Privacy & Cookie Policy
Paystack Payments Kenya Limited (“Paystack”, “Company”, “we”, “us” or “our”) offers an online payment platform that allows Users to make seamless, stress-free payments online for desired goods and services. At Paystack, we are committed to protecting the privacy and security of our consumers’ and users’ personal data. We are committed to transparency, accountability and confidentiality of your personal data. This is why our Privacy and Cookie Policy (“Privacy Policy”) describes how we collect, use, store, share, and protect personal data from Website Visitors, Paystack Users, and/or Vendors (“Data Subjects”) who engage with our services. It applies to our website and all related sites, applications, services and tools (collectively, our “Services”).
While our services are primarily designed for businesses and organisations (“Merchants”), we recognise that individual consumers may interact with us through Merchants or website visits. As such, we are committed to responsibly processing personal data for everyone involved. We generally process personal data at the direction of and on behalf of Merchants. When we do, we do so as a service provider or a “Data Processor” to those Merchants, but we do not control and are not responsible for the privacy practices of those Merchants. If you are a Customer of a Paystack Merchant, this Privacy Policy does not apply to you and you should read that third party Merchant’s Privacy Policy and direct any privacy inquiries to that Merchant. If you are a Merchant, please see the Merchant Privacy Policy for information as to how we process the personal information you provide to us as a Merchant.
This Privacy Policy does not apply to services that are not owned or controlled by Paystack, including third-party websites and the services of Paystack’s Merchants. This Privacy Policy applies to all forms of systems, operations and processes within the Paystack environment that involve the processing of personal data. Paystack is a Stripe company; for more information about Stripe’s privacy practices, see the Stripe Privacy Policy https://stripe.com/en-gb/privacy.
When you opt in to use one of our products, we will use your data for specific purposes, such as providing and improving the service. We may also share your data with subprocessors and partners, but only as necessary to offer the service you have opted into. We will handle your personal data in line with the purposes and methods outlined in this Privacy Policy.
1. The Information we Collect
The personal data we collect depends on how you interact with us, the services you use, and the choices you make. We may collect information from different sources and in various ways, including information you provide directly, information collected automatically, third-party data sources, and data we infer or generate from other data that is publicly available.
1.1 Personal Data You Provide Directly
We collect personal data you provide to us. For example:
- Contact information. As part of our operations, Paystack may collect information such as your name, telephone numbers, address, email address, etc. to provide you with certain services.
- Payment information. If you make a purchase or other financial transaction, such as when you checkout with Paystack on a Merchant’s website, we collect cardholder data, financial account information, and other payment details.
- Communications. If you contact us directly, for example with an inquiry or a support request, we may receive additional personal data about you, including your email address and the content of your communications.
1.2 Personal Data We Collect Automatically
- Device Information. We receive information about the device and software you use to access our Services, including Internet Protocol (IP) address, web browser type, operating system version, and device identifiers.
- Usage Information. To help us understand how you use our Services, including the Demo portion of our website, and to help us improve them, we automatically receive information about your interactions with our Services. This information includes records of your transactions and information about your other activities related to our services, such as the date and time of your sessions, the pages you view, links to/from any page, and time spent in a session. We gather some of this data through cookies and similar technologies as discussed below.
- Location Information. When you use our Services, we collect or infer your general location information. For example, your IP address may indicate your general geographic region, which will be matched against our IP whitelist.
1.3 Personal Data That We Receive from Others or Infer
- Partners. We may retrieve additional personal data about you from third parties and other identification/verification services, such as your financial institution and payment processor where they have the authority to share your personal data with us. We may combine that data with other information we have about you.
- Publicly available sources. We may also gather additional data about you from public sources of information such as open government databases.
- Inferences. We may infer additional personal data based on the personal data described above. For example, for website visitors, we may infer your interests based on the web pages you view.
When you are asked to provide personal data, you may decline. And you may use web browser or operating system controls to prevent certain types of automatic data collection. But if you choose not to provide or allow information that is necessary for the provision of certain services or features, those services or features may not be available or fully functional.
2. How We Use Personal Information
We use the Personal Data we collect to:
- Provide you with the required services
- Respond to your questions or requests
- Improve features, website content and analyse data to develop products and services
- Address inappropriate use of our website
- Prevent, detect and manage risk against fraud and illegal activities using internal and third party screening tools
- Send you necessary service updates
- Send you marketing content, newsletters and service updates curated by Paystack (only with your explicit consent)
- Verify your identity and the information you provide in line with Paystack’s statutory obligations using internal and third party tools
- Maintain up-to-date records
- Resolve disputes that may arise, including investigations by law enforcement or regulatory bodies
- Any other purpose that we disclose to you in the course of providing Paystack services to you
3. How We Share Personal Data
Paystack does not sell, trade or rent personal data to anyone. Further, we will not share or disclose your personal data with or to a third party without your consent except as necessary to provide the Services or as described in this Privacy Policy.
- Merchants. We may share your contact information with merchants as part of your purchase details for record purposes. We will not share this information with other third parties except as a necessary part of providing our website and services. We do not share your card information with merchants. Please review your merchant’s privacy policy to understand the privacy policies guiding the merchant you transact with.
- Service providers. We share personal data with vendors or agents working on our behalf for the purposes described in this statement. For example, companies we've hired to provide customer service support, to assist in protecting and securing our systems and services, or to perform sanctions screening and identity verification services may need access to personal data to provide those functions. The processing by such third parties shall be governed by a written contract with Paystack to ensure adequate protection and security measures are put in place for the protection of personal data in accordance with the terms of this Privacy Policy.
- Financial services & payment processing. When you provide payment data, for example to make a purchase, we will share payment and transactional data with banks and other entities as necessary for payment processing, fraud prevention, credit risk reduction, or other related financial services.
- Affiliates. We enable access to personal data across our subsidiaries, affiliates, and related companies, for example, where we share common data systems or where access is needed to provide our services and operate our business.
- Partners. We may share your data with companies that we partner with for industry networking events, mixers, and other learning and development opportunities, but only with your explicit consent, with the option to opt-out at any instance.
- Corporate transactions. We may disclose personal data as part of a corporate transaction or proceeding such as a merger, financing, acquisition, bankruptcy, dissolution, or a transfer, divestiture, or sale of all or a portion of our business or assets.
- Legal and law enforcement. We may access, disclose, and preserve personal data in accordance with applicable law and when we believe that doing so is necessary to comply with applicable law or respond to valid legal queries, including from law enforcement or other government agencies.
- Security, safety, and protecting rights. We will disclose personal data if we believe it is necessary to:
  - protect our Users and others, for example to prevent fraud, or to help prevent the loss of life or serious injury to anyone;
  - operate and maintain the security of our services, including to prevent or stop an attack on our computer systems or networks; or
  - protect the rights or property of ourselves or others, including enforcing our agreements, terms, and policies.
We leverage third-party analytics to analyse personal data collected through our website and apps including, account information, marketing and communications data, demographic data, content and files, geolocation data, usage data, and inferences associated with identifiers and device information (such as cookie IDs, device IDs, and IP address) as described in the Cookies section of this statement. This data is aggregated and enables us to perform analytics and track the performance of our website. For example, we use Google Analytics on our website to help us understand how users interact with our website; you can learn how Google collects and uses information at www.google.com/policies/privacy/partners.
Finally, we may share de-identified information in accordance with applicable law.
Please note that merchants, sellers, and other Users you buy from or contract with have their own respective privacy policies, and although Paystack’s Merchant Terms of Use does not allow the other transacting party to use your information for anything other than as authorised by you, Paystack is not responsible for their actions, including their data protection practices. If you provide personal data to any of those third parties, or allow us to share personal data with them, that data is governed by their privacy policies.
4. Cookies
We and our partners use cookies and similar technologies on our website to help collect information and operate the site. We use cookies to remember users and make your user experience easier; customise our services, content and advertising; help you ensure that your account security is not compromised, mitigate risk and prevent fraud; and promote trust and safety on our website. Cookies are small text files placed by a website and stored by your browser on your device. You can find more about the types of cookies we use through the Cookie Banner on our website.
Our cookies hold a unique random reference to you so that once you visit the site, we can recognise who you are and provide certain content to you.
Most web browsers are set to accept cookies by default. If you prefer, you can
go to your browser settings to learn how to delete or reject cookies. If you
choose to delete or reject cookies, this may impact your experience using our
website.
5. How We Protect your Information
Paystack has established adequate technical and organisational controls in
order to protect the integrity and confidentiality of personal data, both in
digital and physical format, and to prevent personal data from being
accidentally or deliberately compromised.
Paystack is committed to managing your personal data in line with applicable
data protection laws and best practices. We protect your personal data using
physical, technical, and administrative security measures to reduce the risks
of loss, misuse, unauthorised access, disclosure and alteration. We also use
industry-recommended security protocols to safeguard your personal data. Other
security safeguards include but are not limited to data encryption, firewalls,
and physical access controls to our building and files, and only granting
access to personal data to employees who require it to fulfil their job
responsibilities. Employees may have access to personal data only as is
appropriate for the type and scope of the task in question and are
contractually forbidden to use personal data for their own private or
commercial purposes or to disclose them to unauthorised persons, or to make
them available in any other way.
In compliance with the Payment Card Industry Data Security Standard (“PCI DSS
Requirements”), we implement access control measures, security protocols and
standards including the use of encryption and firewall technologies to ensure
your card information is safe and secure in our servers. Additionally, we
implement periodical security updates to ensure that our security
infrastructures are in compliance with reasonable industry standards.
Two-factor authentication (“2FA”) is an additional layer of security we have
added to your account. When 2FA is enabled, you will be required to enter a One
Time Password (OTP) (which is a verification code we will send to you for
authentication purposes), each time you checkout using Paystack on a Merchant’s
website or platform. While we encourage you to enable this feature on every
transaction, you may choose to disable the 2FA feature after your initial
enrolment by clicking on the toggle button to disable it on your Paystack
dashboard. However, if you choose to disable this feature, you agree that
Paystack shall not be liable for any loss or damages incurred as a result of
your action.
Personal Data Breach
At Paystack, we take the security of personal data seriously and have implemented measures to prevent data breaches from occurring. However, in the event of a data breach, we have established procedures for reporting and managing incidents concerning personal data or practices leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. You may contact our Data Protection Officer (DPO) upon becoming aware of any breach of personal data or if your access credentials have been compromised to enable us to take the necessary steps towards ensuring the security of your personal data or account.
When we become aware of a data breach that affects personal data, we will notify the affected individuals and relevant authorities in accordance with applicable data protection laws and regulations. The notification will include the following information:
- A description of the nature of the data breach, including the categories of personal data involved
- The likely consequences of the data breach
- The measures taken or proposed to be taken by Paystack to address the data breach, including any measures to mitigate its possible adverse effects
We will notify affected individuals without undue delay, but no later than 72 hours after becoming aware of the data breach, unless there are exceptional circumstances that prevent us from doing so. We will also keep a record of any data breaches and provide this information to the relevant authorities upon request.
We encourage all users and customers to take reasonable steps to protect their personal data, such as using strong passwords, regularly updating their account information, and reporting any suspicious activity to us immediately.
6. Storage Limitation
We will retain your information for the following periods:
- As long as reasonably necessary for the purpose of providing our Services to you
- For the duration your Paystack account is active (if applicable) and we have your consent
- For the period needed to comply with our legal and statutory obligations
- As needed to verify your information with a financial institution
Paystack is statutorily obliged to retain the data you provide in order to process transactions, ensure settlements, make refunds, identify fraud and comply with applicable laws and regulatory guidelines. Under applicable laws (National Payment Systems Act, Proceeds of Crime and Anti-Money Laundering Act and more), we are required to retain your transactional records for a minimum period of seven (7) years following the completion of the transaction. We keep our data retention policy under regular review.
Upon expiration of the applicable storage limitation periods, we will delete, erase, anonymise or pseudonymise any information we hold about you.
This Privacy Policy also applies when we retain your Personal Information after our relationship ends. We may also retain your Personal Information for the duration of any period necessary to establish, exercise or defend any legal rights and may keep Personal Information indefinitely in a de-identified format for statistical purposes, which may include for example, statistics of how you use the Services.
7. Transfer of Data
As part of our service provision, we may rely on third-party servers, resident in foreign jurisdictions, which constitutes the transfer of your personal data to computers or servers in foreign countries. An example of this is Paystack’s use of AWS as a cloud storage solution, with servers located in Ireland. We take steps designed to ensure that the data we collect under this Privacy Policy is processed and protected according to the provisions of this Policy and applicable law, wherever the data is located.
At Paystack, we take the security of personal data seriously. When personal data needs to be transferred to a country outside of Nigeria, we implement adequate measures to ensure that the data remains secure. We comply with all relevant data protection regulations and guidelines to ensure that personal data is protected at all times. Specifically, we use contractual terms to ensure that the personal data is adequately protected, or we ensure that the country to which the data is being transferred has adequate data protection laws in place. We take additional measures to ensure that the country to which the data is being transferred meets our standards for data protection.
Should you wish to transfer personal data to a country deemed to have inadequate data protection laws, Paystack will take all necessary steps to ensure that it is transferred under relevant appropriate safeguards, and where relevant, with your informed consent, and you are made aware of the risks entailed with such a transfer. In any instance, Paystack will ensure Personal Data is transmitted in a safe and secure manner. Details of the protection given when your Personal Data is transferred abroad, and details of the basis of such transfers shall be provided to you upon request.
8. Grounds for Processing of Personal Data
Processing of personal information by Paystack will be lawful if one of the following applies:
- the Data Subject has given consent to the processing of his/her personal data for one or more specific purposes. You can revoke your consent by closing your Paystack account (where applicable) and/or by emailing us;
- the processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which Paystack is subject;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official public mandate vested in Paystack; and
- processing is necessary for the legitimate interests pursued by Paystack or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data.
9. Choices and Rights
At Paystack we respect the rights of our customers and users, and we provide you with the ability to exercise them under the applicable data protection laws and regulations. Individuals who have Personal Information held by Paystack are entitled to reach out to Paystack to exercise the following rights:
- Right to request and access any Personal Information collected and stored by Paystack. This right allows you to request a copy of your personal information that is held by Paystack. To exercise this right, you can submit a request to the Data Protection Officer (DPO) or to our Data Subject Rights Team at [email protected].
- Right to be informed regarding the use of their Personal Information;
- Right to be informed about appropriate safeguards in place whenever your personal information is transferred abroad;
- Right to object to automated decision making and processing. You have the right to object to the processing of your personal information, and to exercise this right, you can submit a request to the DPO or to our Data Subject Rights Team;
- Right to request rectification and modification wherever you want us to correct your inaccurate or incomplete personal information, which Paystack keeps;
- Right to request the deletion of your personal information;
- Right to request the movement of your personal information data from Paystack to a third party - this is the right to the portability of data;
- Right to withdraw consent to Paystack processing your personal data;
- Right to object to direct marketing and to request that Paystack restricts the processing of your information;
- Right to institute civil proceedings and seek compensation through the Courts; and
- Right to submit a complaint to the Data Commissioner.
Your request will be reviewed and answered by Paystack’s Data Protection Officer within the prescribed statutory period upon receipt of the request. Where there are any delays in responding to your request, you will be notified of the reasons for the delay and the period within which your request will be processed.
10. Compliance to Children's Privacy
Our Services are all directed to people who are at least 18 years old.
We do not knowingly collect any “Personal Data” (as defined by the Data Protection Act) from anyone under 18 years of age without valid parental consent. If we become aware that we have collected such personal information without parental consent, we will take reasonable steps to delete it as soon as possible.
We also comply with other age restrictions and requirements in accordance with applicable local laws.
11. Policy Violations
Any violation of this Privacy Policy should be brought to the attention of the Data Protection Officer (details below) for appropriate sanctioning and treatment.
12. Changes to This Privacy Policy
We may need to update, modify or amend our Privacy Policy as our technology
evolves and as required by law. If we materially change the ways in which we
use or share personal data previously collected from you through our Services,
we will provide notice or obtain consent regarding such changes as may be
required by law. The Privacy Policy will apply from the effective date
provided on our website.
13. Contact Paystack’s Data Protection Officer (DPO)
If you have any questions relating to this Privacy Policy or would like to learn more about exercising your data privacy rights, please contact our DPO via email at [email protected].
