As described in this Agreement, you are solely responsible for all aspects of Your Products and Services, including, without limitation, the fulfillment, delivery, customer service, payment processing and collection of orders submitted through your Site.

HAQM’s sole obligations in connection with the Program are set forth in Section 1 of the Merchant Agreement and the license grant to the Program Materials as further described below.

Upon our request, you must review and verify, for each of your participating Merchant Locations, your (or your business’s) legal name, address, phone number, and e-mail address. You will timely provide us with any information that we reasonably request to verify your compliance with the Agreement.

Subject to your compliance with the Agreement, we grant you a limited, revocable, non-transferable, non- sublicensable, non-exclusive, royalty-free license during the Term to access, use, and reproduce the Program Materials that we may make available to you solely as necessary for your participation in the Program. Any license granted to you in connection with the Agreement will immediately and automatically terminate (i) upon termination of the Agreement or (ii) if you do not comply with any term or condition of the Agreement.

You will not, and will not authorize any other party to, do any of the following with the Program Materials, or any technology, system, or network used to operate or make available the Program: (a) reverse engineer, decompile, or disassemble them except to the extent applicable law expressly permits it despite this limitation; (b) modify or create derivative works based upon them in whole or in part; (c) distribute, sublicense, or otherwise provide any portion of them to, or allow access by, any third party; (d) remove any proprietary notices or labels; (e) use them with any software that is licensed under terms that would require that they be disclosed, licensed, distributed, or otherwise made available to any third party; (f) resell, lease, rent, transfer, sublicense, or otherwise transfer rights to any third party; (g) access or use them in a way intended to avoid incurring any applicable fees, exceeding usage limits or quota, or developing a product or service; or (h) take any action that would result in the introduction of viruses, Trojan horses, worms, or any other malicious, harmful, or deleterious programs.

You will take appropriate technical and organizational measures to protect against unauthorized or unlawful use of the Program Materials and against accidental loss or destruction of, or damage to them. You will provide us with notice immediately if you believe any unauthorized third party may be accessing or using the Program Materials. You are solely responsible for the access, development, content, operation, security, and maintenance of all Your Materials, and for properly configuring Your Materials and using the Program Materials (if applicable) and taking your own steps to maintain appropriate security, protection, and backup of Your Materials, including using encryption technology to protect them from unauthorized access and routinely archiving them. We are not responsible for any unauthorized access to, alteration of, or the deletion, destruction, damage, loss, or failure to store any of Your Materials (including as a result of your or any third party’s errors, acts, or omissions).

Except for the rights explicitly granted to you in the Agreement, all right, title, and interest (including all intellectual property and proprietary rights) in and to the Program Materials, and any other intellectual property and technology that we provide, make available, or use in connection with the Program are reserved and retained by us and our licensors. We may modify or discontinue (including by ceasing our distribution of or support for) any or all of the Program Materials at any time without notice. This paragraph will survive termination of the Agreement.

The Program Materials may include or be distributed with software or other materials that are provided under a separate license agreement (such as an open source license), and that separate license will govern the use of such software or other materials in event of a conflict with the Agreement. Any such separate license agreement may be indicated in the license, notice, or readme files distributed with the applicable software or other materials or in related documentation.

In addition to the obligations described in the Agreement, to the extent not prohibited by applicable laws, You will and will cause your Personnel to: (a) comply with policies that we may designate and, upon request, provide us with reports (in a form designated by us) certifying to your compliance with these requirements; (b) use Confidential Information made available to you solely for the purpose of communicating with Purchasers of Your Products and Services; (c) not in any way represent to Purchasers that you or Your Personnel are HAQM or that you or Your Personnel are acting on behalf of HAQM; and (d) comply with all other requirements designated by HAQM.

The Data Protection Policy (“DPP”) governs the treatment (e.g., receipt, storage, usage, transfer, and disposition) of HAQM Information. “HAQM Information” is any information provided to you in connection with the Program, including through APIs.

