Service Agreement

1. Definitions
As used in this PCI-Proxy Service Agreement (the “Agreement”), the following terms shall have the meanings set forth below:

  • Datatrans: Datatrans AG, Kreuzbühlstrasse 26, 8008 Zürich; Service provider of the PCI-Proxy Service.
  • Counterparty: Direct contract partner of Datatrans, who uses the Services of Datatrans.
  • Receiver: A Receiver may not be a customer of Datatrans but may be a client of the Counterparty. The Receiver is the party that receives data directly from Datatrans.
  • Services: The Services provided by Datatrans are described on Datatrans’ PCI Proxy website and include the Services as described for the service package chosen by the Counterparty.
  • Services Package: The services package including the prices as chosen by the Counterparty on Datatrans’ PCI Proxy Dashboard in Section “Subscriptions”.
  • PCI DSS: Payment Card Industry (PCI) Data Security Standard requirements in its effective and applicable version.

2. Subject of the Agreement
The subject of the Agreement is the usage of Datatrans’ PCI Proxy services as chosen by the Counterparty on the Datatrans’ PCI Proxy Dashboard in Section “Subscriptions” [LINK].

3. Components of the Agreement
The following components form an integral part of the Agreement: (i) the “General Contract Terms” of Datatrans, (ii) the and (iii) the Services.

4. Prices
The prices applicable on the effective date of this Agreement and any specific conditions for the services chosen by the Counterparty, are listed on Datatrans’ PCI Proxy Dashboard in Section “Subscriptions”.

5. Data Security / PCI DSS Compliance
The Counterparty warrants that it treats access data and any further information provided under this Agreement as confidential information that shall be protected against loss and unauthorized access by third parties, and that shall be used only on behalf of its customers, if needed.

Datatrans provides only tools to simplify the Counterparty’s compliance with PCI DSS but the Counterparty must ensure that its business is PCI DSS compliant. It warrants and guarantees to observe and at all times to fully comply with the PCI DSS, and the Counterparty procures that its Receivers shall at all times observe and fully comply with the PCI DSS.

6. Confirmation, Covenant and Warranty
By entering into this Agreement, the Counterparty confirms that it has read and understood the pricing and services included in the chosen service package, the “General Contract Terms” and hereby acknowledges these as binding.

The Counterparty further covenants and warrants that it integrates the services of Datatrans according to the valid specifications of Datatrans.

7. Show API
Datatrans’ Show API can display individual credit card numbers as required. The Counterparty ensures that the Show API is implemented according to Datatrans’ documentation and the use of this function takes place in compliance with the PCI DSS. The Counterparty ensures that the user administration of the Show API is fully compliant with all requirements of the PCI DSS at any time, including but not limited to requirement 8 of the PCI DSS. The Counterparty guarantees that the user administration of the Show API and the access to the script are treated as strictly confidential at any time, are permanently protected against unauthorized access through state of the art technical and organizational measures and that these measures are assessed and amended periodically. Datatrans may at its own discretion deactivate the Show API functionality if suspicious activities have been identified, the security and/or the compliance with the PCI DSS is endangered or pre-defined block limits of the system have been reached. Datatrans informs the Counterparty immediately about such deactivations. The Counterparty is liable for any abuse of the Show API and its user administration. Datatrans’ liability arising from the use of the Show API is fully excluded to the maximum extent possible according to the applicable law.

8. Customer Reference
Datatrans may refer to the Counterparty as a customer in sales presentations, on its websites, marketing vehicles and any other activities. Subject to satisfactory delivery of the services, this will include a quote from an executive of the Counterparty and its logo that may be included in such activities. The Counterparty hereby grants its permission for such activities of Datatrans and the inclusion of the logo and the quote of the Counterparty.

Appendix 1: General Contract Terms (GCT)

1. Subject
Subject of these General Contract Terms are the Services in accordance with the terms of this Agreement, unless otherwise agreed.

2. Prevailing Agreement
In the event of conflicts between the main body of the Agreement and this Appendix 1 (General Contract Terms), the terms of the main body of the Agreement shall prevail. Any general business terms and conditions of the Counterparty do not form part of the Agreement and therefore are not applicable.