For any further queries, our Data Protection Officer may be reached at the following address:
Team Investment Concept LTD,
Peponi Road,
Ikigai
Westlands
00800, Kenya
Acceptable Use Policy
By accessing or using Paystack, you agree to comply with the terms and conditions of this Acceptable Use Policy.
1. Restricted Activities
You may not use Paystack in connection with any product, service, transaction or activity that:
- violates any law or government regulation, or promotes or facilitates such by third parties;
- violates any rule or regulation of Visa, MasterCard, American Express or any other electronic funds transfer network (each, a “Card Network”);
- is fraudulent, deceptive, unfair or predatory;
- causes or threatens reputational damage to us or any Card Network;
- involves any of the business categories listed in clause 2; or
- results in or creates a significant risk of chargebacks, penalties, damages or other harm or liability for customers, yourself as a merchant, Paystack, the service providers that we rely on to provide our services or any Card Network.
2. Certain Business Categories
You may not use Paystack in connection with any product, service, transaction or activity that:
- falls within the prohibition list provided in the East African Community Customs Management Act, 2004 or any other Applicable Law;
- relates to the sale and/or purchase of:
  - banned narcotics, steroids, certain controlled substances or other products that present a risk to a consumer's safety;
  - blood, bodily fluids or body parts;
  - burglary tools;
  - counterfeit items;
  - illegal drugs and drug paraphernalia;
  - fireworks, destructive devices and explosives;
  - identity documents, government documents, personal financial records or personal information (in any form, including mailing lists);
  - lottery tickets, sweepstakes entries or slot machines without the required licence;
  - offensive material or hate speech or items that promote hate, violence, racial intolerance, or the financial exploitation of a crime;
  - chemicals;
  - recalled items;
  - prohibited services;
  - unlicensed financial services, stocks or other securities;
  - stolen property;
  - items that infringe or violate any copyright, trademark, right of publicity or privacy or any other proprietary right under the laws of any jurisdiction;
  - sales of currency without BDC licence, cryptocurrency operators;
  - obscene material or pornography;
  - certain sexually oriented materials or services;
  - certain firearms, firearm parts or accessories, ammunition, weapons or knives;
  - any product or service that is illegal or marketed or sold in such a way as to create liability to Paystack; or
  - production of military and paramilitary wears and accoutrement, including those of the Police and the Customs, Immigration and Prison Services.
- relates to transactions that:
  - show the personal information of third parties in violation of applicable law;
  - support pyramid or ponzi schemes, matrix programs, other "get rich quick" schemes or certain multi-level marketing programs;
  - are associated with purchases of annuities or lottery contracts, lay-away systems, off-shore banking or transactions to finance or refinance debts funded by a credit card;
  - pertain to ammunitions and arms; and
  - involve gambling, gaming and/or any other activity with an entry fee and a prize, including, but not limited to casino games, sports betting, horse or greyhound racing, lottery tickets, other ventures that facilitate gambling, games of skill (whether or not it is legally defined as a lottery) and sweepstakes unless the operator has obtained prior approval from Paystack and the operator and customers are located exclusively in jurisdictions where such activities are permitted by law.
3. Actions by Paystack
If, in our sole discretion, we believe that you may have engaged in any violation of this Acceptable Use Policy, we may (with or without notice to you) take such actions as we deem appropriate to mitigate risk to Paystack and any impacted third parties and to ensure compliance with this Acceptable Use Policy. Such actions may include, without limitation:
- Blocking the settlement or completion of one or more payments;
- Suspending, restricting or terminating your access to and use of Paystack’s Services;
- Terminating our business relationship with you, including termination without liability to Paystack of any payment service agreement between you and Paystack;
- Taking legal action against you;
- Contacting and disclosing information related to such violations to (i) persons who have sold/purchased goods or services from you, (ii) any Service provider, Mobile Money Operator, banks or Card Networks involved with your business or transactions, (iii) law enforcement or regulatory agencies, and (iv) other third parties that may have been impacted by such violations; or
- Assessing against you any fees, penalties, assessments or expenses (including reasonable attorneys’ fees) that we may incur as a result of such violations, which you agree to pay promptly upon notice.
4. Updates, Modifications & Amendments
We may need to update, modify or amend our Acceptable Use Policy at any time. We reserve the right to make changes to this Acceptable Use Policy.
We advise that you check this page often, referring to the date of the last modification on the page.
Events Policy
This Privacy Notice describes how we process (collect, use, share, protect etc.) your personal data when you sign up for our events.
1. The data we collect
- Name and email address: To facilitate event registration and communication.
Additionally, during the event, we may collect other types of data, including:
- Photographs and Video Recordings: We may capture images and videos during the event for promotional purposes, archival records, or to share highlights with attendees post-event. Please inform us if you do not wish to be photographed or recorded.
- Attendance Data: Information about your participation in the event such as sessions attended, duration of attendance, and interaction with event features.
- Feedback and Opinions: Any feedback or opinions you provide in event surveys or questionnaires.
- Device and Connection Information: If the event is accessed via a digital platform, we may collect information about the device and internet connection used, including IP address, operating system, and browser type, for the purpose of ensuring a stable connection and optimal user experience.
- Interaction Data: Data on how you interact with the event platform, such as pages viewed, links clicked, and preferences set, to help us understand attendee engagement and improve future events.
2. How we collect your data
We collect your data through the form you fill when you register for our events.
3. Why we collect your data
- To send you additional information about the event, such as dial-in link to join our events;
- To send you updates about our future events and contents when you accept to be contacted; and
- To provide updates and resources for the event you register for.
4. Lawful basis of processing
Your data will be processed on the basis of consent.
When we co-host events with our partners, they may also seek to process your data for their purposes. However, rest assured that you will be allowed to consent to this data sharing at the time of registration. If you change your mind, you retain the right to withdraw your consent at any time.
5. Who do we share your data with?
When we host events jointly with others, we share personal data with them as joint-controllers.
We share your data with our staff, who will manage and organise the event.
We use Zoom to host our events and communicate event information, such as time and meeting link, with you via email.
6. How do we share the personal data you provide to us?
When you sign up for our events, we host them on third party tools such as Zoom or other event management tool, which process the data on our behalf for the purpose of hosting the event. In addition, we also use tools such as MailChimp or any other communication tool to send you marketing messages and updates about our future events and contents when you agree to be contacted.
7. How we process your data when we co-host events
Sometimes we collaborate with our partners to co-host events. When you sign up to attend the event, we share the data with our partners. However, you will be allowed to opt-in to the sharing and provided with a link to their privacy notice.
8. How we protect data
We take reasonable technical, physical and organisational measures to ensure the protection of your personal information. We also ensure that your information is safe with our partners, with whom we share your data.
9. Period of retention of your data
We delete your data one month after the event, unless you require us to contact you afterwards.
10. Your data protection rights
You have a right to access your data and ask us to correct or even erase it. You can object to processing, restrict processing and even withdraw your consent.
If you have questions or want to contact us about data protection
You can send an email to our Data Protection Officer at [email protected].
Terms of Use
By using this website (www.paystack.com), any of our websites, and/or services, you agree to these Terms of Use. The website Privacy Policy, Acceptable Use Policy, and Merchant Terms of Service (where applicable) are incorporated by reference into these Terms of Use.
About Us
Paystack Payments Kenya Limited (“we”, “us” or “our”) is an online payment gateway that makes it easy for merchants to accept payments online from users or customers.
We are an independent contractor for all purposes, providing this website and our services on an independent service provider basis. We do not endorse, have control or assume the liability or legality for the products or services that are paid for with our service. We do not guarantee any user’s identity and cannot ensure that a buyer or seller will complete a transaction.
This Terms of Use is an agreement between you and Paystack. It details Paystack’s obligations to you. It also highlights certain risks of using the services, and you must consider such risks carefully as you will be bound by the provision of this Agreement through your use of this website or any of our services.
Privacy Policy
Paystack is committed to managing your Personal Information in line with global industry best practices. You can read our Privacy Policy to understand how we use your information and the steps we take to protect your information.
Age Restriction
Our website and services are not directed to children under 18. We do not knowingly transact or provide any services to children under 18.
Disputes & Reversal
If you believe that an unauthorized or otherwise problematic transaction has taken place, you agree to notify us immediately to enable us to take action to help prevent financial loss.
All claims against us related to payments should be made within 45 (forty-five) days after the date of such payment. It will be taken that you waive all claims against us, to the fullest extent of the law, after the said period of time.
If you enter into a transaction with a merchant and have a dispute over the goods or services you purchased, Paystack has no liability for such goods or services, and your claim must be brought against the merchant. Paystack's only involvement with regard to such transactions is as a payment gateway.
We may intervene in disputes between users and merchants concerning payments but have no obligation to do so.
Your transaction ID and/or transaction details will be required to resolve all disputes.
Acceptable Use Policy
You are independently responsible for complying with all applicable laws related to your use of our website and services. However, by accessing or using Paystack, you agree to comply with the terms and conditions of our Acceptable Use Policy which you can read on our Acceptable Use Policy page.
Disclaimers
WE TRY TO KEEP PAYSTACK AVAILABLE AT ALL TIMES, BUG-FREE AND SAFE, HOWEVER, YOU USE IT AT YOUR OWN RISK.
OUR WEBSITE AND SERVICES ARE PROVIDED “AS IS” WITHOUT ANY EXPRESS, IMPLIED AND/OR STATUTORY WARRANTIES (INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED OR STATUTORY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR USE OR PURPOSE, TITLE, AND NON-INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS). WITHOUT LIMITING THE GENERALITY OF THE FOREGOING, PAYSTACK MAKES NO WARRANTY THAT OUR WEBSITE AND SERVICES WILL MEET YOUR REQUIREMENTS OR THAT OUR WEBSITE WILL BE UNINTERRUPTED, TIMELY, SECURE, OR ERROR FREE. NO ADVICE OR INFORMATION, WHETHER ORAL OR WRITTEN, OBTAINED BY YOU THROUGH OUR WEBSITE OR FROM PAYSTACK, ITS PARENTS, SUBSIDIARIES, OR OTHER AFFILIATED COMPANIES, OR ITS OR THEIR SUPPLIERS (OR THE RESPECTIVE OFFICERS, DIRECTORS, EMPLOYEES, OR AGENTS OF ANY SUCH ENTITIES) (COLLECTIVELY, "PAYSTACK PARTIES") SHALL CREATE ANY WARRANTY.
Limitation of Liability
IN NO EVENT WILL ANY OF THE PAYSTACK PARTIES BE LIABLE FOR ANY COSTS, CLAIMS, PENALTIES, ACTIONS, JUDGEMENTS, SUITS, EXPENSES, DISBURSEMENTS, FINES OR OTHER AMOUNTS WHICH YOU MAY SUSTAIN, BE THREATENED WITH OR SUFFER, OR DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, THOSE RESULTING FROM LOSS OF REVENUES, LOST PROFITS, LOSS OF GOODWILL, LOSS OF USE, BUSINESS INTERRUPTION, OR OTHER INTANGIBLE LOSSES), ARISING OUT OF OR IN CONNECTION WITH PAYSTACK'S WEBSITE OR SERVICES (INCLUDING, WITHOUT LIMITATION, USE, INABILITY TO USE, OR THE RESULTS OF USE OF PAYSTACK'S WEBSITES OR SERVICES), WHETHER SUCH DAMAGES ARE BASED ON WARRANTY, CONTRACT, TORT, STATUTE, OR ANY OTHER LEGAL THEORY, IN EXCESS OF THE AMOUNT OF THE TRANSACTION OR THE EQUIVALENT OF TWENTY THOUSAND UNITED STATES DOLLARS (US$20,000.00) DOLLARS, WHICHEVER IS LESSER.
THE PAYSTACK PARTIES WILL NOT BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, PUNITIVE, OR EXEMPLARY DAMAGES OF ANY KIND WHATSOEVER OR HOWSOEVER CAUSED (WHETHER ARISING UNDER CONTRACT, DELICT OR OTHERWISE, AND WHETHER THE LOSS OR DAMAGE WAS ACTUALLY FORESEEN OR REASONABLY FORESEEABLE), INCLUDING BUT NOT LIMITED TO ANY LOSS OF COMMERCIAL OPPORTUNITIES OR LOSS OF PROFITS, AND WHETHER AS A RESULT OF NEGLIGENT (INCLUDING GROSSLY NEGLIGENT) ACTS OR OMISSIONS OF THE PAYSTACK PARTIES.
By agreeing to these Terms of Use, you agree to indemnify, defend and hold the Paystack Parties harmless against any claim by any third party for any costs, damages (including, without limitation, indirect, extrinsic, special, penal, punitive, exemplary or consequential loss or damage of any kind), penalties, actions, judgments, suits, expenses, disbursements, fines, or other amounts arising, whether directly or indirectly, from a breach of this Terms of Use by you.
Exclusions
Some jurisdictions do not allow the exclusion of certain warranties or the limitation or exclusion of liability for certain damages. Accordingly, some of the above disclaimers and limitations of liability may not apply to you. To the extent that any Paystack Party may not, as a matter of applicable law, disclaim any implied warranty or limit its liabilities, the scope and duration of such warranty and the extent of the Paystack Party's liability shall be the minimum permitted under such applicable law.
Updates, Modifications & Amendments
We may need to update, modify or amend our Terms of Use as our technology evolves. We reserve the right to make changes to this Terms of Use at any time by giving notice to users on this page.
We advise that you check this page often, referring to the date of the last modification on the page. If a user objects to any of the changes to the Terms of Use, the User must cease using our website and/or services immediately as your continued use of the website and/or services will be deemed as your acceptance of the changes.
Applicable Law
These Terms of Use shall be interpreted and governed by the laws currently in force in the Republic of Kenya.
Legal Disputes
We shall make an effort to settle all disputes amicably. Any dispute arising out of this Terms of Use which cannot be settled by mutual agreement/negotiation within 1 (one) month shall be referred to arbitration by a single arbitrator in accordance with the Kenyan Arbitration Act 1995 (as amended from time to time). The arbitrator shall be appointed by both of us (we and you), failing which, within fourteen (14) business days, such arbitrator shall be appointed by the chairman for the time being of the Chartered Institute of Arbitrators of Kenya upon application of either party.
The findings of the arbitrator and subsequent award shall, in the absence of manifest error, be binding on both of us. Each of us shall bear our respective costs in connection with the arbitration. The venue for the arbitration shall be in Nairobi, and the language of the arbitration shall be in English.
Severability
If any portion of these Terms of Use is held by any court or tribunal to be invalid or unenforceable, either in whole or in part, then that part shall be severed from these Terms of Use and shall not affect the validity or enforceability of any other part in this Terms of Use.
Suspension of the website and/or services
We may, without liability, temporarily suspend the website and/or services for any reason, including for repairs or upgrades to the website and/or services or as a result of the third-party services that we make use of. Paystack will take reasonable efforts to notify Users of such suspensions in advance.
Merchant Services Agreement
Introduction
Paystack Payments Kenya Limited (“Paystack”) is a limited liability company incorporated under the laws of Kenya and licensed by the Central Bank of Kenya to operate as a Payment Service Provider. Paystack facilitates payments and provides payment infrastructure to Merchants (the “Services” or “Paystack Services”).
This Merchant Services Agreement (“MSA” or “this Agreement”) is a legal and binding agreement between Paystack and you, (“you”, “the Merchant”) who has set up a Paystack account to access the Services offered by Paystack (“Paystack Account”). It provides a general description of the Services that Paystack may provide to you, including those that allow you to accept payments from purchasers of your goods or services or donors to your organization (your “Customers”).
This Agreement incorporates:
Paystack’s Terms of Service and Acceptable Use Policy (as amended from time to time) which is linked to above.
Paystack’s Terms of Use, Data Privacy, Protection & Cookie Policy and Dispute Policy (as amended from time to time).
The Data Processing Agreement (as amended from time to time), a copy of which can be found here.
This MSA is divided into five (5) sections.
Section A: General Terms and Conditions.
Section B: Payment Processing Services
Card Payments.
Bank and USSD payments.
QR payments.
Other payment processing activities
Section C: Paystack’s Technology
Section D: Settlement, Fees, Taxes and Disputes
Section E: Data Usage, Privacy and Security
Annexure A: Definitions
Section A: General Terms and Conditions
1. Your Paystack Account:
1.1 Registration and Permitted Activities:
Only businesses (including sole proprietors), bona fide charitable organizations, and other entities or persons located in Kenya are eligible to create a Paystack Account and use the Services described in this Agreement. Paystack and its affiliates may provide Services to you or your affiliates in other countries or regions under separate agreements.
