Additional Integration Requirements


This page provides an overview of additional integration requirements for merchants using Affirm. It covers various aspects of the integration and integration process, including:

Please review the sections below for further details.


Your (“Merchant”) use of the Services (the “Integration”) should follow these documents and Affirm’s instructions. Any capitalized terms not defined here will have the meanings given to them in the agreement between Merchant and Affirm.

Scheduled Maintenance

Affirm may apply upgrades, patches, bug fixes, or other maintenance to the Services (“Maintenance”). Merchant will follow any maintenance requirements provided by Affirm. Additionally, Merchant will promptly notify Affirm of, and assist Affirm in diagnosing, any failure or other impediment to Merchant’s use of the Services.

Capacity Planning Notification

Merchant will notify Affirm as early as reasonably possible of any anticipated substantial increase in Merchant’s or Merchant’s customers’ use of the Services and will provide estimates of anticipated demand upon Affirm’s request. Upon further request by Affirm, Merchant will promptly provide Affirm with aggregated and anonymized data regarding past and anticipated volume through the Services, including pageview volumes for webpages that host Affirm promotional messaging, overall transaction volumes, and Affirm transaction volumes (including average daily transaction volumes, daily impression volume peaks, and hourly impression volume peaks), as applicable. All information provided by Merchant under this Section will be considered Merchant Confidential Information. Merchant will not use the Services for high-frequency internal Merchant testing or load testing.

Information Security

Merchant will encrypt all Affirm Confidential Information, including Personal Data in-transit, and will encrypt all Personal Data both at rest and in-transit with industry-standard encryption methods and algorithms, such as AES-256 and the two most recent, non-deprecated versions of TLS, respectively.

Merchant will not transmit any unencrypted Personal Data over the internet or a wireless network, and will not store any Personal Data on any mobile computing device, such as a laptop computer, USB drive or portable data device, except where there is a business necessity and only if the mobile computing device is protected by industry standard encryption.

Merchant will ensure that the following requirements are met:

  • (a) Merchant’s connectivity to Affirm’s information systems and all attempts at the same will be only through Affirm’s security gateways/firewalls and only through Affirm’s authorized security procedures, which can be obtained from Affirm’s Information Security Department
  • (b) Merchant will not access, and will not permit unauthorized persons or entities to access, Affirm’s information systems without Affirm’s express written authorization, and any such actual or attempted access will be consistent with Affirm’s authorization
  • (c) Any private API keys or other material provided to Merchant for the purpose of Merchant authenticating to Affirm’s information systems will constitute Confidential Information and will be protected as such.
  • (d) Merchant will take appropriate measures to ensure that Merchant’s information systems which connect to Affirm’s information systems, and anything provided to Affirm, do not contain any computer code, programs, mechanisms, or programming devices designed to, or that would, enable the disruption, modification, deletion, damage, deactivation, disabling, harm or otherwise be an impediment, in any manner, to the operation of the Affirm’s services or information systems, and Merchant will immediately notify Affirm upon detection of any vulnerabilities thereto.