Certain identified information in this document has been excluded because it is both (i) not material and (ii) is the type of information that the Company customarily and actually treats as private or confidential. This document has been marked with “[***]” to indicate where omissions have been made.
AMENDMENT 3 TO THE A&R CUSTOMER INSTALLMENT PROGRAM AGREEMENT
This Amendment 3 (“Amendment”) to the Amended and Restated Customer Installment Program Agreement dated March 19, 2024 (“Agreement”), is entered into between Shopify, Inc. a Canadian corporation (“Shopify”) and Affirm, Inc., a Delaware corporation (“Affirm”), as of the date of last signature below. Shopify and Affirm may be referred to collectively as the “Parties” or individually as a “Party.”
RECITALS
WHEREAS, the Parties entered into the Agreement to establish a program to make the Financial Product available to Customers and Eligible Merchants;
WHEREAS, Affirm leverages multiple financial institutions for purposes of facilitating Payouts to Eligible Merchant Bank Accounts;
WHEREAS, the Parties desire to establish a process to streamline Payouts made to Eligible Merchants under the Program through a Payout Provider engaged by Shopify, such that Payouts to Eligible Merchants are consolidated through the Payout Provider as a single source of payment (“Payout Consolidation Feature”);
WHEREAS, other than as expressly amended through this Amendment, the Parties wish the Agreement to remain in full force and effect.
NOW, THEREFORE, in consideration of the mutual covenants contained in this Agreement, Shopify and Affirm hereby agree as follows:
AGREEMENT
1.Defined Terms. Except as otherwise specifically indicated in this Amendment, capitalized terms used in this Amendment have the meanings ascribed to them in the Agreement.
2.Terms and Conditions. The Agreement shall be amended as set forth in the attached changed sections/items of the “Terms and Conditions” as set forth on Exhibit A.
3.Exhibit D - SLA. The Agreement shall be amended as set forth in the attached revised provisions of the “Exhibit D (Service Level Agreement (SLA) Standards)” as set forth on Exhibit B to this Amendment.
4.Exhibit E- Data Protection Agreement. Exhibit E to the Agreement is hereby deleted in its entirety.
5.Exhibit G - Payout Consolidation Feature. The Agreement shall be amended as set forth in the new Exhibit G (Payment Consolidation Feature) to be added to the Agreement immediately after Exhibit F as attached hereto as Exhibit C.
6.Miscellaneous. This Amendment may be executed by the Parties in separate counterparts, each of which when so executed and delivered shall be an original, but all of such counterparts shall together constitute one and the same instrument.
[Signature page follows]
IN WITNESS WHEREOF, the Parties have caused this Agreement to be duly executed by their authorized representatives below.
| | | | | |
| Shopify Inc. | Affirm, Inc. |
Signature: /s/ Ritu Khanna | Signature: /s/ Pat Suh |
Name: Ritu Khanna | Name: Pat Suh |
Title: VP, Global Partnerships | Title: SVP Revenue |
Date: 12/18/2024 | Date: 12/18/2024 |
Notices. Notices required under this Agreement shall be delivered pursuant to Section 23 (Notice) of the Agreement, and addressed as set forth below: |
|
If to Shopify: | If to Affirm: |
|
|
Shopify
150 Elgin Street, 8th Floor
Ottawa, ON
K2P 1L4
Canada
[***] | Affirm, Inc.
650 California Street, 12th Floor
San Francisco, CA 94108
Attention: Chief Legal Officer
[***] |
EXHIBIT A
AMENDED TERMS AND CONDITIONS
The following terms and conditions are intended to be added to the Terms and Conditions of the Agreement, and, where such terms conflict with an existing section in the Agreement, entirely replace such sections of the Agreement.
The amended sections below shall entirely replace those same sections in the Agreement. All other sections that are not amended or replaced herein shall remain unmodified as expressly stated in the Agreement.