To register for a Paystack Account, you or the person or people submitting the application (your “Representative”) must provide us with your business or trade name, physical address, email, phone number, business registration or registered company number, URL, the nature of your business or activities, and certain other information about you that we require. We may also collect personal information (including name, date of birth, and government-issued identification number) about your beneficial owners, principals, and your Paystack Account administrator or Representative. Until you have submitted, and we have reviewed and approved all required information, your Paystack Account will be available to you on a preliminary basis only, and we may terminate it at any time and for any reason.
If you use our Payment Services, your name (or the name used to identify you) may appear on your Customers’ bank or other statements. To minimize confusion and avoid potential disputes, these descriptors must be recognizable to your Customers and must accurately describe your business or activities. You may only use Paystack’s Payment Services to facilitate Transactions (as defined below in paragraph 2) with your Customers. You may not use Paystack’s Payment Services for any prohibited business activities as set out in clause 4.2 of Section A below.
1.2 Business Representatives and Underage:
You and your Representative individually affirm to Paystack that your Representative is authorised to provide the information described in Section 1.1 above on your behalf and to bind you to this Agreement. We may require you or your Representative to provide additional information or documentation demonstrating your Representative’s authority. Without the express written consent of Paystack, neither you nor your Representative may register or attempt to register for a Paystack Account on behalf of a user Paystack previously terminated from use of the Services.
If you are a sole proprietor, you are personally responsible and liable for your Representative’s use of the Services and your obligations to Customers, including payment of any amounts owed under this Agreement.
You may not use the Services if you are under 18 years of age.
1.3 Validation and Underwriting:
At any time during the term of this Agreement and your use of the Services, we may require additional information from you to verify beneficial ownership or control of the business, validate information you provided, verify you or your Representative’s identity, and assess your financial condition and the risk associated with your business. This additional information may include business invoices or utility bills, copies of government-issued identification, business licences, or other information related to your business, its beneficial owners or principals. If you use Paystack’s payment processing Services, we may also request that you provide copies of financial statements, reporting and validating documentation that allows us to calculate outstanding credit exposure/risk of loss, or other records pertaining to your compliance with this Agreement. We may also require you to provide a personal or company guarantee. Your failure to provide this information or material may result in suspension or termination of your Paystack Account.
You authorise us to retrieve information about you from our service providers and other third parties, including credit reporting agencies and information bureaus and you authorise and direct such third parties to compile and provide such information to us. You acknowledge that this may include your name, addresses, credit history, and other data about you or your Representative. You acknowledge that we may use your information to verify any other information you provide to us, and that any information we collect may affect our assessment of your overall risk to our business. You acknowledge that in some cases, such information may lead to suspension or termination of your Paystack Account. Paystack may periodically update this information as part of our underwriting criteria and risk analysis procedures.
1.4 Changes to your Business, Keeping your Paystack Account Current:
You agree to keep the information in your Paystack Account current. You must promptly update your Paystack Account with any changes affecting you, the nature of your business activities, your Representatives, beneficial owners, principals, or any other pertinent information. We may suspend your Paystack Account or terminate this Agreement if you fail to keep this information current.
You also agree to promptly notify us in writing immediately and in any event no more than three days after any of the following occur:
you are the subject of any voluntary or involuntary winding up or insolvency application, petition or proceeding, receivership, or similar action (any of the foregoing, an “Insolvency Proceeding”);
there is an adverse change in your financial condition (or you reasonably expect there to be such a change in the future);
there is a planned or anticipated liquidation or substantial change in the basic nature of your business;
you transfer or sell 25% or more of your total assets, or there is any change in the control or ownership of your business or parent entity;
there is a change in the regulatory status of your business or your business has been notified that it is the subject of an investigation or enforcement action by a regulator or law enforcement;
you receive a judgment, writ or warrant of attachment or execution, lien or levy against 25% or more of your total assets; or
you establish a presence in a jurisdiction outside of Kenya in respect of which you intend to submit Transactions.
2. Your Relationship with Your Customers
You may only use the Services for legitimate Transactions with your Customers. You know your Customers better than we do, and you are responsible for your relationship with them. You are expected to conduct appropriate KYC on your Customers as required under the AML Regulations and obtain KYC information including but not limited to customer name, email address, phone number, service purchased and delivery address. You agree to provide Paystack with the KYC information when required.
Paystack is not responsible for the products or services you publicize or sell, or that your Customers purchase using the Services; or if you accept donations, for your communication to your Customers of the intended use of such donations. You affirm that you are solely responsible for the nature and quality of the products or services you provide, and for delivery, support, refunds, returns, and for any other ancillary services you provide to your Customers.
Paystack provides Services to you but we have no way of knowing if any particular purchase, sale, donation, order, or other transaction (each a “Transaction”) is accurate or complete, or typical for your business. You are responsible for knowing whether a Transaction initiated by your Customer is erroneous (such as a Customer purchasing one item when they meant to order another) or suspicious (such as unusual or large purchases, or a request for delivery to a foreign country where this typically does not occur). If you are unsure if a Transaction is erroneous or suspicious, you agree to review the Transaction and, if necessary, contact your Customer before fulfilling or completing the Transaction. You are solely responsible for any losses you incur due to erroneous or fraudulent Transactions in connection with your use of the Services and you undertake to fully indemnify us for any loss we may suffer.
3. Services and Paystack Account Support
We will provide you with support to resolve general issues relating to your Paystack Account and your use of the Services. This support includes resources and documentation that we make available to you through the current versions of Paystack’s support pages, API document, and other pages on our website (collectively, “Documentation”). The most efficient way to get answers to your questions is to review our Documentation. If you still have questions after reviewing the Documentation, please contact us by sending an email to [email protected]
You are solely responsible for providing support to Customers regarding Transaction receipts, product or service delivery, support, returns, refunds, and any other issues related to your products and services and business activities. We are not responsible for providing support for the Services to your Customers unless we agree to do so in a separate agreement with you or one of your Customers.
4. Services Requirements, Limitations and Restrictions
4.1 Compliance with Applicable Laws: You must use the Services in a lawful manner, and must obey all Laws applicable to your use of the Services and to Transactions. As applicable, this may include compliance with domestic and international Laws related to the use or provision of financial services, notification and consumer protection, unfair competition, privacy, and false advertising, and any other Laws relevant to Transactions.
4.2 Restricted Businesses and Activities: You may not use the Services to enable any person (including you) to benefit from any activities Paystack has identified as restricted or prohibited business (“Restricted Businesses”). Restricted Businesses include use of the Services in or for the benefit of a country, organization, entity, or person embargoed or blocked by any government, including those on sanctions lists identified by the United States Office of Foreign Asset Control (OFAC).
Please review the list of Restricted Businesses thoroughly before registering for and opening a Paystack Account. If you are uncertain whether a category of business or activity is restricted or have questions about how these restrictions apply to you, please contact us. We may add to or update the Restricted Business List at any time.
4.3 Other Restricted Activities: You may not use the Services to facilitate illegal Transactions. In addition, you may not allow, and may not allow others to:
access or attempt to access non-public Paystack systems, programs, data, or services;
copy, reproduce, republish, reverse engineer, upload, post, transmit, resell, or distribute in any way, any data, content, or any part of the Services, Documentation, or our website except as expressly permitted by applicable Laws;
transfer any rights granted to you under this Agreement;
work around any of the technical limitations of the Services or enable functionality that is disabled or prohibited;
reverse engineer or attempt to reverse engineer the Services;
perform or attempt to perform any actions that would interfere with the normal operation of the Services or affect use of the Services by our other users; or
impose an unreasonable or disproportionately large load on the Service.
5. Suspicion of Unauthorized or Illegal Use
We may refuse, condition, or suspend any Transactions that we believe: (a) may violate this Agreement or other agreements you may have with Paystack; (b) are unauthorised, fraudulent or illegal including Transactions that may violate any applicable law including the Anti-Money Laundering and Combating of Terrorism (AML/CFT) Financing Laws (Amendment) Act, 2023, AML Regulations, the Prevention of Terrorism Act Number 30 of 2012, the Data Protection Act, No 24 of 2019, and the Consumer Protection Act Number 46 of 2012; or (c) expose you, Paystack, or others to risks unacceptable to Paystack. If we suspect or know that you are using or have used the Services for unauthorised, fraudulent, or illegal purposes, we may share any information related to such activity with the appropriate financial institution, regulatory authority, or law enforcement agency consistent with our legal obligations. This information may include information about you, your Paystack Account, your Customers, and Transactions made through your use of the Services.
6. Disclosures and Notices; Consent:
6.1 Consent to Electronic Disclosures and Notices: By registering for a Paystack Account, you agree that such registration constitutes your consent, and you consent to electronic provision of all disclosures and notices from Paystack (“Notices”), including those required by Law. You also agree that your electronic consent will have the same legal effect as a physical.
6.2 Methods of Delivery: You agree that Paystack can provide Notices regarding the Services to you through our website or through the Dashboard (as defined below), or by mailing Notices to the email or physical addresses identified in your Paystack Account. Notices may include notifications about your Paystack Account, changes to the Services, or other information we are required to provide to you. You also agree that electronic delivery of a Notice has the same legal effect as if we provided you with a hard copy. We will consider a Notice to have been received by you within 24 hours of the time a Notice is either posted to our website or emailed to you.
6.3 SMS and Text Messages: In the event of a suspected or actual fraud or security threat to your Paystack Account, Paystack will use SMS, email or another secure procedure to contact you. Standard text or data charges may apply to such Notices.
6.4 Requirements for Delivery: It should come as no surprise to you that you will need a computer or mobile device, internet connectivity, and an updated browser to access your Dashboard and review the Notices provided to you. If you are having problems viewing or accessing any Notices, please contact us and we can find another means of delivery.
6.5 Withdrawing Consent: Due to the nature of the Services, you will not be able to use the Services without agreeing to electronic delivery of Notices. By selecting the checkbox feature at the point of creating your Paystack Account you have consented to using the Services. However, you may choose to withdraw your consent to receive Notices electronically by terminating your Paystack Account.
7. Confidentiality and Non-Disclosure
7.1 Each Party, You and Paystack (the “Receiving Party”) will take all reasonable precautions to protect Confidential Information of the other party (the “Disclosing Party”), including all precautions the Receiving Party employs with respect to its confidential materials of a similar nature. The Receiving Party will not disclose the Disclosing Party’s Confidential Information to any third party without the Disclosing Party’s prior written permission, except permission will not be required when the disclosure is: (a) to the Receiving Party’s Affiliates; and (b) where Paystack is the Receiving Party, to Payment Method Acquirers and Payment Method Providers, and their respective Affiliates, and to Paystack third party service providers. In all cases, the Receiving Party must ensure that the third-party recipients do not use or disclose the Confidential Information other than in accordance with this Agreement. The Receiving Party may also disclose the Disclosing Party’s Confidential Information to the extent required by Law or court order, as long as the Receiving Party uses reasonable efforts to limit disclosure and to obtain confidential treatment or a protective order and has, to the extent reasonably possible, allowed the Disclosing Party to participate in the proceeding.
7.2 The restrictions and obligations in Clause 7.2 will not apply with respect to any information that the Receiving Party documents or receives: (a) is, through no improper action or inaction by the Receiving Party or its Affiliate, agent, consultant or employee, generally available to the public; (b) was in its possession or known by it without restriction prior to receipt from the Disclosing Party; (c) was rightfully disclosed to it by a third party without breach of any obligation of confidentiality; or (d) was independently developed by the Receiving Party’s employees who have had no access to such information.
8. Dormant or Inactive Accounts
Where a Paystack Account is dormant or inactive and deemed to be abandoned under the provisions of the Unclaimed Financial Assets Act, Paystack shall use its reasonable efforts to locate the account holder and notify the account holder of the Paystack Account. If Paystack is unsuccessful in locating the Paystack Account holder, Paystack shall deal with the abandoned property in accordance with the provisions of the Unclaimed Financial Assets Act.
Where Paystack receives notification of the death or mental incapacity of a Paystack Account Holder, Paystack shall suspend all account activity until satisfied that the relevant provisions of the Law of Succession Act Chapter 160 of the Laws of Kenya or the Mental Health Act, Chapter 248 of the Laws of Kenya (as the case may be) have been followed.
A person claiming access to funds by virtue of being a successor (in the event of death) or manager (in the event of permanent incapacity) shall, upon request by Paystack, produce letters of administration/grant of probate (in the event of death) or a court order authorizing the person to manage the estate (in the event of permanent incapacity) or such other document as may be prescribed.
9. Complaints Handling Mechanism
Complaints shall be made by calling +2548789527, +254711577577/+254713208208 or sending an email to [email protected].
We will take all reasonable measures within our means to resolve your complaints within thirty (30) days of receiving the Complaints and in accordance with the NPS Regulations.
10. Termination
10.1 This Agreement is effective upon the date you first access or use the Services and continues until terminated by you or Paystack. You may terminate this Agreement by closing your Paystack Account at any time and ceasing to use the Service. If you use the Services again or register for another Paystack Account, you are consenting to this Agreement. We may terminate this Agreement or close your Paystack Account at any time for any reason (including, without limitation, for any activity that may create harm or loss to the goodwill of a Payment Method) by providing you advance Notice (which shall not be less than 24 hours). We may suspend your Paystack Account and your ability to access the Services, or terminate this Agreement, on immediate Notice if:
we determine in our sole discretion that you are ineligible for the Services because of significant fraud or credit risk, or any other risks associated with your Paystack Account;
you use the Services in a prohibited manner or otherwise do not comply with any of the provisions of this Agreement;
any Law, Payment Method Provider or Payment Method Acquirer requires us to do so; or
we are otherwise entitled to do so under this Agreement. A Payment Method Provider or Payment Method Acquirer may terminate your ability to accept a Payment Method, at any time and for any reason, in which case you will no longer be able to accept the Payment Method under this Agreement;
we receive a regulatory directive to do so;
you suspend, or threaten to suspend, payment of your debts or you are unable to pay your debts as they fall due or you admit an inability to pay its debts or you are otherwise deemed to be insolvent in accordance with the laws applying to you; or
your Dispute rate consistently crosses acceptable thresholds set by the Card Networks and Paystack, or you keep receiving excessive Disputes.
10.2 Effect of Termination:
Termination does not immediately relieve you of obligations incurred by you under this Agreement. Upon termination, you agree to (i) complete all pending Transactions, (ii) stop accepting new Transactions, and (iii) immediately remove all Paystack and Payment Method’s logos from your website (unless permitted under a separate licence with the Payment Method). Your continued or renewed use of the Services after all pending Transactions have been processed serves to renew your consent to the terms of this Agreement. If you terminate this Agreement, we will liaise with our Acquirers to pay out any remaining funds owed to you in accordance with Section E.
In addition, upon termination, you understand and agree that (i) all licences granted to you by Paystack under this Agreement will end; (ii) subject to Section E, we reserve the right (but have no obligation) to delete all of your information and account data stored on our servers; (iii) we will not be liable to you for compensation, reimbursement, or damages related to your use of the Services, or any termination or suspension of the Services or deletion of your information or account data; and (iv) you are still liable to us for any Fees or fines, or other financial obligation incurred by you or through your use of the Services prior to termination including but not limited to Disputes.
Upon termination of this Agreement or your Paystack Account, we reserve the right to withhold a percentage of your pending settlements to service any incurred disputes. This is subject to your dispute volume and value.
Any provision of this agreement that expressly or by implication is intended to come into or continue in force on or after termination or expiry of this agreement (including Sections A(7)) shall remain in full force and effect.
11. Right to Amend
We have the right to change or add to the terms of this Agreement at any time and to change, delete, discontinue, or impose conditions on use of the Services by posting such changes on our website. We will provide you with Notice of any changes through the Dashboard, via email, or through other reasonable means. If you are an existing Paystack user, the changes will come into effect on the date we specify in the Notice which shall be within at least 7 days of the Notice, and your use of the Services, API, or Data after a change has taken effect, constitutes your acceptance of the terms of the modified Agreement. You can access a copy of the current terms of this Agreement on our website at any time. You can find out when this Agreement was last changed by checking the “Last updated” date at the top of the Agreement.
12. Assignment
You may not assign this Agreement, any rights or licences granted in this Agreement, or operation of your Paystack Account to others without our prior written consent. If you wish to make such an assignment, please contact us. If we consent to the assignment, the assignee must agree to assume all of your rights and obligations owed by you related to the assignment, and must agree to comply with the terms of this Agreement. Paystack may assign this Agreement without your consent or any other restriction. If we make an assignment, we will provide reasonable Notice to you.
