Gateway Services Agreement
Last updated: June 2021

WHEREAS:


(A) WHEREAS, the Company wishes to engage Solid for the provision of Services as described herein;


(B) WHEREAS, Solid has agreed to supply the said services on the terms and conditions set out in this Agreement;


(C) WHEREAS, it is the express objective and intention of the Parties to this Agreement to achieve a high degree of efficiency in their professional relationship, to their mutual benefit;


NOW, THEREFORE, the Parties hereto agree as follows:

1. Conditions precedent


1.1. The following shall be the condition precedent for Solid to start rendering the Services:


1.1. The Company has integrated with Solid through the Technical Solution;


1.2. The Company successfully underwent the verification and due diligence processes, by providing the Company Information requested by Solid.


1.3. The Company has concluded the respective agreement with the Acquirer(s), pursuant to which all payments made by the End Users will be processed by the Acquirer (and/or other third-party service providers, if applicable) with the use of the Technical Solution;


1.4. The Company granted the Acquirer and other third-party service providers (if any) an irrevocable consent (for the term of the Agreement) to provide Solid with information regarding Company's Transactions made through the Technical Solution;



1.2. If the Company becomes incompliant with any of the conditions precedent set out in clause 1.1, Solid shall have the right to suspend rendering Services until the Company is compliant again.


1.3. In consideration of the Fees and subject to the Company’s conformity with the Agreement, Solid shall render Services as set out in this Agreement.

2. Services


2.1. The Services shall be provided by Solid in its sole discretion. Solid has a discretion to use either Acquirer or other third-party service providers involved (if any) in order to render Services.


2.2. Solid may render any of the Services, if agreed in Schedule A to this Agreement.


2.3. The change in Applicable Laws may affect Solid's ability to provide and Company’s ability to receive the Services.


2.4. The Company acknowledges that Card Schemes may impose Limits from time to time. The Company shall not exceed the Limits. If the Company exceeds any Limit, Solid has the right, in its sole discretion, to suspend the Services.


2.5. Solid is authorised to suspend rendering the Services as necessary to conduct maintenance, upgrade, repair and/or provide other necessary attention to Solid's Technical Solution, servers or equipment. Solid will have reasonable discretion to determine when to suspend Services and shall give the 5 days e-mail written notice on such suspension.


2.6. Without derogating from any other right available to Solid under this Agreement, Applicable Laws or otherwise, on the basis of risk management considerations or where required to comply with the Applicable Law Solid, in its sole discretion, has the right to suspend the Services in any jurisdiction at any time and for any period of time.


2.7. Solid reserves the right to use third-party service providers in rendering any of the Services to the Company. Solid shall exercise reasonable care while choosing the provider. Solid accepts no liability for the provision of the Services by any third party.

3. Fees


3.1. The Company shall pay the Fees defined in Schedule A to the Agreement. The Fees shall be confirmed by an invoice (or an electronic invoice) issued by Solid on a monthly basis. The net Fees due shall be paid by the Company to Solid’s bank account stipulated in the invoice within ten (10) calendar days of receiving the invoice.


3.2. Solid shall have the right, for its sole discretion, to issue the invoice to Company if the Fees exceed USD 10,000 (or an equivalent). This does not restrict Solid to issue the invoice at the end of the month as per clause 3.1.


3.3. Alternatively to the payment of the Fees under clause 3.1, Company may authorise the Acquirer to deduct the Fees in favour of Solid under the respective agreement with the Acquirer. The Company shall inform Solid on such authorisation. The Fees shall be then paid within the time limits stipulated in clause 3.1. If Company cancels the authorisation for the Acquirer’s withdrawal, Solid shall have the right to invoice the Company under the clause 3.1.


3.4. In case invoice is over thirty (30) days past due, there will be a 10% late-payment fee in favour of Solid. Solid also will be entitled at any time to suspend providing Services or apply to the Acquirers (and/or other relevant third parties involved) with instructions to debit the Company's bank account for repayment of any sums that are due and owing by the Company to Solid, and the Company irrevocably authorises its financial institution to accept such instructions.


3.5. All fees payable to Solid under this Agreement are exclusive of value added tax and any additional or other taxes, charges or duties which may be imposed in connection with any and all payments made or due hereunder and shall, if applicable, be borne by the Company. In case value added tax or any other sales tax is or becomes chargeable (retroactively or going forward) in accordance with applicable laws, Solid shall add such amount to the Fees accordingly.