3. Registration of a Datatrans user account
To conclude a contract with Datatrans, the Counterparty must register a user account on Datatrans’ PCI Proxy Dashboard (LINK). Only legal entities may register and use Datatrans’ Services.

To register a Datatrans user account, the Counterparty must provide Datatrans with its business name according to the relevant commercial register, address, name and email of the representative, telephone, business identification number, the URL of its website, the nature of the business or its activities and other information that Datatrans requires. In order to verify the information provided, Datatrans may collect personal data as well. Before Datatrans has reviewed and approved all required information the Counterparty’s user account is provided on a preliminary basis. Datatrans may deactivate the user account at any time and for any reason.

The Counterparty and its representative registering the user account confirm that such representative is duly authorized to register a Datatrans user account on behalf of the Counterparty and to bind the Counterparty to this Contractual Agreement. Datatrans may require additional information to verify the authorization, including but not limited to a consent of the board or any other document deemed appropriate by Datatrans. Datatrans may demand additional information during the term of this Contractual Agreement in order to assess the risk associated with your business at its sole discretion. The failure to provide such information may result in suspension or termination of the Counterparty’s user account.

The Counterparty warrants to keep the information in its Datatrans user account current and correct at all times. Any changes affecting the Counterparty, its business activity or any other relevant information, must be promptly updated in the user account. The failure to do so may result in suspension or termination of the Counterparty’s user account.

4. Conclusion of the Agreement
With the registration of a Datatrans user account, the Counterparty signs up for Datatrans’ free test account for a limited period according to Datatrans’ PCI Proxy website. The use of the test environment does not result in the conclusion of the Agreement.

A binding order is only triggered once the Counterparty or its representative has entered all of the data required in its user account, has chosen a service package offered by Datatrans, has acknowledged the Agreement and has clicked on the button “Go Live”. Until the Counterparty clicks this button, it may change the chosen package non-bindingly. When clicking the button “Go Live”, this is treated as the Counterparty’s offer to Datatrans to conclude a contract.

Once the Counterparty’s offer to conclude a contract has been received, the Counterparty will be sent an automatically generated confirmation of receipt by email. This contains the service package chosen and the documents of the Agreement. A contract is not yet agreed based on this confirmation of receipt; the confirmation of receipt merely documents that Datatrans has received your order.

The Agreement is concluded once Datatrans confirms that it accepts it. Datatrans confirms the acceptance of the contract by sending the Counterparty an invoice, by confirming that the user account has been enabled for the Services (confirmation for the use of Services), or by enabling the Counterparty’s user account for the Services without confirmation.

5. Services
Datatrans provides the Services as chosen by the Counterparty on the website. Datatrans is entitled to adapt the Services, including but not limited to software and connections, to any general technological changes and the requirements of the PCI DSS at any time and its own discretion.

By using the Services provided by Datatrans, the Counterparty confirms that it obtained comprehensive information about Datatrans’ various services before entering into the Agreement and based on that chose the Services it wishes to receive from Datatrans.

6. Datatrans’ rights and obligations
Datatrans is responsible for the installation and operation of the Datatrans’ PCI Proxy Platform in accordance with the PCI DSS.

Datatrans is responsible for the uninterrupted maintenance of PCI certification for the Datatrans’ PCI Proxy Platform. The Counterparty may request proof of Datatrans’ PCI certification at any time.

Datatrans ensures that the Services are rendered in a technically correct manner in accordance with the respective applicable product documentation. Datatrans Services solely concern technical processing of data. Datatrans does not assume any collection role and does not take receipt of customer funds.

In case of a suspicion of a compromise or if a data breach, a breach of PCI DSS by one of the Counterparty’s Receivers, a loss of PCI DSS compliance by one of its Receivers or a breach of other obligations of the Counterparty occurs, Datatrans may, at its own discretion, interrupt or cease providing its Services to such Receiver. Datatrans may inform the Counterparty of the reason for such interruption of its Service at its own discretion.