13. Right to Audit
If:
we believe that a security breach, leak, loss, or compromise of Data has occurred on your systems, website, or app affecting your compliance with this Agreement (including any Card Scheme Rules or the rules of a Payment Method Provider which you are required to comply with under the terms of this Agreement);
we believe that you have breached a requirement of PCI-DSS or PA-DSS which you are subject to under this Agreement;
or an audit is required by a Payment Method Provider, a Card Scheme or a regulator,
then we may require you to permit a third-party auditor approved by us to conduct a security audit of your systems and facilities, and you must fully cooperate with any requests for information or assistance that the auditor makes to you as part of the security audit. The auditor will issue a report to us which we may share with our Payment Method Providers, Payment Methods Acquirers and any government body or regulatory agency. You shall indemnify us for all costs which we incur as a result of said audit.
14. No Agency; Third Party Services
Except as expressly stated in this Agreement, nothing in this Agreement serves to establish a partnership, joint venture, or other agency relationship between you and us, or with any Payment Method Provider. Each party to this Agreement, and each Payment Method Provider and Payment Method Acquirer, is an independent contractor. Unless a Payment Method Provider or Payment Method Acquirer expressly agrees, neither you nor we have the ability to bind a Payment Method Provider or Payment Method Acquirer to any contract or obligation, and neither party will represent that you or we have such an ability.
We may reference or provide access to third-party services, products, and promotions that utilize, integrate, or provide ancillary services to the Services (“Third-Party Services”). These Third-Party Services are provided for your convenience only and do not constitute our approval, endorsement, or recommendation of any such Third-Party Services for you. You access and use any Third-Party Service based on your own evaluation and at your own risk. You understand that your use of any Third-Party Service is not governed by this Agreement. If you decide to use a Third-Party Service, you will be responsible for reviewing, understanding and accepting the terms and conditions associated with its use. We expressly disclaim all responsibility and liability for your use of any Third-Party Service. Please also remember that when you use a Third-Party Service, our Privacy Policy is no longer in effect. Your use of a Third-Party Service, including those that have a link on our website, is subject to that Third-Party Service’s own terms of use and privacy policies.
15. Force Majeure
Neither party will be liable for any delays in processing or other non-performance caused by telecommunications, utility failures, or equipment failures; labour strife, riots, war, or terrorist attacks; non-performance of our vendors or suppliers, epidemic, pandemic, fires or acts of nature; or any other event over which the respective party has no reasonable control. However, nothing in this section will affect or excuse your liabilities or your obligation to pay Fees, Fines, Disputes, Refunds, Reversals, or Returns under this Agreement.
16. Your Liability For Third-Party Claims Against us
Without limiting, and in addition to, any other obligations that you may owe under this Agreement, you are at all times responsible for the acts and omissions of your employees, Representatives, contractors and agents, to the extent such persons are acting within the scope of their relationship with you.
You agree to defend Paystack, our Affiliates, and their respective employees, agents, and service providers (each a “Paystack Entity”) against any claim, suit, demand, loss, liability, damage, action, or proceeding (each, a “Claim”) brought by a third party against a Paystack Entity as a result of your use of the Services or your actions, and you agree to fully reimburse the Paystack Entities for any Claims that result from: (a) your breach of any provision of this Agreement; (b) any Fees, Fines, Disputes, Refunds, Reversals, Returns, or any other liability we incur that results from your use of the Services; (c) negligent or wilful misconduct of your employees, Representatives, contractors, or agents; (d) contractual or other relationships between you and Customers; (e) failure to obtain any regulatory approvals or permits required to operate your business; or (f) court order claims, fines or legal sanctions arising from your use of the Service.
Important Note for Sole Proprietors: If you are using the Services as a sole proprietor, please keep in mind that the Law and the terms of this Agreement consider you and your business to be legally one and the same. You are personally responsible and liable for your use of the Services, payment of Fees, Refunds, Reversals, Fines, losses based on Disputes or fraud, or for any other amounts you owe under this Agreement and for all other obligations to us and to your Customers. You risk personal financial loss if you fail to pay any amounts owed.
17. Representations, Warranties and Undertakings
Each party warrants to the other party, for the duration of this Agreement, that (a) it has the power and capacity to enter into this Agreement and has obtained all necessary approvals to do so; (b) it has not entered into and shall not enter into any arrangement which may conflict with this Agreement; and (c) it has obtained or will obtain the necessary authorisations, approvals, consents or permissions in relation to the services as contemplated under this Agreement.
By accepting the terms of this Agreement, you represent and warrant that: (a) you are eligible to register and use the Services and have the authority to execute and perform the obligations required by this Agreement; (b) any information you provide us about your business, products, or services is accurate and complete; (c) any Charges represent a Transaction for permitted products, services, or donations, and any related information accurately describes the Transaction; (d) you will fulfil all of your obligations to Customers and will resolve all Disputes with them; (e) you will comply with all Laws applicable to your business and use of the Services; (f) your employees, contractors and agents will at all times act consistently with the terms of this Agreement; (g) you will not use the Services for illegal or unauthorised transactions or services and (h) you will not use the Services, directly or indirectly, for any fraudulent or illegal undertaking, or in any manner that interferes with the normal operation of the Services.
IP and Services
We provide the Services and Paystack’s IP “as is” and “as available”, without any express, implied, or statutory warranties of title, merchantability, fitness for a particular purpose, noninfringement, or any other type of warranty or guarantee. No data, documentation or any other information provided by Paystack or obtained by you from or through the services — whether from Paystack or another Paystack Entity, and whether oral or written — creates or implies any warranty from a Paystack Entity to you.
You affirm that no Paystack Entity controls the products or services that you offer or sell or that your Customers purchase using the Payment Processing Services. You understand that we cannot guarantee and we disclaim any knowledge that your Customers possess the authority to make, or will complete, any transaction.
The Paystack Entities disclaim any knowledge of, and do not guarantee: (a) the accuracy, reliability, or correctness of any data provided through the Services; (b) that the Services will meet your specific business needs or requirements; (c) that the Services will be available at any particular time or location, or will function in an uninterrupted manner or be secure; (d) that Paystack will correct any defects or errors in the Service, API, documentation, or data; or (e) that the Services are free of viruses or other harmful code. Use of data you access or download through the Services is done at your own risk — you are solely responsible for any damage to your property, loss of data, or any other loss that results from such access or download. You understand that the Paystack Entities make no guarantees to you regarding transaction processing times or pay-outs.
Nothing in this Agreement operates to exclude, restrict or modify the application of any implied condition, warranty or guarantee, or the exercise of any right or remedy, or the imposition of any liability under law where to do so would: (a) contravene that law; or (b) cause any term of this Agreement to be void.
18. Limitation of Liability
Under no circumstances will any Paystack Entity be responsible or liable to you for any indirect, punitive, incidental, special, consequential, or exemplary damages resulting from your use or inability to use the Services or for the unavailability of the Services, for lost profits, personal injury, or property damage, or for any other damages arising out of, in connection with, or relating to this Agreement or your use of the Services, even if such damages are foreseeable, and whether or not you or the Paystack Entities have been advised of the possibility of such damages. The Paystack Entities are not liable, and deny responsibility for, any damages, harm, or losses to you arising from or relating to hacking, tampering, or other unauthorised access or use of the Services, your Paystack Account, or Data, or your failure to use or implement anti-fraud measures, Security Controls, or any other data security measure. The Paystack Entities shall not be liable for damages to you or others caused by (a) your access or use of the Services inconsistent with the Documentation; (b) any unauthorised access of servers, infrastructure, or Data used in connection with the Services; (c) interruptions to or cessation of the Services; (d) any bugs, viruses, or other harmful code that may be transmitted to or through the Services; (e) any errors, inaccuracies, omissions, or losses in or to any Data provided to us; (f) third-party content provided by you; (g) the defamatory, offensive, or illegal conduct of others; (h) any negligent or wilful misconduct of your employees, Representatives, contractors, or agents; or (i) unforeseen circumstances that prevent the execution of a payment transaction despite any reasonable precautions taken by a party and such circumstances may include but are not limited to Force Majeure.
You agree to limit any additional liability not disclaimed or denied by the Paystack Entities under this Agreement to your direct and documented damages; and you further agree that under no circumstances will any such liability exceed in the aggregate the amount of Fees paid by you to Paystack during the three-month period immediately preceding the event that gave rise to your claim for damages.
These limitations on our liability to you will apply regardless of the legal theory on which your claim is based, including contract, tort (including negligence), strict liability, or any other theory or basis.
19. General Indemnity
In consideration of Paystack providing the Services, you undertake to indemnify us and hold us harmless against any loss, charge, damage, expense, fee or claim which we may suffer or incur or sustain thereby and you absolve us from all liability for loss or damage which you may sustain in connection with our provision of the Services in accordance with this Agreement.
The indemnity in this clause shall also cover all demands, claims, actions, losses and damages of whatever nature which may be brought against any of us or which we may suffer or incur arising from its acting or not acting on any request or arising from the malfunction or failure or unavailability of any hardware, software, or equipment, the loss or destruction of any data, power failures, corruption of storage media, natural phenomena, riots, acts of vandalism, sabotage, terrorism, any other event beyond our control, interruption or distortion of communication links or arising from reliance on any person or any incorrect, illegible, incomplete or inaccurate information or data contained in any request received by us.
The Indemnity in this clause shall also cover any loss or damage that may arise from your use, misuse, abuse or possession of any third party software, including without limitation, any operating system, browser software or any other software packages or programs, any unauthorized access to your Paystack Account or any breach of security or any destruction or accessing of your data or any destruction or theft of or damage to any of your equipment, any loss or damage occasioned by the failure by you to adhere to this Agreement, any negligent or wilful misconduct of your employees, Representatives, contractors, or agents, supplying of incorrect information or loss or damage occasioned by the failure or unavailability of third party facilities or systems or the inability of a third party to process a transaction or any loss which may be incurred by us as a consequence of any breach of this Agreement by you.
20. Responding to Legal Process
Paystack may respond to and comply with any writ of attachment, lien, levy, subpoena, warrant, or other legal order (“Legal Process”) that we believe to be valid. We or any Payment Method Provider (or, where applicable, the Payment Method Acquirer for the Payment Method) may deliver or hold any funds or, subject to the terms of our Privacy Policy, any Data as required under such Legal Process, even if you are receiving funds or Data on behalf of other parties. Where practicable, we will make reasonable efforts to provide you Notice of such Legal Process by sending a copy to the email address we have on file for you. Paystack is not responsible for any losses, whether direct or indirect, that you may incur as a result of our response or compliance with a Legal Process.
21. Dispute Resolution: The laws applicable in The Republic of Kenya will govern this Agreement, without reference to its conflict of law principles to the contrary.
Should any dispute, claims or complaints arise, you may contact the details provided under clause 9 above in accordance with Paystack’s complaint handling procedures.
Any dispute arising out of or in connection with this Agreement that is not resolved through Paystack’s complaint handling procedures may be:
submitted to any dispute resolution mechanisms provided by Paystack in partnership with other Payment Method Providers;
referred to arbitration under the following terms:
a) Such arbitration shall be resolved under provisions of the Kenyan Arbitration Act 1995 (as amended from time to time);
b) The tribunal shall consist of one (1) arbitrator to be appointed by mutual agreement (you and Paystack) failing which within fourteen (14) Business Days such arbitrator shall be appointed by the chairman for the time being of the Chartered Institute of Arbitrators of Kenya upon application of either party;
c) The place and seat of arbitration shall be in Nairobi and the language of arbitration shall be in English;
d) The award of the arbitration tribunal shall be final and binding upon the parties to the extent permitted by law and any party may apply to a court of competent jurisdiction for enforcement of such award. The award of the arbitration tribunal may take the form of an order to pay an amount or to prohibit certain activities;
e) Notwithstanding the above provisions of this clause, a party is entitled to seek preliminary injunctive relief or interim or conservatory measures from any court of competent jurisdiction pending the final decision or award of the arbitrator.
22. Additional Services: From time to time Paystack may offer additional features or services that may be subject to additional or different terms of service and fees. You will not use these additional features and services unless you agree to the applicable terms. Paystack may also provide access to features or services that are identified as “beta” or “pre-release”. You understand that beta/pre-release services are still in development, may have bugs or errors, may be feature incomplete, may materially change or be discontinued prior to a full commercial launch, or may never be released commercially. Despite any other provision of this Agreement, any use of or reliance on beta or pre-release features or services is done at your own risk, and these features or services are provided as is, without warranty of any kind, and the indemnity in this Agreement does not extend to any beta or pre-release features or services.
23. Cumulative Rights, Construction, Waivers; Costs: The rights and remedies of the Parties under this Agreement are cumulative, and each Party may enforce any of its rights or remedies under this Agreement, along with all other rights and remedies available to it at Law, in equity or under the Payment Method Rules. No provision of this Agreement will be construed against any party on the basis of that party being the drafter. Unless stated otherwise, the word “including” means “including, without limitation.” The failure of either Party to enforce any provision of this Agreement will not constitute a waiver of that Party’s rights to subsequently enforce the provision.
24. Entire Agreement
This Agreement and all policies and procedures that are incorporated by reference constitute the entire agreement between you and Paystack for provision and use of the Services. Except where expressly stated otherwise in a written executed document between you and Paystack, this Agreement will prevail over any conflicting policy or agreement for the provision or use of the Services. This Agreement sets forth your exclusive remedies with respect to the Services. If any provision or portion of this Agreement is held to be invalid or unenforceable under Law, then it will be reformed and interpreted to accomplish the objectives of such provision to the greatest extent possible, and all remaining provisions will continue in full force and effect.
25. Language
The parties hereby acknowledge that they have required this Agreement and all related documents to be in the English language.
26. Employing Paystack’s Employees
You shall not offer any employment to any employee of Paystack that was directly involved in providing Services to you, in terms of this Agreement for a period of six (6) months, after the employee has left the employ of Paystack, without the prior written consent of Paystack.
27. Anti-Bribery Provisions and Sanctions
You represent and undertake to Paystack that:
you will comply with Anti-Corruption Laws;
you shall not undertake any act or engage (directly or in agreement with others or any third party) in any activities directly or indirectly with respect to any matters, either in private or public dealings which would violate any Anti-Corruption Laws or be considered as being unethical, fraudulent, illegal or improper;
you are not and will not be involved in any illegal or terrorist activities;
none of your bank accounts is being used fraudulently, negligently, for illegal or terrorist activities or for any purpose that does not comply with any law;
you will not use the Services or contribute or otherwise make available, directly or indirectly, the proceeds from the Services to any other person or entity if such party uses or intends to use such proceeds for the purpose of financing the activities of any person or entity which is subject to any sanctions list specified by OFAC.
Section B: Payment Processing Services
Paystack works with Payment Method Providers or Acquirers to provide you with access to Payment Methods and Payment Processing Services.
Your use of a Payment Method may be subject to separate terms applicable to the Payment Method. We may add or remove Payment Method Providers and Payment Method Acquirers at any time. The terms for a Payment Method or Payment Processing Services may be amended from time to time. Your continued use of the Payment Processing Services or Method constitutes your consent and agreement to such additions, removals and amendments.
Specific Payment Methods
Cards Payments: When accepting Card payments, you must comply with all applicable Card Scheme Rules including rules specified by the Payment Method Providers and Payment Method Acquirers (Visa and Mastercard or any other Card Scheme). Here are a few things to note about Card payments:
The Card Schemes may amend their Rules at any time without notice to you, and Paystack reserves the right to change the Card Payment option at any time to comply with the Card Scheme Rules. You agree to fully comply with all applicable Card Schemes Rules and regulations, Card usage and acceptance requirements and merchant monitoring standards;
We may share with the Card Schemes (and the Payment Method Acquirer) information you provide to us that we use to identify the nature of your products or services, including the assignment of your business activities to a particular payment network merchant category code (MCC). You remain responsible for ensuring that the products or services you provide to your Customers are in compliance with the Scheme Rules and applicable laws in Kenya and the countries your Customers are based in;
Cardholders or Customers typically raise payment card network Disputes (also known as “chargebacks”) when a merchant fails to provide the product or service to the Customer, or where the Cardholder did not authorise the Charge. High Dispute rates (typically those exceeding 1% total payment volume) may result in your inability to accept Card Payments or use other Payment Processing Services. Failure to timely and effectively manage Disputes with your Customers or Cardholders may ultimately result in your inability to accept Card Payments for your business. You agree to resolve chargeback disputes via Paystack’s portal and be liable for the transaction where you fail to respond within the stipulated period for resolving the chargeback dispute (16 hours) or provide inaccurate or insufficient information for resolving chargebacks;
The Card Scheme Rules state that you may only accept Card payments for bona fide legal commercial transactions between you and your Customers for goods or services that are free of liens, claims, and encumbrances. Also, you can only use trademarks or service of the Card Schemes or Payment Method Acquirer as permitted by their Rules.
