Vista Payments

Effective from 9 October 2025

Vista Payments Terms

Agreement Framework

The Vista Payments Agreement comprises the Agreement (as defined below), as amended by the terms set out in these Vista Payments Terms.

The Parties acknowledge that the term “Agreement” refers to the applicable agreement currently in force between Client and Vista governing Vista’s provision of services to Client, which may include one of the following:

• Master License Agreement;

• License Agreement for Veezi Software;

• Vista Subscription Agreement; or

• Vista Cloud Agreement

For the purposes of Vista Payments, the Agreement is amended to incorporate by reference:

• Any order form entered into between you (the “Client”) and the Vista entity specified on the order form relating to the provision of Vista Payments (“Order Form”); and

• The “Terms” comprising:

o These Vista Payments Terms;

o The Vista Payments Device Terms; and

o The Vista Payments Data Processing Annex.

Vista may update or modify these Terms at any time, in its reasonable discretion. Any changes will become effective upon posting the updated Terms on Vista’s website or by providing notice to Client by other reasonable means. By continuing to use Vista Payments (as defined below) after the updated Terms become effective, Client agrees to be bound by the revised Terms. If Client does not agree to the updated Terms, it should cease using Vista Payments.

Background

Vista provides services, including software-as-a-service, that supports businesses to (among other things) sell cinema tickets, vouchers, and food and beverages both online and in-venue (“Vista Services”).

Vista has integrated the Vista Services with those provided by Adyen N.V and/or its affiliates (“Adyen”). Adyen provides payment processing and acquiring services for both online (aka Card Not Present (“CNP”)) and in-venue (aka Point of Sale (“POS”)) transactions (such services, the “Adyen Services”). The integration of the Adyen Services into the Vista Services means that Vista is able to provide Clients the ability to complete sales of goods and services to its customers, both CNP and at POS, through the Vista Services (“Vista Payments”).

In order to comply with regulatory and Scheme Rule (as defined in the Adyen – Client Agreement) requirements, Adyen is required to have a direct contractual relationship with Client, and to: (i) perform the payment processing and acquiring services, (ii) perform Know Your Customer (KYC) and Anti-Money Laundering and Anti-Terrorist Financing (AML) verifications; and (iii) perform second-line support (collectively, the “Adyen Vista Payments Services”).

It is, however, the intention of both Adyen and Vista that with respect to Client, the commercial relationship, customer service relationship (including first line technical support), risk management and account management will, as much as practical and as allowed under applicable laws and Scheme Rules, be with Vista (the “Vista Payments Services”); provided, however, that the Vista Payments Services do not include any of the Adyen Vista Payments Services.

For a visual explanation of these relationships, please see the diagram in Annex 1.

Relationship between Adyen & Client

The Adyen Vista Payments Services are subject to and exclusively governed by the Adyen for Platforms Terms and Conditions (located at https://www.adyen.com/legal/terms-and-conditions-adyen-for-platforms), which is a separate agreement between Adyen and Client, and any other agreement or understanding between Adyen and Client (collectively, the “Adyen – Client Agreement”). Such Adyen Client Agreement excludes the Payment Device Terms of Service, as terms and conditions for payment devices shall be exclusively governed by the Vista Payments Device Terms.

For the avoidance of doubt, Vista is not a party to the Adyen – Client Agreement, but Client acknowledges that: (i) any representation, warranty, covenant or obligation, including any indemnification obligation, made by Client to Adyen is also made by Customer to Vista and Vista has the right to enforce such representation, warranty, covenant and obligation against Client; and (ii) any disclaimer, limitation on liability or other restriction made for the benefit of Adyen is also made for the benefit of Vista and Vista has the right to enforce such disclaimer, limitation on liability or other restriction for Vista’s own benefit.

Adyen, and not Vista, is solely responsible for the provision of the Adyen Vista Payments Services. Vista has no responsibility for and expressly disclaims any and all damages and liabilities for Adyen’s provision or failure to provide the Adyen Vista Payments Services or Adyen’s breach of any of obligations with respect to Client, including any breach of the Adyen – Client Agreement.

VistaPayments Services

In relation to the Vista Payments Services, the parties agree as follows:

Framework and Communication: Client agrees that it will not communicate directly with Adyen unless requested by Vista, and acknowledges that communication from Adyen to Client will also occur via Vista. For the avoidance of doubt, this means that notices from either party under the Adyen - Client Agreement will be passed by Vista to Client or Adyen, as applicable.

Enrollment: Prior to Client’s enrollment in the Vista Payments Services, Client must be approved by both Vista and Adyen. Client will provide to Vista and/or Adyen all information required to confirm that Client meets requirements under applicable law, including the Scheme Rules and Know-Your-Customer requirements, and consents to Vista sharing this information with Adyen, who may in turn share it with Scheme Owners and/or Acquirers as necessary for the purpose of obtaining permission to provide the relevant Payment Methods to Client.

