Olo Data Protection Addendum

Last Updated: June 26, 2024

This Olo Data Protection Addendum (“Data Protection Addendum”) is entered into between the entity accessing or using Olo Pay (“Customer”) and Olo Inc. (“Olo”) in connection with the provision of Card Present Services (defined below) to Customer under any existing, written and currently valid agreement (collectively, “Agreement”). This Data Protection Addendum is hereby incorporated by reference into the Agreement.

We reserve the right to modify this Data Protection Addendum at any time. If we make material changes to this Data Protection Addendum, we will notify you by updating the date of this Data Protection Addendum. The current version of this Data Protection Addendum will always be posted at this page. All capitalized terms not otherwise defined in this Data Protection Addendum will have the meaning given to them in the Agreement. In the event of any inconsistency or conflict between this Data Protection Addendum and the Agreement, this Data Protection Addendum will govern.

Customer and Olo agree as follows:

1. Definitions

“Card Data” means a cardholder’s account number, expiration date and verification code.

“Card Present Services” means the payment processing service and any associated solutions and products enabling Customer to accept payment from End Users with respect to card present or point of sale transactions through the Licensed Applications and to receive disbursement of amounts owed to Customer for sales of products through the Services.  

“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. and its implementing regulations.

“Customer Security Incident” means (i) a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data that is collected or maintained by Customer, or transmitted to Olo, in relation to the Card Present Services, or (ii) any act or omission that compromises the physical, technical or administrative safeguards implemented by Customer in Processing Personal Data for the Card Present Services or otherwise related to its use of the Card Present Services.

“Controller” means an entity which determines the purpose and means of the Processing of Personal Data. “Controller” has the same meaning as “Business,” as that term is defined under CCPA.

“Data Protection Law” means all data protection laws applicable to the Processing of Personal Data under this Data Protection Addendum, including local, state and national laws and/or regulations as well as industry self-regulations, including PCI-DSS.

“Data Subject” means the person to whom Personal Data relates. “Data Subject” has the same meaning as “Consumer,” as that term is defined under Data Protection Law.

“Olo Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data Processed by Olo or Olo’s processors in relation to the Card Present Services.

“Personal Data” means (i) information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to a Data Subject, or (ii) as that term or a similar term is defined under Data Protection Law.

“PCI-DSS” means the Payment Card Industry Data Security Standard version 4.0 and any subsequent versions as issued by the PCI Security Standards Council during the term of the Agreement.

“Process” or “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, including, but not limited to, accessing, collecting, recording, organizing, structuring, using, storing, transferring, retaining, disclosing, selling, sharing, deleting, and destroying Personal Data.

2. Privacy and Security Obligations

2.1 Scope and Roles of the Parties

Customer and Olo are each a Controller, to the extent that Data Protection Law applies to the Processing of Personal Data for the Card Present Services.

2.2 Relationship to the Agreement

This Data Protection Addendum, Sections 8 and 9 of the Master Services Agreement, the API Terms of Use and the Olo Pay Terms & Conditions Addendum constitute the entire agreement between the parties with respect to privacy and security obligations for the Card Present Services. For the avoidance of doubt, Section 4.4 of the Master Services Agreement, the Olo Data Processing Addendum and the Olo Security Policy are not applicable to the Card Present Services.

2.3 Compliance with Law

Each party will comply with Data Protection Law and the Operating Regulations in its role as a Controller.

2.4 Olo Privacy Notice

Customer shall provide its End Users with a privacy notice that (i) meets the requirements of Data Protection Law, (ii) includes a clear explanation that Olo is Processing Personal Data as a Controller in relation to the Card Present Services, and (iii) includes the following link to Olo’s Privacy Notice. Upon reasonable request, Olo will provide assistance to Customer with the disclosure in Customer’s privacy notice about Olo’s Processing activities for the Card Present Services. Customer shall make any updates to its privacy notice regarding Olo’s Processing activities as reasonably requested by Olo.

2.5 Customer Security & PCI Obligations

2.5.1 Customer has implemented and shall maintain a written information security program, including appropriate policies, procedures and risk assessments, designed to protect systems, devices and data from unauthorized access, acquisition or disclosure, destruction, alteration, accidental loss, misuse or damage. Customer shall evaluate the effectiveness of its information security program and its security measures regularly (at least annually) and promptly make adjustments as reasonably warranted by the results of such evaluation. Customer shall provide copies of its security policies to Olo upon reasonable, written request.  

2.5.2 Customer shall implement administrative, physical and technical safeguards designed to protect systems, devices and data from unauthorized access, acquisition or disclosure, destruction, alteration, accidental loss, misuse or damage that are no less rigorous than industry standard practices and comply with Data Protection Law.  

2.5.3 Customer shall comply with all security requirements in the API Terms of Use, which may be updated from time to time.

2.5.4 Customer shall not attempt to, and will not assist or knowingly permit any third party to: (i) copy, reproduce, distribute, republish, download, display, modify, disassemble, decompile, reverse engineer or create derivative works of the Card Present Services, (ii) use Customer’s access to the Card Present Services to assist Customer or a third party, in building a competing or similar website, application or service, or (iii) provide access to the Card Present Services to an unauthorized third party by any means, including but not limited to the sharing of login information or credentials.  

