the Data as required by the card associations, law or court order, for purposes of incident investigation, or to defend PayPal’s rights in a legal dispute. You represent and warrant that you have provided notice to, and obtained consent from, any third party individuals whose personal data you supply to us. We are not responsible for any consequences resulting from your failure to provide notice or receive consent from such individuals or for your providing outdated, incomplete, or inaccurate information. You are responsible for capturing and securing any Data you need prior to submission to us for processing. After processing, we will provide only truncated Data to you through our standard reporting tools.

7.2 Compliance with Data Protection Schedule. You agree (as a “Merchant”) to comply with Schedule 1 below, which forms part of this Agreement. The terms of the Data Protection Schedule shall prevail over any conflicting terms in this Agreement relating to data protection and privacy.


8.1 Confidential Information Defined. A party’s “Confidential Information” is defined as any information of the disclosing party, which (i) if disclosed in a tangible form is marked using a legend such as “Confidential” or “Proprietary” or if not so marked, should be reasonably understood by the receiving party from the context of disclosure or from the information itself, to be confidential, or (ii) if disclosed orally or visually is declared to be confidential or, if not so declared, should be reasonably understood by the receiving party from the context of disclosure or from the information itself to be confidential. Confidential Information shall include the terms of this Agreement; the integration requirements; information accessed via the Payflow APIs; information relating to PayPal’s systems, technology, processes, and financial information; your user ID; information relating to your business, security and technology; and all user data and customer information (including user IDs and passwords) regardless of whether marked “Confidential.”

8.2 Mutual Obligations. Each party shall hold the other party’s Confidential Information in confidence and shall not disclose such Confidential Information to third parties nor use the other party’s Confidential Information for any purpose other than as required to perform its obligations under this Agreement. Such restrictions shall not apply to Confidential Information that (i) is already known by the recipient, (ii) becomes publicly known through no act or fault of the recipient, (iii) is received by recipient from a third party without a restriction on disclosure or use, or (iv) is independently developed by recipient without reference to the Confidential Information or (v) where Confidential Information is required to be disclosed by a court, government agency, law enforcement agency, regulatory requirement, or similar disclosure requirement. The parties’ respective obligations to maintain the confidentiality of information disclosed hereunder shall survive the expiration or early termination of this Agreement or until such time as such information becomes public information through no fault of the receiving party. Upon termination or expiration of this Agreement, the receiving party shall immediately return to the disclosing party all manifestations of the Confidential Information or shall destroy all such Confidential Information as the disclosing party may designate; provided that such action may be delayed for so long as, and to the extent that, such Confidential Information relates to outstanding payment obligations or is subject to audit, reporting, or retention requirements under this Agreement or applicable law.


9.1 Intellectual Property. You acknowledge that PayPal and its licensors retain all intellectual property rights (including all patent, trademark, copyright, trade dress, trade secrets, database rights and all other intellectual property rights) and title in and to all of their Confidential Information; other proprietary information, products and services; and the ideas, concepts, techniques, inventions, processes, software or works of authorship developed, embodied in, or practiced in connection with the Payflow Services and provided by PayPal hereunder, including without limitation all modifications, enhancements, derivative works, configurations, translations, upgrades, and interfaces thereto (all of the foregoing “PayPal Intellectual Property”). PayPal Intellectual Property does not include your preexisting hardware, software, data, or networks. Except as otherwise expressly provided herein, nothing in this Agreement shall create any right of ownership or license in, and to the other Party’s intellectual property rights and each Party shall continue to independently own and maintain its intellectual property rights. There are no implied licenses under this Agreement and any rights not expressly granted to you under this Agreement are reserved by PayPal or its suppliers. You shall not reverse engineer, decompile, modify in any manner, or create derivative works from the Payflow Services, API License, (defined below) or any PayPal Intellectual Property.

9.2 License. PayPal hereby grants you a non-exclusive, non-transferable, revocable, non-sublicenseable, limited license to use PayPal’s Intellectual Property solely as required and necessary to use the Payflow Services in accordance with the terms and conditions of this Agreement and any user guides provided by PayPal to you (the “IP License” and with respect to the APIs, the “API License”).