Datatrans may at its own discretion inform all involved parties of any compromise of its own and/or of the Counterparty’s environment.

Datatrans reserves the right not to activate or to deactivate the Counterparty’s Receivers for the Services, if they do not comply with the PCI DSS or do not disclose the corresponding documents that prove their compliance with the PCI DSS, if Datatrans filed a request for such documents or these General Contract Terms oblige the Counterparty to disclose such documents.

7. Support
Datatrans will provide support to the Counterparty during customary, local office hours. The Datatrans’ PCI Proxy Platform is monitored 24×7. Help services provided as a result of actions by the Counterparty in breach of its obligations, will be charged separately according to the usual rates of Datatrans.

8. The Counterparty’s rights and obligations
The Counterparty is obliged to ensure that any and all Receivers are compliant with the PCI DSS at all times.

The Counterparty procures that its Receivers disclose their PCI certification to Datatrans annually, at the latest ten (10) days after the respective audit took place, and at any time upon request by Datatrans.

If such PCI Certification documentation has not been provided to Datatrans as stipulated in the above paragraph, Datatrans reserves the right to cease its Services until such documentation has been provided to Datatrans. The Counterparty procures that the correct type of certification is secured and disclosed to Datatrans by each and any of its Receivers according to the PCI DSS requirements. Datatrans may at its own discretion notify the respective Receiver directly if the number of transactions which is relevant for PCI DSS purposes has been reached according to Datatrans’ own detection.

The Counterparty informs Datatrans immediately if one of its own Receivers has lost its PCI DSS compliance or if there is evidence or other indications that may question the PCI DSS compliance of such Receivers.

The Counterparty is responsible:

  • (i) for the correct implementation of the Services in accordance with Datatrans’ specifications (see documentation
  • (ii) for the transmission of data in accordance with specifications of Datatrans;
  • (iii) for installing and operating its own systems and connections; and
  • (iv) for the processing and the general use of the data received in accordance with the PCI DSS, any other applicable data protection laws and regulations and ensuring that its Receivers process data accordingly.

The Counterparty ensures that tokens of the Services are stored and protected against unauthorized access according to state of the art technical and organizational measures. In addition, the Counterparty uses the tokens of the Services only within its own environment. Passing on tokens outside of the Counterparty’s environment is only allowed if Datatrans’ prior written consent was obtained.

The Counterparty is required to use all verification methods available to verify its submitted data is correctly processed by Datatrans.

The Counterparty acknowledges that the Services offered by Datatrans are technical measures to increase security and reduce the risk of abuse, but do not offer complete protection. When using the Services the Counterparty has to comply with the PCI DSS and any other applicable financial service provider’s security regulation.

The Counterparty warrants that the email address provided in its user account is accessible and appropriately monitored at all times without delay. Receipt of messages to this email address is deemed to have been confirmed upon dispatch by Datatrans.

The Counterparty is obligated to treat as strictly confidential all identifying characteristics that are used for the identification/authentication of the Counterparty in connection with its use of the Services provided by Datatrans. All actions and transactions executed with the identifying characteristics of the Counterparty are deemed to be approved by the Counterparty.

Towards its Receivers the Counterparty is solely responsible for the first level support.

9. Liability of Counterparty / Indemnification

  • (i) The Counterparty shall be liable to Datatrans for all damages resulting from the non-fulfillment or improper fulfillment of contractual duties and obligations by the Counterparty. In particular, Datatrans shall be entitled to charge the Counterparty any claims for damages of third parties as well as all other damages or other expenses caused by the improper compliance by the Counterparty with the present provisions. If the Counterparty calls in any third-party companies, it is liable for any damage caused by them, as if it had caused them itself.
  • (ii) Counterparty holds Datatrans harmless against all third party claims and demands which are attributable to circumstances under the Counterparty’s control or to its business activities, especially for claims arising out of or in connection with the Show API or the cease of Services based on non-compliance with the PCI DSS or other suspicious activity.