1.Section 2.11 is hereby deleted in its entirety and replaced with the following: 2.11 “Customer Information” means all Personal Information (as defined under Applicable Law) provided by a Customer that is submitted and/or obtained by or on behalf of Affirm or Shopify about a Customer or an Application (whether or not completed) for products or services offered pursuant to the Program, including demographic data, and transaction data and only in connection with the Services provided by Affirm under the Program. “Customer Information” as contemplated in Sections 14.6
(Data Correction, Blocking, Export and Deletion), 14.7 (Compelled Disclosure) and 15.7 (Subprocessors), will not include (i) information about a Customer provided by a non-Customer third party only to Affirm or Shopify, including but not limited to consumer reports about Customers provided by credit bureaus; and (ii) any customer information that is not part of and was not provided in connection with the Program ((i) and (ii) collectively “Excluded Customer Information”).
2.Section 2.25 is hereby deleted in its entirety and replaced with the following: 2.25 “Merchant Information” means any information or data obtained during the Term and in connection with the Program about Merchants specifically including, but not limited to, the following: the fact that someone is a Merchant; all lists of Merchants; and all information relating to and identified with such Merchants or its owners. “Merchant Information” does not include (i) information about a Merchant provided by a non-Merchant third party to only Affirm or Shopify; or (ii) any information about merchants not related to or not provided or processed in connection with the Program (collectively “Excluded Merchant Information”). For the avoidance of doubt, Merchant Information shall be considered Confidential Information and not Personal Information under this Agreement.
3.Section 2.32 is hereby deleted in its entirety and replaced with the following:
2.32 “Program Information” means any information and data related to the Program or any information or data provided by or on behalf of a Party to the other Party in connection with the Program that is not considered to be Merchant Information or Customer Information; provided that “Program Information” shall not include (i) each Party’s Confidential Information, (ii) each Party’s Materials, (iii) each Party’s Pre-Existing IP, (iv) Intellectual Property Rights that a Party or its respective Affiliates solely create, author, develop or otherwise acquire (as further described in Section 8.4), (v) Intellectual Property Rights that the Parties jointly create, author or develop (as further described in Section 8.4), or (vi) information or data related to the Program that is not unique to the Program or that was created, authored or developed by a Party for use outside of the Program (e.g., existing Affirm products that are similar to the Financial Product) ((i) through (vi) collectively “Excluded Program Information.”). For the avoidance of doubt, Program Information shall be considered Confidential Information and not Personal Information under this Agreement.
4.Section 10.3.5 (Taxes) is hereby deleted in its entirety and replaced with the following:
10.3.5. [***]
5.Section 14 (Customer Information, Merchant Information and Program Information) is hereby deleted in its entirety and replaced with the following:
14.1 General. The purpose of this Section 14 is to ensure that this Agreement conforms to Applicable Law, and otherwise sets forth the Parties’ agreement with respect to the use, ownership rights, and disclosure of Customer Information, Merchant Information, and Program Information. All use and disclosure of Customer Information, Merchant Information, and Program Information under this Agreement shall be subject to the provisions of this Section 14.
14.2 Ownership and Use of Customer Information. As between the Parties, the Customer Information shall be [***]. Each Party may only use the Customer Information in accordance with Applicable Law, its agreements with the Customer or Merchant (as the case may be), and its privacy policy.
14.3 Ownership and Use of [***]. As between the Parties, all [***] and all [***] shall be owned exclusively by [***] unless otherwise expressly stated herein in this Section 14. [***] and [***] shall be owned by [***]. Subject to Section 14.4 (Exceptions and Additional Obligations), [***] agrees that, during Term, it shall not use, nor permit any [***], any [***] or [***] other than as necessary [***]. [***] shall have all rights and interest with respect to the sharing, use and disclosure of [***] or [***] during the Term and following the expiration or termination of this Agreement in its entirety. Upon the termination or expiration of this Agreement and any applicable transition or wind-down period, or at any time upon the reasonable request of [***], [***] shall return (or destroy if so directed by [***]) all [***] and [***] in its/their possession subject only to any limitations on the return or destruction of [***] or [***] as provided under this Agreement or Applicable Law. Any [***] or [***] separately maintained in an electronic format shall be returned to [***] in an industry standard and secure format or, at the option of [***], as is possible, deleted and removed from all computers, electronic databases and other media. Compliance by [***] with this Section shall be certified in writing by an appropriate officer of [***] within [***] of the end of the Term or the wind-down period, whichever is later, which certification shall include a statement that no [***] or [***] has been retained except as described in this Section 14.