Client represents and warrants that: (a) the information submitted in connection with the enrollment process is complete, truthful and accurate, and (b) if any such information later becomes incomplete, untruthful or inaccurate, Client will notify Vista of the changed information. Any such changed information may mean that Vista and/or Adyen suspend or terminate access to Vista Payments. Client will provide Vista with at least three (3) business days prior written notice of any change in their company details, which Client consents to Vista sharing with Adyen.

Integration: Vista will be responsible for integrating the Adyen Services with the Vista Services generally and as it relates to Client, including setting up and managing the settings and configurations for Client within the Adyen platform. Client may under no circumstances adjust these settings and configurations without Vista’s express permission, and Vista will have no liability for events arising from settings or configurations adjusted by Client.

Vista is Authorized Representative of Client. Client hereby designates Vista as its authorized representative in connection with Vista Payments, including but not limited to submitting binding settlement instructions to Adyen on behalf of Client. Client authorizes Vista to access, process and use Client’s data in connection with Vista Payments and for the purposes outlined in the Agreement, Order Form and/or these Terms, and acknowledges that this may also include processing by Adyen.

Fraud Control: All transactions processed via Vista Payments will be screened by Adyen fraud control tool(s) (“Fraud Control Tool”). Vista may on behalf of Client configure the scoring values for the Fraud Control Tool to determine how the Fraud Control Tool will judge transactions. Vista disclaims all liability associated with the failure or inaccuracy of the Fraud Control Tool, including any failure or inaccuracy arising from the configuration of the scoring values for the Fraud Control Tool as well as any decision Client makes or any direction it follows with respect to the Fraud Control Tool.

Merchant of Record: Unless otherwise agreed with Vista, Client is the merchant of record for all transactions processed through Vista Payments, will ensure it is registered with the Scheme Owners as such, and is fully responsible for compliance with all applicable Scheme Rules, laws and regulations pursuant to such position.

Taxes: Client is solely responsible for all tax obligations on its products and/or services sold through Vista Payments and will defend, hold harmless and indemnify Vista from any taxes or levies due on any of Client’s products or services and any costs or damages related to such taxes. Client expressly agrees that this provision, including the indemnity, supersedes any allocation of liability between Vista and Client under the Adyen - Client Agreement.

Payments & Fees

Transaction Funds. Unless otherwise communicated by Vista, Vista will direct Adyen to deposit Client’s payment transactions processed through Vista Payments (“Transaction Funds”) which Adyen settles into Client’s virtual account (less applicable deductions (see below)) directly to Client’s designated bank account. Vista will have no responsibility for the timely settlement or deposit of funds to Client.

Deductions will include: (i) all applicable fees set out in the Order Form (“Fees”); (ii) any other deductions made known to Client by Vista (including but not limited to payments for terminals, reversals, refunds and chargebacks); and/or (iii) amounts required to maintain any Reserve (see below).

Reserve. Adyen and/or Vista may designate an amount of funds that is held by Vista and/or Adyen in a separate reserve account (a “Reserve”) to secure the performance of Client’s obligations under these Vista Payments Terms and the Adyen – Client Agreement.

A Reserve may not be required if Client meets certain financial criteria and commits to providing required financial information on a regular basis, as communicated by Vista. Notwithstanding the above, if there is a material change in Client’s financial standing, Vista and/or Adyen may apply a Reserve on written notice to Client.

Where Adyen holds the Reserve, Client expressly acknowledges that Vista takes no responsibility for the collection or management of such Reserve.

Where Vista holds the Reserve, the Reserve level will be in an amount as reasonably determined by Vista to cover potential losses, based on financial statements reasonably requested by Vista on a regular basis which must be supplied by Client without undue delay. The Reserve level may, in Vista’s sole reasonable discretion, need to be changed over time. Vista will maintain the Reserve level by adding or deducting funds in each settlement of Transaction Funds. If there aren’t sufficient Transaction Funds for this, Client agrees to immediately transfer funds to maintain the Reserve level. Client authorizes Vista to make any withdrawals or debits from the Reserve, without prior notice to Client, to collect amounts that are due for payment by the Client.

Client grants Vista a security interest in and lien on any and all funds held in any Reserve, whether held by Adyen or Vista. Client will execute any additional documentation required to create or perfect Vista’s security interest in any funds in the Reserve. This security interest survives for as long as Vista or Adyen holds funds in the Reserve.

Upon the earlier of the: (i) termination or expiration of these Terms; (ii) date that the processing of Transactions is stopped; or (iii) date the Reserve is no longer required, the Reserve will be released in monthly portions (typically over a period of six (6) months) until the full Reserve is released or, where applicable, applied to Chargebacks, Fines, fraud claims or unpaid fees due by Client.

Scheme Rules

Client agrees that it will be solely responsible for fines levied by Scheme Owners for Client’s violation of the Scheme Rules. Where Vista becomes aware of and/or receives notice of a potential exposure to a fine related to Client, Client will provide all reasonable co-operation to help investigate the relevant circumstances and remedy the relevant violation.

