The information contained on this webpage is Marqeta Confidential Information and subject to the confidentiality
agreements between Customer and Marqeta. If you do not have a confidentiality agreement in place with Marqeta,
you are not authorized to access this webpage or view its contents.
These Marqeta Payment Services Terms and Conditions (these “Terms”) are entered into between Marqeta, Inc. or
such Affiliate of Marqeta, Inc. as defined in the Order Form (“Marqeta”) and Customer (as defined in the Order
Form). Each of Marqeta and Customer is a “Party” and together referred to as the “Parties.” The Terms are part of
the agreement between the Parties (the “Agreement”), which consists of the Terms, together with the terms and
conditions set forth in the document titled “Order Form” executed by the Parties (the “Order Form”). The Order
Form shall set out the applicable Initial Term for the Agreement and any Renewal Term (together the “Term” of
the Agreement).
These Terms do not constitute a binding contract between the Parties unless and until the Parties execute an Order
Form. On executing an Order Form that incorporates these Terms, each Party accepts and agrees that it has read
and agrees to be bound by these Terms.
Sections A (General Terms and Conditions), B (Data Privacy and Security), E (Service Levels) and F (Definitions)
apply to all customers who have executed an Order Form that references the Terms.
Section C (Powered by Marqeta) applies where the Order Form references Powered by Marqeta Services. Section
D (Managed by Marqeta) applies where the Order Form references Managed by Marqeta Services. KYC Services
applies where the Order Form references KYC Services (as defined below). Section G (Additional Regulatory
Terms) applies where the relevant requirements set out in Section G are applicable.
SECTION A
GENERAL TERMS AND CONDITIONS
1. Marqeta’s Obligations.
(a) Services. Marqeta will deliver to Customer or Customer’s Affiliate(s) those services (the “Services”) and the Marqeta system (the “System”) indicated on the order form(s) issued pursuant to this Agreement (“Order Form”) and related onboarding services. Marqeta may enhance, revise, upgrade, improve, correct, or issue a new release of all or part of the Services or System (collectively, “Enhancement(s)”) at any time, provided an Enhancement does not materially degrade the Services. Marqeta and Customer will meet in good faith to agree on any fees and costs for which Customer will be responsible related to the implementation of any Enhancements; provided that, in the event that an Enhancement arises from or relates to a change in Applicable Law or Card Brand Rules, Marqeta may charge Customer reasonable fees and expenses related to increased costs or expenses associated with such an Enhancement or for any enhanced functionality that results from such an Enhancement. If Customer is required to update or otherwise alter its systems to make use of an Enhancement, then Customer will be responsible for its own costs and expenses. Where a Customer Affiliate will receive the Services, the Parties acknowledge and agree all references to “Customer” in the Agreement will also apply to such Customer Affiliate. Customer will be responsible for the actions or omissions of its Affiliates and its Affiliates’ Personnel. Customer’s indemnification obligations under the Agreement will apply to the actions or omissions of the Customer’s Affiliates.
(b) Documentation. Marqeta has or will provide Customer with Documentation.
(c) Marqeta Service Provider. Marqeta may use any entity controlling, controlled by, or under common control with a Marqeta Affiliate or a third party when performing under the Agreement (each, a “Marqeta Service Provider”). Marqeta will be solely responsible for (i) the acts or omissions of any such Marqeta Service Provider, as if they were Marqeta’s acts and omissions under this Agreement; and (ii) ensuring such Marqeta Service Provider’s compliance with the terms of this Agreement.
(d) Card Fulfillment Services. If Customer elects to receive Marqeta’s Card fulfillment services, Customer may order physical Cards by accessing Marqeta’s API. Physical Cards ordered through Marqeta’s card fulfillment services must comply with the Card specification requirements. Customer will be responsible for ensuring that the art, design, and content of physical Cards, Card carriers, and other packaging materials comply with the card specifications and do not infringe proprietary rights of any third party. Customer will be responsible for the cost of Card fulfillment and any additional requested services for any physical Card ordered regardless of whether such Card is used.
2. Customer’s Obligations.
(a) Use of Services. Customer agrees to use the Services in accordance with (i) the Documentation, (ii) the applicable Order Form(s), including the Configuration Schedule in the applicable Order Form(s), and any geographic restrictions relating to use of the Cards, Services or location of Cardholders or Authorised Users, and (iii) as set forth in the applicable schedule(s) to this Agreement. Customer will bear all risk and cost of compliance with Applicable Law, Card Brand Rules, credit losses, negative balances, load failures due to Customer’s acts or omissions, chargebacks, international decline charges, identity theft, fraud (including transaction fraud, cloning, phishing, over/under limit processing, and related Issuer actions or recovery) or any other losses on the Cards serviced by Marqeta pursuant to the Agreement (collectively, “Card Losses”), except to the extent that Marqeta’s intentional breach caused the Card Losses. Marqeta will have no responsibility or liability for any such Card Loss, or any disputes related thereto.
(b) Instructions and Reports. Customer will provide Marqeta and/or Marqeta Service Providers all materials, information, data, and instructions reasonably required or requested by Marqeta to perform the Services (“Customer Instructions”). Customer Instructions will be accurate and complete and Marqeta will not be liable for any inaccurate or incomplete Customer Instructions. Marqeta may rely on Customer Instructions without additional inquiry. Customer will regularly review Customer Instructions for accuracy and completeness and will promptly notify Marqeta of any changes or errors in such Customer Instructions.
(c) Customer Service Providers. Customer may use the services of a Customer Service Provider in exercising its rights or performing its obligations in connection with the Agreement. If Customer or any Customer Service Provider performs any functions related to the Services or the Agreement, or accesses the Services, the System, Cards, Documentation or any other technical information about or incorporated in the Services, Customer will be solely responsible for (i) obtaining all authorizations, licenses, and consents, and for paying all amounts, necessary for the System to interface with Customer’s systems or those of its Customer Service Provider; (ii) the acts or omissions of any such Customer Service Provider, as if they were the Customer’s acts and omissions under this Agreement; and (iii) ensuring such Customer Service Provider’s compliance with the terms of this Agreement.
(d) Due Diligence and Information Requests. Customer acknowledges that Marqeta’s obligation to make the Services available to Customer is conditional upon Customer’s ongoing compliance with and satisfaction of Marqeta’s due diligence and information requirements including providing financial statements on a periodic basis upon request and Marqeta may terminate this Agreement in the event that Customer no longer complies with or satisfies such requirements. Customer agrees to provide all due diligence information or other information requested under this Agreement in a form reasonably requested by Marqeta or Issuer. Customer will notify Marqeta as soon as reasonably possible if there is a material change to its financial state or ownership.
3. Mutual Obligations.
(a) Representations and Warranties. Each Party represents and warrants that at all times (i) it has the requisite corporate power and authority to enter into the Agreement and perform under it, (ii) it is not a party to any other agreement that would hinder its ability to perform its obligations under the Agreement, and (iii) it is duly qualified and licensed to do business and to carry out its obligations as required by Applicable Law, and (iv) no natural or legal person that is subject to any Sanctions has any material ownership interest in such Party, and that no such person controls such Party. Except as otherwise expressly provided in the Agreement, and to the extent permitted by Applicable Law, neither Party, nor, when applicable, the Marqeta Service Provider, makes any representations or warranties of any kind, nature, or description to the other Party, whether statutory, express, or implied, including any warranty of non-infringement, error-free operation, merchantability, or fitness for a particular purpose (and all such representations or warranties of any kind, nature, or description are excluded to the maximum extent permitted by Applicable Law). Each Party will notify the other if any of the foregoing representations and warranties are no longer true.
(b) PCI DSS. Each Party will comply with the Payment Card Industry Data Security Standards (“PCI DSS”) 4.0 or newer. Each Party acknowledges that it has read and understands the PCI Responsibility Matrix for PCI DSS 4.0 as described on the Marqeta website at https://www.marqeta.com/pci-responsibility-matrix, which may be updated by Marqeta from time to time. Upon Marqeta’s request (no more than once every twelve (12) months), Customer will verify its compliance with PCI DSS, to the extent applicable, and provide the results of the verification to Marqeta in writing.
4. Intellectual Property.
(a) Parties’ Marks. Each Party owns all right, title, and interest in and to any materials provided by or on its behalf in connection with the Agreement, including but not limited to its names, trademarks, service marks, or logos (“Marks”). Except for the licenses granted under these Terms, neither Party will have any right, title, interest, or license to the other Party’s Marks. During the Term, each Party grants to the other a royalty-free, non-exclusive, non-transferable, non-sublicensable, limited right and license to use, reproduce, and distribute the other Party’s Marks exclusively in connection with or in order to provide the Services. The Parties agree that usage of a Party’s Marks in a manner that merely refers to the Party without suggestion of endorsement or sponsorship is not restricted by this Agreement. Customer may use Marqeta’s Marks solely for the purposes of non-public materials that disclose the Services provided by Marqeta under this Agreement. Marqeta may list Customer in its marketing materials using Customer’s Marks and generally describe the Services provided by Marqeta under this Agreement. The Parties will obtain one another’s prior approval before any other public distribution of marketing or promotional materials that use the other Party’s Marks.
(b) Ownership and License. Marqeta may provide Customer with project deliverables, plans, Documentation, reports, analyses, and other tangible materials in connection with the Agreement (collectively, the “Deliverables”). Marqeta owns all right, title, and interest, including all intellectual property rights, in and to the Deliverables, the Services, and the System and all derivatives thereof. Marqeta grants to Customer a royalty-free, non-exclusive, non-transferable, non-sublicensable, limited right and license to use the Deliverables, the Services, and the System exclusively in connection with Customer’s receipt of the Services. Customer will not, directly or indirectly, reproduce, retransmit, republish, reverse engineer, decompile, disassemble, or otherwise attempt to derive source code, trade secrets, Confidential Information, or other Intellectual Property from any of the Deliverables, the Services, or the System.
(c) Enhancements. Marqeta will be the sole and exclusive owner of all intellectual property rights in any Enhancement to the System or Services, including any suggestions, enhancement requests, recommendations or other feedback, and the Parties agree that any such Enhancement will not be a “work made for hire” or a “joint work of authorship” or in any way constitute the intellectual property or other rights of the Customer or its third parties.
5. Confidentiality and Non-Disclosure.
(a) General. Each Party may receive (“Receiving Party”) or otherwise become familiar with Confidential Information about the other Party (“Disclosing Party”).
(b) The Receiving Party agrees to take all reasonable measures to maintain the confidentiality and secrecy of the Confidential Information of the Disclosing Party and to avoid its disclosure, including all precautions the Receiving Party employs with respect to its confidential materials of a similar nature. Receiving Party may not disclose the Disclosing Party’s Confidential Information to any third party, except: where Marqeta is the Receiving Party (i) to its Affiliates, (ii) to Marqeta Service Providers, and (iii) to Issuer, in each case, for the purpose of providing the Services. In the event the Disclosing Party’s Confidential Information is disclosed to any third party pursuant to one of the exceptions noted in the preceding sentence, the Receiving Party must ensure that the third-party recipients do not use or disclose the Confidential Information other than in accordance with the terms of the Agreement. The Receiving Party may also disclose Disclosing Party’s Confidential Information to the extent required by Applicable Law or court order, provided that the Receiving Party uses reasonable efforts to limit such disclosure and has, to the extent reasonably possible and not prohibited under Applicable Law, provided commercially reasonable notice to the Disclosing Party of the legal disclosure requirement prior to the disclosure of Disclosing Party’s Confidential Information. Subject to Section B, if either Party receives confirmation of a material issue resulting in unauthorized access to the other Party’s Confidential Information, which could have a material impact on the other Party, such Party will promptly notify the other Party in writing and describe the circumstances surrounding such unauthorized access. In addition, each Party will promptly take reasonable steps to minimize such unauthorized access and reasonably cooperate with the other Party to minimize any damage resulting therefrom.
6. Fees and Payment.
(a) Fees. Customer will pay Marqeta or Marqeta will pay Customer the fees detailed in the applicable Order Form.
(b) Invoice and Payment. Save as set out in an Order Form, Marqeta will invoice Customer monthly in arrears, and all payments will be due within thirty (30) days of the invoice date. Any undisputed amounts not paid by their due date will incur interest until paid, at the monthly rate of one and one-half percent (1.5%), prorated for any partial month (or if lower, the maximum interest rate permitted by Applicable Law). Customer will bear all reasonable costs incurred by Marqeta associated with collecting fees due or other unpaid amounts.