It is a requirement under the Card Scheme Rules not to discriminate by Card type or charge surcharges for acceptance of payments by Cards. Also, you have an obligation not to sell, divulge (whether wilfully or negligently), release, misuse, negligently handle, provide or exchange any information relating to Cards to third parties without the prior written consent of the Cardholder;
Also, you may be required to establish a direct relationship with a Payment Method Acquirer if your business turnover exceeds the threshold specified by the relevant Card Scheme;
The Card Schemes restrict us from onboarding another payment service provider as a merchant. In view of this, you must refrain from acting as a payment service provider and providing any form of payment aggregation services.
You are also required to provide on your website the following information to a Cardholder for every Transaction: Your official name, complete description of the goods sold and services offered, merchandise return and refund policy, customer service contact information, including email address and/or telephone number, address, delivery policy, your consumer data protection policy and all legally required information to be provided to the Cardholder. Based on the information provided, the Cardholder must understand that you, the Merchant, are responsible for the transaction, delivery of the products or services sold, for customer service and dispute resolution applicable to the Transaction. If you accept any recurring Transactions, the Cardholder must be informed how to stop receiving the goods and/or services and discontinue the Charges. There are other requirements of the Card Scheme that apply to you as a merchant. It is important that you stay abreast of your obligations under the Card Scheme Rules and comply with them.
Unstructured Supplementary Service Data (USSD) & Pay with Bank: The USSD and Pay with Bank payment methods are provided by banks (Payment Method Provider). Accordingly, the Payment Method Providers have terms and conditions that apply to USSD and Pay with Bank payment methods. Here are a few things to note about the USSD and Pay with Bank payment methods:
Authorisation and authentication of USSD and Pay with Bank transactions are usually done by the Payment Method Provider. Accordingly, we may not be able to confirm the status of a USSD or Pay with Bank payment until we receive notification from the Payment Method Provider.
There are various factors beyond our control which may affect USSD payments and Pay with Bank payments. We do not accept liability for any damages or losses arising out of delays caused by latency or network issues or other issues that are not within our control.
We may suspend the USSD or Pay with Bank payment options in the event of scheduled maintenance/downtime by the Payment Method Provider, poor service or system issues.
In order for a Customer to pay you using the USSD payment option, the customer must have enrolled with the Payment Method Provider to use the USSD service and requires a pin to complete a transaction. Under no circumstances should you ask the customer to provide you with their USSD pin or transaction code.
Payment by USSD and Pay with Bank payment channels may be subject to certain thresholds that are determined by the Payment Method Provider. We may not be able to process a payment above the threshold set by a Payment Method Provider.
Please ensure that you report any suspicious transactions using these payment methods or other payment methods to us.
Quick Response (QR) Payment: This payment method will enable Customers to pay you by scanning a QR code from a mobile device. Here are a few things to note about the QR payment method:
Customers may use a QR Code to perform a Transaction. You agree to conclude the Transaction in compliance with the terms and conditions of this Agreement and in a manner that complies with all applicable Laws.
You must comply with all applicable rules set by a Payment Method Acquirer or Payment Method Provider for accepting QR code payments. You are required to have the appropriate devices to accept payments using QR Code. Also, it’s important to mention that telecommunication connectivity and data may be required to accept payments using QR code.
You must check all Transaction details and Transaction reports and notify us of any alleged discrepancies immediately when you become aware of the discrepancies, but no later than 30 (thirty) days of the date of the relevant Transaction(s).
You may only Process Customers' Personal Data in compliance with all Laws and regulations and you specifically agree not to process Customer Personal Data unless you obtain the Customer's consent.
We do not guarantee uninterrupted availability of this payment method or other payment methods. We do not accept liability for failed Transactions if Transactions fail for reasons beyond our control, including, but not limited to, a telecommunication connectivity failure.
MPESA: MPESA is provided by Safaricom PLC (Safaricom). Safaricom have terms and conditions that apply to payments via MPESA which can be accessed here (as may be amended from time to time). Here are a few things to note about payments with MPESA:
You must comply with terms and conditions set by Safaricom with respect to MPESA payments.
Authorisation and authentication of MPESA Payment transactions are usually done by Safaricom. Accordingly, we may not be able to confirm the status of a payment until we receive notification from Safaricom.
There are various factors beyond our control which may affect MPESA payments. We do not accept liability for any damages or losses arising out of delays caused by latency or network issues or other issues that are not within our control.
We may suspend the MPESA payment option in the event of scheduled maintenance/downtime by Safaricom, poor service or system issues.
In order for a Customer to pay you using the MPESA payment option, the customer must have enrolled with Safaricom to use the MPESA service and requires a pin to complete a transaction. Under no circumstances should you ask the customer to provide you with their MPESA pin or transaction code.
Payments by MPESA channels are subject to certain thresholds that are set out in the National Payment System Regulations. We may not be able to process a payment above the prescribed thresholds.
Additional transaction costs may be levied by Safaricom in connection with MPESA payments.
Please ensure that you report any suspicious transactions using these payment methods or other payment methods to us.
Section C: Paystack’s Technology
1. API and Dashboard
Paystack has developed and provides access to APIs that may be used to access the Services. You may use the APIs solely as described in the Documentation to use the Services on the website and through the applications identified in your Paystack Account. You may manage your Paystack Account, connect with other service providers, and enable additional features through the Dashboard. Paystack will use the Dashboard to provide you with information about your Paystack Account. Paystack will also provide you with access to monthly summary reports which will include all your Paystack Account activity, grouped by month, up to the most recent full day. The information will be provided in English.
You may not use the API for any purpose, function, or feature not described in the Documentation or otherwise communicated to you by us. Due to the nature of the Services, we will update the API and Documentation from time to time, and may add or remove functionality. We will provide you Notice in the event of material changes, deprecations, or removal of functionality from the API so that you may continue using the Services with minimal interruption.
We will make publishable and secret API keys for live and test Transactions available to you through the Dashboard. Publishable keys identify Transactions with your Customers, and secret keys permit any API call to your Paystack Account. You are responsible for securing your secret keys — do not publish or share them with any unauthorised persons. Failure to secure your secret keys will increase the likelihood of fraud on your Paystack Account and potential losses to you or your Customers. You should contact us immediately if you become aware of any unauthorised use of your secret key or any other breach of security regarding the Services.
2. Ownership of Paystack IP
As between you and Paystack, Paystack and its licensors exclusively own all rights, title, and interest in the patents, copyrights (including rights in derivative works), moral rights, rights of publicity, trademarks or service marks, logos and designs, trade secrets, and other intellectual property embodied by, or contained in the API, Services, Dashboard, and Documentation (collectively, “Paystack IP”) or any copies thereof. Paystack IP is protected by copyright, trade secret, patent, and other intellectual property Laws, and all rights in Paystack IP not expressly granted to you in this Agreement are reserved.
You may choose to or we may invite you to submit comments or ideas about improvements to the Service, our API, our platform, or any other component of our products or Services (“Ideas”). If you submit an Idea to us, we will presume that your submission was voluntary, unsolicited by us, and delivered to us without any restrictions on our use of the Idea. You also agree that Paystack has no fiduciary or any other obligation to you in connection with any Idea you submit to us, and that we are free to use your Ideas without any attribution or compensation to you.
3. License
You are granted a nonexclusive and non-transferable licence to electronically access and use the Paystack IP only in the manner described in this Agreement. Paystack does not sell to you, and you do not have the right to sublicense the Paystack IP. We may make updates to the Paystack IP or new Services available to you automatically as electronically published by Paystack, but we may require action on your part before you may use the Paystack IP or new Services (including activation through the Dashboard, or acceptance of new or additional terms). Paystack may revoke or terminate this licence at any time if you use Paystack IP in a manner prohibited by this Agreement. You may not: (i) claim or register ownership of Paystack IP on your behalf or on behalf of others; (ii) sublicense any rights in Paystack IP granted by us; (iii) import or export any Paystack IP to a person or country in violation of any country’s export control Laws; (iv) use Paystack IP in a manner that violates this Agreement or Laws; or (v) attempt to do any of the foregoing.
4. Paystack’s Marks and Reference to our Relationship
We may make certain Paystack logos or marks (“Paystack’s Marks”) available for use by you and other users to allow you to identify Paystack as a service provider. To use Paystack’s Marks, you must first obtain our written consent. Paystack may limit or revoke your ability to use Paystack’s Marks at any time. You may never use any Paystack Marks or Paystack IP consisting of trademarks or service marks without our express permission in writing, or in a manner that may lead people to confuse the origin of your products or services with ours.
During the term of this Agreement, you may publicly identify us as the provider of the Services to you and we may publicly identify you as a Paystack user. If you do not want us to identify you as a user, please contact us in writing. Neither you nor we will imply any untrue sponsorship, endorsement, or affiliation between you and Paystack. Upon termination of your Paystack Account, both you and Paystack will remove any public references to our relationship from our respective websites.
5. Content
You may use the Services to upload or publish text, images, and other content (collectively, “Content”) to your Paystack Account, storefront and to third-party sites or applications but only if you agree to obtain the appropriate permissions and, if required, licences to upload or publish any such Content using the Services. You agree to fully reimburse Paystack for all fees, fines, losses, claims, and any other costs we may incur that arise from publishing illegal Content through the Services, or claims that Content you published infringes the intellectual property, privacy, or other proprietary rights of others.
Section D: Settlement, Fees, Taxes and Disputes
1. Fees and Fines
Paystack will provide the Services to you at the rates and for the fees (“Fees”) as agreed i.e., 2.9% for local Visa, Mastercard, 3.8% for international Visa, Mastercard; all Amex and 1.5% for MPESA and incorporated into this Agreement as updated from time to time. The Fees include charges for Transactions (such as processing a payment) and for other services connected with your Paystack Account. We may revise the Fees at any time. However, we will provide you with at least 30 days’ advance notice before revisions become applicable to you or such shorter notice as is reasonably possible if the change to the Fees is required to comply with a new Law or regulatory directive.
In addition to the Fees, you are also responsible for any penalties or fines imposed in relation to your Paystack Account on you or Paystack by any Payment Method Provider or Payment Method Acquirer resulting from your use of Payment Processing Services in a manner not permitted by this Agreement or a Payment Method Provider’s rules and regulations. You agree to indemnify Paystack in respect of any such penalties or fines.
If you do not understand the Fees or you have a question about Fees, please contact us.
You are also obligated to pay all taxes, fees and other charges imposed by any governmental authority, including any value added tax on the Services provided under this Agreement.
2. Taxes and Other Expenses
Our fees are exclusive of any applicable taxes, except as expressly stated to the contrary. You have sole responsibility and liability for: (i) determining what, if any, taxes apply to the sale of your products and services, acceptance of donations, or payments you receive in connection with your use of the Services; and (ii) assessing, collecting, reporting, and remitting taxes for your business to the appropriate tax and revenue authorities. If we are required to withhold any taxes, or we are unable to validate any tax-related identification information you provide to us, we may deduct such taxes from amounts otherwise owed and pay them to the appropriate taxing authority. If you are exempt from payment of such taxes, you must provide us with a copy of the certificate that satisfies applicable legal requirements attesting to your tax-exempt status. Upon our reasonable request, you must provide us with information regarding your tax affairs.
We may send documents to you and regulatory authorities for Transactions processed using the Services. We may receive requests from tax and regulatory authorities in relation to your use of the Services. If you use Payment Processing Services, you acknowledge that we will report the total amount of payments you receive as required by appropriate tax and regulatory authorities. We also may, but are not obliged to, electronically send you tax-related information.
3. Settlement, Payouts and Disputes
a. Your Payout Account: We will, with partner banks or Payment Method Acquirer, arrange to settle funds to the bank account in your name (your “Payout Account”). You affirm that you are authorised to receive payments in your Payout Account and that the Payout Account is owned by you, and administered and managed by a licensed financial institution.
Alternatively, or in addition to this standard pay out process, depending on the services available to you, you may request that Paystack transfer or pay out funds (“Payout”) to certain other types of supported accounts and/or supported payment instruments held by you or by third party beneficiaries designated by you (“Recipients”) (such Service, the “Payout Service”). Additional information on supported accounts and/or supported payment instruments is available in our Documentation.
Please make sure that any information about the Payout Accounts that you provide to us is accurate and complete. If you provide us with incorrect information (i) you understand that funds may be settled to the wrong account and that we may not be able to recover the funds from such incorrect transactions and (ii) you agree that you are solely responsible for any losses you or third parties incur due to erroneous settlement transactions, you will not make any claims against us related to such erroneous settlement transactions, and you will fully reimburse us for any losses we incur.
b. Payout Service: When the Payout Service is enabled, you acknowledge and agree to the following conditions and restrictions: (i) Paystack is not responsible for validation of your Payout instructions (such as information to identify your intended Recipient, the date on which you would like your transfer to occur, and the amount of the transfer). Paystack will use this information to attempt to complete the requested transfer or pay out you submit and is not responsible for any incorrect or delayed Payouts due to erroneous, incorrect, unclear, or inconsistent instructions provided by you; (ii) You must not initiate Payout if there are insufficient funds available i.e., in your Paystack Account balance or other supported accounts. As part of this Payout Service, depending on the service available to you, Paystack may offer you the ability to fund your Paystack Account in order to fulfill your pay out instructions. Notwithstanding the foregoing, if a Payout exceeds the amount of available funds in your Paystack Account balance, you will be fully liable to Paystack for such exceeding amount; (iii) Paystack transfers funds as per your instructions for your risk and account and for your benefit. You are responsible to ensure the Payouts for which you provide instructions to Paystack are legal in all respects and comply with applicable law; (iv) You will ensure each Payout does not in any way violate any anti-money laundering laws, terrorism financing laws, or other laws or regulations that may pertain to the transferring of funds, and will, where relevant, perform background checks on the Recipients of funds transferred via the Payout Service to ensure such compliance; (v) in connection with this Payout Service, Paystack is not entering into any legal relationship with the Recipient of the funds.
You will not in any way imply to the Recipient that Paystack has any obligation towards the Recipient with respect to a Payout, and you will handle any communications regarding a Payout directly with the Recipient; (vi) In connection with this Payout Service, Paystack will not invoice or otherwise communicate with the Recipients designated by you to receive a Payout. Paystack will not provide any form of support in relation to the Payout Service towards Recipients of Payouts; and (vii) You may only use the Payout Service to make Payouts to Recipients (a) with which you have a direct business relationship, and (b) where each Payout must be made pursuant to an agreement between you and the Recipient as payment for services rendered, as payment for activities performed by the Recipient, or for making a refund to the Recipient on a payment previously made by such Recipient to you.
c. Payout Schedule: The term “Payout Schedule” refers to the time it takes for our partner banks or Payment Method Acquirer to initiate settlement to your Payout Account. For local transactions, we will work with our partner banks or Payment Method Acquirer to settle your Payout Account not later than 2 Business Days from the transaction date (T+2). International transactions will be settled 7 Business Days from the transaction date.
It is important to mention that acquiring banks or Payment Method Acquirer are responsible for settling your Payout Account based on the Banking Regulations and the NPS Regulations. We work very closely with them to ensure they settle funds to your Payout Account according to the Payout Schedule and the terms of this Agreement. However, please be aware that a Payment Method Provider, a Payment Method Acquirer, or the financial institution holding your Payout Account, may delay settlement for any reason. Most often the delays occur due to technical reasons that are completely out of our control. We are not responsible for any action taken by a Payment Method Provider, a Payment Method Acquirer, or the financial institution holding your Payout Account to not credit the Payout Account or to otherwise not make funds available to you as you expected.