Security

The  Client’s payment data shall be encrypted and processed securely through  Adyen’s infrastructure. Vista takes no responsibility for such encryption and  security. Neither Vista nor Adyen shall store sensitive payment credentials  beyond regulatory requirements.

Uptime

Uptime of the Payment Interface (as defined in the Adyen – Client Agreement), as well as maintenance, are managed under the Adyen - Client Agreement, and Vista specifically disclaims any responsibility in relation to such uptime and maintenance commitments. Client must immediately notify Vista of any downtime of the Payment Interface which it experiences and provide all reasonably requested co-operation in investigating and resolving any such downtime.

Term and Termination

These Terms shall remain in force and binding on the Parties so long as there is an applicable Order Form in place between them, unless terminated in accordance with the below. These Terms shall automatically terminate in the event that the Adyen - Client Agreement or the Agreement is terminated for any reason.

At any time during the Term, Vista may: (i) terminate any Order Form with immediate effect; and/or (ii) suspend access to the Vista Payments Services with immediate effect, for the following reasons: (a) Adyen ceases to deliver all or part of the Adyen Services to either Client or Vista; (b) a threat to the technical security or technical integrity of the Vista Payments Service; (c) Client’s breach or violation of applicable law, including the Scheme Rules, or any contractual obligation, including a breach of the Adyen – Client Agreement; (d) any suspected or actual breach by Client of these Vista Payments Terms; or (e) an Acquirer or Scheme Owner suspends provision of all or part of their offering to Vista or Adyen blocks Vista’s access to a payment method.

If the Vista Payments Services are suspended, Vista may charge a re-activation fee to reinstate the Vista Payments Services.

Warranties

In addition to those warranties noted elsewhere in these Terms or provided under the Agreement, Client represents and warrants that it shall:

• Comply with the Adyen-Client Agreement and all applicable laws;

• Only use the Vista Payments Services for payment of those Client products and/or services agreed with Vista to be offered through Vista’s Services, and not for any use contained on Adyen’s prohibited use list (as updated from time to time): https://www.adyen.com/legal/list-restricted-prohibited;

• Not engage in fraudulent, misleading, or illegal transactions, including unauthorized attempts to circumvent payment rules and security protocols;

• Take full responsibility for any customer disputes and make its contact information for raising such disputes visible to customers;

• Implement appropriate security measures to protect customer data and payment information, adhering to industry best practices; and

• When the “Account Updater” service is enabled, ensure a valid legal ground for, and provide sufficient information to the shopper about, the requested payment details.

Liability & Indemnity

Third Party Liability: Vista will only be liable for its own acts or omissions and not for acts or omissions of third parties, including Adyen, Scheme Owners and Acquirers or for events or activities originating outside the Vista Services (such as internet disturbances or malfunctions in third party systems), except in case such events were caused by the willful misconduct or gross negligence of Vista. Client expressly agrees that it shall not join Vista in any claim or proceeding it may initiate against Adyen, however arising, related to Adyen’s role in Vista Payments, or performance of the Adyen Services or Adyen Vista Payments Services.

Limitation of Liability: To the maximum extent permitted by applicable law, the aggregate liability of Vista under these Vista Payments Terms to Client for breach of contract, tort or under any other legal theory in any calendar year is limited to an amount equal to the Fees actually received for the Vista Payments Services by Vista from Client in the six (6) months immediately preceding the event which gave rise to the liability in question. To the maximum extent permitted by applicable law, Vista will not be liable for any special, indirect, or consequential damages (including any loss of profit, business, contracts, revenues or anticipated savings, or damage to good name) as a result of breach of contract, tort or under any other legal theory.

Indemnity: Client will indemnify, defend and hold harmless Vista, Vista Affiliates and their respective directors, officers, employees and representatives, from and against any and all losses, charges or fines arising out of: (i) breach of any of the Client’s obligations under these Vista Payments Terms, applicable law, the Scheme Rules, or the Adyen-Client Agreement; (ii) any Client act or omission related to Vista Payments (including but not limited to fraudulent transactions); (iii) any fines applied to Adyen or Vista by Scheme Owners connected with Client’s violation of the Scheme Rules; and/or (iv) any disputes or legal proceedings initiated by Client’s customers or regulatory authorities related to Client’s use of Vista Payments.

Audits

Vista may undertake compliance audits once per calendar year upon five (5) days’ written notice. At any time, where Vista has identified a reasonable concern regarding Client’s compliance with these Terms, Vista may conduct an additional audit on five (5) days’ notice. Audits shall be conducted so as to minimise disruption to Client’s business operations. Client will provide reasonable access to personnel, systems and records necessary to verify compliance.

Marketing

Vista may use the Client’s name and logo on its website and in marketing materials indicating that Client is using Vista Payments.

Governing Law

These Terms are governed by the governing law of the Agreement, and any disputes or claims related to the subject matter of these terms shall exclusively be dealt with pursuant to the dispute resolution provisions of the Agreement.

Annex 1

Vista Payment Device Terms

Background

For POS Transactions, unless otherwise agreed with Vista Client must use payment terminals or other payment processing devices provided by Adyen to Client via Vista (each a Payment Device) to submit transactions for processing by Adyen. Client must comply with these Payment Device Terms.  