(c) Taxes. All charges and fees are exclusive of any applicable withholding, sales, use, excise, value-added, or other taxes (collectively “Taxes”). Any such taxes which Marqeta is legally responsible to collect from Customer will be billed by Marqeta and paid by Customer at the rate and in the manner for the time being prescribed by Applicable Law. If Customer is required by Applicable Law to make a deduction or withholding from such a payment, the relevant sum payable will be increased by an additional amount to the extent necessary to ensure that, after the making of such deduction or withholding, Marqeta receives and retains (free from any liability in respect of any such deduction or withholding) a net sum equal to that which it would have received and so retained had no such deduction or withholding been made or required to be made.
(d) Set-off. Any amounts owed by Customer will be set off with any amounts owed to Customer in determining the net amount payable from one Party to the other on a monthly basis. If applicable, Marqeta reserves the right to withhold any revenue share payments which will be applied against any undisputed balances due from Customer.
(e) Early Termination.
(i) If, other than as a result of Marqeta’s uncured material breach of this Agreement, any Order Form is terminated by either Party prior to expiration of the Initial Term or Renewal Term set forth in such Order Form, Customer will pay Marqeta an amount equal to the greater of (A) the average monthly revenue received by Marqeta related to the terminated Card Program(s) or Order Form(s) for the six (6) months prior to the termination or (B) the highest possible Monthly Access Fee or Monthly License Fee, as applicable or similar recurring monthly fee, described in the Order Form multiplied by the number of months (including a pro-rata portion for any partial month) remaining in the Initial Term or the Renewal Term, as applicable (“Early Termination Fee”).
(ii) Customer will pay the Early Termination Fee within one (1) month of the effective date of any such termination. The Early Termination Fee is not a penalty and constitutes liquidated damages as a genuine and reasonable estimate of the damages that Marqeta will incur for the lost revenue resulting. The payment of the Early Termination Fee by Customer does not preclude liability to Marqeta for other damages incurred under this Agreement.
7. Termination.
(a) Termination for Cause.
(i) A Party may terminate the Agreement, upon written notice to the other Party, in the event that the other Party commits a material breach of the Agreement and fails to cure such material breach within thirty (30) days after receipt of notice, provided, that, if such material breach is a non-monetary breach and is not reasonably curable within thirty (30) days, the cure period will be extended so long as the other Party commences such cure within such thirty (30) day period and diligently pursues such cure to completion within ninety (90) days after notice is first provided.
(ii) A Party may terminate the Agreement, upon written notice to the other Party, in the event that the other Party becomes subject to any voluntary or involuntary bankruptcy, insolvency, reorganization, or liquidation proceeding, has a receiver appointed for it, makes an assignment for the benefit of its creditors, or admits its inability to pay its debts as they become due, or any analogous procedure or step is taken in any jurisdiction.
(iii) Marqeta may (a) terminate the Agreement or (b) suspend the provision of services pursuant to an Order Form in the event Customer fails to pay undisputed charges when such payments are due and payable (as set forth in the Order Form) and fails to cure such material breach within five (5) days after receipt of notice. Marqeta’s right to terminate pursuant to this Section (iii) does not prejudice or waive its right to payment.
(iv) Marqeta may terminate or suspend performing in whole or in part under the Agreement upon notice (a) if Customer fails to perform a regulatory or compliance obligation or directive or comply with Issuer Program Requirements (if applicable), (b) if Customer violates Applicable Law or Card Brand Rules, or (c) at the direction of Issuer. Marqeta may suspend performing under this Agreement during its reasonable investigation into (y) whether (a) or (b) has occurred or (z) whether there has been any (1) material fraud, (2) misuse of the Services, or (3) use of the Services in a manner that compromises the security, integrity, or performance of the Services. Marqeta may also decline to authorize particular transactions if Marqeta reasonably believes that such transactions violate Applicable Law or Card Brand Rules or would compromise the security, integrity or performance of the Services or have a material adverse impact on the Issuer.
(b) Termination Not for Cause.
(i) A Party may (a) terminate the Agreement on ninety (90) days’ prior written notice and/or (b) suspend providing in whole or in part Services under the Agreement, if there is a change in Applicable Law or Card Brand Rules that would have a material adverse impact upon a Party’s ability to perform its obligations under the Agreement. The Party terminating or suspending the Agreement pursuant to this Section will provide ninety (90) days’ notice of such termination unless a shorter period is required in order to comply with Applicable Law or Card Brand Rules.
(ii) Marqeta may (a) terminate the Agreement and/or (b) suspend providing in whole or in part Services under the Agreement, if directed to do so by an Issuer, Card Brand or Regulator. Marqeta will provide one hundred eighty (180) days’ notice of such termination unless it is required by a Card Brand, Issuer or a Regulator to provide less notice.
(iii) Marqeta may terminate this Agreement, on thirty (30) days' prior written notice, if the Card Program does not have material transactions or issuing activity for more than three hundred and sixty-five (365) days after the Go-Live Date (as defined in the applicable Order Form).
(c) Transition. Any notice of termination by either Party will include a proposed date for initiation of transition, if any. Except for termination of the Agreement by Marqeta for cause or at the direction of, if applicable, Issuer, a Card Brand, or a Regulator, Marqeta will provide transition assistance reasonably necessary to transition the accounts for which Marqeta provides the Services to the Customer or a successor service provider as agreed by the Parties in writing (the “Transition Services”). The Agreement will continue on the same commercial terms and conditions until the completion of the transition and Customer will be responsible for all costs and expenses in connection with the Transition Services, including any fees earned by Marqeta but not yet paid by Customer and any fees for the Services during the transition. If Customer elects not to receive the Transition Services, the Parties will work in good faith to implement an orderly wind-down of the Services after termination of the Agreement. The wind-down period will not exceed six (6) months.
(d) In case of termination of the Agreement for any reason other than Marqeta’s breach, unless otherwise expressly provided herein, Customer is obligated to pay all applicable fees and other charges (e.g. the Monthly Access Fee) for the remainder of the Initial Term or Renewal Term (each as defined in the Order Form), as applicable.
8. Indemnification.
(a) Marqeta Indemnification. Marqeta will indemnify, defend, and hold harmless Customer and its officers, directors, and employees from and against all costs, penalties, fees, assessments, and other losses, including reasonable attorneys’ fees (“Damages”) as a result of any third-party claim or cause of action (“Claim”) arising out of, relating to, or alleging: (i) Marqeta’s material breach of the Agreement, (ii) Marqeta’s willful misconduct, or fraud in connection with the Agreement, (iii) the willful misconduct, or fraud of any Marqeta Service Provider in connection with the Agreement, or (iv) Marqeta’s infringement of the intellectual property rights of any third party in connection with the Agreement. Marqeta’s indemnification obligations will not apply to any Damages that arise from or relate to (1) the combination of the Services with any products, services, or materials not supplied by Marqeta or a Marqeta Service Provider, (2) any modification to the Services not made by or on behalf of Marqeta, (3) any failure by Customer to implement any Enhancements to the Services, (4) any use of the Services other than as expressly permitted under the Agreement, or (5) Marqeta’s compliance with any Customer Instructions or reliance on any data or information received from Customer or any authorized third party on Customer’s behalf.
(b) Customer Indemnification. Customer will indemnify, defend, and hold harmless Marqeta, Issuer, and each of their respective officers, directors, employees from and against all Damages as a result of any Claim arising out of, relating to, or alleging: (i) Customer or Customer Service Providers’ breach of the Agreement, (ii) the willful misconduct, or fraud of Customer’s and/or Customer Service Providers, in connection with the Agreement, (iii) the violation of any Applicable Law or Card Brand Rules infringement of the intellectual property rights of any third party in connection with the Agreement, (iv) any fines, fees, penalties, assessments, or other amounts imposed by, or on, Issuer, or imposed by any Card Brand in connection with the Agreement, (v) the business or services of Customer relating to the Agreement, or, when applicable, Customer’s Service Providers relating to the Agreement.
(c) Procedure. The party seeking indemnification (“Indemnified Party”) will promptly notify the indemnifying party (“Indemnifying Party”) in writing of any Claim along with a copy of any papers received. Failure to provide prompt notice of any Claim will not relieve the Indemnifying Party of its indemnification obligations, except to the extent such failure materially prejudices the Indemnifying Party in defending the third-party Claim. The Indemnified Party will tender control of the defense and settlement of any such third-party Claim to the Indemnifying Party at the Indemnifying Party’s expense and with the Indemnifying Party’s choice of counsel. The Indemnified Party will also cooperate with the Indemnifying Party, at the Indemnifying Party’s expense, in defending or settling such third-party Claim and the Indemnified Party may join in the defense with counsel of its choice at its own expense.
9. Insurance. During the term of the Agreement and any transition period, each Party will maintain in full force and effect, at its own cost and expense: (i) insurance coverage sufficient to cover its potential indemnity or reimbursement obligations, and (ii) an appropriate insurance policy or policies providing coverage in the event of its loss of confidential data, including Cardholder Data and Transaction Data, the limit of which (i) for general liability insurance will be no less than five million dollars ($5,000,000) per occurrence or five million dollars ($5,000,000) aggregate, and (ii) for cyber insurance, will be no less than five million dollars ($5,000,000) per occurrence or five million dollars ($5,000,000) aggregate. Each insurance policy will be carried in the name of the Party. A copy of each policy, and any certificates of insurance evidencing the existence of such policy, will be provided to the other Party promptly following such Party’s written or e-mail request. Each insurance policy must be written by insurance carriers that have an A.M. Best rating of “A” or better and will name the other Party and, if Customer is receiving Managed by Marqeta Services, Issuer as an additional insured. Each Party will promptly provide notice to the other Party in the event of any notice of nonrenewal or cancellation, lapse, or termination of any insurance coverage required under the Agreement. Notwithstanding the foregoing, Customer acknowledges and agrees that the Issuer may require Customer to carry insurance in addition to the amounts set forth above.
10. Transfer Regulations.
(a) The Parties consider that the commencement, operation, termination, or expiration of the Agreement will not give rise to a transfer of an undertaking or part of any undertaking for the purposes of the TUPE Regulations. Accordingly, each Party (in this Section, an “Indemnifying Party”) will indemnify and keep indemnified the other (in this Section, an “Indemnified Party”) on demand from and against all Damages payable by the Indemnified Party as a result of any Claim brought against the Indemnified Party by an employee or other personnel employed or engaged by the Indemnifying Party who alleges that he or she has, or should have, transferred to the employment of the Indemnified Party as a result of this Agreement, its operation, termination or expiration in accordance with the TUPE Regulations, provided that:
(i) the Indemnified Party will promptly notify the Indemnifying Party in writing of any alleged transfer under the TUPE Regulations of which it has notice;
(ii) the Indemnified Party will make no admissions without the Indemnifying Party's prior written consent;
(iii) the Indemnified Party, at the Indemnifying Party's request and expense, will allow the Indemnifying Party to conduct any negotiations or litigation and/or settle any such claim;
(iv) the Indemnified Party will give the Indemnifying Party all reasonable assistance requested at the Indemnifying Party's expense; and
(v) the costs incurred or recovered in such negotiations or settled claim will be for the Indemnifying Party's account.
(b) Prior to the commencement of the Services or the Agreement, no employee of, or other personnel employed or engaged by, the Customer, its Affiliates or any existing or alternative service provider has been engaged in performing services similar to or the same as the Services to Customer or any of its Affiliates. As a consequence, on the commencement of this Agreement, the Parties do not consider that the TUPE Regulations will apply. In the event that any employee of, or other personnel employed or engaged by, the Customer or its Affiliates or any service provider is found or is claimed to have transferred by operation of the TUPE Regulations to the employment of Marqeta or its Affiliates, Marqeta will be entitled to dismiss the employee or other personnel with immediate effect and the indemnity set out in (a) above will apply.
(c) No employee or other personnel of Marqeta or its Affiliates will be mainly assigned and/or dedicated to the performance of the Services. As a consequence, on the termination or expiry of this Agreement for whatever reason, the Parties do not consider that the TUPE Regulations will apply. In the event that any employee of, or other personnel employed or engaged by, Marqeta or its Affiliates is found to have transferred by operation of the TUPE Regulations to the employment of the Customer or its Affiliates, Customer will be entitled to dismiss the employee or other personnel with immediate effect and the indemnity set out in (a) will apply.
(d) In this Section 10, “TUPE Regulations” means the Transfer of Undertakings (Protection of Employment) Regulations 2006 (as amended or any successor legislation), and/or such equivalent law(s) to transfer employees, their contracts, rights or liabilities by law, as may apply in any other jurisdiction including without limitation, in respect of the EU and EEA, those laws implementing the Acquired Rights Directive (Council Directive 2001/23), or any successor legislation.