We reserve the right to change the Payout Schedule or to suspend settlement to you. Non-exhaustive examples of situations where we may do so are: (a) where there are pending, anticipated, or excessive Disputes, Refunds, or Reversals; (b) in the event that we suspect or become aware of suspicious activity; or (c) where we are required by Law or court order. We have the right to withhold settlement to your Payout Account upon termination of this Agreement if we reasonably determine that we may incur losses resulting from credit, fraud, or other legal risks associated with your Paystack Account. If we exercise our right to withhold a Payout for any reason, we will communicate the general reason for withholding the Payout and give you a timeline for releasing the funds.
d. Reserve: Where applicable, Paystack will set up a Reserve (which may also be referred to as a “balance”) to account for the risk exposure of Merchant’s Transactions. The Reserve is set based on Paystack’s reasonably assessed and then-current estimate of (i) the total amount of Merchant’s Transactions at any point in time (ii) Refund rates; (iii) Chargeback rates; (iv) potential Fine exposure; and (v) any other relevant liabilities. The Reserve will be periodically adjusted in line with increasing or decreasing Transaction volumes and any changes to the aforementioned factors.
Paystack may from time to time adjust Merchant’s Reserve Level and the underlying assumptions in its sole discretion to bring it in line with its then-current estimates of risk exposure. Upon Merchant’s request, Paystack will inform Merchant of the parameters, available information, estimations, assumptions and calculations used to establish Merchant’s then-current Reserve Level. Paystack will not take such action arbitrarily and will, where reasonably possible considering the grounds for and urgency of the adjustment, request and consider Merchant’s input on Paystack’s amended assessment of Merchant’s risk level prior to amending Merchant’s Reserve.
Paystack may fund the Reserve through any or all of: (i) using funds you provide upon Paystack’s request; (ii) using funds for your Payout or Payout Service; (iii) debiting your Paystack Account balance and/or Payout Accounts. Promptly upon Paystack’s request, Merchant will, from time to time, provide Paystack with all reasonably necessary information regarding Merchant’s financial stability, its then-current ability to provide the Merchant Products and Services to Customers, and any other information Paystack deems reasonably necessary to conduct its risk exposure analysis. Paystack may also change the Reserve Level or terms (a) if Paystack believes that there is, or is likely to be, a change in the underlying risk presented by your use of Paystack services; or (b) as a Payment Method Acquirer or Payment Method Provider requires.
Upon termination of the Agreement or otherwise whenever Paystack no longer processes Transactions for Merchant, the Reserve will be gradually released to Merchant, taking into account the decreased risk on processed Transactions and other Merchant liabilities, until the entire Reserve is released and all obligations and liabilities of Merchant towards Paystack have been fulfilled. Generally, a Reserve will be fully released to Merchant approximately six (6) months following the effective date of termination of the Agreement or the date that Paystack stops processing for Merchant, as applicable, unless specific potential liabilities of Merchant remain at that point in time.
e. Disputes: A Dispute (also known as a Chargeback) is a reversal request of a credit card transaction initiated by the cardholder, often due to value not being delivered or issues with the purchase. It could result in the reversal of the said transaction. You may be assessed for Disputes if (i) value is not given for transactions; (ii) transactions are unauthorised or improperly authorised; (iii) transactions do not comply with Card Network Rules or the terms of this Agreement or are allegedly unlawful or suspicious; (iv) your transactions have been flagged by a regulator or law enforcement agency or (v) any reversals for any reason by the Card Network, our processor, or the acquiring or issuing banks. Where a Dispute occurs, you are immediately liable for all claims, expenses, fines and liability we incur arising out of that Dispute and agree that we may recover these amounts by deducting such sums from the amounts which we would otherwise settle to you (as per (d) below) or by debiting your Payout Account.
As a merchant, you acknowledge and agree that Disputes may arise even long after the date of the specified transaction. Regardless of the termination of this Agreement for any reason, you expressly acknowledge that we retain the right to recover chargebacks, fraud claims, Dispute fees, and related fines from you pertaining to all chargebacks that occur in relation to transactions processed during the term of this Agreement. This obligation shall survive the termination of this Agreement.
f. Payout Amount: You agree that in settling amounts due from us to you under this Agreement, we may deduct any amount which you owe to us under this Agreement (including our fees as stated in the Fee Schedule, any Reversals, Invalidated Payments, Chargebacks, Refunds or other amounts that you owe to Paystack under this Agreement) or any other agreement which you have entered into with us. If the Payout is not sufficient to cover the amounts due from you, you agree that we may debit your Paystack Account balance and/or Bank Account for the applicable amounts, and/or set-off the applicable amounts against future Payouts. Upon our request, you agree to provide us with all necessary bank account and related information and grant us permission to debit amounts due from your Bank Account.
4. Security Interest, Collections and Set-Off Rights
a. Security Interest: At any time upon our request, you will provide us, or you will procure that an entity(ies) or person(s) reasonably satisfactory to us will provide us, with security in such form and over such assets as we require to secure the performance of your obligations and liabilities to us under this Agreement, including all amounts that you owe to us or may owe in the future. You will execute and deliver any documents and pay any associated fees we consider necessary to create, perfect, and maintain security in such form and over such assets as we may reasonably require. We may also delay settlement to you in accordance with Section D(3)(b) above.
b. Collection and Set-Off Rights: You agree to pay all amounts owed to us and to our affiliates on demand. Your failure to pay amounts owed to us or to our affiliates under this Agreement is a breach and you will be liable for any costs we incur during collection in addition to the amount you owe. Collection costs may include attorneys' fees and expenses, costs of any arbitration or court proceeding, collection agency fees, any applicable interest, and any other related cost. Where possible, we will first attempt to collect or set-off amounts owed to us and to our affiliates from settlements due to you.
In certain circumstances, we may require a personal, parent or other guarantee (a “Guarantee”) from a user’s principal, owner, or other guarantor. A Guarantee consists of a legally binding promise by an individual or an entity to pay any amounts the user owes in the event that the user is unable to pay. If we require you to provide us with a Guarantee, we will specifically inform you of the amount of, and the reasons for the Guarantee. If you are unable to provide such a Guarantee when required, you will not be permitted to use the Services.
5. Reconciliation and Error Notification
The Dashboard contains details of transactions, charges, and other activity on your Paystack Account. Except as required by Law, you are solely responsible for reconciling the information in the Dashboard generated by your use of the Services with your records of Customer Transactions, and for identifying any errors.
You agree to review your Paystack Account and immediately notify us of any errors. We will investigate any reported errors, including any errors made by Paystack or a Payment Method Provider, and, when appropriate, attempt to rectify them by crediting or debiting the Payout Account identified in the Dashboard. However, you should be aware that your ability to recover funds you have lost due to an error may be very limited or even impossible, particularly if we did not cause the error, or if funds are no longer available.
For Transaction errors, we will work with you and our Payment Method Providers to correct a Transaction error in accordance with the applicable Payment Method Rules. If you fail to communicate an error to us for our review without undue delay and, in any event, within 6 months after you discovered it and flagged it in the Dashboard, you waive your right to make any claim against us or our Payment Method Providers for any amounts associated with the error.
Section E: Data Usage, Privacy and Security
Confidentiality: Paystack will only use Personal Data as permitted by this Agreement, by other agreements between you and us, or as otherwise directed or authorised by you through written instructions. Our employees that process Personal Data obtained from you are bound to a duty of confidence, with professional secrecy clauses incorporated into their contracts.
Privacy: Protection of Personal Data is very important to us. Our Privacy Policy explains how and for what purposes we collect, use, retain, disclose, and safeguard the Personal Data you provide to us. You agree to the terms of our Privacy Policy through the consent checkbox upon sign up, which we may update from time to time.
You affirm that you are now and will continue to be compliant with the Data Protection Regulations and all applicable Laws governing the privacy, protection, and your use of Data that you provide to us or access through your use of the Services. You also affirm that you have obtained all necessary rights and consents under applicable Laws to disclose to Paystack – or allow Paystack to Process – any Personal Data that you provide to us or authorise us to collect, including Data that we may collect directly from Customers using cookies or other similar means. As may be required by Law and in connection with this Agreement, you are solely responsible for disclosing to Customers that Paystack processes Transactions (including payment Transactions) for you and may receive Personal Data from you. Additionally, where required by Law, we may delete or disconnect a Customer’s Personal Data from your Paystack Account when requested to do so by the Customer.
Paystack will provide some or all of the Services from systems located within Kenya or other countries outside of Kenya. As such, it is your obligation to disclose to your customers that Payment Data may be transferred, processed and stored outside of Kenya and, as set forth in our Privacy Policy, may be subject to disclosure as required by applicable Laws, and to obtain from your customers all necessary consents under applicable Laws in relation to the foregoing.
Security: You will protect all Data you receive through the Services, and you may not disclose or distribute any such Data, and you will only use such Data in conjunction with the Services and as permitted by this Agreement or by other agreements between you and us. We will ensure adequate technical and organizational measures are implemented to protect the confidentiality, integrity and availability of personal data, such as compliance with ISO 27001. You will also implement measures to ensure the security of Personal Data.
If we become aware of an unauthorised acquisition, disclosure or loss of Personal Data on our systems, we will notify you consistent with our obligations under applicable Law. We will also notify you and provide you with sufficient information regarding the unauthorised acquisition, disclosure or loss to help you mitigate any negative impact on your Customers.
Where necessary, for the retrieval, provision, or processing of Personal Data for risk management purposes, we will assist with the Data Protection Impact Assessment (DPIA) process in a supportive capacity. Please note that Paystack’s role will only be limited to providing the necessary data and information needed for the DPIA.
PCI Compliance: If you use Payment Processing Services to accept Card Transactions, you must comply with the Payment Card Industry Data Security Standards (“PCI-DSS”) and, if applicable to your business, the Payment Application Data Security Standards (PA-DSS) (collectively, the “PCI Standards”). The PCI Standards include requirements to maintain materials or records that contain payment card or Transaction data in a safe and secure manner with access limited to authorised personnel.
You will promptly provide us, or any applicable Payment Method Provider or Payment Method Acquirer, with documentation demonstrating your compliance with the PCI Standards upon our request. If you are unable to provide documentation sufficient to satisfy us, the Payment Method Providers, or the applicable Payment Method Acquirers, that you are compliant with the PCI Standards, then Paystack and any applicable Payment Method Provider or Payment Method Acquirer, may access your business premises on reasonable notice to verify your compliance with the PCI Standards.
If you elect to store or hold “Account Data”, as defined by the PCI Standards (including Customer card account number or expiration date), you must maintain a system that is compliant with the PCI Standards. If you do not comply with the PCI Standards, or if we or any Payment Method Provider or Payment Method Acquirer are unable to verify your compliance with the PCI Standards, we may suspend your Paystack Account or terminate this Agreement. If you intend to use a third party service provider to store or transmit Account Data, you must not share any data with the service provider until you verify that the third party holds sufficient certifications under the PCI Standards, and notify us of your intention to share Account Data with the service provider. Further, you agree to never store or hold any “Sensitive Authentication Data”, as defined by the PCI Standards (including CVC or CVV2), at any time. You can find information about the PCI Standards on the PCI Council’s website.
Data Processing: You are the data controller and we are the data processor in relation to Personal Data processed on your behalf under this Agreement, except that we will be a data controller in relation to Personal Data where we determine the purposes and manner in which the Personal Data is processed (including, for example, in complying with any regulations or laws imposed upon us through Payment Method Rules or by Payment Method Providers or Payment Method Acquirers).
We will, to the extent that we are a data processor, process Personal Data in accordance with the terms of this Agreement and lawful instructions reasonably given by you to us from time to time, and we will delete or return all Personal Data to you, the controller, upon termination of this Agreement. We will not be liable for any claim brought by a data subject arising from any action or omission by us, to the extent that such action or omission resulted from your instructions. However, we will assist as required with retrieving the necessary Data to treat Data Subject Access Requests, on the basis this Data lies with us.
The terms and conditions of the Data Processing Agreement (a copy of which can be found here) are hereby incorporated and made a part of this Agreement by reference. The Parties acknowledge and agree that the execution of this Agreement shall automatically and simultaneously constitute the execution of the Data Processing Agreement.
6. Security and Fraud Controls
a. Paystack’s Security: Paystack is responsible for protecting the security of Data in our possession. We will maintain commercially reasonable administrative, technical, and physical procedures to protect User Data and Personal Data stored in our servers from unauthorised access, accidental loss, modification, or breach, and we will comply with applicable Laws and Payment Method Rules when we handle User and Personal Data. However, no security system is impenetrable and we cannot guarantee that unauthorised parties will never be able to defeat our security measures or misuse any Data in our possession. You provide User Data and Personal Data to Paystack with the understanding that any security measures we provide may not be appropriate or adequate for your business, and you agree to implement Security Controls (as defined below) and any additional controls that meet your specific requirements. In our sole discretion, we may take any action, including suspension of your Paystack Account, to maintain the integrity and security of the Services or Data, or to prevent harm to you, us, Customers, or others. You waive any right to make a claim against us for losses you incur that may result from such actions.
b. Your Security: You are solely responsible for the security of any Data on your website, your servers, in your possession, or that you are otherwise authorised to access or handle. You will comply with applicable Laws and Payment Method Rules when handling or maintaining User Data and Personal Data, and will provide evidence of your compliance to us upon our request. If you do not provide evidence of such compliance to our satisfaction, we may suspend your Paystack Account or terminate this Agreement.
c. Security Controls: You are responsible for assessing the security requirements of your business, and selecting and implementing security procedures and controls (“Security Controls”) appropriate to mitigate your exposure to security incidents. We may suggest some Security Controls you should implement. However, your responsibility for securing your business is not diminished by any Security Controls that we provide or suggest, and if you believe that the Security Controls we suggest are insufficient, then you must separately implement additional controls that meet your requirements.
d. Fraud Risk: While we may suggest Security Controls, we cannot guarantee that you or Customers will never become victims of fraud. Any Security Controls we suggest may include processes or applications developed by Paystack, its affiliates, or other companies. You agree to review all the Security Controls we suggest and choose those that are appropriate for your business to protect against unauthorised Transactions and, if appropriate for your business, independently implement other security procedures and controls not provided by us. If you disable or fail to properly use Security Controls, you will increase the likelihood of unauthorised Transactions, Disputes, fraud, losses, and other similar occurrences. Keep in mind that you are solely responsible for losses you incur from the use of lost or stolen payment credentials or accounts by fraudsters who engage in fraudulent Transactions with you, and your failure to implement Security Controls will only increase the risk of fraud. We may assist you with recovering lost funds, but you are solely responsible for losses due to lost or stolen credentials or accounts, compromise of your username or password, changes to your Payout Account, and any other unauthorised use or modification of your Paystack Account. Paystack is not liable or responsible to you and you waive any right to bring a claim against us for any losses that result from the use of lost or stolen credentials or unauthorised use or modification of your Paystack Account, unless such losses result from Paystack’s wilful or intentional actions. Further, you will fully reimburse us for any losses we incur that result from the use of lost or stolen credentials or accounts.
We may also provide you with Data regarding the possibility or likelihood that a Transaction may be fraudulent. We may incorporate any subsequent action or inaction by you into our fraud model, for the purpose of identifying future potential fraud. You understand that we provide this Data to you for your consideration, but that you are ultimately responsible for any actions you choose to take or not take in relation to such Data.
EXHIBIT A - Definitions
“Affiliate” means an entity controlling, controlled by, or under common control with the applicable party.
“Agreement or MSA” means this Merchant Services Agreement;
“AML Regulations” means the Proceeds of Crime and Anti-Money Laundering Act, 2009 and the Prevention of Terrorism Act Number 30 of 2012 and the regulations made thereunder and any amendments to, or replacement of, the same;
“Anti Bribery Laws” means the Bribery Act, Number 47 of 2016, The Anti-Corruption and Economic Crimes Act, 2003, the AML Regulations, The Ethics and Anti-Corruption Commission Act, 2011 (EACCA), the Foreign Corrupt Practices Act of the United States of America and the Bribery Act 2010 of the United Kingdom as well as all applicable anti-bribery and anti-corruption regulations and codes of practice.
“Banking Regulations” means the Banking Act Chapter 488 of the Laws of Kenya and the regulations made thereunder as may be amended from time to time and all the guidelines, circulars or directives applicable to banks in Kenya.
“Business Day” means any day other than a Saturday, Sunday or public holiday on which commercial banks are generally open in the Republic of Kenya;
“Card or Payment Card” means a credit card, debit card or similar card issued to a Cardholder by an issuer in accordance with a license granted by the respective Card Schemes;
“Cardholder” means the person to whom a Card is issued by an issuer and whose name, where applicable, is printed or embossed on a valid Card;
“Card Scheme” means Visa, MasterCard and any other applicable Payment Scheme associated with the provision of Services to Merchants.