All capitalized terms not defined herein are as defined in the Vista Payments Terms, the Adyen – Client Agreement, or the Agreement. Vista may update or modify these Payment Device Terms at any time, in its reasonable discretion. Any changes will be effective upon posting the updated Payment Device Terms on Vista’s website or by providing notice to Client by other reasonable means. By continuing to use the Payment Device(s) after the updated Terms become effective, Client agrees to be bound by the revised Payment Device Terms. If Client does not agree to the updated Payment Device Terms, it should cease using the Payment Device(s).

Pricing

The sales price for each Payment Device, as documented in the Order Form, includes the following:

• Payment Device hardware equipped with the relevant Payment Device Software (as defined below), Adyen key, basic functionality testing, and secure packaging;

• Cables and initial supplies necessary to operate the Payment Device;

• Registration of the Payment Devices in the Client’s account under the Vista Payments Services;

• Shipment to one designated address per country via standard courier delivery services;

• Sub-License to use Adyen’s Payment Device Software to access the Vista Payments Services;

• Support for the Payment Device Software installed on the Payment Devices; and

• Support for additional services provided for Payment Devices.

The sales price for each Payment Device excludes the following:

• Out-of-scope Replacement Services (see below);

• Optional value added services (see below);

• Optional accessories and additional supplies; and

• Federal, state, and local sales, use, excise or similar taxes or tax-like charges.

Ordering and  Shipping

Vista will place orders with Adyen for the volume and types of devices agreed with Client. Vista will have no liability for Adyen’s delayed delivery, or incomplete or inaccurate orders. Delivery lead times communicated by Adyen's carrier are based on estimates and not guaranteed. In case of any carrier delay, Client will cooperate with Vista and/or Adyen to resolve such delay.

Vista will invoice Client for Payment Devices or deduct from Transaction Funds, as set out in the Order Form. Invoices must be paid in accordance with the Agreement, unless otherwise communicated by Vista, and will include shipping related costs where applicable. Client may be required to provide Vista and/or Adyen with its sales tax identity number for the relevant territory in order for accurate sales taxes to be applied.

Payment Devices will be delivered DDP (IncoTerms 2020) directly from Adyen (or its local selling entity) to the address(es) provided by Client. Title and risk of loss for Payment Devices pass to Client upon delivery. Client must ensure such addresses are accurate and accepts responsibility and any additional costs resulting from incorrect addresses or Client’s inability to accept delivery (however arising). The shipping address cannot be changed once the Payment Devices are in transit.

Upon the expiration or termination of the Vista Payments Terms and/or the Adyen – Client Agreement for any reason, Client will promptly return the Payment Devices to Adyen in accordance with the instructions provided by Vista and/or Adyen.

Device Misuse  and Integration

Client must ensure proper use of Payment Devices in accordance with the applicable specifications, usage instructions, technical requirements, guidelines, and documentation set out in these terms and any documentation provided from Adyen via Vista. Neither Vista nor Adyen will be responsible for disruptions to Transaction using the Payment Device(s) and/or performance issues resulting from Payment Device misuse and/or erroneous integration by Client.

Replacement  Service

Client may be entitled to have a defective Payment Device (excluding accessories) replaced with a refurbished Payment Device of the same model type (Replacement Service) if the Payment Device has a hardware defect which means it cannot be used to submit Transactions, or otherwise materially fails to function (as determined in Adyen’s discretion) (Eligible Device).

Requesting Replacement Service. Client must contact Vista to request the Replacement Service for an Eligible Device. Vista shall forward such request to Adyen, and takes no responsibility for Adyen’s timely replacement of such Eligible Device or any decision by Adyen to decline a replacement in a particular instance.

Scope of Service. Eligible Devices may not be covered by the Replacement Services if: (i) they have reached their end-of-life (EOL) date, or (ii) they are no longer PCI PTS compliant. If Adyen ceases to support the Replacement Service for a specific Payment Device, Vista will forward notice of such change to Client promptly after receiving such notice from Adyen.

Adyen will examine the defective Payment Device to establish the cause of the reported defect. If the defect is confirmed and the Payment Device is determined to be an Eligible Device, there will be no additional charges for Client. Additional costs, which shall be invoiced by Vista, may arise if:

• the defects discovered are considered out-of-scope by Adyen (see below), Client will be charged out-of-scope repair costs; or

• a defect cannot be confirmed, Client will be charged Adyen’s costs for the investigation.

Out-of-scope defects include:

• Changes, repairs, modification or amendments to or tampering with the Payment Device by parties other than Adyen (or any attempt to do so);

• Use of Payment Devices with improper consumables, accessories, or devices not provided by Adyen;

• Exposure to undue external conditions (e.g., contact with water, temperature outside operating conditions, oxidation, dropping the device);

• Improper use or use outside of Adyen's operating instructions for the Payment Device;

• Power supply defects caused by use of Payment Device with improper voltage and/or after improper charging;

• Missing parts not returned by Client or damaged plastics;

• Issues that Client could have resolved by updating or enabling updates of the Payment Device software; and

• Failures of the Payment Device’s rechargeable battery through improper use by Client.