11. Third Party Providers. Customer acknowledges that the provision of certain elements of the Services may require the use of one or more third party providers. In such cases, the provision of those elements of the Services will be subject to the applicable terms and conditions of the relevant third-party provider, as entered into by Customer, or otherwise notified to it. Marqeta will not be liable for the acts or omissions of such third-party providers, and Customer's only remedy in respect of any elements of the Services provided by a third-party provider will be against such third-party provider in accordance with the applicable terms and conditions governing such third-party provider's relationship with Customer. A third party provider means any third party (excluding Marqeta, any Marqeta Affiliate or any Marqeta Service Provider) who provides goods or services to the Customer at the request of the Customer (including as may be identified in an Order Form or Statement of Work agreed by the Parties, or as otherwise notified in writing from time to time).
12. Governing Law and Jurisdiction. The Agreement and the rights of the Parties hereunder and any non-contractual obligations arising out of or in connection with it will be governed by and construed in accordance with the laws of England and Wales, exclusive of conflict or choice of law rules. The exclusive jurisdiction for any dispute shall be in accordance with Section 13.
13. Dispute Resolution Process.
(a) Any dispute between the Parties arising out of or relating to the Agreement and any non-contractual obligations arising out of or in connection with it, shall be resolved as provided in this Section 13.
(b) Upon the written request of either Party setting out the basis of the dispute in reasonable detail, each Party will appoint a designated representative having authority to resolve and settle such dispute. The designated representatives shall meet as often as the Parties reasonably deem appropriate to discuss the dispute and attempt to resolve the dispute without the need for court proceedings. If a Party requests that the informal dispute resolution be initiated, then formal proceedings may not be commenced until the earlier of: (a) the time when the Parties conclude in good faith that amicable resolution of the dispute does not appear likely; or (b) the expiration of sixty (60) days following the initial request by a Party to jointly resolve the dispute.
(c) If a dispute is not resolved pursuant to Section 13(b), the dispute may be submitted by either Party to the courts of England and Wales.
(d) This Section 13 shall not be construed to prevent a Party from commencing, and a Party is authorized to commence, formal court proceedings, earlier: (i) to avoid the expiration of any applicable limitation period; (ii) to seek injunctive or other equitable relief; or (iii) to preserve a superior position with respect to other creditors.
14. General.
(a) Assignment. Neither Party may assign any rights or obligations under this Agreement without the other Party’s prior written consent; provided, however, that Marqeta may assign this Agreement or an Order Form subject to the Agreement to an Affiliate upon written notice. The Agreement will bind and inure to the benefit of the Parties and their respective successors and permitted assigns.
(b) Force Majeure. Except for delays in payment, if the performance of the Agreement or any obligation hereunder is prevented, restricted, or interfered with by any act or condition whatsoever beyond the reasonable control of the affected Party, the Party so affected, upon giving prompt notice to the other Party, will be excused from such performance, except for the making of payments hereunder, to the extent of such prevention, restriction, or interference. Marqeta shall not be responsible for any failure outside of its reasonable control related to the services or payment networks of Card Brands or Issuers or their third-party processors or providers.
(c) Modifications. No amendment or modification of the Agreement will be valid unless in writing and signed by an authorized representative of each Party.
(d) Severability. If any provision of the Agreement conflicts with a law under which the Agreement is to be construed or is held invalid by a court of competent jurisdiction, that provision will be deemed to be restated to reflect, as nearly as possible, the original intentions of the Parties and the remainder of the Agreement will remain in full force and effect.
(e) Rights of Third Parties. The Agreement is between, and may be enforced only by, Customer and Marqeta and will not afford any rights to third parties (under the Contracts (Rights of Third Parties) Act 1999 or otherwise) other than, if applicable, the Issuer.
(f) Cumulative Remedies. Except as otherwise expressly provided in the Agreement, all remedies provided for in the Agreement will be cumulative and in addition to, and not in lieu of, any other remedies available to either Party at law, in equity, or otherwise.
(g) Notices. All notices under the Agreement shall be in writing, including via email. Each Party shall send notices to the other Party at the address or email address set forth in the Order Form.
(h) Counterparts. The Order Form may be executed in counterparts, and may be executed in electronic form.
(i) Relationship of the Parties. Nothing in the Agreement is intended to, or will, create a partnership, or joint venture, or agency relationship between the Parties.
(j) Survival. The provisions of the Agreement that by their nature or terms are intended to survive the expiration or termination of the Agreement shall survive its expiration or termination.
(k) Entire Agreement. The Agreement, which is comprised of these Terms and the Order Form, including any schedules incorporated via an applicable Order Form, represents the Parties’ entire agreement and supersedes any and all prior written or oral communications, agreements, or understandings. Each Party acknowledges and agrees that it has not entered into the Agreement in reliance on any statement, arrangement, warranty or representation of any nature whatsoever of any person (whether a Party to this Agreement or not and whether or not in writing) other than as expressly incorporated in the Agreement. Nothing in this clause shall have the effect of limiting any liability arising from fraud.
(l) Order of Precedence. If an Order Form sets out additional specific terms to override these Terms in respect of Services provided in a specific jurisdiction (“Country Specific Terms”), such Country Specific Terms shall take precedence in relation to the relevant jurisdiction. To the extent any provisions in Section G (Additional Regulatory Terms) apply (as stated therein), such provisions shall override these Terms.
SECTION B
DATA SECURITY AND PRIVACY
1. Security Standards. Each Party will implement security measures and procedures designed to: (1) ensure the security and confidentiality of Cardholder Data and Transaction Data (as defined in Section (2) below), (2) protect against anticipated threats or hazards to the security and integrity of Cardholder Data and Transaction Data, (3) protect against unauthorized access to or use of Cardholder Data and Transaction Data, (4) prevent unauthorized access to or use of the other Party’s system through its systems, (5) prevent unauthorized access to or use of its own systems and (6) comply with Applicable Law.
2. Transaction Level Fraud Data.
(a) Transaction Level Fraud Data. Customer will report to Marqeta data related to fraudulent transactions at a transaction level (“Transaction Level Fraud Data”). Specifically, as a part of the Transaction Level Fraud Data, Customer will report:
(i) Authorized transactions that are later determined to be fraudulent (the “Fraudulent Transaction False Negatives”); and
(ii) Declined transactions that are later determined to be genuine (the “Fraudulent Transaction False Positives”).
(b) Except for Fraudulent Transaction False Negatives and Fraudulent Transaction False Positives, Marqeta will treat all authorized transactions as fraudulent transaction true negatives and all other declined transactions as fraudulent transaction true positives. Customer will report its Transaction Level Fraud Data to Marqeta through the Fraud Feedback API, and Marqeta will share Customer’s Transaction Level Fraud Data to the Card Brands in accordance with the Card Brand Rules.
SCHEDULE B1
GLOBAL DATA PROCESSING ADDENDUM (“DPA”)
1. Background. This DPA details the parties' personal data processing, privacy, and information security obligations. The Agreement and this DPA shall be construed to be consistent with each other to the greatest extent possible; however, in the event of a conflict between the provisions of this DPA and the Agreement, the provisions of this DPA will control with respect to the subject matter contained herein. This DPA will apply to all Services rendered by Marqeta under the Agreement. Capitalized terms not defined herein shall have the definitions set forth in the Agreement.
2. Definitions and Interpretation. For purposes of this DPA, the following words shall have the following meanings:
a. Controller, Processor, Sub-Processor, and Service Provider. These terms shall have the same meaning as defined under applicable Data Protection Laws.
b. CCPA. “CCPA” means the California Consumer Privacy Act of 2018 as amended, including by the California Privacy Rights Act of 2020, and all implementing regulations.
c. Data Incident. “Data Incident” means any loss or unauthorized or unlawful destruction, damage, alteration, processing, disclosure of, or access to Personal Data, or as otherwise defined in the Data Protection Laws. Data Incident includes any event defined as a “data breach”, “personal data breach” or “security breach” in applicable laws and regulations.
d. Data Protection Laws. “Data Protection Laws” mean any statutes, laws, rules, regulations, and ordinances in any jurisdiction relating to privacy, data protection or security of Personal Data and applicable to the Services provided by Marqeta pursuant to the Agreement.
e. DP Regulator. “DP Regulator” means any governmental or regulatory body or authority with responsibility for monitoring or enforcing compliance with Data Protection Laws.
f. Data Subject. “Data Subject” means any identified or identifiable natural person whose Personal Data will be Processed by Marqeta in connection with its provision of the Services.
g. Personal Data. “Personal Data” means any information relating to an identified or identifiable natural person (i.e. a Data Subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, or as otherwise defined in applicable Data Protection Law. For the sake of clarity, Personal Data is (i) inclusive of Cardholder Data and Transaction Data (as such terms are defined in the Agreement), and (ii) limited to those data elements provided or collected by a Party in performance of its obligations in connection with the Card Program and the Agreement.
h. Personnel. “Personnel” means any employee, contractor, work-for-hire or other person working under the authority of the relevant Party.
i. Process or Processing. “Process” or “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, or as otherwise defined in applicable Data Protection Law.
3. Term. This DPA shall continue in force for the Term of the Agreement.
4. Relationship of the Parties.
a. Managed by Marqeta Services. When Marqeta provides Managed by Marqeta Services, each of Marqeta and the Customer act as a Processor or Service Provider to the Issuer when Processing Personal Data in connection with the Agreement.
b. Powered by Marqeta Services. When Marqeta provides Powered by Marqeta Services, Marqeta acts as a Processor or Service Provider to the Customer when Processing Personal Data in connection with the Agreement.
5. Data Protection Compliance Obligations.
(a). Marqeta.
1. Managed by Marqeta Services. In carrying out the Managed by Marqeta Services, Marqeta shall comply with its obligations under the Data Protection Laws.
2. Powered by Marqeta Services. In carrying out the Powered by Marqeta Services, Marqeta shall:
(i) Comply with its obligations under the Data Protection Laws;
(ii) Process Personal Data only for the purposes permitted in this DPA and the Agreement, or as otherwise expressly authorized by a Cardholder or the Issuer;
(iii) Not disclose any Personal Data to a third party, other than as described in this DPA or the Agreement;
(iv) Maintain records of all Processing operations as required by the Data Protection Laws, and make relevant information available to any DP Regulator upon request;
(v) Ensure that any of its Personnel and any Sub-Processors who have access to Personal Data are under appropriate obligations of confidentiality and understand their obligations under this DPA;
(vi) Reasonably assist Customer with its compliance obligations under the Data Protection Laws, including, without limitation, providing information (to the extent such information is not also maintained by or cannot be directly accessed by the Customer) and commercially reasonable assistance to Customer relating to obligations to enable Data Subjects to exercise their rights, to maintain required records of Personal Data Processing, and to undertake a data protection impact assessment with respect to the Services; and
(vii) Where the Personal Data is subject to the CCPA, Marqeta acts as a Service Provider and shall not (a) “sell” or “share” (as defined in the CCPA) Personal Data; (b) retain, use, or disclose Personal Data outside the direct business relationship between Customer and Marqeta or for any purpose other than for the business purposes specified in the Agreement or this DPA or as otherwise permitted by the CCPA; or (c) combine any Personal Data with Personal Data that Marqeta receives from or on behalf of any other third party or collects from its own interactions with Data Subjects, provided that Marqeta may combine Personal Data for the business purposes specified in the Agreement or this DPA or as otherwise permitted under the CCPA. Marqeta will notify Customer to the extent Marqeta believes it is unable to comply with its obligations under the CCPA.
b. Customer.
1. Managed by Marqeta Services. In receiving the Managed by Marqeta Services, Customer shall:
(i) Comply with its obligations under the Data Protection Laws;
(ii) Process Personal Data only for the purposes permitted in this DPA and the Agreement, or as otherwise expressly authorized by a Cardholder or the Issuer;
(iii) Not disclose any Personal Data to a third party, other than as described in this DPA or the Agreement;
(iv) Maintain records of all Processing operations as required by the Data Protection Laws, and make relevant information available to Marqeta or any DP Regulator upon request;
(v) Ensure that any of its Personnel and any Sub-Processors who have access to Personal Data are under appropriate obligations of confidentiality and understand their obligations under this DPA;
(vi) Reasonably assist Marqeta and the Issuer with their compliance obligations under the Data Protection Laws, including, without limitation, providing information (to the extent such information is not also maintained by or cannot be directly accessed by Marqeta) and commercially reasonable assistance to Marqeta and the Issuer relating to obligations to enable Data Subjects to exercise their rights, to maintain required records of Personal Data Processing, and to undertake a data protection impact assessment with respect to the Services; and
(vii) Where the Personal Data is subject to the California Consumer Privacy Act (“CCPA”) as part of the Services, Customer acts as a Service Provider and shall not (a) “sell” or “share” (as defined in the CCPA) Personal Data; (b) retain, use, or disclose Personal Data outside the direct business relationship between Customer and Marqeta or for any purpose other than for the business purposes specified in the Agreement or this DPA or as otherwise permitted by the CCPA; or (c) combine any Personal Data with Personal Data that Customer receives from or on behalf of any other third party or collects from its own interactions with Data Subjects, provided that Customer may combine Personal Data for the business purposes specified in the Agreement or this DPA or as otherwise permitted under the CCPA. Customer will notify Marqeta to the extent Customer believes it is unable to comply with its obligations under the CCPA.