2.5.5 Customer shall take all reasonable measures to ensure appropriate safeguards and protections for login information and credentials. Customer shall be solely responsible for any acts or omissions of an unauthorized party resulting from that party’s access to the Card Present Services.

2.5.6 Customer shall comply with any reasonable requirement made by Olo or any relevant Acquirer concerning Customer’s security measures.  

2.5.7 Customer shall comply with PCI-DSS and other applicable payment card issuer regulatory requirements (including reporting obligations) in handling and using systems, devices and data, including Payment Terminals and Card Data. Customer shall not capture and/or hold any Card Data unless expressly permitted under Payment Card Industry standards.  

2.5.8 If Customer uses Point-to-Point Encryption (P2PE), Customer must implement and comply with all requirements in the P2PE Instruction Manual, currently available at https://www.adyen.com/legal/p2pe-instruction-manual.    

2.5.9 Customer shall comply with requests to provide Olo with up-to-date copies of applicable PCI Self-Assessment Questionnaires, Attestation of Compliance documentation and related PCI artifacts.  

2.5.10 If Customer engages a Subcontractor with whom data subject to Payment Card Industry standards will be shared, Customer must require by written contract that the Subcontractor meet or exceed PCI-DSS requirements and acknowledge that the Subcontractor is responsible for the security of the data it stores, transmits or processes on behalf of Customer.    

2.6 Olo Security & PCI Obligations

2.6.1 Olo has implemented and will maintain a written information security program, including appropriate policies, procedures and risk assessments, designed to protect systems, devices and data for the Card Present Services from unauthorized access, acquisition or disclosure, destruction, alteration, accidental loss, misuse or damage. Olo will regularly (at least annually) evaluate the effectiveness of its information security program and security measures and promptly make adjustments as reasonably warranted by the results of such evaluation.

2.6.2 Olo will implement administrative, physical and technical safeguards designed to protect Personal Data from unauthorized access, acquisition or disclosure, destruction, alteration, accidental loss, misuse or damage that are appropriate to the nature of the Personal Data and comply with Data Protection Law.

2.6.3 Olo will take reasonable measures to provide a secure payment system and will comply with PCI-DSS and other applicable payment card issuer regulatory requirements, including the reporting obligations, with respect to the Card Present Services.  

2.6.4 Olo will validate its PCI-DSS compliance as required by PCI-DSS requirements and the Operating Regulations.

2.7 Regulatory Requests

Customer shall reasonably assist Olo in complying with any regulatory compliance requests received by Olo or the Acquirer.  

2.8 Customer Security Incident / Olo Security Incident

2.8.1 If there is (i) a Customer Security Incident involving Personal Data or the systems or devices used for the Card Present Services, or (ii) unauthorized use of account credentials associated with the Card Present Services, Customer shall notify Olo as soon as possible by emailing Olo at security@olo.com.

2.8.2 In the event of a Customer Security Incident, Customer will: (i) cooperate with Olo to mitigate any harm and provide all reasonably requested information, (ii) take all steps reasonably necessary to isolate, investigate and remediate the effects of such occurrence, (iii) ensure the protection of End Users affected or likely to be affected by such occurrence, (iv) take steps to prevent the re-occurrence, and (v) comply with applicable laws.  

2.8.3 In the event of an Olo Security Incident, Olo will notify Customer by email of such incident. Olo will (i) cooperate with Customer to mitigate any harm, (ii) take reasonably necessary steps to isolate, investigate and remediate the effects of such occurrence, and (iii) provide information to Customer to enable Customer to make notifications to End Users and regulators (if required).

2.8.4 Customer shall be responsible for making any notifications of a Customer Security Incident or Olo Security Incident required by Data Protection Law to End Users and regulators. Customer shall not inform any third party about a Customer Security Incident or Olo Security Incident without obtaining Olo’s written consent, except as required by applicable law. Notwithstanding any limitations of liability in the Agreement, Customer will promptly and fully reimburse Olo for all reasonable and documented costs incurred by Olo in addressing and responding to any Customer Security Incident, including any audit conducted in response to such incident.  

2.9 Audit

2.9.1 Olo shall have the right to audit the Customer’s security and privacy program to ensure compliance with the requirements of this Data Protection Addendum, the Agreement, the API Terms of Use, the Operating Regulations and PCI-DSS. This audit may consist of questionnaires, informational requests and on-site audits. Olo will provide at least seven (7) days written notice of its request to conduct an audit of the Customer; provided, however, Olo shall only be required to provide twenty-four (24) hours advance notice of an audit in the case of suspected fraud, unlawful or prohibited transactions, security concerns or a Customer Security Incident.  

2.9.2 The audit may be conducted by a third-party auditor provided such auditor is not a competitor of Customer and the auditor is subject to confidentiality terms no less protective than the confidentiality terms in the Agreement.

3. General Provisions

3.1 Third-Party Beneficiaries

Customer’s subsidiaries and affiliates are intended third-party beneficiaries of this Data Protection Addendum.  

3.2 Noncompliance; Remedies

Except as provided in Section 2.8.4, each party’s remedies, including those of its subsidiaries and affiliates, with respect to any breach by the other party of this Data Protection Addendum, and the overall aggregate liability of each party arising out of, or in connection with, this Data Protection Addendum, shall be subject to any aggregate limitation of liability that has been agreed between the parties under the Agreement.