18-201.00 Trustwave Holdings: Trustkeeper Hold Harmless Agreement for PCI Survey
VERSION 3.3 US 03NOV11
TrustKeeper® Merchant Subscriber Agreement
IMPORTANT: READ THIS MERCHANT SUBSCRIBER AGREEMENT (THE "AGREEMENT")
CAREFULLY BEFORE PROCEEDING.
THIS AGREEMENT IS BETWEEN YOU AND TRUSTWAVE HOLDINGS, INC. FOR THE
TRUSTKEEPER SERVICES SELECTED BY YOU AS PART OF THE ENROLLMENT PROCESS
(THE "TRUSTKEEPER SERVICES").
BY COMPLETING THE ENROLLMENT PROCESS OR CLICKING THE "I ACCEPT" OR "I
AGREE" BUTTON ON THE TRUSTKEEPER SECURE PORTAL, YOU AGREE TO BE BOUND
BY THE TERMS AND CONDITIONS OF THIS AGREEMENT. IF YOU DO NOT WANT TO BE
BOUND BY THE TERMS AND CONDITIONS OF THIS AGREEMENT, PROMPTLY LOG OFF
THE PORTAL.
For purposes of this Agreement, the words "we", "us", "our" and "Trustwave" mean and refer to
Trustwave Holdings, Inc., a Delaware corporation, its parents, subsidiaries, affiliates and any
agent, including sales agents, independent contractors or assignees that Trustwave may, in its
sole discretion, involve in the sale or provision of the TrustKeeper Services. The words "you",
"your", or "Merchant" refer to the person or entity identified as the merchant during the enrollment
process. The term Payment Card Association or "Association" means Visa, MasterCard, and any
other credit card company (e.g., Discover, American Express, JCB, etc.), similar entity that
facilitates the settlement of credit card transactions, and includes the Payment Card Industry
Security Standards Council ("PCI SSC") for purposes of this Agreement. The term "Acquirer"
means the bank that acquires your credit card or other electronic transactions, and includes any
other third party that arranges for the processing and settlement of your credit card or other
electronic transactions through Associations.
1. Accuracy of Information. You hereby represent and warrant that all information and responses,
including without limitation, Your Merchant Identification Number ("MID") provided by You to
Trustwave are accurate and complete. If there are any changes in your processes, environment,
scanning profile, MID or SAQ responses you shall promptly update the SAQ and scanning profile
information, if applicable. If you receive breach coverage as part of the Trustwave services, You
acknowledge and agree that providing Your accurate and complete MID is solely your
responsibility, and You will not be covered if You provide an inaccurate or incomplete MID.
2. TrustKeeper Services. The TrustKeeper Services are designed to assist you in your efforts to
comply with certain security standards established by the Associations and the PCI SSC related to
transacting business. The TrustKeeper Services consist of two primary components: an online
security questionnaire that you must complete, and electronic vulnerability scanning of your IP
addresses. The descriptions of the specific TrustKeeper Services you selected as part of the
enrollment process are incorporated by reference herein.
3. Fees.
a. You agree to pay the fees for the TrustKeeper Services you selected as shown to you during
the enrollment process, and Trustwave may bill you directly for such fees or assign the billing
b. Applicable fees, if any, do not include, and you shall be solely responsible for, any and all taxes
of whatever nature, including without limitation, withholding taxes or other taxes imposed by
foreign jurisdictions, federal, state and local taxes and surcharges applicable to the services
rendered under this Agreement, excluding taxes based solely on the income of Trustwave.
Trustwave shall not be liable for, and you shall pay directly and indemnify and hold Trustwave
harmless from and against any and all liability for, all such taxes and/or surcharges.