2. Powered by Marqeta Services. In receiving the Powered by Marqeta Services, Customer shall comply with its obligations under the Data Protection Laws. Customer will obtain all consents or provide any notices necessary to ensure that Marqeta may Process and disclose Personal Data to provide the Services and perform the terms of this Agreement in compliance with Applicable Law.
6. Security and Data Incident Response.
(a). Marqeta.
(i) Taking into account the state of the art, the nature, scope, context and purposes of the Personal Data Processing, and the risk of varying likelihood and severity of potential harm to the rights and freedoms of Data Subjects, Marqeta will implement and maintain a comprehensive written information security program designed to protect Personal Data from any Data Incident (including protection against any anticipated threats or hazards), including physical, technical, and organizational measures appropriate to the risk.
(ii) Marqeta will maintain compliance with AICPA Trust Services Criteria (SOC reports) or ISO27001 and PCI-DSS.
(iii) Marqeta will provide those Personnel who have access to Personal Data with appropriate education and training on their data protection and confidentiality responsibilities.
(iv) Marqeta agrees to promptly, and without undue delay, but in no case later than the prescribed period under applicable Data Protection Laws, notify Customer of any Data Incident impacting Customer. Marqeta shall ensure that such notice includes relevant details relating to such Data Incident including, to the extent then known:
1. the nature and facts of such Data Incident including the categories and number of Personal Data records and the Data Subjects impacted;
2. the contact details of the Data Protection Officer or other representative from whom Customer can obtain further information relating to the Data Incident; and
3. the measures taken or proposed to be taken by Marqeta to address the Data Incident and to avoid or mitigate any possible adverse effects.
(v) Marqeta will take appropriate steps to investigate, mitigate, and remedy the harm to the Customer and any individuals impacted by a Data Incident and will reasonably cooperate with the Customer in the investigation and remediation efforts.
b. Customer.
(i) Taking into account the state of the art, the nature, scope, context and purposes of the Personal Data Processing, and the risk of varying likelihood and severity of potential harm to the rights and freedoms of Data Subjects, Customer will implement and maintain a comprehensive written information security program designed to protect Personal Data from any Data Incident (including protection against any anticipated threats or hazards), including physical, technical, and organizational measures appropriate to the risk.
(ii) Customer’s information security program shall be aligned to at least one or more of the following industry security standards: NIST Cybersecurity Framework, ISO 27001, Payment Card Industry Data Security Standard (“PCI-DSS”) or SANS/CIS Critical Security Controls.
(iii) Customer will provide those Personnel who have access to Personal Data with appropriate education and training on their data protection and confidentiality responsibilities.
(iv) Customer agrees to promptly, and without undue delay, but in no case later than the prescribed period under applicable Data Protection Laws, notify Marqeta of any Data Incident impacting Marqeta or the Card Program. Customer shall ensure that such notice includes relevant details relating to such Data Incident including, to the extent then known:
1. the nature and facts of such Data Incident including the categories and number of Personal Data records and the Data Subjects impacted;
2. the contact details of the Data Protection Officer or other representative from whom Marqeta can obtain further information relating to the Data Incident; and
3. the measures taken or proposed to be taken by Customer to address the Data Incident and to avoid or mitigate any possible adverse effects.
(v) Customer will take appropriate steps to investigate, mitigate, and remedy the harm to Marqeta and any individuals impacted by a Data Incident and will reasonably cooperate with Marqeta in the investigation and remediation efforts.
(vi) Customer shall ensure that access to the Marqeta System and Cardholder Data and Transaction Data is provided only to Customer or Customer Sub-processor Personnel who have been properly authorized by Customer.
7. Return or Destruction of Personal Data.
(a) Upon termination or expiry of this DPA or the Agreement, or, where a longer retention period is required by the Issuer or Applicable Law upon completion of any additional required retention period, Marqeta shall take reasonable steps to either return (as applicable and where Customer does not have access to the information itself) or delete or destroy all Personal Data.
(b) To the extent that Marqeta is required by the Issuer or Applicable Law to retain all or part of the Personal Data (“Retained Data”) beyond termination or expiry of this DPA or the Agreement, Marqeta shall: (i) cease all Processing of the Retained Data other than as required by the Issuer or Applicable Law; and (ii) continue to comply with the provisions of this DPA in respect of such Retained Data.
8. Sub-processors & Customer Service Providers
(a) Marqeta. In carrying out the Services, Marqeta may appoint Sub-processors as part of the Agreement. In doing so as part of this obligation, Marqeta shall:
(i) ensure that its Sub-processors are required by contract to: (i) Process the Personal Data only for the purposes permitted in the Agreement and this DPA; and (ii) comply with data protection obligations substantially similar to those imposed on Marqeta under this DPA;
(ii) remain responsible for any Processing by a Marqeta Sub-processor in breach of this DPA; and
(iii) attach a list of current Sub-processors as Exhibit A-1. Marqeta may periodically update its Sub-Processor list, which can be viewed by visiting the link found in Exhibit A-1.
b. Customer.
(i) Managed by Marqeta Services. When receiving Managed by Marqeta Services, Customer may appoint Sub-processors as part of the Agreement. In doing so, Customer shall:
1. ensure that its Sub-processors are required by contract to: (i) Process the Personal Data only for the purposes permitted in the Agreement and this DPA; and (ii) comply with data protection obligations substantially similar to those imposed on Customer under this DPA;
2. remain responsible for any Processing by its Sub-processor in breach of this DPA; and
3. attach to the Order Form a list of current Sub-processors. Customer shall provide notice to Marqeta in writing to privacy@marqeta.com in the event of any change to this list of Sub-processors.
(ii) Powered by Marqeta Services. When receiving Powered by Marqeta Services, Customer shall ensure that Customer Service Providers who engage directly with Marqeta and access Personal Data via Marqeta’s tools and the Marqeta System will comply with Data Protection Laws and the terms of this DPA, inclusive of but not limited to maintaining at least the same level of data protection controls. Customer shall remain responsible for any Processing of data by Customer Service Providers, including any removal of data from the Marqeta System by a Customer Service Provider.
9. Cross-border Transfers. As part of the Services, Marqeta may transfer Personal Data to locations around the world provided that such transfers comply with applicable Data Protection Laws. Customer acknowledges that such transfers may be to the United States as well as other jurisdictions where Marqeta and any third party service providers provide the Services.
10. Processing within the European Economic Area, the United Kingdom, and Switzerland. Exhibit A-2 provides additional governance for the processing of Personal Data in the EEA, UK and Switzerland, including transfers of Personal Data to Marqeta by Customers from within the EEA, the UK, and Switzerland.
EXHIBIT A-1 TO SCHEDULE B-1
MARQETA’S SUB-PROCESSORS
A list of current Sub-processors is available at: https://www.marqeta.com/sub-processors.
EXHIBIT A-2 TO SCHEDULE B-1
EEA, THE UK, AND SWITZERLAND ADDENDUM
1. Background. This Exhibit is only applicable to the Processing of Personal Data of Data Subjects from the European Economic Area (“EEA”), the United Kingdom (“UK”) and Switzerland as part of the Services rendered by Marqeta to the Customer under the Agreement. This Exhibit and the DPA should be construed to be consistent with each other to the greatest extent possible; however, in the event of a conflict between the provisions of this Exhibit and the DPA or where distinct obligations are set out in this Exhibit, the provisions of this Exhibit will control with respect to the subject matter contained herein.
2. Definitions and Interpretation. For purposes of this Exhibit, the following words shall have the following meanings:
(a) Data Privacy Frameworks or DPFs. “Data Privacy Frameworks” or “DPFs” means collectively the EU-U.S. Data Privacy Framework, the United Kingdom’s Extension to the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework.
(b) EU GDPR. “EU GDPR” means the European Union’s General Data Protection Regulation (Regulation 2016/679).
(c) GDPR. “GDPR” means both the EU and UK GDPR.
(d) Standard Contractual Clauses or SCCs. “Standard Contractual Clauses” or “SCCs” means the Standard Contractual Clauses implemented by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 for the transfer of personal data to third countries pursuant to the EU GDPR, as updated or replaced from time to time.
(e) UK Addendum. “UK Addendum” means the International Data Transfer Addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner’s Office in accordance with the UK GDPR, as amended or replaced.
(f) UK GDPR. “UK GDPR” means the EU GDPR as incorporated into UK law per the European Union (Withdrawal) Act 2018 and any applicable legislation made under that Act as well as the Data Protection Act 2018.
3. Description of Processing. A description of the processing can be found in the Agreement (including the DPA) as well as Annex I of this Exhibit.
4. Processing Obligations.
(a) To the extent Marqeta Processes the Personal Data of Data Subjects from the EEA, the UK or Switzerland as part of the Services, Marqeta acts as a Processor.
(b) As a Processor, for the purposes of this Exhibit, Marqeta agrees to comply with the requirements set out under Article 28 of the GDPR, including the obligations set out in Article 28(3).
(c) See Schedule G, Section 4(b) for additional terms regarding Marqeta’s use of Sub-processors.
5. Transfers from within the EEA, UK and Switzerland. Where there is a transfer of Personal Data by the Customer to Marqeta outside the EEA, the UK and Switzerland and such transfer is not governed by an “adequacy decision”, the transfer shall be governed as follows:
(a) Data Privacy Frameworks: Marqeta participates in and certifies its compliance with the Data Privacy Frameworks. As required by the DPFs, Marqeta will provide the same level of protection to Personal Data as required by the Data Privacy Framework Principles. Marqeta will notify the Customer to the extent it can no longer meet this obligation. Marqeta agrees to take all reasonable and appropriate steps to remediate any unauthorized processing of Personal Data upon becoming aware of such activity.
(b) To the extent any envisioned in-scope transfer is not covered by the DPFs or the DPFs are later invalidated, the Parties agree as follows:
(i) For the EEA and Switzerland: The Parties agree that the SCCs shall be incorporated by reference into the DPA as set out below.
Section | Details |
---|---|
Applicable modules | Module 2 applies where Customer is the controller of Personal Data and Marqeta is processing Personal Data as a processor. Module 3 applies where Customer is a processor of Personal Data and Marqeta is processing Personal Data as a processor. |
Section 1, Clause 7 - Docking | The option under Clause 7 shall not apply |
Section II, Clause 9 - Sub-processors | Option 2 (general written authorisation) shall apply |
Section IV, Clause 17 - Governing law | Option 1, and where the Agreement is governed by laws of an EU member state, the laws of that EU member state apply. Otherwise Polish law shall apply. |
Section IV, Clause 18(b) - Choice of forum and jurisdiction | Where the Agreement is subject to the jurisdiction of the courts of an EU member state, the courts of that EU member state shall have jurisdiction. Otherwise, the courts of Poland shall have exclusive jurisdiction to resolve any dispute arising out of or in connection with the SCCs. |
Annex I.A - List of parties | See Annex I.A of this Exhibit |
Annex I.B - Description of transfer | See Annex I.B of this Exhibit |
Annex I.C - Competent Supervisory Authority | See Annex I.C of this Exhibit. For Switzerland (to the extent transfers are governed by the FADP), the Federal Data Protection and Information Commissioner |
Annex II - Technical and organisational measures | See Annex II of this Exhibit |
Annex III - Sub-processors | See Annex III of this Exhibit |
Additional provisions for Switzerland | Applicable to the extent the Federal Act on Data Protection (“FADP”) governs the transfer: The term ‘member state’ must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of residence (Switzerland) in accordance with Clause 18(c) of the SCCs. References to “GDPR” are to be understood as references to FADP. The SCCs shall apply to data pertaining to legal entities until the entry into force of the revised FADP. |
(ii) For the UK: The parties agree that the SCCs will apply but will be modified for the purposes of the UK Addendum as set out below.