“Card Scheme Rules” means the collective set of bylaws, rules, regulations, operating regulations, procedures and/or waivers issued by the Card Scheme as may be amended or supplemented over time and with which the Merchant must comply when using the relevant payment method.
“Charge” means a credit or debit instruction to capture funds in connection with a Transaction.
“Dispute” means an instruction initiated by a Customer for the return of funds for an existing Charge (including a chargeback or dispute on a Payment Method).
“Fine” means any fines, levies, or other charges imposed by us, a Payment Method Provider or a Payment Method Acquirer, caused by your violation of Laws or this Agreement, or as permitted by the applicable Payment Method Rules.
“Confidential Information” means all information relating to either Party which is obtained, whether in writing, pictorially, in machine readable form or orally or by observation in connection with this Agreement, including but without limitation, financial information, know-how, processes, ideas, intellectual property (irrespective of its registrability or patentability status), schematics, trade secrets, technology, customer list (potential or actual) and other customer-related information, sales statistics, market, market intelligence, marketing and other business strategies and other commercial information of a confidential nature;
“Customer” means a consumer or company that purchases products or services from the Merchant, or a donor;
“Data” used without a modifier means all Payment Data, Personal Data, and Paystack Data.
“Data Protection Regulations” means the Data Protection Act Number 24 of 2019 and the regulations thereunder and any amendments to, or replacement of, the same.
“Data Subject” means an identifiable person who is a customer of the merchant; one who can be identified directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
“Dashboard or Paystack Dashboard” means the interactive user interface that Merchant may access in order to view information about Merchant’s Paystack Account.
“Documentation” means the sample code, instructions, and other content available on the Paystack website, the first page of which is currently located at https://paystack.com/docs, including all replacement pages.
“IP Rights” means all copyrights, patents, trademarks, trade secrets, moral rights and other intellectual property and proprietary rights.
“KYC” means Know Your Customer processes that the Merchant undertakes in order to verify its customers before pursuing a business relationship with them;
“Law” or “Laws” means all laws, rules, regulations, and other binding requirements of any governmental authority with jurisdiction.
“NPS Regulations” means the National Payment System Act Number 39 of 2011 (NPS Act) and the regulations thereunder and any amendments to, or replacement of, the same.
“PA-DSS” means the Payment Application Data Security Standard.
“Payment Data” means payment account details; information communicated to or by Payment Method Acquirers of Payment Method Providers; financial information specifically regulated by Laws and Payment Method Rules; and any other information used with the Payment Services to complete a Transaction.
“Payment Method” means a type of payment method that Paystack accepts as part of the Paystack Services.
“Payment Method Acquirer” means an entity that is authorized by a Payment Method Provider to enable the use of a Payment Method by accepting Charges from Customers on behalf of the Payment Method Provider, and routing these Charges to the Payment Method Provider.
“Payment Method Provider” means the provider of a Payment Method.
“Payment Method Rules” means the rules, as in effect at the time of a Transaction, set by the Payment Method Provider and Payment Method Acquirers for the use of a Payment Method, and includes, in relation to Payment Cards, the network operating rules for the Visa, MasterCard and American Express networks.
“Payment Services” means the services Paystack offers that enable Merchant to accept payments, manage subscriptions, and perform transaction reporting and other financial transactions.
“Payout Account” means the bank account designated by Merchant for the deposit of settlement funds owed to Merchant under this Agreement.
“Payout Schedule” means the amount of time it takes for Paystack to initiate a transfer of settlement funds arising from Transactions to the Payout Account.
“Paystack Account” means Merchant’s Paystack account.
“Paystack Data” means information created by or originating from Paystack, including the details of the Application Programming Interface (API) interactions via the Paystack Platform, information used in fraud detection and analysis, and any aggregated, de-identified, or anonymized information generated from Data.
“Paystack Platform” means the hardware, software and other technology that Paystack owns or licenses and which Paystack uses to provide the Paystack Dashboard and Paystack Services.
“Paystack Pricing Page” means https://paystack.com/[countrycode]/pricing, where “country code” means the two-letter abbreviation for the country where Merchant is located.
“Paystack Services” (and “Services”) means the Payment Services, and the associated analytics and business services Paystack offers.
“PCI-DSS” means the Payment Card Industry Data Security Standards.
“Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifiers such as but not limited to MAC address, IP address, IMEI number, IMSI number, SIM and others;
“Processing” means any operation or set of operations that is performed on any Personal Data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction and includes processing (as such term is defined under the Kenyan Data Protection Regulation).
“Reserve” means the sum of funds retained up to the applicable Reserve Level, as continuously determined by Paystack, from funds to be Settled or made available by Merchant to cover for potential Refunds, Chargebacks, Fines, paid but not yet fully delivered Merchant Products and Services and other potential financial obligations of Merchant towards Paystack governmental authorities, Acquirers and Scheme Owners. Also referred to as “Balance”.
“Reserve Level” means the level of Reserve(s) set for Merchant from time to time pursuant to these Terms and Conditions and/or the Agreement.
“Restricted Business” means any of the categories of businesses and business practices for which the Paystack Services cannot be used and which are identified on the then-current Paystack Restricted Business List (which can be found on the Paystack website) for the jurisdiction of Merchant’s Paystack Account.
“Reversal” means an instruction initiated by a Payment Method Provider, a Payment Method Acquirer or us to return funds for an existing Charge or over settled funds. Reversals may result from (i) invalidation of a charge by a Payment Method Provider or a Payment Method Acquirer; (ii) funds settled to you in error or without authorisation; and (iii) submission of a Charge in violation of the applicable Payment Method Rules, or where submission of the Charge or your use of Payment Processing Services violates this Agreement.
“Trademark” means the trademarks registered in the name of, or licensed to either Party and such other trademarks as are used by either Party on or in relation to the Services during the term of this Agreement;
“Transaction” means a Payment Method request initiated by Merchant via the Paystack Platform with respect to a payment from a Customer to Merchant, and includes the authorization, settlement and if applicable, Disputes, Refunds and Reversals, with respect to that Payment Method request.
“Transaction Data” means all the information related to processing an electronic payment on behalf of a Merchant, including the name of the user, number of attempts made prior to completion of the payment and time of completion amongst other things.
“Unclaimed Financial Assets Act” means Unclaimed Financial Assets Act (Number 40 of 2011) and the regulations thereunder as may be amended from time to time.
Words importing persons or parties shall include firms and corporations and any organisation having legal capacity. The defined words, where the context so requires, shall be deemed and understood to be and have the same effect as operative clauses subsequently.
Words importing the singular shall include the plural and vice versa, and words importing the masculine gender shall include the feminine and vice versa.
A provision of law is a reference to that provision as amended or re-enacted.
Data Processing
DATA PROCESSING AGREEMENT
This Data Processing Agreement (“DPA”/ “Agreement”) is subject to and forms part of your Paystack Merchant Services Agreement, where applicable, and governs Paystack’s and its affiliates’ Processing of Personal Data.
If your Paystack Account is located in Kenya, you enter this DPA with Paystack Payments Kenya Limited (“Paystack”).
DEFINITION & INTERPRETATION
In this Agreement, unless the context otherwise requires, the following expressions have the following meanings:
“Controller” As defined under the Kenya Data Protection Act. In this Agreement, Merchant shall be the controller.
“Data Protection Legislation”, “Data Protection Law(s)” means the Kenya Data Protection Act, and all other applicable laws or regulations relating to the processing of personal data and privacy, as such legislation shall be amended, revised or replaced from time to time.
“Data Subject” is an individual who is the subject of Personal Data.
“Instructions/Approved Purpose” As defined in Clause 2 below.
“Main Agreement” means the Merchant Service Agreement entered into by the Parties (Paystack and the Merchant), where relevant.
“Personal Data/Data”, “Merchant Data” means any information relating to a Data Subject that is processed by the Processor as a result of, or in connection with, the provision of the Services under the Main Agreement; including but not limited to a name, identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that Data Subject. For the avoidance of doubt, Personal Data/Data/Merchant Data shall include only the types of personal data listed under Schedule I, Part A of this DPA.
“Personal Data Breach” means a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
“Privacy Policy” means the Privacy Policy of Paystack displayed on its website at http://www.paystack.com/terms.
“Processing” means any activity that involves the use of Personal Data or as applicable Data Protection Legislation may otherwise define processing, processes or process. It includes any operation or set of operations which are performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring Personal Data to third parties.
“Processor” As defined under the Kenya Data Protection Act. In this Agreement, Paystack shall be the processor.
“Restricted Transfer” means a transfer of Personal Data to a Third Country.
“Services” means the services the Processor provides to the Controller pursuant to the Main Agreement, specifically the provision of payment processing and related services.
“Sub-Processor” means any third-party processor appointed by and on behalf of the Processor in connection with this Agreement. A list of Paystack’s sub-processors is available here.
“Supervisory Authority” means an independent public authority which is established under any Data Protection Law for the purpose of overseeing compliance with such legislation, in this case the Office of the Data Protection Commissioner.
“Terms and Conditions” means Paystack’s https://paystack.com/terms#terms and https://paystack.com/terms#terms-of-service agreed to by the Merchant prior to the use of the Services.
“Third Countries” means a country or territory outside the countries listed in Part B of the Schedule attached to this Agreement.
In this DPA:
- The terms used in this DPA will have the meanings set out in this DPA. Capitalised terms not otherwise defined in this DPA will have the meaning given to them in the Main Agreement, where applicable. Except as modified below, the terms of the Main Agreement will remain in full force and effect, where a Main Agreement has been signed;
- In consideration of the mutual obligations set out in this DPA, the Parties agree that the terms and conditions set out below will be added to the Main Agreement. In cases where there is no Main Agreement, the terms of the DPA will still apply as a standalone Agreement;
- the schedules and appendices to this DPA form part of this DPA and will have the same force and effect as if set out in the body of this DPA and any reference to this DPA will include the schedules and appendices;
- the background section and all headings are for ease of reference only and will not affect the construction or interpretation of this DPA;
- unless the context otherwise requires, references to the singular include the plural and vice versa;
- unless the context otherwise requires, references to a “person” include any individual, body corporate, association, partnership, firm, trust, organisation, joint venture, government, local or municipal authority, governmental or supra-governmental agency or department, state or state agency or any other entity (in each case whether or not having separate legal personality);
- references to any statute or statutory provision will include any subordinate legislation made under it and will be construed as references to such statute, statutory provision and/or subordinate legislation as modified, amended, extended, consolidated, re-enacted and/or replaced and in force from time to time;
- any words following the words “include”, “includes”, “including”, “in particular” or any similar words or expressions will be construed without limitation and accordingly will not limit the meaning of the words preceding them;
- to the extent only of any conflict or inconsistency regarding the processing of Personal Data between the provisions of the Main Agreement (where relevant) and this DPA, this DPA will prevail;
- references to a Party to this DPA include references to the successors or assigns (immediate or otherwise) of that Party.
SCOPE OF PROCESSING/APPROVED PURPOSE
As part of Paystack providing the Service to the Merchant under the Main Agreement or general Terms and Conditions, Paystack shall comply with the obligations imposed upon it under Data Protection Law and agrees and declares as follows:
(i) to process Personal Data in accordance with the Merchant's documented instructions as set out in the Main Agreement (if applicable), Terms and Conditions, and this DPA for the specific purpose of providing the Service(s) to the Merchant, (ii) to retain, use, or disclose Personal Data only for the specific purpose of providing the Service(s) to the Merchant as set out in the Main Agreement (if applicable), Terms and Conditions, Privacy Policy, and this DPA and (iii) any other written instructions given by the Merchant and acknowledged by Paystack as constituting instructions under this Agreement (collectively, the “Instructions/Approved Purpose”). Paystack will comply with the Instructions unless it is otherwise unable to comply with an Instruction or prohibited by applicable Data Protection Law.
ROLES OF THE PARTIES
For the purposes of applicable Data Protection Law and this DPA, the Parties agree that in relation to the Merchant’s Personal Data Processed by Paystack pursuant to the Main Agreement (where applicable), the Merchant is the Controller and Paystack is the Processor. Both Parties shall comply with any obligations applicable to them under Data Protection Legislation with respect to the processing of Personal Data.
PROCESSING OF PERSONAL DATA
- Paystack will:
- comply with all applicable Data Protection Laws in the Processing of the Merchant’s Personal Data on behalf of the Merchant and provide such assistance and information as required under Data Protection Legislation in order to assist the Merchant to comply with its obligations under Data Protection Laws;
- only Process the Merchant’s Personal Data and any Personal Data the Merchant provides in accordance with the Approved Purpose or on written instructions from the Merchant (or, if directed by the Merchant) for the purposes of performing the Services (including with respect to transfers of the Merchant’s Personal Data to a Third Country or an International Organisation, which shall be in compliance with the Data Protection Laws);
- not knowingly or negligently do anything or fail to do anything which would cause the Merchant to be in breach of its obligations as a Controller under Data Protection Laws;
- not modify, amend or alter the Merchant’s Personal Data or disclose or permit the disclosure of the Merchant’s Personal Data to any third party unless it is required for the performance of the Services, for the Approved Purpose or/is specifically authorized to do so in writing by the Merchant or permitted by Data Protection Law;
- not disclose nor allow any person to access the Merchant’s Personal Data from any Third Country or by any international organisation, other than for the performance of the Services, the Approved Purpose or on the written instructions of the Merchant; unless required to do so under any law to which Paystack is subject. In that event, Paystack will, to the extent permitted by law, promptly inform the Merchant of the legal requirement before Processing the Merchant’s Personal Data.
- Paystack shall immediately notify the Merchant prior to any Processing being carried out, if in Paystack’s opinion, any instruction from or on behalf of the Merchant infringes or is likely to infringe Data Protection Laws.
PAYSTACK PERSONNEL
- Paystack will:
- take all reasonable steps to ensure the reliability of all Paystack employees, contractors and agents (“Paystack Personnel”) who have access to Personal Data;
- ensure that any access to the Merchant’s Personal Data by Paystack Personnel is provided on a strict "need to know" basis only and that Paystack Personnel do not Process the Merchant’s Personal Data except for the Approved Purpose or in accordance with the written instructions of the Merchant, unless required to do so by law;
- ensure that all Paystack Personnel involved in the performance of the Services have undergone appropriate data privacy training in relation to the Processing and security of the Merchant’s Personal Data.
- Without prejudice to the foregoing, Paystack will ensure that all Paystack Personnel:
- who have access to the Merchant’s Personal Data are informed of its confidential nature prior to disclosing any of the Merchant’s Personal Data to them; and
- are subject to professional secrecy (whether contractual or statutory) to maintain the Merchant’s Personal Data in confidence.
DATA SECURITY AND CONFIDENTIALITY
- Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Paystack will in relation to the Merchant’s Personal Data, implement and maintain at all times appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate:
- the pseudonymisation and encryption of the Merchant’s Personal Data;
- the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of Processing systems and services;
- the ability to restore the availability and access to the Merchant’s Personal Data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.
- In assessing the appropriate level of security, Paystack will take into account the risks that are presented by Processing, in particular from a Personal Data Breach.
- Paystack will ensure that any Sub-Processor implements and maintains appropriate processes to promptly respond to a Personal Data Breach.
- Paystack shall ensure full compliance with applicable Data Protection Legislation, including any legislation in other jurisdictions that might be applicable taking into account both Parties’ global operations.
- Paystack shall obtain consent from any individual or establish another appropriate legal basis for Processing Personal Data when required by such Data Protection Laws.
- Paystack may retain documentation as Paystack deems reasonably necessary to comply or demonstrate compliance with any law that Paystack may be subject to.
- Paystack shall exercise the same degree of care as it uses with its own Data and confidential information, but in no event less than reasonable care, to protect the Personal Data from misuse and unauthorised access or disclosure in accordance with all applicable Data Protection Laws, including:
- maintaining adequate physical controls and password protections for any server or system on which the Data is stored;
- ensuring that Data is not stored on any mobile device (for example, a laptop or smartphone) or transmitted electronically unless encrypted; and
- taking any other measures reasonably necessary to prevent any use or disclosure of the Personal Data other than as allowed under this Agreement.