9.3 Payflow APIs. PayPal shall make available to you its API integration and user guides and SDKs (collectively “PayPal Documentation”). You shall comply with the PayPal Documentation in connection with the integration and use of APIs. You shall keep all user ID, passwords and other access codes pertaining to the Payflow Services and API License confidential and secure from all unauthorized persons. You will immediately terminate the access rights of any user who ceases to act in an authorized capacity on your behalf for any reason, including because of a change in employment status or in the event of theft, loss or authorized disclosure or misuse of that user ID. You agree to notify PayPal immediately upon learning of any unauthorized use of your user name or password. You shall be solely responsible for (i) updating your passwords for access to the Payflow Services periodically, and (ii) creating passwords that are reasonably “strong” under the circumstances. The user ID is the property of PayPal and may be immediately revoked or terminated by PayPal if you share the same with any third party, or otherwise breach this API License. In connection with your use of Payflow’s APIs, you are prohibited from doing any of the following: (i) selling, transferring, sublicensing, or disclosing your user ID to any third party (other than third party service providers); (ii) selling, transferring, sublicensing, and/or assigning any interest in PayPal’s Confidential Information accessed by the APIs; (iii) collecting any customer’s personally identifiable information that is accessed through the APIs without that customer’s express permission; (iv) providing timeshare, service bureau, application service provider or similar services to any other third party; and (v) interfacing or connecting the Payflow Services, or the API License with any other computer software or system without the prior written approval of PayPal.
PayPal shall have no responsibility or liability for the performance of the Payflow Services and Payflow Software, in the event that the Payflow Services or Payflow Software are not used in accordance with this Agreement or any instructions for use provided by PayPal.


10.1 Authority. Each party represents and warrants that (a) it has full power and authority to enter into and perform this Agreement; and (b) its execution and performance of this Agreement does not violate, conflict with, or result in a material default under any other contract or agreement to which it is a party, or by which it is bound.

10.2 Compliance with Laws. You represent and warrant that you shall comply with all applicable privacy, consumer and other laws and regulations with respect to (i) provision, use and disclosure of the Data; (ii) dealings with the users providing the Data; and (iii) use of the Payflow Services.




Merchant will defend, indemnify and hold harmless PayPal, its affiliates, and its officers, directors, employees, and agents from any loss, damage, liability, claim, demand or cost (including reasonable attorneys’ fees) (“Claim”) made or incurred by any third party due to or arising out of (i) your breach of this Agreement; (ii) the sale or use of any product or services sold by you; (iii) your use of the Payflow Services; or (iv) your negligence or misconduct.




14.1 Force Majeure. Neither Party shall be responsible for any failure to perform its obligations under this Agreement if such failure is caused by acts of God, war, strikes, revolutions, lack or failure of transportation facilities, laws or governmental regulations or other causes that are beyond the reasonable control of such Party. Obligations hereunder, however, shall not be excused but shall be suspended only until the cessation of any cause of such failure.

14.2 Entire Agreement and Modification. This Agreement constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes any prior oral, written, or online agreements. The PayPal authorized reseller is not authorized to alter or amend the terms of this Agreement. Except as otherwise provided for herein, any waiver, modification, or amendment of any provision of this Agreement will be effective only if in writing and signed by the parties herein.

14.3 Severability. If any provision of this Agreement shall be held illegal or unenforceable, that provision shall be limited or eliminated to the minimum extent necessary so that this Agreement shall otherwise remain in full force and effect and enforceable.

14.4 Assignment; No Waiver. This Agreement binds and is for the benefit of the successors and permitted assigns of each Party. You may not assign this Agreement or any rights under it, in whole or in part, without PayPal’s prior written consent. Any attempt to assign this Agreement other than as permitted above will be null and void. Failure by either Party to enforce any provision of this Agreement will not be deemed a waiver of future enforcement of that or any other provision.

14.5 Governing Law and Jury Trial Waiver. This Agreement shall be governed by and construed in accordance with the laws of the State of California, U.S.A., except for its conflicts of laws principles. The Parties consent to the exclusive jurisdiction of, and venue in, the state and federal courts in Santa Clara County, California. PAYPAL AND MERCHANT IRREVOCABLY WAIVE ANY AND ALL RIGHTS THEY MAY HAVE TO A TRIAL BY JURY IN ANY JUDICIAL PROCEEDING INVOLVING ANY CLAIM RELATING TO OR ARISING UNDER THIS AGREEMENT.