Section | Details |
---|---|
Table 1 - Parties | See Annex I.A of this DPA |
Table 2 - Selected SCCs, Modules and selected clauses | Modules 2 and 3 of the SCCs entered into on the date of the underlying Agreement |
Table 3 - Appendix information | Annex I.A shall be populated with the information in Annex I.A of this DPA; Annex I.B shall be populated with the information in Annex I.B of this DPA; Annex II shall be populated with Annex II of this DPA; Annex III shall be populated with Annex III of this DPA (only for Module 2) |
Table 4 - Ending this Addendum when the approved Addendum changes | Neither party may end this UK Addendum per Section 19 of the UK Addendum, except as set forth in this Exhibit or the DPA |
Section I, Clause 7 - Docking | The option under clause 7 shall not apply |
Section II, Clause 9 - Sub-processors | Option 2 (General written authorisation) shall apply. See Section 8 of the DPA. |
Section II, Clause 11 - Redress | The option under Clause 11 shall not apply |
Section IV, Clause 17 - Governing law | The laws of England and Wales |
Section IV, Clause 18(b) - Choice of forum and jurisdiction | The courts of England and Wales |
Part 2 - Mandatory clauses | Mandatory clauses of the UK Addendum as issued by the Information Commissioner’s Office and laid before the United Kingdom Parliament in accordance with section 119A of the Data Protection Act 2018 on February 2, 2022, as it is revised under section 18 of those Mandatory Clauses shall be incorporated. |
6. To the extent the DPFs or other measures above are later updated and/or invalidated, the parties will work together to ensure that any regulated transfers pursuant to this Exhibit are compliant, whether addressed by updates to the measures above or via other alternative transfer mechanisms.
Annex I
DETAILS OF PROCESSING PERSONAL DATA
A. List of parties:
Data Exporter: Customer
Name | See Order Form |
Address | See Order Form |
Contact details | See Order Form |
Activities relevant to the data transferred | Receipt of payment services and related services as more fully described in the Agreement. |
Role | Processor or Controller |
Data Importer: Marqeta
Name | Marqeta, Inc. |
Address | 180 Grand Ave., 6th Floor, Oakland, CA 94612, USA |
Contact details | Jared Klebanoff, Assistant General Counsel, Privacy, privacy@legal.com |
Activities relevant to the data transferred | Payment services and related services as more fully described in the Agreement. |
Role | Processor |
B. Description of transfer:
Categories of data subjects whose personal data is transferred | Cardholders who participate in the card program. |
Categories of personal data transferred | Cardholder Data, which includes the Primary Account Number (“PAN”) which identifies the particular cardholder account, the Cardholder name, expiration date and/or service code (three-digit or four-digit value in the magnetic-stripe that follows the expiration date of the payment card on the track data), and sensitive authentication data such as card validation codes/values, full track data (from the magnetic stripe or equivalent on a chip), Personal Identification Number (“PIN”), and PIN blocks. Transaction Data, which is data related to the electronic payment card transaction. Account Data which may consist of cardholder data and/or sensitive authentication data, and can include a unique representation of data such as name and address, or mobile number and/or email. Verification Data such as name, address, and other documentary evidence needed to conduct CIP/KYC. |
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: | No Sensitive Data is transferred. |
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): | Data is transferred on an ongoing basis for the duration of the Services. |
Nature of the processing | Payment services and related services as more fully described in the Agreement. |
Purpose(s) of the data transfer and further processing: | Payment services and related services as more fully described in the Agreement. |
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: | Personal data is deleted after the termination of the Agreement, other than where Marqeta is required by applicable law to retain such data for additional periods, as more fully described in the Agreement. |
C. Competent supervisory authority:
As determined pursuant to Clause 13 of the SCCs, or otherwise, the Polish Personal Data Protection Office.
Annex II
MARQETA’S TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
Introduction
Data protection is a top priority for Marqeta. Marqeta utilizes commercially reasonable technical and organizational measures (“Measures”) to keep the data it Processes in connection with its Services (“Service Data”) secure.
1. Information Security Program and Training.
1.1 Marqeta maintains a written information security program that:
(i) Is managed by a senior employee responsible for overseeing and implementing the program;
(ii) Includes administrative, technical, and physical safeguards reasonably designed to protect the confidentiality, integrity, and availability of Services Data;
(iii) Is appropriate to the nature, size, and complexity of Marqeta’s business operations.
1.2. Marqeta provides training for its Personnel who are involved in the Processing of Services Data so that they understand their data protection obligations.
2. Logical Access. Marqeta limits its Personnel’s access to Services Data as follows:
2.1. Requiring unique user access authorization through secure logins and passwords, including multi-factor authentication for remote access to our infrastructure;
2.2. Limiting the Services Data available to Marqeta Personnel on a “need to know” basis;
2.3. Restricting access to Marqeta’s production environment by Marqeta Personnel on the basis of business need;
2.4. Encrypting user credentials for production access;
2.5. Prohibiting Marqeta Personnel from storing Services Data on electronic portable storage devices such as computer laptops, portable drives, and other similar devices;
2.6. Logically separating data relating to Customer from other customers’ data, and maintaining measures designed to prevent Services Data from being exposed to or accessed by other customers; and
2.7. Upon employee termination, whether voluntary or involuntary, promptly disabling all access to Marqeta systems, including Marqeta’s physical facilities.
3. Data Encryption. Marqeta uses industry-standard encryption in alignment with NIST 800-175B, by implementing encryption in transit over the public internet, and implementing encryption of Services Data at rest, including any backups.
4. Network Security, Physical Security and Environmental Controls
4.1. Marqeta uses firewalls, network access controls and other techniques designed to prevent unauthorized access to systems processing Services Data.
4.2. Marqeta maintains measures designed to assess, test and apply security patches to all relevant systems and applications used to provide Services.
4.3. Marqeta monitors privileged access to applications that process Services Data, including cloud services.
4.4. Marqeta’s Services operate on a variety of infrastructure Service Providers and are protected by the physical security and environmental controls of these Service Providers. Marqeta ensures that these data centers are certified and compliant against industry standards such as SOC2 and ISAE 3402.
5. Independent Security Assessments. Marqeta periodically assesses the security of its systems and services as follows:
5.1. Marqeta hires accredited, independent third parties to audit and attest to various compliance and certifications annually:
(i) Payment Card Industry: Data Security Standards (PCI-DSS) and 3DS (PCI-3DS)
(ii) American Institute of Certified Public Accountants (AICPA): Service Organization Controls 1 (SOC1) and Service Organization Controls 2 (SOC2)
(iii) International Auditing and Assurance Standards Board (IAASB): International Standard on Assurance Engagements 3402 (ISAE 3402)
At Customer’s request and pursuant to a non-disclosure agreement, Marqeta will provide such audit reports and/or summaries of audit reports to Customer, so that it may verify Marqeta’s compliance with the adopted security framework.
5.2. At least annual penetration testing of Marqeta systems and applications to test for exploits including, but not limited to, XSS, SQL injection, access controls, and cross-site request forgery.
5.3. At least quarterly vulnerability scanning. Vulnerabilities identified and rated as critical risks are remediated or mitigated promptly after discovery.
6. Incident Response. Marqeta maintains an incident response process to identify and respond to potential and actual Data Incidents. Marqeta will take reasonable measures to mitigate the risks related to a Data Incident and will notify Customer of any Data Incident impacting Customer in accordance with the DPA.
7. Business Continuity Management. Marqeta maintains an appropriate business continuity and disaster recovery plan, including processes to ensure failover redundancy with its systems, networks, and data storage.
8. Due Diligence Over Subcontractors or Service Providers. Marqeta will:
8.1. Conduct appropriate due diligence prior to engaging any subcontractors or Service Providers to assist with the provision of the Services;
8.2. Apply written security measures that oblige subcontractors and Service Providers to adhere to security measures consistent with and no less protective of Services Data than these Measures.
8.3. Assess the security capabilities of any such subcontractors and Service Providers on a periodic basis to ensure each subcontractor and Service Provider’s ability to comply with these Measures.
Annex III
MARQETA’S LIST OF SUB-PROCESSORS:
SECTION C
POWERED BY MARQETA
1. Marqeta’s Obligations.
(a) Services Description. Marqeta will provide the Services in order to provide Customer with a Card Program.
(b) Instructions. If Customer Instructions include enabling Commando Mode, Customer is responsible for all such transactions relating to the Cards, including any losses or complaints.
(c) Compliance with Law. Marqeta will comply with Applicable Law and Card Brand Rules that directly apply to Marqeta.
2. Customer’s Obligations.
(a) Use of Services. For Card Programs under this Section C, Customer will perform its responsibilities as set forth in the Documentation and will be solely responsible for the program management of each Card Program, including but not limited to designing and facilitating the marketing and advertising of each Card Program, managing the relationship with each Issuer and Card Brand, obtaining Issuer approvals, creating applicable Cardholder agreements, providing required customer service, Card dispute resolution services, and Card Program due diligence.
(b) Card Restrictions. Customer will be responsible for establishing, implementing, and enforcing any restrictions or controls on Cards (e.g. spending limits for Cards, restricting the merchants or merchant types at which Cards may be used).
(c) Audit. Each Party will fully cooperate with each Regulator of the other Party or Issuer (if applicable) in accordance with Applicable Law in conjunction with an audit of such Party by a Regulator. Furthermore, in conjunction with an audit of Customer by a Regulator, Marqeta will cooperate with any request of a Regulator to review the Services, including, without limitation, providing any information or material lawfully requested by such Regulator, and permitting such Regulator to inspect or audit Marqeta as to the Services in accordance with Applicable Law and Marqeta will be entitled to a reasonable hourly rate for work performed in conjunction with such audit. The Party seeking to conduct an audit under this Section will provide at least 30 (thirty) business days’ notice and the Parties will agree upon the scope of the audit and audit plan.
(d) Customer is responsible for ensuring that Sanctions screening is performed in order to ensure compliance with Section 2(d) in Schedule A.
(e) Customer represents and warrants that it has entered into a program management, BIN sponsorship, or other similar agreement with an Issuer for the issuance of Cards related to the Card Program(s). Customer will cooperate in good faith with Marqeta and such Issuer to enable Marqeta to enter into an agreement with such Issuer setting forth the Issuer’s rights and obligations related to the Card Program(s) for which such Issuer is issuing the Cards (“Sponsor Bank Agreement”). In the event that Marqeta, acting reasonably and in good faith, is unable to enter into a Sponsor Bank Agreement with such Issuer with commercially reasonable terms that are generally consistent with industry standard terms for Sponsor Bank Agreements, Marqeta and Customer will cooperate in good faith to resolve the issues prior to going live with the applicable Card Program(s) for which such Issuer is issuing the Cards.
(f) Customer will comply with any Applicable Law and Card Brand Rules that apply to or relate to this Agreement and / or the Card Program(s).
3. Card Funding and Settlement. Customer is responsible for all funds loaded, authorized, and settled in connection with the Cards and for the settlement of all transactions relating to the Cards.
4. Limitation of Liability.
(a) Except for (i) a Party’s breach of a Party’s intellectual property rights, or (ii) a Party’s indemnification obligations for third party Claims for infringement of intellectual property rights, or (iii) Customer's liability for Card Losses, or (iv) liabilities which cannot be limited or excluded by Applicable Law, including for fraud or fraudulent misrepresentation or for death or personal injury arising from a Party's negligence (each, an “Excluded Claim”), in no event will either Party or their respective representatives and suppliers, including any Marqeta Service Provider or Customer Service Provider, be liable to the other Party, whether in contract, tort (including breach of warranty, negligence, or strict liability), or otherwise, for any indirect, incidental, consequential, special, exemplary, or punitive damages regardless of whether such Party knew or should have known of the possibility of such damages. The Parties agree that fines, fees, penalties, or assessments from a Card Brand, Issuer, Regulator, or governmental agency (“Fees and Fines”), are direct and not indirect, incidental, consequential, special, exemplary, or punitive damages.
(b) Except for (i) an Excluded Claim or (ii) a Party’s payment or funding obligations under this Agreement, or (iii) Customer’s obligation to pay or reimburse Marqeta for Fees and Fines as a result of Customer’s, Customer’s Personnel, or Customer Service Provider’s action or inactions, a Party’s total cumulative liability to the other Party under the Agreement will not exceed the revenue earned by Marqeta under this Agreement during the twelve (12) months immediately preceding the date on which the issue giving rise to a Party’s liability under the Agreement occurred.
(c) Notwithstanding anything to the contrary in this Agreement, neither Party will be in breach of this Agreement or otherwise responsible or liable for non-performance of its obligations to the extent such non-performance is attributable to (i) a breach by the other Party of its obligations under this Agreement, (ii) the other Party’s failure to cooperate with and perform activities reasonably required on a timely basis, or (iii) in the case of Marqeta, Marqeta’s reliance on information and Customer Instructions provided by Customer in accordance with Paragraph 2(b) in Section A above. In the event of the foregoing, where Customer has not performed its obligations under this Agreement, Marqeta will: (i) be excused from any resulting delays in performing the Services and be entitled to a corresponding adjustment in the SLA; and (ii) not be responsible to Customer for any claims by Customer or third parties arising from or relating to the failure of any third-party software, hardware, communications devices, Internet services, e-mail systems, or other systems or functions.