10. Confidentiality
The Parties mutually agree to maintain strict confidentiality of all confidential information of the other Party. Datatrans is entitled to employ subcontractors and agents to assist it in providing services, but it must impose the same confidentiality on subcontractors as is imposed on Datatrans.

Datatrans agrees to treat all data transmitted by the Counterparty as confidential in relation to third parties. In addition, Datatrans ensures that it complies with the currently applicable provisions of data protection laws and regulations.

11. Relationship between the parties and to third parties
The Counterparty is neither an agent nor a representative of Datatrans and is not authorized to act on behalf of Datatrans or to enter into obligations in favor of third parties for Datatrans. Datatrans reserves the right to be consulted in respect of any reference to the Datatrans’ PCI Proxy Platform by the Counterparty.

12. Payment
The fees and submission of invoices are governed by the terms as outlined on Datatrans’ PCI Proxy Dashboard in Section “Subscriptions”. Invoices from Datatrans are due for payment thirty (30) days after they have been issued. The Counterparty may not offset invoices from Datatrans against amounts owed to it.

The Counterparty agrees to pay the fees assessed by Datatrans to Counterparty for providing the Services (the “Fees”). These Fees will be calculated pursuant to the pricing as outlined on Datatrans’ PCI Proxy Dashboard in Section “Subscriptions” which is incorporated into the Agreement by reference, or pursuant to any other agreement between Counterparty and Datatrans, if any, which is intended to supersede the published pricing.

Datatrans may charge Counterparty’s credit card or other payment mechanism that Counterparty has selected and which has been confirmed by Datatrans with any Fee amounts due and payable.

Datatrans may change prices at any time, including changing free service to a paid service and charge services previously offered free of charge, provided, however, that Datatrans notifies Counterparty in advance and gives Counterparty the option to terminate its account in the event that Datatrans changes the price of a service Counterparty has subscribed to. Furthermore, Datatrans will only charge Counterparty for a service that has been previously offered free of charge if Counterparty has been notified of such charges and has agreed to pay such fees.

Counterparty agrees that if Datatrans is unable to collect the Fees owed by Counterparty for the Services through Counterparty’s account, Datatrans may take all necessary steps to collect those Fees from Counterparty and Counterparty is liable for all costs and expenses related to the collection, including collection fees, court and legal fees. In addition, Counterparty agrees that Datatrans may charge interest at a rate of 1% per month on any unpaid amounts due.

Counterparty may cancel its subscription as per the end of the month, subject to thirty (30) days’ advance notice thereof. Upon termination, Counterparty will not be charged any additional terms of use and the Services will continue to be delivered until the end of the current subscription period. Upon termination, Counterparty will receive no compensation for already paid Services.

13. Data Privacy
The Counterparty confirms that it has read the privacy policy of Datatrans and is aware which data will be processed and how Datatrans handles personal data.

Furthermore, the Counterparty warrants that it complies with all applicable data protection laws and regulations and concludes data processing agreements with its Receivers or any other third parties to ensure the legal transfer of personal data. If applicable, the content of the data processing agreement has to comply with the requirements of the European Data Protection Regulation.

In addition, the Counterparty guarantees that it has obtained all necessary rights and consents under applicable data protection laws and regulations to disclose to Datatrans or allow Datatrans to collect, use, retain, and disclose any personal data that the Counterparty provides to Datatrans or authorizes Datatrans to collect, including personal data that Datatrans may collect directly from customers using cookies or other similar technologies. As may be required by law and in connection with this Contractual Agreement, the Counterparty is solely responsible for disclosing to its Receivers or any other third party that Datatrans processes personal data for the Counterparty and may receive such data.

Please refer to the PCI Proxy Privacy Policy for more information.

14. Limitation of Liability
Datatrans’ liability to the Counterparty is, to the maximum extent legally permissible, limited to damages caused by Datatrans’ willful conduct or gross negligence. Datatrans is not liable for any damage arising out of the interruption or the cease of the Services in case of a suspicion of a compromise, if a data breach, a breach of PCI DSS by one of the Counterparty’s Receivers, a loss of PCI DSS compliance by one of the Counterparty’s Receivers, a breach of other obligations of the Counterparty or its Receivers, security and/or the compliance with the PCI DSS of Datatrans is endangered or pre-defined block limits of the system have been reached.