4. IP Scanning; Restrictions.
a. You acknowledge and understand that provision of the TrustKeeper Services will require that
Trustwave access and scan your IP addresses. You hereby grant Trustwave the right to access
and scan the IP addresses, URLs and domain names identified by you during the
enrollment/registration process or provided to Trustwave by an authorized third party (the
"Authorized IP Addresses"). You further agree to provide Trustwave reasonable assistance to
enable such access and scanning. You understand that your failure to provide a complete list of
and complete access to your IP addresses will significantly impair the TrustKeeper Services and
may result in incomplete or inaccurate results.
b. You represent and warrant that you have the full right, power and authority to grant Trustwave
the right to access and scan the Authorized IP Addresses and to perform the TrustKeeper
Services, without violating the rights of any third party. You agree to defend, indemnify and hold
Trustwave harmless from any third party claim that such access was not authorized.
c. You acknowledge and understand that accessing and scanning IP addresses involves inherent
risks, including, without limitation, risks related to system or network performance and availability,
and data corruption.
d. Your use of the TrustKeeper services, portal and reports may only be used for the stated
purposes in this Agreement for Your internal business purposes in accordance with all applicable
laws (including any export control laws); and, You shall limit access to the TrustKeeper portal to
only those employees and/or contractors who have an obligation of confidentiality with Client and
the terms of this agreement and only to those who have a requirement for such access on a "need
to know" basis and You shall be solely responsible for disabling TrustKeeper accounts for those
employees and/or contractors who no longer require access.
e. You shall not copy, disclose, modify, decompile, disassemble, alter, tamper, translate or reverse
engineer any aspects of the TrustKeeper Services or the Trusted Commerce Seal. You shall notify
Trustwave immediately if you know, suspect or have reason to know that You or anyone you have
granted access to the TrustKeeper Services have violated any provision of this Agreement.
f. You assume full responsibility to backup and/or otherwise protect your data against loss,
damage or destruction prior to and during all phases of the TrustKeeper Services, and to take
appropriate measures to respond to any potential adverse impact of the systems or disruption of
service. You agree that Trustwave will not be liable for any damages attributable to the
TrustKeeper Services, except and to the extent caused by Trustwave's gross negligence or willful
misconduct.
5. Association Compliance. You acknowledge and agree that your use of the TrustKeeper
Services does not guarantee your compliance with any of the rules or security standards
TrustKeeper Services does not guarantee the security of your IP addresses or that your systems
are secure from unauthorized access. You are responsible for establishing and maintaining your
own security policies and procedures, and for compliance with the Association rules and security
standards, including any obligation to notify an Association and/or your Acquirer of any suspected
breach of your systems or any suspicious transactions or fraudulent activity. You are responsible
for any fines or penalties imposed by any Association or your Acquirer. In the event of a suspected
breach of your systems or any suspicious transactions or fraudulent activity, you authorize
Trustwave to share the details of any questionnaire or compliance report with the Associations
and/or your Acquirer, and at the direction of you, the Association, or your Acquirer grant Trustwave
the right to access and perform a scan of the IP addresses identified within your profile. You agree
and authorize payment for the additional scan. You further agree to cooperate with an
investigation into such matter to include complying with Association and Acquirer requirements
which includes, but is not limited to, mitigation efforts to contain any unauthorized release of
cardholder data, completing additional questionnaires and authorize any third party(ies) hosting
your systems to grant access to the investigators.
6. Trusted Commerce® Seal License, Use & Restrictions. In the event that you utilize the Trusted
Commerce Seal, ("Seal") the following shall apply:
a. License Grant. Subject to the terms and conditions set forth herein, Trustwave grants to You a
nonexclusive, non-transferable, non-sublicenseable license during the term of this Agreement to
(a) in accordance with the Seal installation instructions provided by Trustwave, download, install
and display on each page of Your Website a single copy of the Seal; and (b) use the Seal solely
for the purpose of identifying You and Your Website as a Trustwave customer in accordance with
the terms of this Agreement and the Trustwave services provided to You.
b. Restrictions. You are prohibited from (a) using the Seal in any manner other than provided in
the HTML code as downloaded from Trustwave's TrustKeeper website, (b) from copying, altering
or otherwise reproducing, storing or displaying the Seal image, or any altered version substantially
similar to the Seal, in any manner other than the unaltered inclusion of the HTML code as
downloaded from Trustwave's TrustKeeper website, (c) from using the Seal on any web pages not
associated with the Trustwave services specifically linked to the Trustwave's TrustKeeper account
from which the HTML was downloaded, (d) deploying, posting, or otherwise display the Seal on
any website, system, URL, or the like that has not been scanned by Trustwave, (e) using any
reproduction or facsimile image of the Seal, (f) using or providing the Seal to or for any other party,
and (g) blocking, altering, or otherwise manipulating the Seal code or related HTML links to
prevent or modify communication with the Seal server.