Delivery and Return of replacement and defective Payment Devices. If the request for Replacement Service is approved, Adyen will ship the replacement directly to Client, and include in the shipment instructions for returning (at Adyen’s expense) the defective Payment Device. The defective Payment Device must be returned within two (2) weeks of receiving the replacement Payment Device, otherwise, Client may be charged a fee (which will be invoiced to Client by Vista).

Payment Device Software

Adyen provides and maintains the Payment Device software (Payment Device Software) and a Terminal API that allows Client’s Payment Devices to connect to the Adyen platform to submit Transactions to Adyen.

Updates. Adyen will make updates, patches and releases available from time to time for the Payment Device Software for all supported Payment Devices, which may include emergency updates to repair urgent issues. The Payment Device Software updates will either be:

• remotely and automatically loaded to the supported Payment Devices by Adyen. In this case, a pre-release version of the Payment Device Software may be uploaded to a maximum of 2% of Client’s Payment Devices. To enable updates, Client should connect the Payment Device to the internet for at least one 24 hour period each quarter; or

• loaded to the supported Payment Devices based on a schedule determined by Client. Such schedule must require updates at least every six (6) months.

Adyen may mandate certain Terminal API updates by a certain deadline. Client must implement each mandatory Terminal API update within the required period, or within thirty (30) days from the date of Adyen’s notification (via Vista) if no deadline is provided. Adyen reserves the right to block Client’s use of a Terminal API if it suspects any malicious activity.

In the case of Android Payment Devices, Adyen will be responsible for ensuring that the Android Operating System (OS) installed on the Payment Device is regularly updated to reflect the latest security patches. Such updates will be promptly implemented to maintain the security and integrity of Android Payment Devices. If Client chooses to install third-party applications on any Payment Device provided and/or approved by Adyen, Client accepts full responsibility and liability for consequences arising from use of such applications.

Software Support. Adyen reserves the right to disable specific Payment Device Software from processing Transactions, deprecate specific Payment Device Software, or deprecate specific Terminal API versions from processing Transactions in its discretion. Where Adyen deprecates specific Payment Device Software or Terminal API versions, Client must upgrade its Payment Devices to the latest available version.

If Adyen discontinues support of certain Payment Device Software, Vista will forward notice of such change to Client promptly after receiving such notice from Adyen. Credits may be available if Adyen discontinues support for Payment Device Software within three (3) years of Client’s purchase of an affected Payment Device.

Support  Responsibilities

First Line Support. Client will provide first-line support for the Payment Devices, including:

• General triage and troubleshooting with respect to the Payment Device:

• Client network issues;

• Hardware and accessory issues;

• Basic account and Payment Device configuration;

• Theft, fraud, or misplacement issues;

• Transaction support (troubleshooting with regard to particular Transactions);

• Payment statuses: refunds and refusal reasons;

• Payment retries; and

• Ability to perform payments over the phone in case of network outage.

End User and Onsite Support. Client must:

• Be available to accept delivery of Payment Devices at the designated address during regular business hours;

• In the event of damage that potentially affects functionality or security (such as a broken casing, screen, or keypad), loss, theft, or destruction of a Payment Device, immediately inform Vista (including the serial number of the Payment Device and relevant contact individuals), and in no event later than 24 hours after discovery of the incident. As soon as possible but no later than five (5) business days after discovery of the incident, Client will provide Adyen (via Vista) with a complete description of the details of the incident and summarize all efforts undertaken or planned to investigate the incident and secure the information and Payment Devices at issue; and

• Install and configure Payment Devices on site (including connecting to cash registers) in accordance with the instructions provided for the Payment Device.

Second Line Support. Client’s support team can, at no additional charge, contact Vista's second-line support helpdesk in case of an issue occurring in with a Payment Device which cannot be resolved by First Line Support using the documentation and tools provided by Vista and/or Adyen.

Client  Obligations

To access and use Vista Payments when operating and using the Payment Device, Client must:

• Ensure that the Payment Device is kept and operated in a suitable environment, used only for the Transactions for which it is designed, and operated in a proper manner;

• Make no alteration to the Payment Device and not remove any component(s) from the Payment Device without the prior written consent of Vista and/or Adyen;

• Permit Adyen or its duly authorized representative to inspect the Payment Device at all reasonable times, subject to reasonable notice and during reasonable working hours at the relevant location;

• Not allow any third party to use the Payment Device or submit Transactions via the Payment Device on behalf of a third party without the prior written consent of Vista and/or Adyen. The Payment Device may only be used by Client to submit Transactions to Adyen in its own name and for the business it registered for when entering into the Adyen – Client Agreement;

• Comply with the relevant usage manuals for the Payment Devices and the Adyen POS Services in general as published on Adyen Docs, including in particular:

• The Payment Device manual,

• The Network Requirements manual for Payment Devices to ensure IP connectivity for the Payment Devices to enable their proper functioning, and

• The Payment Security manual which provides guidelines to assist Client in the safe and secure use of the Payment Device and POS Services;

• Comply with PCI DSS security requirements when handling and using Payment Devices and, upon Adyen's request, fill out Self-Assessment Questionnaires ('SAQs') prescribed by the Scheme Owners under applicable PCI DSS regulations to confirm such compliance; and

• Follow the Scheme Rules in operating the Payment Devices to submit Transactions.