Datatrans shall not be liable for the actions or omissions of any third parties under any circumstances.

Datatrans does not represent and warrant that the Services are free of defect and/or mistake. Services are provided on an “as is” basis with all faults. Datatrans disclaims all representations and warranties, express or implied, with a view to:

  • (i) the Services, confidential information and any associated written materials or documentation;
  • (ii) its usability, condition or operation;
  • (iii) its merchantability;
  • (iv) its fitness for any particular purpose; or
  • (v) non-infringement of third-party intellectual property rights.

15. Amendments
Datatrans reserves the right to amend and to supplement these General Contract Terms at any time. The Counterparty will be notified in writing, whereby email is considered as sufficient, at least thirty (30) days before entering into force of the amendments and/or supplements to these General Contract Terms. If the Counterparty does not agree with the notified amendment or supplement, it has the right to terminate the Contractual Agreement or parts of it affected by the amendment and/or supplement at the time before the amendment and/or supplement enters into force. If such termination was not made until the time the amendment and/or supplement enters into force, it is deemed to be accepted by the Counterparty and becomes an integral part of the Agreement between the Parties.

16. Term and termination
The Agreement becomes effective upon the date Datatrans confirms the acceptance of the offer of the Counterparty according to Section 4. It is valid for an unspecified period of time, but at least for a term of one (1) month. It continues as long as the Counterparty uses the Services or until terminated by Datatrans.

The Counterparty may terminate the Agreement as per the end of a calendar month, subject to thirty (30) days’ advance notice thereof by closing its account directly in its user account by following the directions on Datatrans’ PCI Proxy Dashboard. Datatrans may terminate this Agreement and close the account of the Counterparty at any time for any reason effective upon providing the Counterparty 15 days’ notice.

Where this contract expressly provides for it, as well as in the case of important grounds, Datatrans is entitled to terminate this Agreement without notice and with immediate effect. Such important grounds exist in particular:

  • (i) in the event of a breach of contract (including payment default) by the Counterparty that has been notified but not cured within thirty (30) days after notification;
  • (ii) if Datatrans determines in its sole discretion that the Counterparty is ineligible for the Services because of the risk associated with the Counterparty’s account, including but not limited to significant fraud risk or any other reason;
  • (iii) in the event that tokens are passed on outside of the Counterparty’s environment without written permission of Datatrans;
  • (iv) if one of the Counterparty’s Receivers does not comply with the PCI DSS or if Datatrans has justified suspicion and notified the Counterparty and the respective Receiver thereof and the compliance with the PCI DSS by one of the Counterparty’s Receivers has not been cured within the indicated period in such notification;
  • (v) if the Counterparty submits for or is declared bankrupt, becomes unable to pay its due and payable debt, requests or is granted a moratorium of payment, resolves to be or is dissolved or liquidated.

17. Effect of Termination
Termination does not immediately relieve the Counterparty of obligations incurred under this Contractual Agreement. Upon termination the Counterparty agrees:

  • (i) to stop accepting new data through the Service;
  • (ii) to cease the use of the Service;
  • (iii) to discontinue the use of and remove all Datatrans logos or other references from its website(s);
  • (iv) that Datatrans reserves the right to delete all information or account data stored on its servers; and
  • (v) that the Counterparty remains liable for any fees or any other financial obligation incurred prior to termination.

The termination also applies automatically for the use of the Services by the Counterparty’s Receivers.
Upon termination of the Contractual Agreement, any fees already paid by the Counterparty to Datatrans to a total of less than CHF 100 will not be refunded.

18. Governing Law and Jurisdiction
The Agreement is governed by Swiss Law under the exclusion of the rules of conflicts of laws. The competent, ordinary courts in Zurich/Switzerland have exclusive jurisdiction over any dispute arising out of or in connection with the Agreement or any other agreement between the Parties.

TWI/BSC, 30.12.2019