c. Use. In the event Your volume of Seal views on your Website exceeds Trustwave's acceptable
use as determined solely by Trustwave, Trustwave reserves the right to require you to host the
Seal on your Website in accordance with instructions to be provided by Trustwave if you desire to
continue to display the Seal. Trustwave will provide no less than ten (10) days written or electronic
notice of the requirement for you to host the Seal. After such period, Trustwave may cease
displaying the Seal on Your behalf and this Seal license will be terminated or suspended until such
time as you host the Seal on Your Website, in accordance with instructions provided by
d. Web Host Representations and Warranties. Web Host represents and warrants to Trustwave
and anyone who relies on its customer's Seal that: (a) it has the authority of its customer to enter
into this Agreement on such customer's behalf and to provide customer's information to Trustwave
subject to Trustwave's privacy policy, (b) it shall procure its customer's compliance with the terms
and conditions of this Agreement, (c) any customer information it provides in the application or
enrollment process for a Service or Seal shall be the exact information provided to it by such
customer, (d) any Web Host information it provides in the application or enrollment process for a
Service or Seal (including any domain name or e-mail address) is accurate and true and does not
infringe the Intellectual Property Rights of any third parties; (e) it will use its customer's Seal in
accordance with this Agreement only, and (f) it shall not allow any website it hosts to display a
Seal or any Trustwave intellectual property unless such website is licensed to do so.
e. Authorized Use of Information & Privacy Matters. The Seal may indicate which Trustwave
Services You have purchased. You agree that Trustwave may place in Your Seal certain
information that You provide during application or enrollment, or in relation to the provision of the
Trustwave Service. You understand that by placing the Seal on Your Website, Trustwave shall
have the right to capture use and disclose IP address (which does not include any personally-identifiable
information) of visitors to Your Website. Trustwave shall use and disclose such
information only for the purposes of (i) preparing reports about the use of the Trusted Commerce
Seal that may be provided to customers, potential customers and the general public, (ii) improving
the utility of the Seal or creating new services, or (iii) complying with a court order, law or
requirement of any government agency. For information on the processing of personally-identifiable
data, You should review Trustwave's Privacy Policy which is accessible from
Trustwave's website. Furthermore, You authorize Trustwave to list Your name, logo, and url
bearing the Seal on Trustwave's website and in other forms of communications, such as press
releases and emails to the public, indicating You are a Trustwave customer and Seal user.
7. Confidential Information & Authorized Disclosure. Use of and access to the TrustKeeper Services
is provided on a restricted access and confidential basis and any and all information, processes
and other documentation related to the TrustKeeper Services is and shall be considered
Trustwave Confidential Information. Your information provided to Trustwave during use of the
TrustKeeper Services shall be considered Your Confidential Information. Each party agrees that it
shall not disclose the other party's confidential information to a third party without the other party's
written permission. Notwithstanding, Trustwave is contractually bound to provide Your compliance
reports, SAQ results, scanning reports, attestation of compliance, work papers, notes, information
and materials related to and supporting the TrustKeeper Services, this Agreement and any
amendments to the PCI SSC, Your Acquirer, if applicable, and the Payment Card Associations. As
such, You authorize TRUSTWAVE to release all such compliance reports, work papers, notes,
information and materials related to and supporting the Services, this Agreement and any
amendments to Your merchant acquiring bank, PCI SSC, and the Payment Card Associations.
Furthermore, You authorize Trustwave to disclose such information to Your processor and the
third party sponsor(s) for Your TrustKeeper Services and their and your point of sale payment
application integration partners, resellers and service providers.