14.6 Survival. Sections, which by their nature survive, shall survive any termination or expiration of this Agreement in accordance with their terms.

14.7 Export Restrictions. You agree that you shall not import, export, or re-export directly or indirectly, any commodity, including your products incorporating or using any PayPal products in violation of the laws and regulations of any applicable jurisdiction.

14.8 Notices. Except as otherwise expressly stated in this Agreement, all notices to PayPal shall be in writing and delivered, via courier or certified or registered mail, to General Counsel, 2211 North First Street, San Jose, CA 95131 or any other address provided by PayPal. All notices to you shall be delivered to your e-mail address as provided by you in your account information. Unless you choose to opt-out of receiving marketing notices, you authorize PayPal to notify you as our customer, via commercial e-mails, telephone calls and other means of communication, of information that we deem is of potential interest to you, including without limitation communications describing upgrades, new products and services or other information pertaining to the Payflow Services or other PayPal offerings relating to Internet security. Notwithstanding the above, you shall not have the right to opt-out of service or support notices relating to the Payflow Services, including without limitation, notices of service modifications, security, performance issues, or technical difficulties.

14.9 Headings. The section headings appearing in the Agreement are inserted only as a matter of convenience and in no way define, limit, construe or describe the scope or extent of such section or in any way affect such section.

14.10 Relationship of the Parties. The Parties are independent contractors and will have no power or authority to assume or create any obligation or responsibility on behalf of each other. This Agreement will not be construed to create or imply any partnership, agency, or joint venture.

14.11 Non-Disparagement; Publicity. During the term of the Agreement, neither party will disparage the other party or the other party's trademarks, web sites, products or services, or display any such items in a derogatory or negative manner on any web site or in any public forum or press release. All media releases, public announcements or public disclosures (including, but not limited to, promotional or marketing material) by either Party relating to this Agreement are prohibited without the prior written consent of both Parties.

14.12 Expenses. Except as otherwise specified herein or as otherwise mutually agreed upon by the Parties, each Party will bear its own costs of performing under this Agreement.

14.13 Government Use. If you are a branch or agency of the United States Government, the following provision applies. The software and any related documentation are comprised of "commercial computer software" and "commercial computer software documentation" as such terms are used in 48 C.F.R. 12.212 (SEPT 1995) and are provided to the Government (i) for acquisition by or on behalf of civilian agencies, consistent with the policy set forth in 48 C.F.R. 12.212; or (ii) for acquisition by or on behalf of units of the Department of Defense, consistent with the policies set forth in 48 C.F.R. 227.7202-1 (JUN 1995) and 227.7202-3 (JUN 1995).


If at any time you process directly with American Express, you acknowledge and agree to comply with the terms of this Section as applicable.

  1. Access via Ecommerce Application. You understand and agree that if you install a third party e-commerce application or your own custom integration on your Web Site through which you access American Express directly, it is your responsibility to comply with or select an e-commerce application that complies with the most current American Express standards and operational requirements. In addition, it is your responsibility to keep your systems in good working order and to repair and correct any deficiencies, errors, or defect promptly during the term of this Agreement if notified by PayPal or American Express that such repair is necessary for the Direct Processing services to operate properly and in accordance with American Express requirements. PayPal will promptly notify you of American Express required changes to your system. You understand and agree that your failure to perform these functions may result in your inability to process such Transactions through PayPal or in PayPal or American Express suspending or terminating your right to access the Direct Processing services.
  2. Inability to Access Service. You acknowledge and agree to notify PayPal immediately of online processing problems, including but not limited to providing PayPal’s customer service department with notice within forty-eight (48) hours of your use of voice authorizations for Transactions that would otherwise have been sent using the Payflow Services described herein.

In no event shall PayPal be liable for Transaction processing and other services performed by American Express.




If at any time you purchase the Recurring Billing Services, you agree to comply with the following terms and conditions.