(d) No action, regardless of form, arising out of any claimed breach of this Agreement or the Services may be brought by either Party more than one (1) year after discovery of the breach.
(e) Each Party has a general duty to mitigate any losses suffered by such Party, including through the enforcement of its agreements with third parties.
5. Data Use. Marqeta may use Cardholder Data or Transaction Data for (i) performing its obligations under this Agreement, (ii) improving and developing Marqeta’s products and the services and performing services for Marqeta’s customers generally, including for performing fraud screening and verifying identities and information, and (iii) complying with Applicable Law or Card Brand Rules. Customer confirms that it has provided all required disclosures to and obtained any necessary authorizations from its Cardholders, and Customer agrees that it is permitted under Applicable Law to enable Marqeta to utilize the Cardholder Data and Transaction Data for the purposes described in this Agreement.
SECTION D
MANAGED BY MARQETA
1. Marqeta’s Obligations.
(a) Card Program. Marqeta will provide Card program Services (the “Card Program”) to Customer. To do this, Marqeta will enter into an agreement with an Issuer. Customer shall be responsible for all fees and charges (including pass through charges) related to the Card Program, as detailed in the Order Form or supporting documentation.
(b) Instructions. If Customer Instructions include enabling Commando Mode, Customer is responsible for all such transactions relating to the Cards, including any losses or complaints.
2. Customer’s Obligations.
(a) Card Program Interface. Customer will provide Cardholders and any authorized users, who are designated by Cardholder to use a Card on Cardholder’s behalf or direction, with (i) any required website and/or mobile interface necessary to use the Card and to manage Card accounts, and (ii) any Card disclosures or permissions required by Applicable Law (and in such language, form and substance required by Applicable Law). Customer will not alter any information it receives from Cardholders or authorized users that Customer provides to Marqeta. Customer will obtain on an individual basis, and will maintain records of, a Cardholder’s or an authorized user's acceptance of each applicable version of (1) the Cardholder agreement and/or Card terms and conditions, and (2) the Issuer’s privacy policy and “opt-in” acceptance or withdrawal. Marqeta and Issuer may audit such list pursuant to Section 2(g) below.
(b) Non-Circumvention. Marqeta is solely responsible for (i) selecting the Issuer, Card Brand(s), and related requirements with respect to any Card Program and (ii) engaging and contacting Issuer and Card Brands with respect to the Services (in each case, Marqeta is the “Decision Maker”). Customer will not engage or contact Issuer or Card Brand(s) regarding the Services. During the term of the Agreement Customer will not, directly or indirectly, by contract or otherwise (1) circumvent, interfere with, or devalue Marqeta’s relationship with Issuer, any Card Brand, or any Marqeta Service Provider, or (2) solicit Issuer or any Marqeta Service Provider to provide Services directly to Customer. Customer represents and warrants that it does not have an existing agreement and is not discussing an agreement with an issuer or Card Brand relating to the issuance of cards. Nothing contained in this Section will prevent Customer from soliciting Issuer or any Marqeta Service Provider to perform services that are unrelated to the Agreement.
(c) Card Restrictions. Customer will be responsible for establishing, implementing, and enforcing any restrictions or controls on Cards (e.g. spending limits for Cards, restricting the merchant types where Cards may be used), pursuant to the Issuer Program Requirements (defined in Section 4(b) below). If Customer offers Cards to non-consumer customers (i.e. commercial or business customers) then Customer, unless otherwise agreed to by the Parties, will ensure Cards are (i) not used to pay employee wages, and (ii) used exclusively for business purposes (i.e. business expenses), and not for personal, family or household use. Customer understands that Cards are and remain the property of the Issuer. The Card Program and Cards are only for provision in the UK and European Economic Area.
(d) Marketing. Customer shall ensure that all marketing materials and any new or modified materials from time to time (including advertisements, brochures, applications, marketing materials, telemarketing scripts and any other written materials relating to a Card Program or any other materials sent to or viewed by a Cardholder or prospective Cardholder from time to time) and all marketing practices for the Card Program (i) comply with Applicable Law, the Card Brand Rules and the Bank Rules (as defined below), and do not infringe any third party intellectual property or other rights, (ii) are approved by Marqeta in writing in advance of use (who shall liaise with the Issuer for Issuer's approval where required), such approval not to be unreasonably withheld or delayed (and Customer acknowledges that such approval does not provide any confirmation of Customer's compliance with Applicable Law), and (iii) are only used in the pre-approved marketing channels for the Card Program. The Customer shall be responsible for the costs and expenses of any changes to the materials for any reason, including any changes required for continued compliance with Applicable Law, the Card Brand Rules and the Bank
(e) Third-Party Complaints. Customer will catalog, maintain and provide copies of all third-party complaints, including but not limited to Cardholder chargebacks or alleged unauthorized or erroneous transactions (“Complaints”), it receives, and its responses to such Complaints for the applicable time period required by Applicable Law or Card Brand Rules. Customer will provide Marqeta with a monthly summary of all such Complaints in a form reasonably acceptable to Marqeta. Customer’s handling of Complaints will comply with the Documentation. Marqeta will (i) at all times have access to pending and closed Complaints and Customer’s responses, and (ii) have the right to audit such Complaints. Marqeta will work with Customer and Issuer to resolve Complaints based on information in Marqeta’s possession or received by Customer in accordance with a process agreed to by the Parties and Issuer. Customer will be responsible for all third-party costs and expenses Marqeta incurs in connection with resolving any Complaints.
(f) Audit. During the term of the Agreement and for at least five (5) years thereafter (or longer if required by Applicable Law), Customer acknowledges and agrees that its compliance with the terms, conditions, and provisions of the Agreement, as well as its business practices, (including, but not limited to Customer’s AML/CTF, CMS and Sanctions programs) are subject to review and audit by Marqeta, Issuer, the applicable Card Brands, or a Regulator, or any third-party designee of Marqeta, Issuer, Card Brand, or Regulator, (the “Auditing Parties”), and Customer will keep, maintain, and make available (i) books, records, information and data, and (ii) access to premises, facilities, equipment, and systems related to the activities applicable to the use of the Services so that the Auditing Parties can determine Customer’s compliance with the terms, conditions, and provisions of the Agreement. Customer will be responsible for all costs and expenses for keeping, maintaining, and making available books and records. If any Audit shows that Customer is in material breach of the Agreement, Customer shall be liable for the costs of any follow up Audit undertaken by an Auditing Party to determine whether any identified issue has been addressed.
(g) Retail Partner. If Marqeta agrees, such agreement not to be unreasonably withheld, Customer may partner with a retailer (“Retail Partner”) under a separate written agreement to make incentives, rewards, goods, or services available in connection with the Card Program.
(h) Digital Wallet. If applicable to the Card Program, Customer will comply with the terms and conditions of its agreements with all digital wallet providers for the provisioning of Cards into a digital wallet and will notify Marqeta and Issuer promptly upon the expiration or termination of any such agreements.
(i) Customer’s Lending Services. If Marqeta provides a Card Program in connection with Customer’s lending services, Customer agrees it must first either enter into a written agreement with a Marqeta-approved financial institution (“Lending Bank”) or obtain appropriate lending licenses for the purpose of originating loans for Customer’s lending customers. Customer shall be solely responsible for ensuring compliance with Applicable Law for its lending services. Customer acknowledges that Marqeta will have no obligation to comply with or facilitate Customer’s or any third party’s compliance with Applicable Law with respect to Customer’s lending services and business, and that neither Marqeta nor the Issuer will be responsible for extending any credit to an end user.
(j) Right to Take Over Services. If Customer fails to perform a regulatory or compliance obligation or directive of Issuer under the Agreement, after reasonable notice and opportunity to cure or where necessary to ensure uninterrupted service for Cardholders, Marqeta or Issuer, upon notice to Customer, may, but is not obligated to, take over the performance of such obligation or directive and to continue operating the Card Program. Marqeta’s performance of an obligation or directive that Customer has failed to perform under this subsection will be at Customer’s sole cost and expense, and, if applicable, will be based on the pricing of that obligation or directive as it relates to Services set forth in the applicable Order Form.
(k) Issuer Custodial Deposit Agreement. Certain Card Programs may require a separate agreement between Customer and Issuer (“Issuer Custodial Deposit Agreement”) and Customer’s use of the Services and Cards will be conditioned upon entering into that Issuer Custodial Deposit Agreement to open and maintain a custodial account with the Issuer (“Custodial Account”). Customer acknowledges and agrees that to the extent the Issuer Custodial Deposit Agreement contains additional or conflicting terms relating to the Program Funding Account (as defined below) the terms set forth in the Issuer Custodial Deposit Agreement shall govern, control, and supersede the Agreement solely with respect to the subject matter covered therein.
(l) Legal Requests. Customer will promptly notify Marqeta of any subpoenas, garnishments, lawsuits, levies, regulatory inquiries or document provision orders, or other legal requests (each a “Legal Request”) that request Cardholder Data, Transaction Data, or relate to the Cards, Card Program, or this Agreement. Customer will not disclose any Cardholder Data or Transaction Data in response to a Legal Request without first notifying Marqeta (to the extent not prohibited by the Legal Request) and providing Marqeta and/or Issuer an opportunity to defend against such disclosure.
(m) Business Continuity. Customer has in place and will keep in place a reasonable business continuity plan and disaster recovery procedures.
(n) Response to Inquiries. Customer will promptly respond to any reasonable inquiries or referrals from Marqeta or Issuer relating to the Cards or Program but in no event more than three (3) business days. In the event that Customer fails to promptly respond or to provide the requested information, Customer acknowledges and agrees that Marqeta and/or Issuer may deactivate any Cards that are the subject of the inquiry or referral.
(o) Compliance Management. Customer will create, implement, and manage a Compliance Management System (“CMS”) for the Program acceptable to Marqeta and/or Issuer. The CMS will include, but will not be limited to, (a) policies and procedures, (b) employee training (where the program is approved by Marqeta, and the training logs are reported to Marqeta), and (c) regular testing and monitoring activities. Testing and monitoring results will be reported to Marqeta in accordance with agreed upon procedures and on a quarterly basis. The CMS will also include adequate oversight and active involvement from Customer’s Board of Directors which shall be reported on a quarterly basis to the Bank.
(p) Data Use.
(i) For clarity, and notwithstanding anything to the contrary in this Agreement, Cardholder Data and Transaction Data are not Customer’s Confidential Information.
(ii) Customer may use Cardholder Data and Transaction Data solely to perform obligations in accordance with operating a Card Program and Applicable Law and will maintain Cardholder Data and Transaction Data in strict confidence. This Section shall not apply to, limit or prohibit the use of information and data to the extent such information or data has been independently obtained by Customer for purposes independent of the Card Program, even if such information or data is duplicative of Cardholder Data or Transaction Data.
(iii) With respect to Customer personnel and / or Customer Service Providers that have access to Cardholder Data and / or Transaction Data, Customer will perform usual and customary initial, and regular follow-up, due diligence and / or background checks in accordance with Applicable Law, and Customer will regularly audit, monitor, and oversee such Customer personnel and / or Customer Service Providers to ensure compliance with the terms of this Agreement.
3. Mutual Obligations.
(a) In fulfilling their respective obligations under this Agreement, each Party will comply with this Agreement, Card Brand Rules and/or Applicable Law that applies to or relates to this Agreement and / or the Card Program(s).
(b) Each Party will comply with written policies, guidelines, or directives that Issuer provides to the Parties (collectively, “Bank Rules”). Marqeta may make changes to, or terminate or suspend relevant elements of, the Services, the System, or the Card Program, or this Agreement to comply with changes to Applicable Law, the Card Brand Rules (including PCI DSS) and the Bank Rules. When this occurs, Marqeta will notify Customer as soon as reasonably possible, and Marqeta reserves the right to recover any additional costs from the Customer. The Customer shall provide all required information, cooperation and assistance to enable Marqeta to comply with its obligations to the Issuer in respect of the Card Program. If required by the Issuer, Customer shall enter into any direct terms with the Issuer required under the Bank Rules.
4. Issuer.
(a) Bank Approval. The Parties understand that under Applicable Law, the Issuer is responsible for monitoring and enforcing the regulatory compliance of the Card Program. Thus, the Card Program (and all relevant materials, disclosures and marketing efforts and collateral) is subject to the initial and ongoing approval and supervision of Issuer. Marqeta will be responsible for submitting Card Program requests and approvals to Issuer. Marqeta does not make any representations, warranties, or covenants to Customer with respect to Marqeta’s ability to obtain approvals from Issuer. Customer acknowledges that Issuer may withdraw its acceptance and approval of the Card Program and the provision of the Services to Customer if Customer breaches the Agreement or if circumstances arise that pose material and undue risks to the Issuer.