DATA SUBJECT RIGHTS
- Taking into account the nature of the Processing, Paystack, where feasible, will assist the Merchant, insofar as this is commercially reasonable for Paystack, towards the fulfilment of the Merchant’s obligations to respond to requests by Data Subjects to exercise their rights under Data Protection Laws.
- Paystack will:
- notify the Merchant if Paystack or a Sub-Processor receives any query, complaint or request from a Data Subject to access, delete, block, or restrict access to their Personal Data, or to receive a machine-readable copy of their Personal Data within five (5) calendar days of Paystack receipt or notification of such request; and
- at the Merchant’s request, assist with responding to such queries, complaints, and requests.
- If either Party receives any correspondence, enquiry or complaint from any individual, Supervisory Authority, other competent regulator or other third party in connection with Data Processed by Merchant or Personal Data shared by Merchant with Paystack under the Agreement (collectively, "Correspondence"), then the Parties shall cooperate in good faith as necessary to assist that Party to respond to such Correspondence, where possible, and fulfil their respective obligations under Data Protection Laws.
REQUESTS FROM AUTHORITIES
- Where it is legally required, Paystack will use reasonable efforts to promptly inform the Merchant if Paystack or any Sub-Processor receives any request, inquiry, complaint, notice, subpoena or any other communication from a regulatory authority (including a Supervisory Authority) or other competent authorities (“Authority”) relating to the Processing of the Merchant’s Personal Data under the Main Agreement (where relevant) or in relation to any other matter under Data Protection Laws, except where Paystack is prohibited from doing so under any law that it is subject to.
- The Merchant will at Paystack’s request:
- Assist Paystack to respond to any communication from an Authority and to meet any applicable statutory or regulatory deadlines with regards to its Processing of Merchant’s Personal Data.
LEGAL REQUESTS
- In the event national law, court or regulator requires Paystack or any of its Sub-processors to disclose Personal Data to a third party, Paystack shall first inform the Merchant of such legal or regulatory requirement and provide the Merchant with the opportunity to object or challenge the requirement, unless national law prohibits such notice.
MANAGING AND REPORTING PERSONAL DATA BREACHES
- Paystack shall:
- notify the Merchant in accordance with applicable Data Protection Law of any Personal Data Breach involving the Merchant’s Personal Data, and in any event within thirty-six (36) hours of becoming aware of the Personal Data Breach, and shall take appropriate measures to mitigate its possible adverse effects; and
- provide the Merchant with sufficient information to permit it to meet any obligations to report the Personal Data Breach to a Supervisory Authority and/or to inform Data Subjects of the Personal Data Breach under Data Protection Laws.
DATA PROTECTION IMPACT ASSESSMENTS
- Paystack, upon request, will provide the Merchant with commercially reasonable information and assistance, taking into account the nature of the processing and the information available to Paystack, to help the Merchant conduct any Data Protection Impact Assessment, data transfer impact assessment or prior consultation it is required to conduct under Data Protection Law.
RETURN, DELETION OR DESTRUCTION OF PERSONAL DATA
- Unless storage is required by law, Paystack shall return, delete or destroy Personal Data in accordance with the Paystack Data Retention Schedule:
- after the end of the provision of the Services relating to the Processing of the Merchant’s Personal Data; or
- after termination or expiration of the Main Agreement; or
- after a Merchant’s request to return, delete or destroy
- Neither Paystack, nor any Sub-Processor or Paystack personnel will retain copies of any of the Merchant’s Personal Data in any form unless required to do so by any law to which they are subject and only to the extent and for such period as required by such law. In that event, Paystack shall ensure the confidentiality of all Merchant’s Personal Data and shall ensure that Merchant’s Personal Data is only Processed as needed for the purpose(s) specified under Applicable Laws requiring its storage, and for no other purpose. Paystack’s obligation to protect Merchant’s Personal Data in accordance with Data Protection Laws will continue until all Merchant’s Personal Data has been returned to the Merchant or deleted or destroyed.
AUDIT RIGHTS
- The Parties acknowledge that Paystack uses external auditors to verify the adequacy of its security measures and validate the level of compliance of Paystack with its obligations under this DPA. These audits:
- will be performed at least annually;
- will be performed according to requirements of the applicable International Standard(s) including ISO (International Organization for Standardization), mandatory industry rules and standards including, to the extent applicable, the Payment Card Industry Data Security Standard ("PCI-DSS") or such other alternative standards that are substantially equivalent to such frameworks;
- will be performed by independent third-party security professionals at Paystack’s selection and expense; and
- will result in the generation of certificate(s) and/or an audit report(s) affirming that Paystack’s data security controls achieve prevailing industry standards in accordance with attestation standards established by the International Standards Organisation or such other alternative standards that are substantially equivalent (“Report”).
- At the Merchant’s written request and without charge, Paystack will provide the Merchant with a redacted summary of the Report (“Summary Report”). The Summary Report will constitute Paystack’s confidential Information under the confidentiality provisions of Paystack's Main Agreement. Where a Main Agreement is not in place, confidentiality provisions are available upon request.
- To the extent the Merchant’s audit obligations under applicable Data Protection Law are not reasonably satisfied through a Summary Report or other documentation Paystack makes generally available to its Merchants, the Merchant may request to conduct an audit of Paystack under Data Protection Law (“Data Protection Audit”) upon at least thirty (30) calendar days’ advance written notice to Paystack and at the Merchant’s expense. The notice requirement in this Clause 13.3 shall not apply if Merchant reasonably believes that a Personal Data Breach has occurred or is occurring, or Paystack is in material breach of any of its obligations under this DPA (“Exceptional Circumstances”). In such an event, Paystack shall bear the responsibility of conducting a Data Protection Audit. Should the Merchant be dissatisfied with the results of Paystack’s Internal Audit, the Merchant may request a subsequent external-led Audit at its own expense.
- Following receipt by Paystack of a request under Section 13.3, Paystack and the Merchant will discuss and agree in advance on the reasonable start date, scope and duration of, and the security and confidentiality controls applicable to, any audit. Provided that such Data Protection Audit shall be conducted no more than once during any twelve-month period with the exceptions of Clause 13.3, during normal business hours with reasonable duration, and shall not interfere with Paystack’s operations. Only the systems and areas applicable and relevant to the processing of Merchant-provided data shall be accessed.
- The Merchant in conducting such Data Protection Audit may use an independent, accredited third-party audit firm subject to an appropriate duty of confidentiality with Paystack. Paystack may object in writing to an auditor appointed by the Merchant to conduct any audit under this Section, if the auditor is, in Paystack’s reasonable opinion, not suitably qualified or independent, a competitor of Paystack, or otherwise manifestly unsuitable. Any such objection by Paystack will require the Merchant to appoint another auditor or conduct the audit itself.
- No Data Protection Audit shall involve access to any data relating to any other Paystack Merchant or to systems or facilities not involved in the processing of Personal Data for Merchant and in no event shall a Data Protection Audit cause Paystack to violate its confidentiality obligations to any other third party.
- The Merchant shall be responsible for all costs and expenses relating to a Data Protection Audit conducted under this Section 13. Any report generated in connection with such a Data Protection Audit shall be considered Paystack’s confidential information and shall be promptly provided to Paystack. Clause 13.7 shall not apply when a Data Protection Audit is being carried out under the Exceptional Circumstances mentioned in 13.3 above.
SUB-PROCESSING
- Subject to compliance by Paystack with the terms of this DPA, the Merchant authorises Paystack to engage the Third-Party Sub-Processors listed here to Process the Merchant’s Personal Data in the performance of the Services, provided always that:
- Before any Sub-Processor Processes the Merchant’s Personal Data, Paystack carries out appropriate due diligence to ensure that the Sub-Processor can provide the level of protection for the Merchant’s Personal Data required by this DPA;
- Paystack and each Sub-Processor have signed an agreement including terms which contain the same (or equivalent) obligations in relation to the Merchant’s Personal Data as those set out in this DPA and meet the requirements of applicable Data Protection Laws, (“Sub-Processing Agreement”) prior to any Processing of the Merchant’s Personal Data being carried out;
- Paystack has complied with its obligations in respect of Sub-Processors and any transfer of the Merchant’s Personal Data in accordance with this DPA; and
- each Sub-Processor complies with the terms imposed on them under the relevant Sub-Processing Agreement with Paystack.
14.2 Paystack will remain fully liable to the Merchant for the performance of any Sub-Processor's obligations, and for any acts or omissions of any Sub-Processor.
14.3 Paystack shall appoint new Sub-processors for Processing Merchant Personal Data only if Merchant is provided with an opportunity to object to the appointment of each Sub-processor within thirty (30) calendar days after Paystack issues such notice to Merchant in writing regarding such Sub-processor. For each new Sub-processor appointment, all terms of this Clause 14 shall be deemed applicable.
MERCHANT OBLIGATIONS
- As part of the Merchant receiving the Services under the Main Agreement and/or Terms and Conditions, the Merchant agrees to abide by its obligations under Applicable Data Protection Laws between the Parties.
- Should Paystack decide to process data outside the instructions of the Merchant, Paystack will be deemed to act as a “Controller” (or equivalent concept) of the Merchant’s Data.
- Where applicable, the Merchant shall ensure that it has legal capacity in utilizing Paystack’s Services to process Personal Data of a Data subject.
- Merchant’s Security Responsibilities. Without prejudice to Paystack’s obligations under Clause 6 (Data Security) and 10 (Data Breach), and elsewhere in the Agreement, Merchant is responsible for its use of the Services and its storage of any copies of Merchant Data outside Paystack’s or Paystack’s Sub-processors’ systems, including:
- using the Services and additional security controls to ensure a level of security appropriate to the risk to the Merchant’s Data;
- securing the account authentication credentials, systems and devices the Merchant uses to access the Services; and
- backing up or retaining copies of its Data as appropriate.
- Merchant’s Security Assessment. The Merchant agrees that the Services, security measures implemented and maintained by Paystack, and Paystack’s commitments under Clause 6 (Data Security) provide a level of security appropriate to the risk to the Merchant’s Data (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of the Merchant’s Personal Data as well as the risks to individuals).
- The Merchant shall obtain consent from any individual or establish another appropriate legal basis for Processing where required by Data Protection Laws.
- The Merchant shall reasonably cooperate with Paystack's reasonable periodic requests for information regarding Merchant's privacy and security practices and compliance with this DPA and their own Privacy Policy, including information Paystack deems reasonably necessary to comply or demonstrate compliance with Data Protection Law.
LIMITATION OF LIABILITY
- Both Parties agree that in no event shall Paystack’s aggregate liability exceed the value of all fees paid by Merchant to Paystack in the last twelve (12) months immediately preceding the incident that gave rise to Merchant’s claim (“Supercap”). In the event of a conflict between the provisions of this DPA and the MSA, the provisions of the DPA shall prevail.
- This section shall not be construed as limiting the liability of either Party with respect to claims brought by Data Subjects or under the Data Protection Legislation.
INDEMNITY
- The Merchant acknowledges that Paystack is reliant on the Merchant for direction as to the extent to which it is entitled to use and process the Personal Data. Consequently, Paystack shall not be liable for any claim arising from any action or omission by Paystack to the extent that such action or omission resulted from the Merchant’s express instructions.
GOVERNING LAW AND JURISDICTION
- The parties to this DPA submit to the choice of jurisdiction stipulated in the Main Agreement (where applicable, otherwise in line with the jurisdiction referenced in this Agreement) with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
- This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Main Agreement, where applicable.
COUNTERPARTS
- This DPA may not be amended or modified except in writing and signed by both Parties. This DPA may be signed in any number of counterparts, (including a PDF file), each of which will be an original, but which together will constitute one and the same document. Each Party’s rights and obligations concerning assignment and delegation under this DPA shall be as described in the Main Agreement (where relevant). Subject to the foregoing restrictions, this DPA will be fully binding upon, inure to the benefit of and be enforceable by the Parties and their respective successors and assigns. This DPA, along with the Main Agreement and/or Terms and Conditions, constitutes the entire understanding between the Parties with respect to the processing of personal data, and shall supersede any other arrangements, negotiations or discussions between the Parties relating to that subject-matter.
SEVERANCE
- If any provision of this DPA is held to be invalid or unenforceable, then the remainder of this DPA will remain valid and in force. The invalid or unenforceable provision will be either:
- amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible;
- construed in a manner as if the invalid or unenforceable part had never been included.
Service Providers, Sub-processors, and Affiliates
Given the dynamic nature of our operations, our business requirements and sub-processor relationships may change. We may discontinue the use of a sub-processor or include a new sub-processor, depending on our business needs.
This page will be regularly revised to reflect any additions to or removals from our roster of sub-processors and affiliates. If you are a Merchant or otherwise a Controller (as defined under data protection laws), you are entitled to a notice when a change is made to our list of sub-processors, and you may object to that change within 30 days in accordance with the Data Processing Agreement you signed with us.
List of Sub-Processors & Service Providers
Sub-processor / Service provider | Description of Processing / Services to be provided | Location |
Zendesk | Customer service platform | Germany/Ireland |
Pipedrive | Sales customer relationship management | Germany |
Dropbox Sign | eSignatures | U.S.A |
Google Workspace | Email, file storage, collaboration tools, and services | U.S.A |
Microsoft 365 | File storage and collaboration tools | U.S.A |
Bento | Marketing tool | U.S.A |
Notion | Internal workspace | U.S.A |
Greenhouse | Recruitment platform | U.S.A |
Amazon Web Services | Cloud service provider | Ireland |
Refinitiv | Compliance and sanctions screening | United Kingdom |
Smile ID | ID verification | United Kingdom |
Infobip | User authentication (OTP) | United Kingdom |
Twilio | User authentication (OTP) | U.S.A |
Termii | User authentication (OTP) | Nigeria |
Safaricom | Payment Processing | Kenya |
GT Bank Ghana | Payment Processing | Ghana |
ABSA/Barclays | Payment Processing | Ghana |
Vodafone | Payment Processing | Ghana |
MTN | Payment Processing | Ghana |
NSANO | Payment Processing | Ghana |
One Africa | Payment Processing | Ghana |
Airtel | Payment Processing | Ghana |
Access Bank | Payment Processing | Nigeria |
Sterling Bank | Payment Processing | Nigeria |
Titan Trust Bank Limited | Payment Processing | Nigeria |
Zenith Bank | Payment Processing | Nigeria |
Kuda Microfinance Bank Limited | Payment Processing | Nigeria |
First City Monument Bank Limited | Payment Processing | Nigeria |
Stanbic IBTC Bank PLC | Payment Processing | Nigeria |
Wema Bank | Payment Processing | Nigeria |
Union Bank | Payment Processing | Nigeria |
United Bank for Africa | Payment Processing | Nigeria |
Providus Bank | Payment Processing | Nigeria |
VAS2Nets | Payment Processing | Nigeria |
Seamfix Nigeria Ltd | Payment Processing | Nigeria |
Partech Innovation | Payment Processing | Nigeria |
NIBSS | Payment Processing | Nigeria |
MasterCard | Payment Processing | Nigeria |
Interswitch | Payment Processing | Nigeria |
IATA | Payment Processing | Nigeria |
Lightspeed Development Computer Services | Payment Processing | Nigeria |
Zazu Africa Limited | Payment Processing/Issuing | Nigeria |
ABSA Bank Ltd | Payment Processing, Acquiring Bank | South Africa |
Altron TMT (Pty) Ltd (Altech Card Solutions) | Payment Processing | South Africa |
Call Pay | Payment Processing | South Africa |
Nedbank | Payment Processing, Acquiring Bank | South Africa |
Ozow | Payment Processing, EFT Collections | South Africa |
Stitch Money | Payment Processing | South Africa |
Xero | Payment Processing | South Africa |
Transaction Junction | Payment Processing | South Africa |
Altron Fintech (ACS) | Payment Processing | South Africa |
CyberSource | Payment Processing | South Africa |
BankServ Africa | Card payment authentication | South Africa |
Ukheshe Technologies | Provider: scan to pay and snapscan collections | South Africa |
List of Paystack’s Affiliates
Depending on your location and the nature of Paystack service involved, one or more of our affiliates will be providing the service to you.
Paystack Payments Limited | Nigeria |
Paystack Ghana Limited | Ghana |
Paystack South Africa (PTY) Limited | South Africa |
Paystack Payments Kenya Limited | Kenya |
Paystack Ivory Coast SARLU | Côte d’Ivoire |
Paystack Rwanda Limited | Rwanda |
Paystack Egypt S.A.E | Egypt |
Effective Date: Thursday, Sep 26, 2024