Data usage and security
1. Data Usage Overview
The following terms used in this section relate to data provided to Fat Zebra by you or your Customers, or received or accessed by you through your use of the Services:
“Personal Data” means information that identifies a specific living person (not a company, legal entity, or machine) and is transmitted to or accessible through the Services.
“User Data” means information that describes your business and its operations, your products or services, and orders placed by Customers.
“Payment Data” means payment account details, information communicated to or by Financial Services Providers, financial information specifically regulated by Laws and Network Rules, and any other information used with the Payment Services to complete a Transaction.
“Fat Zebra Data” means details of the API transactions over Fat Zebra infrastructure, information used in fraud detection and analysis, aggregated or anonymised information generated from Data, and any other information created by or originating from Fat Zebra or the Services.
The term “Data” used without a modifier means all Personal Data, User Data, Payment Data, and Fat Zebra Data.
Fat Zebra processes, analyses, and manages Data to: (a) provide Services to you, other Fat Zebra users, and Customers; (b) mitigate fraud, financial loss, or other harm to users, Customers and Fat Zebra; and (c) analyse, develop and improve our products, systems, and tools. Fat Zebra provides Data to third-party service providers, including Financial Services Providers and their affiliates, as well as Fat Zebra’s global affiliates, to allow us to provide Services to you and other users. We do not provide Personal Data to unaffiliated parties for marketing their products to you. You understand and consent to Fat Zebra’s use of Data for the purposes and in a manner consistent with this Section D.
2. Data Protection and Privacy
- Confidentiality: Fat Zebra will only use User Data as permitted by this Agreement, by other agreements between you and us, or as otherwise directed by you. You will protect all Data you receive through the Services, and you may not disclose or distribute any such Data, and you will only use such Data in conjunction with the Services and as permitted by this Agreement or by other agreements between you and us. Neither party may use any Personal Data to market to Customers unless it has received the express consent from a specific Customer to do so. You may not disclose Payment Data to others except in connection with processing Transactions requested by Customers and consistent with applicable Laws and Network Rules.
- PCI Compliance: If you use Payment Services to accept payment card Transactions, you must comply with the Payment Card Industry Data Security Standards (PCI-DSS) and, if applicable to your business, the Payment Application Data Security Standards (PA-DSS) (collectively, the “PCI Standards”). Fat Zebra provides tools to simplify your compliance with the PCI Standards, but you must ensure that your business is compliant. The specific steps you will need to take to comply with the PCI Standards will depend on your implementation of the Payment Services. You can find more information about implementing Fat Zebra in a manner compliant with the PCI Standards in our Documentation. You will promptly provide us with documentation demonstrating your compliance with the PCI Standards upon our request. If you elect to store, hold and maintain “Account Data”, as defined by the PCI Standards (including Customer card account number or expiration date), you further agree that you will either maintain a PCI-compliant system or use a compliant service provider to store or transmit such Account Data; further, you agree never to store any “Sensitive Authentication Data”, as defined by the PCI Standards (including CVC or CVV2), at any time. You can find information about the PCI Standards on the PCI Council’s website.
3. Security and Fraud Controls
- Fat Zebra’s Security: Fat Zebra is responsible for protecting the security of Data in our possession. We will maintain commercially reasonable administrative, technical, and physical procedures to protect User Data and Personal Data stored in our servers from unauthorised access, accidental loss, modification, or breach, and we will comply with applicable Laws and Network Rules when we handle User and Personal Data. However, no security system is impenetrable and we cannot guarantee that unauthorised parties will never be able to defeat our security measures or misuse any Data in our possession. You provide User Data and Personal Data to Fat Zebra with the understanding that any security measures we provide may not be appropriate or adequate for your business, and you agree to implement the Security Controls and any additional controls that meet your specific requirements. In our sole discretion, we may take any action, including suspension of your Fat Zebra Account, to maintain the integrity and security of the Services or Data, or to prevent harm to you, us, Customers, or others. You waive any right to make a claim against us for losses you incur that may result from our actions.
- Your Security: You are solely responsible for the security of any Data on your website, your servers, in your possession, or that you are otherwise authorised to access or handle. You will comply with applicable Laws and Network Rules when handling or maintaining User Data and Personal Data, and will provide evidence of your compliance to us upon our request. If you do not provide evidence of such compliance to our satisfaction, we may suspend transactions on your account or terminate this Agreement.
- Security and Fraud Controls: We may provide or suggest Security Controls to you, but we cannot guarantee that you or Customers will never become victims of fraud. Any Security Controls we provide or suggest may include processes or applications developed by Fat Zebra, its affiliates, or other companies. You agree to review all the Security Controls we suggest and choose those that are appropriate for your business to protect against unauthorised Transactions and, if appropriate for your business, independently implement other security procedures and controls not provided by us. If you disable or fail to properly use Security Controls, you will increase the likelihood of unauthorised Transactions, Disputes, fraud, losses, and other similar occurrences. Keep in mind that you are solely responsible for losses you incur from the use of lost or stolen payment credentials or accounts by fraudsters who engage in fraudulent Transactions with you, and your failure to implement Security Controls will only increase the risk of fraud. We may assist you with recovering lost funds, but you are solely responsible for losses due to lost or stolen credentials or accounts, compromise of your username or password, changes to your Payout Account, and any other unauthorised use or modification of your Fat Zebra Account. Fat Zebra is not liable or responsible to you and you waive any right to bring a claim against us for any losses that result from the use of lost or stolen credentials or accounts to engage in fraudulent Transactions, unless such losses result from Fat Zebra’s wilful or intentional actions. Further, you will fully reimburse us for any losses we incur that result from the use of lost or stolen credentials or accounts.
We may also provide you with subjective Data regarding the possibility or likelihood that a Transaction may be fraudulent that require action or review by you. We may incorporate action or inaction by you into any such subjective scoring when identifying future potential fraud. You understand that we provide this Data to you for your consideration, but that you are ultimately responsible for any actions you choose to take or not take in relation to such Data, and for providing inaccurate or incorrect information to us. You are solely responsible for any action or inaction you take based on such Data.
4. Transfer of Payment Data upon Termination
For 30 days after termination of your Fat Zebra Account, you may request in writing that we transfer Payment Data regarding transactions between you and Customers that you are entitled to receive (“Exportable Data”) to an alternative payment services provider consistent with applicable Laws. For payment card transactions, Fat Zebra will only transfer Exportable Data to another PCI-DSS Level 1-certified payment services provider. For other payment methods, Fat Zebra may require you to provide us with evidence that the alternative payment services provider you select has appropriate systems and security controls before we migrate any Exportable Data. We will use commercially reasonable efforts to transfer Exportable Data within 10 business days after we receive your written request. We may delay or refuse any transfer request if we believe the payment services provider you have identified does not have systems or security controls in place that are sufficient to protect Exportable Data, that the integrity of Exportable Data may be compromised, or if Laws or Network Rules prohibit us from transferring it.