(b) Issuer Program Requirements. Marqeta or Issuer may establish parameters for the Card Program, including with respect to the types of transactions that may be initiated with Cards, the businesses at which Cards may be used, restrictions on the amounts and velocity of transactions, customer verification requirements, marketing collateral review, required disclosures, prohibited industries, customer service, reporting and other parameters (collectively, the “Issuer Program Requirements”). Issuer Program Requirements may be modified from time to time by Marqeta or Issuer upon notice to Customer. Customer agrees to adhere to the Issuer Program Requirements.
5. Fee Changes. If revenue sharing and/or any incentive payment is offered to Customer, it is with an understanding that there will not be a material change in the net cost from either of the Issuer or Card Brands and that Marqeta will maintain its Card Brand Decision Maker status as set forth in Section 2(b). If Marqeta’s costs or benefits from either of Issuer or Card Brands materially increase, or if Marqeta’s relationship with a Card Brand is reduced or removed with respect to a Card Program, Marqeta will notify Customer of a corresponding change in revenue sharing and/or incentive terms.
6. Card Funding and Settlement.
(a) Customer is responsible for all funding in connection with a Card Program as more specifically detailed in the Order Form. Marqeta will not be obligated to advance or otherwise provide Issuer, or any third party, funds related Customer acknowledges that Issuer may make withdrawals from any funds to satisfy its legitimate payment and exposure liabilities.
(b) Customer, directly or through approved third parties, will transfer funds to a deposit account established by the Issuer (the “Program Funding Account”) to fund all loads and settlement required in connection with this Agreement. Such funds will be sent via the method as specified in the Order Form.
(c) Customer is required to maintain a minimum balance in the Program Funding Account (the “Minimum Program Funding Amount”) as defined in the Order Form. The Minimum Program Funding Amount must be deposited into the Program Funding Account no later than seven (7) days prior to the Go Live Date (as defined in the Order Form). At all times, unless otherwise agreed upon in writing by the Parties, Customer will maintain the Minimum Program Funding Amount in the Program Funding Account. To cover unusual volatility, Marqeta may require that Customer initiate an additional transfer to cover additional funding obligations upon twenty-four (24) hours’ notice. Customer must request return of any Program Funding Account funds via written request. Customer is not authorized, and will not attempt, to initiate a withdrawal of funds from the Program Funding Account. In addition to the Program Funding Account, Customer must comply with collateral requirements or other conditions set forth in the Configuration Schedule(s) attached to the Order Form, including to maintain any reserve funds, to ensure that Customer can satisfy its financial obligations.
(d) If Customer fails to maintain sufficient funds in the Program Funding Account to cover loads, authorization, and settlement and/or fails to maintain the Minimum Program Funding Amount or any collateral requirements, Marqeta may terminate this Agreement or suspend performing the Services or authorizing transactions until Customer has met its obligations under this subsection. Marqeta will notify Customer and request immediate payment for all deficient amounts, which Customer will pay within one (1) Business Day and may charge interest for such failure at a daily rate of six (6) bps per day (0.06% per day) multiplied by such deficient amounts (the “Daily Interest Obligation”). Customer’s failure to pay deficient amounts within one (1) Business Day will constitute a material breach of this Agreement that is not subject to the cure periods set forth herein. Marqeta will withhold all revenue share payments until all deficient amounts are paid. In addition to any other remedies available to Marqeta or Issuer at law or under the Agreement and to the extent permitted by Applicable Law, Marqeta may, as a continuous right, set off any amounts owed to it against any outstanding amounts owed to Customer until Customer’s liability owed to Marqeta is fully paid.
(e) Customer acknowledges and agrees that for funds deposited by or on behalf of Customer to the Program Funding Account and / or any collateral account, as applicable, it has received reasonably equivalent value in, among other things, the services made available to Customer by and through Marqeta and Issuer without which deposits the services would not be available to Customer. Customer also agrees Marqeta and Issuer have provided reasonably equivalent value to Customer in consideration for each purchase made with a card issued under this Agreement, no such transfer has been made for or on account of an antecedent debt owed by Customer, and no such transfer is or may be voidable or subject to avoidance under any applicable bankruptcy, insolvency or other similar law.
7. Limitation of Liability.
(a) Except for (i) a Party’s breach of a Party’s intellectual property rights, or (ii) a Party’s indemnification obligations for third party Claims for infringement of intellectual property rights, or (iii) Customer's liability for Card Losses, or any fines by a Card Brand or Regulator related to the Card Program or (iv) liabilities which cannot be limited or excluded by Applicable Law (including for fraud or fraudulent misrepresentation or for death or personal injury arising from a Party's negligence), or (iv) Customer’s intentional misuse of Personal Data, or (v) misappropriation of any KYC Service Provider IP (each, an “Excluded Claim”), in no event will either Party or their respective representatives and suppliers, including any Marqeta Service Provider or Customer Service Provider, be liable to the other Party, whether in contract, tort (including breach of warranty, negligence, or strict liability), or otherwise, for any indirect, incidental, consequential, special, exemplary, or punitive damages regardless of whether such Party knew or should have known of the possibility of such damages. The Parties agree that fines, fees, penalties, or assessments from a Card Brand, Issuer, Regulator, or governmental agency (“Fees and Fines”), are direct and not indirect, incidental, consequential, special, exemplary, or punitive damages.
(b) Except for: (i) an Excluded Claim; (ii) a Party’s payment or funding obligations under this Agreement; or (iii) Customer’s obligation to pay or reimburse Marqeta for Fees and Fines as a result of Customer’s, Customer’s Personnel, or Customer Service Provider’s action or inactions, a Party’s total cumulative liability to the other Party under the Agreement will not exceed the revenue earned by Marqeta under this Agreement during the twelve (12) months immediately preceding the date on which the issue giving rise to a Party’s liability under this Agreement occurred.
(c) Notwithstanding anything to the contrary in this Agreement, neither Party will be in breach of this Agreement or otherwise responsible or liable for non-performance of its obligations to the extent such non-performance is attributable to (i) a breach by the other Party of its obligations under this Agreement, (ii) the other Party’s failure to cooperate with and perform activities reasonably required on a timely basis, or (iii) in the case of Marqeta, Marqeta’s reliance on information and Customer Instructions provided by Customer in accordance with Section 2(b) in Section A above. In the event of the foregoing, where Customer has not performed its obligations under this Agreement, Marqeta will: (i) be excused from any resulting delays in performing the Services and be entitled to a corresponding adjustment in the SLA; and (ii) not be responsible to Customer for any claims by Customer or third parties arising from or relating to the failure of any third-party software, hardware, communications devices, Internet services, e-mail systems, or other systems or functions.
(d) No action, regardless of form, arising out of any claimed breach of this Agreement or the Services may be brought by either Party more than one (1) year after discovery of the breach.
(e) Each Party has a general duty to mitigate any losses suffered by such Party, including through the enforcement of its agreements with third parties.
8. Effect of Termination. Upon expiration or termination of the Agreement, Customer will be responsible for the payment of all fees accrued, due, and payable by Customer up to the later of the date of such expiration or termination or the completion of the transition. Marqeta may set off such fees owed by Customer by applying the remaining funds in the Program Funding Account. Within thirty (30) days after the wind down of the Card Program, the Issuer will return, by ACH or wire transfer, all remaining funds owned by Customer held in the Program Funding Account and/or remaining on Cards, as adjusted for settlement, disputes, and chargebacks on Cards occurring on and after the end of the Term.
SECTION E
SERVICE LEVELS
1. Performance Standard. The “Performance Standard” is a Monthly Transaction Success Rate of 99.99% (rounded) or greater in a calendar month. “Monthly Transaction Success Rate” means one hundred (100) multiplied by (1) minus the following: The number of transaction authorization attempts that Marqeta failed to properly process for Customer in a calendar month which resulted in a card network Stand-In Processing decline (“Marqeta-Responsible STIP Declines”) divided by the total number of transaction authorization attempts for Customer in the same calendar month. Marqeta-Responsible STIP Declines does not include transaction authorization attempts where a Card Brand or Customer caused the failure to properly process the transaction authorization attempts. The Monthly Transaction Success Rate is illustrated below:
Monthly Transaction Success Rate % = 100 * (1 - (Customer’s Marqeta-Responsible STIP Declines / Customer’s Attempted Transaction Authorizations))
2. Performance Standard Credits.
(a) Marqeta Managed Performance Standard Credits. With regard to Customer’s receipt of Managed by Marqeta Services, in the event that Marqeta does not meet the Performance Standard in a calendar month and Customer experienced more than 10 Marqeta-Responsible STIP Declines in that month, then Marqeta will pay Customer the portion of its Monthly Incentive Payment that is equal to the difference between the Performance Standard and the Monthly Transaction Success Rate, as illustrated in the example below:
Example: If the Monthly Transaction Success Rate is 99.59% in a calendar month and Customer experienced 11 Marqeta-Responsible STIP Declines in that month, then Marqeta will pay Customer 0.40% of its Monthly Incentive Payment for that month.
(b) Marqeta Powered Performance Standard Credits. With regard to Customer’s receipt of Powered by Marqeta Services, in the event that Marqeta does not meet the Performance Standard in a calendar month and Customer experienced more than 10 Marqeta-Responsible STIP Declines in that month, Marqeta will pay Customer the portion of the total of its Monthly Access Fee, Settled Transaction Fee, Processed Transaction Fee and Volume Fee, as applicable, for that month that is equal to the difference between the Performance Standard and the Monthly Transaction Success rate for that month, as illustrated in the example below:
Example: If the Monthly Transaction Success Rate is 99.59% in a calendar month and Customer experienced 11 Marqeta-Responsible STIP Declines in that month, then Marqeta will pay Customer 0.40% multiplied by the total of Customer’s Monthly Access Fee, Settled Transaction Fee, Processed Transaction Fee, and Volume Fee, as applicable, for that month.
3. Service Reporting. In order to receive any Performance Standard Credits, Customer must report a failure to meet the Performance Standard to Marqeta via the communications channels provided during the Customer onboarding process within seven (7) calendar days of the failure to meet the Performance Standard.
4. API Response Time Performance Target. The “API Response Performance Target” is a response time of 1,000 milliseconds or less for 99.99% (rounded) or greater of all Critical API Calls made during a calendar month. The API Response Performance Target is measured by the time that it takes for the System to respond to a Critical API Call from Customer. “Critical API Call” means an API call other than an API call that is part of an authorization request (i) that operates on one account, one card and one transaction, as applicable for that API call, and (ii) where the response time to that API call directly impacts the Cardholder experience.
5. Schedule Maintenance. Marqeta will notify Customer of scheduled downtime for maintenance or upgrades at least ten (10) calendar days in advance (“Scheduled Maintenance”). Scheduled Maintenance will not exceed more than four hours per calendar month. Measurement of Marqeta’s compliance with the Performance Standard shall exclude any Scheduled Maintenance.
6. Technical Support. Technical support incidents will be addressed as follows:
(a) Technical Support Response Time Performance Target. Customer will notify Marqeta via support911@marqeta.com for Severity Level 0/1 incidents and support@marqeta.com for Severity Level 2/3 incidents. The below sets out Marqeta's “Performance Targets” for each Severity Level:
(i) Severity Level 0/1 – Marqeta resources will initially respond within fifteen (15) minutes of notice from Customer of the incident and will ensure continuous support to resolve all Severity Level 0/1 incidents. Marqeta will promptly (1) advise Customer of the status of remedial efforts being undertaken with respect to such incident; (2) implement a temporary workaround and/or correct the cause of the incident; and (3) report to Customer on the root cause(s) of such incident.
(ii) Severity Level 2/3 – Marqeta resources will initially respond within two Business Days of notice from Customer of the incident and will work to resolve Severity Level 2/3 incidents in order of their priority.
(b) Severity Level Descriptions. Initial incident severity level determinations will be set by Marqeta in good faith based on Customer’s notification and may be modified by Marqeta during resolution.
(i) Severity Level 0 – Complete Service Failure: Occurs when Marqeta is unable to process transactions and/or process Critical API Calls, is unable to send JIT authorization requests to Customer, or a complete loss of the Services or access to the Services.
(ii) Severity Level 1 – Impaired Service Failure: Services are partially inoperative, and the inoperative portion of the Services severely restricts the ability 1) to process or authorize Customer’s transactions or 2) complete Critical API Calls.