3.6. Any fees or amounts paid by the Company, whether directly or by way of set-off, deduction or otherwise, to Acquirers or other third-party service providers, shall not affect nor derogate from Company's obligation to pay all the Fees due to Solid hereunder.


3.7. Any repayment of funds to the End User for the execution of the Transaction (as a result of the Chargeback or otherwise) is subject to the following terms: 

a. the Company is solely responsible for repayment of funds, on the terms indicated in the agreement with the Acquirer (and/or other service providers (if any)); and 


b. the Fees charged by Solid in relation to execution of such Transaction is not to be returned to the Company.


3.8. The Company shall meet all costs associated with its compliance with the Applicable Law.

4. Amendments


4.1. Solid shall have the right, upon a three (3) day notice, to change any of the Services if:

a. Company requests so;


b. The changes are made at the Card Scheme(s) and/or Acquirers' request; 


c. The changes are imposed upon Solid under the Applicable Law;


d. The change is required on the basis of risk management considerations of Solid;


e. Company fails to fulfil its obligations under the Agreement.


4.2. Solid shall have the right, upon a ten (10) day notice, to change any provision of the Agreement, including but not limited, with regards to Clause 3 of the Agreement, if:

a. The changes are made at the Card Scheme(s) and/or Acquirers' request;


b. The changes are imposed upon Solid under the Applicable Law;


c. The change is required on the basis of risk management considerations of Solid;


d. Company fails to fulfil its obligations under the Agreement.


4.3. If the Company does not accept the changes prescribed in clause 4.2 of the Agreement, it has the right to terminate the Agreement before the new provisions enter into force. After the said term, the new changes are considered accepted and in force.

5. Prohibited Actions


5.1. It is prohibited to the Company to:


5.1.1. Use the Services in a way that infringes Applicable Laws, good practices, rights of third parties, or the policies of the Acquirers.


5.1.2. Use the Services only to handle the Transactions on the websites and in IT environments previously approved by Solid.


5.1.3. Utilize H2H payment flow without notifying Solid and being compliant with the PCI DSS. The Company assumes full responsibility in the event of total or partial non-compliance with the PCI DSS.


5.1.4. Fail to protect the data relating to its End Users, which is collected and stored by the Company against unauthorised access. The Company shall immediately notify Solid if the Company reasonably believes that there has been any security breach including but not limited to instances of unauthorised access or attempt to access Transaction data or sensitive End-User data, where there is a suspected or confirmed damage, loss or theft of Transaction data or sensitive End-User data. The Company shall co-operate with and assist Solid, at Company’s expense, in identifying and resolving compliance issues with regard to all Applicable Laws and regulations, including, but not limited to, all applicable rules of Card Schemes.


5.1.5. Conduct activity or use the Services in a way that may result in complaints, disputes, charges, penalties and other burdens to Solid or the third parties.


5.1.6. Take actions or omissions that may expose Solid to credit risk, risk of fraud, breach of duties related to anti-money laundering and terrorist financing or other statutory obligations or a sudden increase of risk (assessed under the procedures adopted by Solid based on the Company Information and other information available).


5.1.7. Take any actions, as a result of which the Technical Solution or any part of Solid's infrastructure will be negatively affected.


5.1.8. Engage in misleading or deceptive conduct nor to use Services itself or permit others to use the Services for any improper, immoral, or unlawful purposes.


5.1.9. Use, disclose, sell or disseminate any cardholder information obtained in connection with the Transactions (including the names, addresses and card account numbers of the Cardholders) except for purposes of authorising, completing and settling Transactions and resolving any Chargebacks, retrieval requests or similar issues, other than pursuant to a court or governmental agency request or order.


5.1.10. To withdraw integration with the Technical Solution. 


5.1.11. To fail to maintain the following information on its websites:

a. privacy policy (End Users’ personal data protection policy), including information on the transfer of personal data of the End Users to Solid in connection with the performance of the Transaction;


b. information on settlement currency, any Fees, including those for delivery, packaging, and taxes;


c. after ordering by the End User and successful authorisation of the Transaction – the Company should inform the End User about it in written or electronic form in accordance with the information received from Solid; and


d. any other information required by the Applicable Law, in particular regarding provision of services by electronic means, distance sale, and consumer law.