Additional  Services

The following additional services are offered by Adyen to Client in relation to the use of Payment Devices. Any pricing for such additional services is set out in the Order Form.

Cellular Connection and Data. Payment Devices can only be used with SIM cards that are supplied by Adyen. SIM cards will be provided at no cost with specific models of Payment Device, and remotely activated by Adyen. Cellular traffic for Transaction processing and actions such as configuration updates are free of charge. For Android Payment Devices that use cellular data for any non-Adyen applications, Client must purchase data bundles to match their expected data consumption for these applications. Connection speed may be reduced or cellular traffic blocked if data bundles are exceeded, and Adyen retains the right to disable the SIM card. Neither Vista nor Adyen will be liable for any additional costs as a result of excessive data usage. Upon termination of Agreement, all SIM cards will be deactivated and must be returned by Client to Adyen in accordance with the instructions provided by Vista and/or Adyen.

Terminal Cloud Services. Cloud services will be provided alongside Payment Devices at no extra cost, enabling communication over the internet between Client’s application and the Payment Device (Terminal Cloud Services). Client must maintain a stable internet connection so that the Terminal Cloud Services function correctly, allowing Client to: initiate payments and/or Refunds on the Payment Device, receive updates on Transaction status, check Payment Device connection status, and receive data to generate receipts for each Transaction. Vista and Client shall work together to integrate the Terminal Cloud Services.

Dynamic Currency Conversion. Client may offer Dynamic Currency Conversion (DCC), giving Shoppers the opportunity to pay a Transaction either in Client’s local currency or in the currency of the Shopper’s Card. Where it is necessary to convert a sum from one currency to another, including DCC, a currency exchange rate is applied. The conversion rate and fee charged to the Shopper will be shared on the Payment Device before the payment is processed and also confirmed on the Shopper’s sales receipt. The fees for DCC will be charged to the Shopper unless otherwise agreed and Client will receive Settlement in the currency of the original Transaction. In case of a Chargeback on a DCC Transaction, the fee charged may need to be returned. Adyen will process any Chargeback or Refunds using the same currency as the original Transaction and will use the latest conversion rates. Neither Adyen nor Vista will be liable for any differences in the event that currency exchange rate differs between date of original purchase and Chargeback or Refund.

Offline Payments. Payment Devices will by default process all Transactions online only and connectivity issues to the Scheme Owner or Card Issuer will mean the Transaction is declined. Client may configure Payment Devices to also accept Transactions offline. If it does so, Client accepts that:

• Transactions may be approved before Shopper funds are received, making it possible that Client will not receive the funds for the goods and/or services purchased by the Shopper;

• there is a higher risk that card fraud goes undetected;

• any Transaction for an amount exceeding the limit set by Client for offline Transactions will always require online processing only or will be declined in case of connectivity issues;

• Transactions authorized offline will be stored on the Payment Device and forwarded to the Scheme Owner and Card Issuer when the Payment Device is online;

• Transactions that were authorized offline may fail to be Captured, which could result in no Settlement to Client. Neither Vista nor Adyen accept any responsibility for any failed Captures or the defense of Chargebacks and/or disputes in respect of Transactions authorized offline; and

• it accepts full liability for, and shall indemnify and hold Vista and Adyen harmless from, any third party claims in respect of the associated risks regarding Chargebacks, disputes and Capture/Settlement failures.

Manual Keyed Entry. Client may choose to enable Manual Keyed Entry (MKE) on the Payment Devices in accordance with guidelines provided Vista and/or Adyen. Client accepts full liability and shall indemnify and hold Vista and Adyen harmless from any third-party claims in respect of Chargebacks and fraud regarding Transactions executed through the use of MKE.

Mail Order/Telephone Order. If approved, Client may choose to enable activation of Mail Order/Telephone Order (MO/TO) Transactions on the Payment Device whereby payments can be processed remotely by keying in the Card details on the Payment Device while the Card is not present. Client also has the option to enable MO/TO Refunds via the Payment Device. In both scenarios, Client accepts full liability and shall indemnify and hold Vista and Adyen harmless from any third-party claims in respect of Chargebacks and fraud regarding Transactions executed through the use of MO/TO. Client warrants that it will comply with the Scheme Rules and PCI DSS requirements applicable to MO/TO Transactions.

Tipping. Client may elect to enable tipping features on Payment Devices allowing Shoppers to add gratuity to payments made to Client (Tipping). Neither Vista nor Adyen are responsible if the tip amount is ultimately declined by the Shopper’s Issuer.