(iii) Severity Level 2 – Reduced Performance: Operational performance of the Services is impaired while most critical operations remain functional.
(iv) Severity Level 3 – Minor Flaws: Minor impacts on Customer’s business operations.
7. Termination Failure. If Customer experiences Significant Incidents that total more than four hundred twenty (420) minutes per calendar month in (i) three (3) consecutive calendar months, or (ii) four (4) calendar months within a six (6) month period (each a “Termination Breach”), then Customer may elect to terminate the Agreement upon thirty (30) days prior written notice to Marqeta. Customer must provide such notice to Marqeta within seven (7) days of the date of the Termination Breach. For the purposes of determining whether a Termination Breach has taken place, “Significant Incident” means sixty (60) or more consecutive minutes of a Severity Level 0 or 1 downtime.
8. Sole Remedy. This Service Level Agreement sets forth Customer’s sole remedy related to Marqeta’s failure to meet the Performance Standard or Performance Target.
SECTION F
DEFINITIONS
Capitalized terms used elsewhere in the Agreement have the definitions set forth below:
1. “Affiliate” means with respect to any Person, each Person who directly or indirectly controls, is controlled by, or is under common control with a Party.
2. “API” means application programming interface.
3. "Applicable Law" means laws, regulations, statutes, codes, rules, orders, licenses, certifications, decrees, standards or written policies, guidelines, directives, or interpretations imposed by any authority, including any Regulator, potentially that has or has asserted jurisdiction over the Party or matter in question, that apply to or relate to this Agreement and / or the Card Program(s), including those relating to privacy, anti-corruption, anti-bribery, anti-slavery, fair lending and anti-discrimination, disclosure requirements and prohibitions on unfair, deceptive or abusive acts and practices.
4. “Bank Rules” means written policies, guidelines, or directives that Issuer provides to the Parties.
5. “Card” means a prepaid card, debit card, credit card or any other device, technology, or medium that is issued by the Issuer either as a physical card, virtual card, account access device or number containing a PAN that is associated with a card account.
6. “Card Brand” means any operator of a payment card network, such as Visa, Discover, or Mastercard.
7. “Card Brand Rules” means the rules, by-laws, and standards of any applicable Card Brand.
8. “Card Program” means a set of solutions, offerings, and services operated by or on behalf of the Customer, in connection with which Marqeta provides the Services and System under the terms of this Agreement.
9. “Cardholder” means that person or entity that is issued a Card.
10. “Cardholder Data” means information that is provided to or obtained by either Party in the performance of its obligations or use of Services under this Agreement or otherwise regarding Applicants and current or former Cardholders or applicants to become Cardholders.
11. “Commando Mode” means an optional feature pursuant to which the System makes authorization decisions based on business rules pre-defined by Customer in the event that Customer fails to respond to a JIT authorization request.
12. “Confidential Information” means the terms of this Agreement and information about the Disclosing Party’s technology, customer information, business activities, operations, and its trade secrets (as defined under Applicable Law), which are proprietary or confidential. Confidential Information also includes (without limitation) (i) existing or contemplated products, services, designs, technology, source code, processes, technical data, engineering, techniques, methodologies and concepts and any related information, (ii) information relating to business plans, sales or marketing methods and customer lists or requirements of a Party, (iii) all information about current and potential future customers of a Party, and (iv) any material marked or designated “confidential” or which by its nature or the circumstances surrounding its disclosure should reasonably be regarded as confidential. Confidential Information does not include information that a Receiving Party can demonstrate: (1) was in the public domain at the time of disclosure, (2) was in the legal possession of the Receiving Party at the time of disclosure without a duty of confidentiality, or (3) was independently developed by the Receiving Party without reference to the Disclosing Party’s Confidential Information.
13. “Customer Service Provider” means an Affiliate of Customer, Customer’s customers, Retail Partners, Lending Bank, or any other third party with whom Customer has a relationship, in each case, relating to Customer’s rights or obligations in connection with the Agreement.
14. “Documentation” means user manuals, responsibility matrices, and/or other information that describe the features, functions, and operations of the Services, which may be modified from time to time by Marqeta.
15. “Issuer” means the regulated financial institution with whom a Party enters into an agreement to issue Cards.
16. “JIT” or “Just In Time” means a method that enables Customer to automatically authorize or decline Card transactions in real time via Marqeta’s API.
17. “KYC Services” means customer identification verification services as set forth in an applicable Order Form.
18. “OFAC” means the Treasury Department’s Office of Foreign Assets Control.
19. “PAN” means primary account number.
20. “Person” means any corporation, company, partnership, firm, joint venture, association, trust, government agency, political subdivision, other entity, or individual.
21. “Sanctions” means any and all economic or financial sanctions, sectoral sanctions, secondary sanctions, trade embargoes and restrictions and anti-terrorism laws, including but not limited to (i) those imposed by the U.S. government (including those administered by OFAC), (ii) the United Nations Security Council and (iii) all other lists from any other applicable sanctions regimes.
22. “Transaction Data” means any data, except Cardholder Data, about a transaction initiated with a Card.
SECTION G
ADDITIONAL REGULATORY TERMS
To the extent that Customer is a Regulated Entity and is subject to the oversight by a Regulator in relation to Regulated Services that are outsourced to Marqeta under the Agreement, such that the Services are considered an outsourcing subject to requirements of Applicable FS Law, the following provisions of this Section G will apply.
1. Definitions. The following definitions of interpretation apply in this Section G. Capitalized terms used but not defined below have the meanings ascribed to them elsewhere in this Agreement:
(a) “Applicable FS Law” means the laws of the European Union (EU) and any member state of the EU and United Kingdom (UK), in force from time to time in relation to the activities of a regulated financial institution, and any mandatory orders, directions and guidelines of a Regulator of financial services, including the EBA Guidelines and the Digital Operational Resilience Act (Regulation (EU) 2022/2554).
(b) “BRRD” means any Applicable FS Law that gives effect to the requirements of Directive 2014/59/EU or Directive 2013/36/EU, or such equivalent bank recovery and resolution regimes in any EU Member State or the UK.
(c) “EBA Guidelines” means the EBA Guidelines on outsourcing arrangements, dated 25 February 2019 (EBA/GL/2019/02).
(d) “Regulated Entity” means an entity that provides Regulated Services that are subject to the oversight of a Regulator.
(e) “Regulated Services” means any financial services in the EU or UK that are subject to Applicable FS Law and the oversight of a Regulator.
For the purpose of this Addendum, a Regulator means a prudential or conduct regulator or resolution authority in the EU or UK with supervisory rights, as provided under Applicable FS Law, over Customer as a Regulated Entity or Marqeta as the provider of Services to a Regulated Entity.
2. Governance and Cooperation.
(a) To the extent allowed by Applicable Law, Marqeta will notify Customer if it becomes aware of any development that has or will have a material impact on Marqeta’s ability to comply with Marqeta's obligations under Applicable Law or perform a critical or important function of the Services, including informing Customer of any planned outages in accordance with the processes set out in Section E (Service Levels). In respect of any such material developments, Marqeta will upon Customer’s written request, provide any available and relevant reports and/or a summary of such reports, reasonably requested by Customer.
(b) Marqeta confirms that it has implemented and periodically tests its security controls and business continuity and disaster recovery plans in respect of its internal business operations and in respect of the Services, which may be invoked in the event of an emergency.
(c) Details of the regions where any data may be processed are set out in Annex III of the Section B-1 (Global Data Processing Addendum). In the event of any failure, discontinuation or insolvency of Marqeta, any relevant Customer data may be accessed in accordance with the self-access functionality and through the Transition Services.
(d) As and when reasonably required by the Customer, Marqeta shall at the Customer's reasonable cost (based on Marqeta's standard day rate or as indicated in the applicable Order Form) assist if an ICT-related incident related to the Service occurs and shall participate in any relevant ICT security awareness programs and digital operational resilience trainings.
(e) Where Marqeta and the Customer agree that it is relevant and appropriate to the Services, they shall work together to undertake, within controls directed by Marqeta, security and threat-led penetration testing to assess the effectiveness of any cyber and internal ICT security measures and processes that have been implemented in respect of the Services.
(f) Customer will treat all notifications and information provided under this Section G as Marqeta's Confidential Information.
3. Additional Support and Audit Right.
(a) Regulatory Support. Marqeta agrees to allocate, free of charge, five (5) working man days per calendar year (where a “working man day” is equal to eight (8) business hours) to support Customer with its requests for cooperation, assistance or information pursuant to this Section G. Any additional support beyond such allocation will be charged to the Customer at Marqeta's standard day rate (or as indicated in the applicable Order Form). Where requested in writing by Customer, Marqeta will provide the Customer with an estimate of any additional support.
(b) Legal Rights. Marqeta acknowledges that Customer and Regulators have certain legal rights of audit and investigation, including under the BRRD and EBA Guidelines.
(c) Additional Audit Rights. To the extent required by Applicable FS Law, in addition to the audit rights elsewhere in the Agreement, Marqeta agrees to reasonably cooperate with a request by Customer to inspect or audit Marqeta's performance of the Services, including permitting the Customer to monitor the provision of the Services on an on-going basis through its monitoring of the performance standards and service level commitments set out in Section G (Service Levels). Any such audit or investigation by the Customer will be at the Customer's cost and in accordance with the pricing and terms outlined in the applicable Order Form.
4. Sub-Contractors.
(a) Marqeta may use sub-contractors (which may include its Affiliates) to perform all or any part of the Services, but Marqeta remains responsible under this Agreement for services performed by its sub-contractor to the same extent as if Marqeta performed them itself. The controls and requirements in relation to the appointment of sub-contractors that process personal data are set out in the Schedule B-1 (Global Data Processing Addendum).
(b) When appointing any sub-contractors, Marqeta will:
(i) carry out vendor due diligence over the sub-contractor in accordance with Marqeta's internal policies;
(ii) oversee those services that it has sub-contracted to ensure that material terms of this Agreement are met; and
(iii) ensure that sub-contractors comply with all laws that apply to the sub-contractor in its performance of the sub-contracted services and the terms of its agreement with Marqeta, including, as relevant, in respect of providing information, assistance with request for rights of audit.
(c) Marqeta will keep the Customer informed, upon request, of any sub-contractor engaged in the performance of any of Marqeta’s obligations under this Agreement which by the nature of their services handle any personal data of Customer (and are available at https://www.marqeta.com/sub-processors). Where there are material changes affecting the sub-contractor arrangements, such as the appointment of a new sub-contractor engaged in any critical functions forming part of the Services, Marqeta will notify the Customer of such material change in writing (a "MC Notice") and the Customer may object to the material change by giving Marqeta notice in writing within twenty (20) business days of receiving the MC Notice, provided that such objection must be on reasonable, substantial grounds, and where applicable directly related to such new sub-contractor's ability to meet its sub-contracted obligations. If the Customer does not so object, the change of sub-contractor arrangements will be deemed accepted by the Customer. Upon Customer’s written request, Marqeta will make available any relevant information reasonably requested by Customer about any material change to the sub-contractor arrangements, to enable Customer to carry out its own risk assessment of the change and to raise objections as described under this Section 4.
5. Additional Termination Rights.
(a) In addition to the termination rights elsewhere in the Agreement, or any applicable Order Form, Customer may terminate the Agreement or the relevant Service:
(i) immediately on written notice to Marqeta if Marqeta commits a material breach of any Applicable Law in relation to the performance of its obligations under the Agreement;
(ii) upon thirty (30) days’ written notice to Marqeta if Marqeta commits a material breach of its security, confidentiality or data protection obligations under the Agreement, and such breach is not remedied before the end of such thirty (30) day period;
(iii) upon thirty (30) days’ written notice to Marqeta if the Customer is required to do so in accordance with Applicable FS Law due to the following circumstances, if such circumstances have not been resolved to Customer's reasonable satisfaction before the end of such thirty (30) day period:
(1) impediments capable of altering the performance of the outsourced function so as to cause material breach of the Agreement are identified; or
(2) material changes affecting the outsourcing arrangement or Marqeta that are not otherwise addressed in this Agreement.
(iv) upon thirty (30) days’ written notice to Marqeta if Customer is required to terminate this Agreement by a Regulator due to the following circumstances:
(1) impediments capable of altering the performance of the outsourced function so as to cause material breach of the Agreement are identified; or
(2) material changes affecting the outsourcing arrangement or Marqeta that are not otherwise addressed in this Agreement.
(b) Unless such termination under this Section G arises from Marqeta's material breach of the Agreement, Customer will pay Marqeta the Early Termination Fee.
(c) On any termination of the Agreement Marqeta agrees to provide Transition Services as outlined in Section A of the Agreement.