  1. Compliance. The Recurring Billing Service allows you to automatically debit a customer’s debit or credit card (“Card”). This allows you to sign customers up for a payment that is recurring on a regular or irregular basis and for a fixed or variable amount. You agree that you will comply with all the requirements of Regulation E (12 CFR 205.10) (“Reg E”) and Regulation Z (12 CFR 226.13), including the requirement to receive an authorization prior to setting up a recurring payment, the requirement to provide the customer with 10 days’ notice if the amount of the payment will vary from the amount of the authorization or the previous transfer, and the requirement to have the ability to stop the payment by providing you with 3 days’ notice. In the instance of stopping the payment, you are entitled to ask the customer for an alternative payment method, and if necessary pursue collection efforts if the customer does not provide one.
  2. Recurring Transactions. You agree, and hereby represent and warrant, that prior to processing any recurring Transactions using Recurring Billing Service, you will have entered into written agreements with your customers (1) confirming the customer’s Card number and current expiration date; (2) providing an overview of how the recurring billing service will operate; and (3) stating the term of the contract, in particular the period the Card will be billed and the frequency that the Card will be charged.
  3. Merchant Obligations. You shall: (i) obtain all necessary approvals required from each customer authorizing you to bill such customer's Card account; (ii) comply with all applicable bank and Card rules with respect to recurring billing of customer’s Cards; (iii) provide accurate information regarding the Cards to be billed, the amounts, the billing cycles, billing period and any other information requested by PayPal that is necessary to properly process such Transactions; (iv) review Transactions periodically to determine if they have been properly submitted and notify PayPal promptly if you notice any discrepancy between the information provided and the Transactions submitted; and (v) indemnify PayPal and its representatives, officers, directors and employees from and against any claims by Cardholders that their Cards were charged by you without authorization.


  1. Introduction. The Fraud Protection Services include (i) Basic Fraud Protection, (ii) Advanced Fraud Protection, (iii) Account Monitoring, and (iv) Buyer Authentication.
  2. Use of Fraud Protection Services. You shall (i) use the Fraud Protection Services in accordance with the applicable user guides and other documentation; and (ii) not use or permit others to use information obtained through the use of the Fraud Protection Services for any purpose other than in conjunction with the Payflow Services and in a manner described in the documentation for the Fraud Protection Services.
  3. Setting Preferences. You shall be responsible for setting preferences for the Fraud Protection Services to determine which Transactions it will accept or reject based on the authentication information provided by PayPal. You shall not reject a Transaction unless, based on various combinations of authentication information, you reasonably determine that the individual requesting the Transaction is likely not the consumer he is representing himself to be.
  4. Account Monitoring. You acknowledge that PayPal does not represent or warrant that the Account Monitoring Service is error free or that it will identify all fraudulent activity. In addition, PayPal shall not be liable to you if PayPal incorrectly identifies a Transaction as fraudulent. You shall be responsible for taking all final actions on Transactions that have been identified by PayPal as potentially fraudulent. PayPal shall use commercially reasonable efforts to monitor and internally investigate and report on potentially fraudulent activity.
  5. Dispute Resolution. You acknowledge PayPal shall have the right to provide Data to Financial Institutions and card associations for the purposes of dispute resolution.
  6. Best Practices. The Risk and Security "best practices" suggestions features of the Fraud Protection Services are for illustrative purposes only to show best industry practices, and you shall be solely responsible for choosing the appropriate settings and parameters for the Fraud Protection Services.
  7. IP Address Verification Components. Except as permitted in the applicable documentation for the Fraud Protection Services, you shall not: (i) modify, recast or create derivative works of any information obtained using the IP Address Verification components of this service; (ii) publicly display, upload or post any information obtained using the IP Address Verification components or transmit, broadcast or otherwise transfer such information to any other party; (iii) license, sell, transfer or provide access to information obtained using the IP Address Verification components of the Payflow Services; and (iv) use, or authorize any third party to use, the information obtained using the IP Address Verification components to provide geo-location services to third parties.
  8. High Risk Filters. PayPal's licensors of third party products or services used by you as part of the high risk filters components of the Fraud Protection Services shall be considered third party beneficiaries of the Agreement and shall have the right to enforce your compliance with the Agreement.
  9. Buyer Authentication. If the card associations modify their buyer authentication programs, PayPal will use commercially reasonable efforts to update the Fraud Protection Services at the next major release of the Fraud Protection Services that PayPal makes generally available.
  10. Third Party Components. PayPal shall have the right to modify, substitute, or remove third party components of the Fraud Protection Services on 30 days' prior notice. You may terminate the Fraud Protection Services or this Agreement in its entirety with notice as set out in this Agreement, if such removal materially diminishes the functionality of the Fraud Protection Services.
  11. Deactivation. Upon termination of the Fraud Protection Services, PayPal may immediately cancel your access to the Fraud Protection Services. It is your responsibility to clear all settings and download all reports prior to the effective date of any such termination.