8. Term and Termination.
a. This Agreement will commence immediately upon your clicking on the "I Accept" or "I Agree"
button and shall continue for a period of one year (the "Initial Term"). Following the expiration of
the Initial Term, this Agreement shall automatically renew for successive one year periods (each a
"Renewal Term"), unless one party gives the other party written notice of termination at least 60
days prior to the end of the Initial Term or any Renewal Term.
b. This Agreement may be terminated at any time: (i) by either party in the event that the other
materially breaches any term or condition of this Agreement and fails to cure such breach within
thirty (30) days of written notice of such breach from the non-breaching party; (ii) by Trustwave if
Merchant fails to pay any amount due within ten (10) business days; or (iii) by either party upon
written notice to the other after the filing by the other of any petition in bankruptcy or for
reorganization or debt consolidation under the federal bankruptcy laws or under any comparable
law, or upon the other party's making of an assignment of its assets for the benefit of creditors, or
upon the application of the other party for the appointment of a receiver or trustee of its assets.
c. Termination of this Agreement shall not affect your obligation to pay for services rendered or
obligations due and owing under this Agreement prior to termination.
d. If any payment is not received when due, Trustwave reserves the right to disable Your access
to the TrustKeeper portal and/or other services.
e. Upon termination or expiration of this Agreement, You shall immediately cease displaying and
using the Seal and permanently remove the Seal from any servers on which it is installed.
9. Compliance With Laws. You shall comply fully with the requirements of all applicable federal,
state, local laws and regulations. Furthermore, you are solely responsible for monitoring legal
developments applicable to the operation of your business, interpreting applicable laws and
regulations, determining the requirements for compliance with all applicable laws and regulations,
and maintaining an on-going compliance program.
10. Proprietary Rights. You acknowledge and agree that, as between TRUSTWAVE and You, all
right, title and interest in and to the TrustKeeper portal and its contents, the TrustKeeper Scanning
Solution, the Trusted Commerce Seal, any part thereof, and other TRUSTWAVE proprietary
processes and solutions included in the services under this agreement, all patents, trademarks,
copyrights, trade secrets and all other intellectual property rights therein and thereto, and all
copies thereof, in whatever form, including any written documentation shall at all times be and
remain solely with TRUSTWAVE.
11. Limitation of Liability; Disclaimer of Warranties.
a. NOTWITHSTANDING ANY PROVISION IN THIS AGREEMENT TO THE CONTRARY,
TRUSTWAVE'S CUMULATIVE AGGREGATE LIABILITY FOR ANY LOSSES, CLAIMS, SUITS,
CONTROVERSIES, BREACHES, OR DAMAGES ARISING OUT OF OR RELATED TO THIS
AGREEMENT FOR ANY CAUSE WHATSOEVER AND REGARDLESS OF THE FORM OF
ACTION OR LEGAL THEORY, SHALL BE LIMITED TO THE ACTUAL DAMAGES SUFFERED
BY MERCHANT AND, IN ANY EVENT, SHALL NOT EXCEED THE LESSER OF (I) THE
AMOUNT OF FEES PAID BY MERCHANT TO TRUSTWAVE OR ITS AUTHORIZED SALES
AGENT FOR SERVICES UNDER THIS AGREEMENT DURING THE TWELVE (12) MONTHS
b. IN NO EVENT SHALL EITHER PARTY, THEIR AFFILIATES, OR ANY OF THEIR OFFICERS,
DIRECTORS, EMPLOYEES, OR AGENTS BE LIABLE FOR LOST PROFITS, LOST BUSINESS
OPPORTUNITIES, LOST REVENUES, EXEMPLARY, PUNITIVE, SPECIAL, INCIDENTAL,
INDIRECT OR CONSEQUENTIAL DAMAGES, EACH OF WHICH IS HEREBY EXCLUDED BY
AGREEMENT OF THE PARTIES REGARDLESS OF WHETHER SUCH DAMAGES WERE
FORESEEABLE OR WHETHER EITHER PARTY OR ANY ENTITY HAS BEEN ADVISED OF
THE POSSIBILITY OF SUCH DAMAGES.
c. THIS AGREEMENT IS A SERVICE AGREEMENT, AND EXCEPT AS EXPRESSLY
PROVIDED IN THIS AGREEMENT, TRUSTWAVE DISCLAIMS ALL OTHER
REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, ANY WARRANTIES REGARDING QUALITY, SUITABILITY, MERCHANTABILITY,
OR FITNESS FOR A PARTICULAR PURPOSE (IRRESPECTIVE OF ANY COURSE OF
DEALING, CUSTOM OR USAGE OF TRADE) OF ANY SERVICES OR ANY GOODS PROVIDED
INCIDENTAL TO THE SERVICES PROVIDED UNDER THIS AGREEMENT.
d. You acknowledge and agree that the provisions and limitations of this section are essential to
this Agreement and that absent them, Trustwave would not have entered into this Agreement.