General Security Requirements
Consistent with industry-leading security standards and other requirements specified by HAQM based on the classification and sensitivity of HAQM Information, you will maintain physical, administrative, and technical safeguards, and other security measures (i) to maintain the security and confidentiality of HAQM Information accessed, collected, used, stored, or transmitted by you, and (ii) to protect that information from known or reasonably anticipated threats or hazards to its security and integrity, accidental loss, alteration, disclosure, and all other unlawful forms of processing. Without limitation, you will comply with the following requirements:

Network Protection. You will install and maintain a working network firewall to protect data accessible via the Internet and will keep all HAQM Information protected by the firewall at all times.

Updates. You will keep your systems and software up-to-date with the latest upgrades, updates, bug fixes, new versions and other modifications necessary to ensure security of the HAQM Information.

Anti-malware. You will at all times use anti-malware software and will keep the anti-malware software up to date. You will mitigate threats from all viruses, spyware, and other malicious code that are or should reasonably have been detected.

Encryption. You will encrypt data at rest and data sent across open networks in accordance with industry best practices.

Testing. You will regularly test your security systems and processes to ensure they meet the requirements of this Data Protection Policy.

Access Management. You will assign a unique ID to each person with computer access to HAQM Information. You will restrict access to HAQM Information to only those people with a “need-to-know” for purposes of your participation in the Program. You will review the list of people and services with access to HAQM Information on a regular basis (at least quarterly) and remove accounts that no longer require access. You will not create or use generic, shared, or default login credentials or user accounts. You will mandate and ensure the use of system enforced “strong passwords” in accordance with industry-standard best practices on all systems that have control of or access to HAQM Information. You will maintain and enforce “account lockout” by disabling accounts with access to HAQM Information when an account exceeds more than ten consecutive incorrect password attempts. Except where expressly authorized by HAQM in writing, you will isolate HAQM Information at all times (including in storage, processing or transmission), from your and any third-party information.

Security Incidents. You will inform HAQM within 24 hours of detecting any Security Incident. “Security Incident” is any actual or suspected unauthorized access, collection, acquisition, use, transmission, disclosure, corruption or loss of HAQM Information, or breach of any environment (i) containing HAQM Information or (ii) managed by you with controls substantially similar to those protecting HAQM Information. You will remedy each Security Incident in a timely manner and provide HAQM written details regarding your internal investigation regarding each Security Incident. You will cooperate and work together with HAQM to formulate and execute a plan to rectify all confirmed Security Incidents. You will inform HAQM within 24 hours when its data is being sought in response to legal process or by applicable law (e.g., 18 U.S.C. §2705(b)).

Request for Deletion or Return. You must promptly (but within no more than 72 hours after HAQM's request), permanently and securely delete (in accordance with industry-standard sanitization processes, e.g., NIST 800-88) or return HAQM Information upon and in accordance with HAQM's notice requiring deletion or return. You must also permanently and securely delete all live (online or network accessible) instances of HAQM Information within 90 days after HAQM's notice. If requested by HAQM, you will certify in writing that all HAQM Information has been securely destroyed.

Security Policy. You will maintain and enforce an information and network security policy for employees, subcontractors, agents, and suppliers that meets the standards set out in this policy, including methods to detect and log policy violations.

Logging and Monitoring. You will maintain and regularly review detailed access logs for purposes of detecting malicious behavior or unauthorized access. You will provide access to these logs to upon HAQM’s request following any Security Incident.

Security Review. Upon HAQM’s written request, you will certify in writing to HAQM that you are in compliance with this policy. HAQM reserves the right to periodically review the security of systems that you use to process HAQM Information. You will cooperate and provide HAQM with all required information within a reasonable timeframe, but no more than 20 calendar days from the date of HAQM’s request. If any security review identifies any deficiencies, you will, at your sole cost and expense, take all actions necessary to remediate those deficiencies within an agreed upon timeframe.