This Data Protection Schedule applies only to the extent that PayPal acts as a processor or Sub-processor to Merchant.

Capitalized terms used but not defined in this Schedule shall have the meaning set out in the Agreement.


1.1 The following terms have the following meanings when used in this Schedule:

"Card Information" is defined in Section 2.15 of this Schedule.

"Customer" means a European Union customer of Merchant who uses the PayPal services and for the purposes of this Schedule, is a data subject.

"Customer Data" means the personal data that the Customer provides to Merchant and Merchant passes on to PayPal through the use by the Merchant of the PayPal services.

"data controller" (or simply "controller") and "data processor" (or simply "processor") and "data subject" have the meanings given to those terms under the Data Protection Laws.

"Data Protection Laws" means General Data Protection Regulation (EU) 2016/679 (GDPR) and any associated regulations or instruments and any other data protection laws, regulations, regulatory requirements and codes of conduct of EU Member States applicable to PayPal's provision of the PayPal services.

"Data Recipient" is defined in Section 2.15 of this Schedule.

"PayPal Group" means PayPal and all companies in which PayPal or its successor directly or indirectly from time to time owns or controls.

"personal data" has the meaning given to it in the Data Protection Laws.

"processing" has the meaning given to it in the Data Protection Laws and "process", "processes" and "processed" will be interpreted accordingly.

"Sub-processor" means any processor engaged by PayPal and/or its affiliates in the processing of personal data.

1.2 Schedule. This comprises (i) sections 1 to 2, being the main body of the schedule; (ii) Attachment 1; (iii) Attachment 2; and (iv) Attachment 3 (with its appendixes).



2.1 Merchant data controller. With regard to any Customer Data to be processed by PayPal in connection with this Agreement, Merchant will be a controller and PayPal will be a processor in respect of such processing. Merchant will be solely responsible for determining the purposes for which and the manner in which Customer Data are, or are to be, processed.

2.2 Merchant written instructions. PayPal shall only process Customer Data on behalf of and in accordance with Merchant’s written instructions. The Parties agree that this Schedule is Merchant's complete and final written instruction to PayPal in relation to Customer Data. Additional instructions outside the scope of this Schedule (if any) require prior written agreement between PayPal and Merchant, including agreement of any additional fees payable by Merchant to PayPal for carrying out such additional instructions. Merchant shall ensure that its instructions comply with all applicable laws, including Data Protection Laws, and that the processing of Customer Data in accordance with Merchant's instructions will not cause PayPal to be in breach of Data Protection Laws. The provisions of this Section are subject to the provisions of Section 2.14 on Security. Merchant hereby instructs PayPal to process Customer Data for the following purposes:

2.2.1 as reasonably necessary to provide the PayPal services to Merchant and its Customer;

2.2.2 after anonymizing the Customer Data, to use that anonymized Customer Data, directly or indirectly, which is no longer identifiable personal data, for any purpose whatsoever.

2.3 PayPal cooperation. In relation to Customer Data processed by PayPal under this Agreement, PayPal shall co-operate with Merchant to the extent reasonably necessary to enable Merchant to adequately discharge its responsibility as a controller under Data Protection Laws, including without limitation as Merchant requires in relation to:

2.3.1 assisting Merchant in the preparation of data protection impact assessments to the extent required of Merchant under Data Protection Laws; and

2.3.2 responding to binding requests from data protection authorities for the disclosure of Customer Data as required by applicable laws.