Cashback. Client may elect to enable the cashback feature on Payment Devices, allowing Shoppers to withdraw cash from their account either in connection with a purchase or without a purchase (Cashback). Client understands that withdrawing cash from a digital Payment Method bears a heightened risk and, as a result, Vista and/or Adyen may require additional information from Client to ensure the Cashback feature is not used for undesired cash handling. Client is responsible for ensuring the cash is delivered to a Shopper with the intention of using the cash in an appropriate way. This requires amongst other things, training of in-store personnel. Neither Vista nor Adyen is responsible for any claims, harm, or damage that may result from Client providing Cashback.  

Gift Cards and Stored Value Cards. Client may elect to process Transactions using stored value cards, including gift cards and mall cards. In order to enable this feature, Client must have a direct contract with the card provider and comply with all regulatory and tax requirements in the country where the card was issued. Client assumes responsibility for the balance on the stored value card, as well as for refunding the amount or issuing new stored value cards to shoppers for returned items. Client should make sure that any PIN is securely provided to customers at the point of purchase.

Incremental Authorisation. Client may elect to increment the payment that has been pre-authorized on the Payment Device if the cost of the provided product or service is not available at the moment of performing the Transaction in-store. Client must inform the Shopper that the incremental adjustment may be performed. Neither Vista nor Adyen will be responsible for the full amount of the Transaction in the event that incremented amount is ultimately rejected by issuers and/or Scheme Owners.

Bypass PIN. Where allowed by Scheme Rules and Applicable Law, Client may elect to enable Bypass PIN features on its Payment Devices. Bypassing the PIN and moving to another Card Verification Method increases the risk of fraud on a Transaction and should therefore only be used where Client trusts a Shopper. Neither Vista nor Adyen will be liable for any unauthorized and/or fraudulent Transactions, which Client must resolve by contacting its Issuer.

Surcharge. Where allowed under Applicable Law, Client may enable the Surcharge feature on Payment Devices, allowing Client to pass Payment Method, interchange fees and/or scheme fees over to Shoppers as a surcharge. Client must ensure that Surcharge is permitted and offered in compliance with all Applicable Laws.

SoftPOS Services. Software point of sale services (SoftPOS Services) may be made available as a Payment Method in countries supported by Adyen. SoftPOS providers, who are considered Scheme Owners, may change the technical characteristics, legal terms and conditions, and/or the acceptance criteria for SoftPOS Services at any time. Should Client disagree with such change(s), it should discontinue use of the SoftPOS Services. Any obligations owed by Client to Scheme Owners shall apply equally to the relevant SoftPOS provider. Any terms and conditions or usage guidelines required by SoftPOS providers, whether shared directly by such provider, Adyen, or Vista shall be considered Scheme Rules. Client acknowledges and accepts that Adyen and/or Vista may be required to enforce the SoftPOS Scheme Rules on behalf of SoftPOS providers from time to time. SoftPOS providers may, in their sole discretion, suspend or discontinue the SoftPOS Services (or require Adyen and/or Vista to do the same) with or without cause. Client shall hold Vista and Adyen harmless from any claims or actions for damages arising therefrom.

Vista Payment Data Processing Terms

Client’s use of the Services is subject to the Agreement (as defined in the Vista Payments Terms) including the data processing terms incorporated therein, the Vista Payments Order Form, the Vista Payments Terms and the Vista Payments Device Terms, together with the terms set out in this Vista Payments Data Processing Terms Annex (“Vista Payments Data Processing Terms”).  

By executing the Vista Payments Order Form or otherwise accessing and using Vista Payments, the Client agrees to be bound by these Vista Payments Data Processing Terms. Any capitalised terms used but not otherwise defined below have the meaning given to those terms in the Vista Payments Terms or the Agreement.

Data Processing Terms  Framework

Where the Agreement in place between Client and Vista is a License Agreement for Veezi Software, Vista Cloud Agreement or Vista Subscription Agreement, the data processing terms set out in that Agreement shall be supplemented by incorporating these Vista Payments Data Processing Terms by reference.  

Where the Agreement in place between Client and Vista relating to Vista’s provision of services to Client is a Master License Agreement: (a) the Vista Cloud Data Processing Terms available at https://cloud.vista.co/vista-data-processing-terms shall be incorporated into the Agreement by reference as if references to “Vista Cloud Services” were references to the applicable Vista services, and shall supersede any existing data processing terms in that Agreement; and (b) such Vista Cloud Data Processing Terms shall be supplemented by incorporating these Vista Payments Data Processing Terms by reference

Except as expressly modified by these Vista Payments Data Processing Terms, the terms of the Agreement (including any data processing terms incorporated therein) shall continue to apply in full force and effect.

Vista may update or modify these Vista Payments Data Processing Terms at any time in accordance with the Vista Payments Terms.

Purpose of Processing

Personal Data will be Processed by Vista and its Sub-Processors, including Adyen N.V. and Adyen New Zealand Limited (together “Adyen”), for the purpose of delivering Vista Payments to Client.  This includes activities such as payment processing, fraud detection and prevention, chargeback management, compliance with legal obligations, and related support and reporting services, as necessary for the performance of the Agreement.