6. Standard Clauses


6.1. The Standard Clauses, available at Solid Standard Clauses are the integral part of this Agreement and the Company by signing the Agreement or the Schedule A to this Agreement acknowledges and accepts them.

7. Personal data protection


7.1. The Company attests that it is the Data Controller of personal data within the meaning of the Data Protection Laws and Solid will be acting as a Data Processor in respect of the personal data that is the subject of this Agreement.


7.2. The Company agrees to receive commercial and marketing information from Solid.


7.3. The Data Controller entrusts to the Data Processor the processing of personal data within the meaning of the Data Protection Laws for and on behalf of the Data Controller.


7.4. Personal data processing shall be entrusted to the Data Processor for a period of the performance of the Agreement and the purpose of its performance.


7.5. Categories of personal data that will be processed by the Data Processor for and on behalf of the Data Controller include only End User’s data. The types of personal data which will be processed by Solid under this Agreement may include:

a. name;


b. date of birth;


c. phone number;


d. IP address;


e. email address;


f. postal address; and


g. data concerning transactions and payments, including, but not limited to, card transaction data.


7.6. The scope of personal data processing shall include the following operations performed on the personal data: collecting, recording, storing, transferring, preparing, amending, making the data available, profiling with the use of personal data, deleting personal data both in paper form, as well as in the IT systems required for the provision of Services and for other purposes as may be required from time to time.


7.7. Some or all of personal data may be processed by Sub-Processors.


7.8. Data Controller hereby grants general written authorization to Data Processor to engage additional or replace existing Sub-Processors for the processing of the personal data under the Agreement. Upon request of the Data Controller, the Data Processor will provide a list of such Sub-Processors.


7.9. The Data Processor undertakes to ensure the security of personal data entrusted for personal data processing, and in particular:


7.9.1. undertakes to process personal data in accordance with the Data Protection Laws, in particular, to formulate and apply appropriate documentation and procedures for personal data processing, as well as technical, informational and legal security measures, as required by the provisions of the law, including inter alia:

a. the pseudonymisation and encryption of personal data;


b. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;


c. the ability to restore the availability and access to personal data in a timely manner in the event of technical problems or any other incident;


d. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of personal data processing.


7.9.2. undertakes to take measures, before starting to process personal data, for securing the personal data, as referred to in the Data Protection Laws.


7.9.3. shall only admit the people for personal data processing who shall be authorised by the Data Processor to process personal data.


7.9.4. represents that all persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.


7.9.5. shall keep records of persons authorised for personal data processing.


7.9.6. shall immediately inform the Data Controller of any instance of any breach, whatsoever, of the security of personal data entrusted to the Data Processor and processed on the basis of this Agreement.


7.9.7. shall not use the personal data entrusted to it under this Agreement for any purposes other than those provided for in this Agreement and, in particular, not to make such data available, in any form, to unauthorised third parties.


7.9.8. shall grant the Data Controller, on its request, any necessary information on all personal data stored by the Data Processor.


7.10. In terms of documentation supporting compliance with subsection 8.8, it is agreed that the Data Processors attestation of compliance with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS) is sufficient.


7.11. The Data Processor warrants that:


7.11.1. It will process personal data only on documented instructions from the Data Controller, including with regard to transfers of personal data to a third country or an international organisation.


7.11.2. It will respect the conditions for engaging other data processors.


7.11.3. To the extent possible and taking into account the nature of personal data processing and the information available to the Data Processor, it will assist the Data Controller in ensuring compliance with the obligations imposed on Data Controller by the Data Protection Laws.


7.11.4. It will make available to the Data Controller all information necessary to demonstrate compliance with the obligations imposed on Data Controller under the Data Protection Laws, and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller; it will also immediately inform the Data Controller if, in its opinion, an instruction of the Data Controller infringes provisions of the Data Protection Laws.


7.12. The Data Processor or its representative shall maintain a record (in writing or electronic form) of all categories of processing activities carried out on behalf of the Data Controller, containing: 


7.12.1. The name and contact details of the Data Processor or its Subprocessors and of the Data Controller, and, where applicable, of the Data Controller's or the Data Processor's representative, and the data protection officer; and (b) the categories of personal data processing carried out on behalf of the Data Controller.


7.12.2. Where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and including, where applicable, the documentation of suitable safeguards.


7.12.3. Where possible, a general description of the technical and organisational security measures.