14.4 Exceptions and Additional Obligations. Without waiving any of its rights under Sections 11, 13, 14.2 and 14.3, [***] may retain and use: (a) [***]. For the avoidance of doubt, [***] is not required to change its hard-coded underwriting, other models, automated backups, [***] Systems or records that may contain [***] or [***] added/embedded into them, but it has no right to use any such information independently, separate from such models or for any other purposes than [***]. Notwithstanding the limitations and rights set forth in this Section 14, and only as expressly stated herein and as expressly agreed to by the Parties, the Parties commit to support, and will work in good faith to (a) enable growth initiatives designed to enhance the consumer brand and consumer experience of each of Shopify and Affirm, respectively; (b) optimize the Customer’s onboarding and user experience for the Financial Product and, upon the Customer Engagement Effective Date, permit Customers to access the Customer Engagement Functionality in accordance with Section 4.11; and (c) optimize the Customer’s onboarding and user experience
for any other installments products the Parties mutually agree to launch consistent with Section 36.
14.5 Confidentiality. Notwithstanding anything to the contrary in the Agreement, if required by Applicable Law, each Party shall have the right to provide a copy of the Agreement to a requesting governmental authority.
14.6 Compelled Disclosure. If Affirm is required by Applicable Law to disclose [***] or [***] to any third party, Affirm shall immediately, but in any event within [***] of receiving notice of the obligation to disclose, notify Shopify in writing to the extent permitted by Applicable Law. Affirm will consult and cooperate with Shopify (to the extent legally permitted) to obtain a protective order from the appropriate governmental authority, or other reliable assurance that confidential treatment will be accorded such information and will otherwise only disclose that portion of the information that is required to be disclosed by Applicable Law.
6.Section 15 (Affirm Data Security) is hereby deleted in its entirety and replaced with the following:
15.1 Security Plan. Affirm shall establish and maintain appropriate administrative, technical and physical safeguards designed to (i) protect the security, confidentiality and integrity of the Protected Information in the possession or control of Affirm or its Personnel; (ii) ensure against any anticipated threats or hazards to its security and integrity; (iii) protect against unauthorized access to or use of such Protected Information or associated records which could result in substantial harm or inconvenience to any Customer or applicant; and (iv) ensure the proper disposal of Protected Information (collectively, the “Security Program”). At all times during the Term, and during any wind-down or transition period, (x) Affirm shall use the same degree of care in protecting the Protected Information against unauthorized disclosure as it accords to its other confidential customer or consumer information, but in no event less than a reasonable standard of care, and (y) the Security Program shall be in compliance with all information and data security requirements promulgated by the Applicable Law. Upon request, Affirm shall provide Shopify a copy of its Security Program. Any material change to the Security Program by Affirm, which change would cause Affirm to not be in compliance with this Section 15.1, shall be approved in advance by Shopify.
15.2 Security Measures. Shopify and Affirm may amend the Security Program and Sections 14, 15 and 16 from time to time upon written amendment, provided such updates may be no more onerous than those required by the then prevailing good industry practices and changes in Applicable Law. Affirm shall review any such amendments and updates and will use reasonable commercial efforts to adjust its security practices to comply with any such amendment and updates within [***] if feasible or as soon as practicable in the event [***] is not feasible following Affirm’s receipt of such amendments and updates from Shopify. Notwithstanding the foregoing, if Affirm fails to adjust its security practices to comply with any such amendment or updates within [***] or the time period mutually agreed upon by the Parties in writing if [***] is not feasible, then Shopify may terminate this Agreement.
15.3 Access. Affirm shall ensure its Personnel, when working with or accessing Shopify’s Systems, comply at all times with all applicable instructions, policies and procedures provided by Shopify to Affirm or Affirm’s Personnel from time to time, including safety and security policies and procedures and information security policies and procedures. Affirm will execute, and ensure each of its Personnel execute, all applicable documents generally required by Shopify for access
to Shopify’s Systems. Affirm will not: (i) alter or disable any hardware or software security programs residing on Shopify’s hardware, networks, computing environments or systems; (ii) allow unauthorized traffic to pass into Shopify’s networks, computing environments or systems; or (iii) resell or assign Shopify’s Confidential Information or access to Shopify’s Systems to another entity or person. If Affirm or Affirm’s Personnel allow unauthorized access to, or traffic to (as applicable) Shopify’s systems, Shopify may immediately terminate Affirm’s access to Shopify’s Systems.