2.4 Scope and Details of Customer Data processed by PayPal. The objective of processing Customer Data by PayPal is the performance of the PayPal services pursuant to the Agreement. PayPal shall process the Customer Data in accordance with the specified duration, purpose, type and categories of data subjects as set out in Attachment 2 (Data Processing of Customer Data).

2.5 Compliance with Laws. The Parties will at all times comply with Data Protection Laws.

2.6 Correction, Blocking and Deletion. To the extent Merchant, in its use of the PayPal services, does not have the ability to correct, amend, block or delete Customer Data, as required by Data Protection Laws, PayPal shall comply with any commercially reasonable request by Merchant to facilitate such actions to the extent PayPal is legally permitted to do so. To the extent legally permitted, Merchant shall be responsible for any costs arising from PayPal’s provision of such assistance.

2.7 Data Subject Requests. PayPal shall, to the extent legally permitted, promptly notify Merchant if it receives a request from a Customer for access to, correction, amendment or deletion of that Customer’s personal data. Merchant shall be responsible for responding to all such requests. If legally permitted, PayPal shall provide Merchant with commercially reasonable cooperation and assistance regarding such Customer's request and Merchant shall be responsible for any costs arising from PayPal’s assistance.

2.8 Training. PayPal undertakes to provide training as necessary from time to time to the PayPal personnel with respect to PayPal's obligations in this Schedule to ensure that the PayPal personnel are aware of and comply with such obligations.

2.9 Limitation of Access. PayPal shall ensure that access by PayPal's personnel to Customer Data is limited to those personnel performing PayPal services in accordance with the Agreement.

2.10 Sub-processors. Merchant specifically authorizes the engagement of members of the PayPal Group as Sub-processors in connection with the provision of the PayPal services. In addition, Merchant generally authorizes the engagement of any other third parties as Sub-processors in connection with the provision of the PayPal services. When engaging any Sub-processor, PayPal will execute a written contract with the Sub-processor, which contains terms for the protection of Customer Data which are no less protective than the terms set out in this Schedule. PayPal shall make available to Merchant a current list of Sub-processors for the respective PayPal services with the identities of those Sub-processors.

2.11 Audits and Certifications. Where requested by Merchant, subject to the confidentiality obligations set forth in the Agreement, PayPal shall make available to Merchant (or Merchant’s independent, third-party auditor that is not a competitor of PayPal or any members of PayPal or the PayPal Group) information regarding PayPal’s compliance with the obligations set forth in this Schedule in the form of the third-party certifications and audits (if any) set forth in the Privacy Policy set out on our website. Merchant may contact PayPal in accordance with the Agreement to request an on-site audit of the procedures relevant to the protection of personal data. Merchant shall reimburse PayPal for any time expended for any such on-site audit at PayPal’s then-current professional PayPal services rates, which shall be made available to Merchant upon request. Before the commencement of any such on-site audit, Merchant and PayPal shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Merchant shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by PayPal. Merchant shall promptly notify PayPal with information regarding any non-compliance discovered during the course of an audit.

2.12 Security. PayPal shall, as a minimum, implement and maintain appropriate technical and organizational measures as described in Attachment 1 to this Schedule to keep Customer Data secure and protect it against unauthorized or unlawful processing and accidental loss, destruction or damage in relation to the provision of the PayPal services. Since PayPal provides the PayPal services to all Merchants uniformly via a hosted, web-based application, all appropriate and then-current technical and organizational measures apply to PayPal’s entire customer base hosted out of the same data center and subscribed to the same service. Merchant understands and agrees that the technical and organizational measures are subject to technical progress and development. In that regard, PayPal is expressly permitted to implement adequate alternative measures as long as the security level of the measures is maintained in relation to the provision of the PayPal services.

2.13 Security Incident Notification. If PayPal becomes aware of a Security Incident in connection with the processing of Customer Data, PayPal will, in accordance with Data Protection Laws: (a) notify Merchant of the Security Incident promptly and without undue delay; (b) promptly take reasonable steps to minimize harm and secure Customer Data; (c) describe, to the extent possible, reasonable details of the Security Incident, including steps taken to mitigate the potential risks; and (d) deliver its notification to Merchant's administrators by any means PayPal selects, including via email. Merchant is solely responsible for maintaining accurate contact information and ensuring that any contact information is current and valid.