12. Communications.
a. You agree to accept communications from Trustwave via email and in written form.
13. General.
a. All notices hereunder shall be in writing and shall be deemed given when personally delivered,
or when sent by facsimile transmission with receipt confirmed, one day after being sent by a
reputable overnight courier, or three business days after being mailed by certified mail, return
receipt requested, in each case directed: (i) if to Merchant, to the address shown during the
enrollment process and/or by way of posting on the TrustKeeper service portal; (ii) if to Trustwave,
70 W. Madison St., Suite 1050, Chicago, IL 60602, Attention: Legal Department; or (iii) to such
other addresses for each party as specified by such party in a notice given to the other party.
b. The parties agree that they are acting hereunder as independent contractors and that nothing
contained in this Agreement shall be deemed or construed by the parties hereto, or any third party,
to create the relationship of agency, partnership or joint venture between the parties. No party to
this Agreement has, and shall not hold itself out as having, any authority to enter into any contract
or create any obligation or liability on behalf of, in the name of, or binding upon the other parties.
c. Neither party may assign, delegate nor otherwise transfer the rights or obligations associated
with this Agreement, in whole or in part, without the prior written consent of the other party;
provided however, no written consent shall be required to assign this Agreement to any parent or
the wholly owned subsidiary of the party. Furthermore, no written consent shall be required for
Trustwave to assign this Agreement to its successor as a result of a merger, acquisition, sale,
transfer or other disposition of all or substantially all of its assets. Subject to the foregoing, this
Agreement will bind and inure to the benefit of the parties, their respective successors and
permitted assigns.
d. Trustwave may subcontract with one or more affiliates or third parties to provide any service
required to be provided by Trustwave hereunder, provided that no such use of subcontractors
e. This Agreement constitutes the complete and exclusive statement of the agreement between
the parties, and supersedes and merges all prior proposals and all other agreements, whether oral
or written, between the parties relating to the subject matter hereof. Any documents of Merchant or
Trustwave referring to such party's terms and conditions, such as vendor manuals, codes of
conduct, requests for proposals, purchase orders or invoices that are not expressly contained or
incorporated herein, or are contrary to the terms and conditions contained herein, shall not be
binding upon the parties. No change, modification, or waiver of any term or condition of the
Agreement shall be valid unless in writing signed by each party. Notwithstanding, Trustwave may
update this Agreement in the event that the PCI Data Security Standard, or other applicable
standards are changed or updated. For purposes of this section, an electronic or "click-wrap"
notice intended to modify or amend this Agreement and which you click "I Accept" or "I Agree" or
otherwise accept through an electronic process, shall constitute a writing as required herein. The
waiver or failure of either party to exercise any right provided for in this Agreement shall not be
deemed a waiver of any further or future right under this Agreement.
f. If any of the terms, or portions thereof, of this Agreement are invalid or unenforceable under any
applicable statute or rule of law, the court shall reform the Agreement to include an enforceable
term as close to the intent of the original term as possible; all other terms shall remain unchanged.
g. This Agreement shall be construed and governed in accordance with the laws of the State of
Delaware, excluding its conflict of law provisions. Any litigation arising out of or related to this
Agreement shall be commenced and maintained exclusively in the state or federal courts sitting in
Illinois.
h. Neither party will be liable to the other under this Agreement if delayed or prevented from
performance by causes beyond its control including, but not limited to, fires, floods, strikes, acts of
God, war, insurrection, governmental restrictions, or other causes of a like or different nature
beyond the control of such party.
i. Trustwave and Merchant irrevocably waive any and all rights they may have to a trial by jury in
any judicial proceeding involving any claim relating to this agreement.
j. Nothing herein expressed or implied is intended to or shall be construed to confer upon or give
any person or entity, other than the parties hereto and their respective successors and permitted
assigns, any rights or remedies under or by reason of this Agreement.