15.4 Network Connections. If a network connection is established between Shopify Systems and the computing environment(s) used by Affirm or Affirm Personnel in connection with this Agreement or the Program, Affirm agrees, for itself and all Affirm Personnel, to maintain an alert status regarding the security of such computing environments, including all vulnerabilities and security patches or corrective actions, by subscribing to an industry recognized service. Affirm understands that, should a Shopify review reveal any non-compliance with the Security Measures, Shopify may, in addition to other remedies it may have, remove access by Affirm Personnel to Shopify Systems until Affirm Personnel satisfactorily comply with the Security Measures.
15.5 Data Security Compliance. Affirm will permit Shopify to review Affirm’s documents and records confirming its compliance with this Section 15 (Affirm Data Security) and provide Shopify with the relevant portions of audits and system test results acquired by Affirm in relation to the data security policies and procedures designed to meet the requirements of this Section 15 (Affirm Data Security). Upon request, Affirm shall submit to [***] assessments of Affirm’s security policies, standards and practices by Shopify, make reasonable efforts to resolve deficiencies noted as a result of these assessments in a manner commensurate to the risk those deficiencies represent and promptly notify Shopify of any material changes to Affirm’s security policies, standards and practices.
15.6 Security Breach
15.6.1 If Affirm maintains, processes or otherwise is permitted access to Protected Information, Affirm will maintain and, upon request, produce copies of incident response policies and procedures and evidence of incident response testing conducted within the last year. Notwithstanding the foregoing, initial evidence of incident response testing will be provided as soon as possible after the execution of this Agreement.
15.6.2 In the event Affirm suffers or learns of any actual Security Breach (including any unauthorized acquisition, accessing, use, alteration, disclosure, compromise or loss of any Protected Information or Merchant Information), then, as soon as practicable but within no more than [***] (except that notice to Shopify may be delayed if required by law enforcement or other Regulatory Authority), Affirm will notify its primary Shopify contact and provide an estimate of the Security Breach’s effect on Shopify. Affirm will diligently investigate the cause of the Security Breach and promptly create and enact a corrective action plan to prevent future breaches.
15.6.3 In the case of a Security Breach involving Protected Information, Affirm will cooperate fully with Shopify to correct any Security Breach and notify each Customer as to the facts and circumstances of the breach of the Customer’s particular information.
Affirm agrees not to notify any Regulatory Authority, nor any Customer, on behalf of Shopify unless Shopify specifically requests Affirm to provide such notification (such notification to be in a form approved by Shopify in writing). If Affirm reasonably determines that Regulatory Authority or Customer notification is required by it under Applicable Law, then Affirm must provide Shopify prior notice, and if Shopify disagrees, Shopify and Affirm will then negotiate in good faith to make a final determination regarding what action, if any, is to be taken. To the extent requested by Shopify, Affirm will cooperate fully with all Regulatory Authorities investigating a Security Breach and any known or suspected criminal activity. Affirm shall be responsible for all Security Breach Costs associated with its Security Breach.
15.6.4 In the event of a Security Complaint directed at Affirm, then, as soon as practicable but within no more than [***], Affirm will notify its primary Shopify contact and the Parties shall promptly work in good faith to determine the appropriate actions to be taken in connection with such Security Complaint.
15.7 Subprocessing. Affirm may only permit Subprocessors to Process Personal Information for the limited and specific purposes of providing Shopify with the Services or as required to comply with Applicable Law. Affirm shall be responsible and liable for the acts, omissions or defaults of Subprocessors in the performance of Affirm’s obligations under the Agreement, as if they were Affirm’s own acts, omissions or defaults. Affirm will notify Shopify in writing promptly upon becoming aware of any breach by a Subprocessor of the terms of this Agreement.
7. Shopify Data Security. Section 16 (Shopify Data Security), is hereby deleted in its entirety and replaced with the following:
Section 15 (Affirm Data Security) will apply equally to Shopify, mutatis mutandis.