Categories of Data

The types of Personal Data to be Processed by Vista and its Sub-Processors (including Adyen) for the purpose of delivering Vista Payments to Client include, but are not limited to, those categories listed in the Agreement, as well as the following:

Payment details: cardholder name, encrypted card number, expiry date, encrypted CVC, bank account number, BIC, and bank name.  (Note: card details are encrypted in accordance with PCI-DSS requirements.)

Fraud detection data: device fingerprint, persistent cookie, shopper reference, browser language, basket info, delivery method, and shopper country.

Chargeback data: any data uploaded by the Client to support chargeback defence.

AML/KYC data (Processed by Adyen as a Controller - see below): business contact information and identity verification data.

Roles and  Responsibilities

When Processing Personal Data for the purposes of supplying Vista Payments – excluding those Processing activities where Adyen acts as an independent Controller (see below) - Vista acts as a Processor and Adyen acts as Vista’s Sub-Processor.  This includes activities such as payment processing, chargeback handling, refunds and reporting, performed in accordance with Client’s instructions.

Adyen acts as an independent Controller when Processing Personal Data for purposes including: fraud detection and risk assessments under Adyen’s Score Service; compliance reporting; performance of Know Your Customer (“KYC”) and Anti-Money Laundering / Anti-Terrorist Financing (“AML”) verifications; and other Processing required to comply with Adyen’s legal obligations.  Where Adyen acts as a Controller, it Processes Client Data in accordance with its own Privacy Statement, available at: https://www.adyen.com/privacy-policy.

Sub-Processor Engagement

Vista may engage Sub-Processors, including Adyen and its further Sub-Processors, to deliver Vista Payments.  The list of current further Sub-Processors used by Adyen is set out on Adyen’s Sub-Processor page at https://www.adyen.com/legal/list-of-adyen-subprocessors (“Adyen Sub-Processors”) and Client may subscribe to updates of such list by using the form on that webpage. In all other respects, the terms set out in the Agreement (including the data processing terms therein) regarding the appointment of Sub-Processors shall continue to apply.

International Transfers

Client authorises the transfer of Personal Data to Adyen and the Adyen Sub-Processors for the purposes of providing Vista Payments.  Where such transfers involve EU, Swiss or UK Client Personal Data being transferred outside of the Protected Area, they shall be governed by the Standard Contractual Clauses and, where applicable, the UK Addendum.  For these transfers, Adyen shall act as the ‘data exporter’ and the relevant Adyen Sub-Processor as the ‘data importer’.

Security Measures

Vista shall ensure that Adyen, when acting as its Sub-Processor for the purpose of delivering Vista Payments, implements appropriate technical and organisational measures to protect Personal Data.  These measures include, but are not limited to, PCI DSS Level 1 compliance, SOC 2 Type 2 audits, encryption, pseudonymisation, access controls, and incident response protocols.  A summary of Adyen’s security program is available to the Client upon request to Vista.

Retention and Deletion

Adyen retains transaction-related Personal Data for a period of seven (7) years in accordance with its legal obligations under Dutch law and applicable scheme rules.  Client acknowledges that such data may not be deleted upon request where retention is required by law or necessary for compliance, fraud prevention or dispute resolution.  Where deletion is not feasible, Adyen shall ensure that such Personal Data is securely archived and not Processed for any other purpose.

Audit and Reporting

Vista shall ensure that Adyen, when acting as its Sub-Processor for the purpose of delivering Vista Payments, provides annual ISAE3402/SOC 2 and PCI DSS audit reports, which shall satisfy Vista’s and Client’s audit rights under Article 28(3)(h) of the GDPR.  Upon written request, Vista shall make these reports available to Client.  Where Client has a reasonable and substantiated concern regarding Adyen’s compliance with applicable data protection obligations, the Client may request additional offsite audit access and related information, subject to reasonable notice and appropriate confidentiality obligations.

Indemnity and Liability

Notwithstanding anything to the contrary in the Agreement (including any data processing terms therein), Client shall indemnify and hold Vista harmless from and against all liabilities, damages, costs and expenses (including reasonable legal fees) arising from any third party claim (including by Adyen or any Data Subject, or a Supervisory Authority) to the extent such claim results from Vista’s or Adyen’s Processing of Personal Data in accordance with Client’s instructions, where such instructions infringe applicable Data Protection Laws or the rights of a Data Subject.  For clarity, this indemnity shall apply without limitation and is not subject to any liability cap or exclusion of liability that may otherwise apply under the Agreement.  

Except as expressly modified above, the indemnity and liability provisions set out in the Agreement shall continue to apply to Vista’s Processing of Personal Data for the purposes of delivering Vista Payments to Client.

Hierarchy

In the event of inconsistencies between the provisions of these Vista Payments Data Processing Terms and the provisions of the Agreement, the provisions of these Vista Payments Data Processing Terms shall prevail.