2.14 Deletion. Upon termination or expiry of the Agreement, PayPal will delete or return to Merchant all Customer Data processed on behalf of the Merchant, and PayPal shall delete existing copies of such Customer Data except where necessary to retain such Customer Data strictly for the purposes of compliance with applicable law.

2.15 Data Portability. Upon any termination or expiry of this Agreement, PayPal agrees, upon written request from Merchant, to provide Merchant’s new acquiring bank or payment service provider (“Data Recipient”) with any available credit card information including personal data relating to Merchant’s Customers (“Card Information”). In order to do so, Merchant must provide PayPal with all requested information including proof that the Data Recipient is in compliance with the Association PCI-DSS Requirements and is level 1 PCI compliant. PayPal agrees to transfer the Card Information to the Data Recipient so long as the following applies: (a) Merchant provides PayPal with proof that the Data Recipient is in compliance with the Association PCI-DSS Requirements (Level 1 PCI compliant) by providing PayPal a certificate or report on compliance with the Association PCI-DSS Requirements from a qualified provider and any other information reasonably requested by PayPal; (b) the transfer of such Card Information is compliant with the latest version of the Association PCI-DSS Requirements; and (c) the transfer of such Card Information is allowed under the applicable Association Rules, and any applicable laws, rules or regulations (including Data Protection Laws).


Technical and Organizational Measures

The following technical and organizational measures will be implemented:

  1. Measures taken to prevent any unauthorized person from accessing the facilities used for data processing;
  2. Measures taken to prevent data media from being read, copied, amended or moved by any unauthorized persons;
  3. Measures taken to prevent the unauthorized introduction of any data into the information system, as well as any unauthorized knowledge, amendment or deletion of the recorded data;
  4. Measures taken to prevent data processing systems from being used by unauthorized persons using data transmission facilities;
  5. Measures taken to guarantee that authorized persons when using an automated data processing system may access only data that are within their competence;
  6. Measures taken to guarantee the checking and recording of the identity of third parties to whom the data can be transmitted by transmission facilities;
  7. Measures taken to guarantee that the identity of the persons having had access to the information system and the data introduced into the system can be checked and recorded ex post facto at any time and by any authorized person;
  8. Measures taken to prevent data from being read, copied, amended or deleted in an unauthorized manner when data are disclosed and data media transported;
  9. Measures taken to safeguard data by creating backup copies.

Data Processing of Customer Data

Categories of data subjects

Customer Data – The personal data that the Customer provides to Merchant and Merchant passes on to PayPal through the use by the Customer of the PayPal services.

Subject-matter of the processing

The payment processing services offered by PayPal which provides Merchant with the ability to accept credit cards, debit cards, and other payment methods on a website or mobile application from Customers.

Nature and purpose of the processing

PayPal processes Customer Data that is sent by the Merchant to PayPal for purposes of obtaining verification or authorization of the Customer’s payment method as payment to the Merchant for the sale of goods or services.

Type of personal data

Customer Data – Merchant shall inform PayPal of the type of Customer Data PayPal is required to process under this Agreement. Should there be any changes to the type of Customer Data PayPal is required to process then Merchant shall notify PayPal immediately. PayPal processes the following Customer Data, as may be provided by the Merchant to PayPal from time to time:


|  | Payflow Link | Payflow Pro |
| --- | --- | --- |
| Full name | X | X |
| Date of birth | X | X |
| Shipping address | X | X |
| Billing address | X | X |
| Email address | X | X |
| Telephone number | X | X |
| Fax number | X | X |
| Government ID number | X | X |
| Bank account number and bank routing number | X | X |
| Financial account number | X | X |
| Card or payment instrument type | X | X |
| Card Primary Account Number (PAN) or Device-specific Primary Account Number (DPAN) | X | X |
| Card Verification Value (CVV) | X | X |
| Card expiration date | X | X |
| Business tax ID | X | X |
| Username | X | X |
| Password | X | X |
| IP address | X | X |
| Device Data | X | X |
| Browser data | X | X |


Special categories of data (if relevant)

The transfer of special categories of data is not anticipated.

Duration of Processing

The term of the Agreement.