Data Processing Addendum

This Data Processing Addendum (the “DPA”) supplements the agreement between you (the “Controller”) and Marseille UPG (the “Processor”) and governs the processing of personal data by Marseille UPG in the course of providing the Services.

Effective: March 1, 2026
Version: v2.4
Standard clauses: EU 2021/914 Module 2
UK addendum: IDTA v1.0
01

Definitions

Capitalised terms not defined in this DPA have the meaning given to them in the Terms of Service. “Applicable Data Protection Laws” means the EU GDPR, UK GDPR, Swiss FADP, the California Consumer Privacy Act/CPRA, the Brazilian LGPD, and any other data protection or privacy law applicable to the Processor’s activities under the agreement.

02

Subject matter

The Processor processes personal data on behalf of the Controller solely to provide the Services. The categories of data subjects, types of personal data, and processing operations are set out in Annex I of the EU Standard Contractual Clauses incorporated into this DPA.

03

Duration and nature

Processing continues for the term of the agreement and any agreed tail period. The nature of processing is the operation of multi-tenant payment infrastructure, including routing, observability, fraud screening, dispute handling, and analytics in support of the Services.

04

Processor obligations

  • Process personal data only on documented instructions from the Controller, including with regard to international transfers.
  • Ensure that personnel authorised to process personal data are bound by appropriate confidentiality obligations.
  • Implement and maintain the technical and organisational security measures set out in Annex II.
  • Assist the Controller in fulfilling obligations to respond to data subject rights requests and DPIA consultations.
  • Make available all information necessary to demonstrate compliance with this DPA.

05

Sub-processors

The Controller authorises the engagement of the sub-processors listed below. Marseille UPG will provide at least 30 days’ notice before adding or replacing a sub-processor and the Controller may object on reasonable, demonstrable grounds.

Sub-processor                  | Role                           | Region
-------------------------------|--------------------------------|--------
AWS (eu-west-1, us-east-1)     | Primary cloud infrastructure   | EU / US
Google Cloud (asia-southeast1) | APAC infrastructure            | APAC
Cloudflare                     | Edge, WAF, DDoS protection     | Global
Datadog                        | Observability and APM          | EU
Snowflake                      | Aggregated analytics warehouse | EU
Sumsub                         | KYB / sanctions screening      | EU
Zendesk                        | Customer support tooling       | EU / US

06

International transfers

Where personal data is transferred outside the EEA, UK or Switzerland, the parties agree that the EU Standard Contractual Clauses 2021/914 (Module 2: Controller-to-Processor) and the UK IDTA v1.0 are incorporated by reference and apply to such transfers. The parties agree on the United Kingdom (ICO) as the supervisory authority.

07

Security measures

Annex II is summarised below; full controls and certifications are available on request and described on the Security page.

  • ISO/IEC 27001:2022 certified Information Security Management System.
  • SOC 2 Type II reports refreshed annually with continuous control monitoring.
  • PCI DSS Level 1 service provider, AoC available under NDA.
  • Encryption at rest (AES-256) and in transit (TLS 1.3 minimum, modern ciphers only).
  • Network segmentation, least-privilege IAM, mandatory MFA and hardware-key SSO for admin access.
  • Quarterly external penetration tests and continuous internal red-teaming.

08

Data subject rights

The Processor will, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller’s obligation to respond to requests for exercising the data subject’s rights under Applicable Data Protection Laws.

09

Personal data breach

The Processor will notify the Controller without undue delay and in any event within 48 hours of becoming aware of a personal data breach affecting Controller data, and will provide information necessary for the Controller to comply with its notification obligations.

10

Audit rights

The Controller may audit compliance with this DPA once per twelve-month period. Audits are typically satisfied through provision of the Processor’s SOC 2 Type II report, ISO 27001 certificate and PCI Attestation of Compliance. On-site audits may be conducted on reasonable prior notice and during business hours, subject to confidentiality undertakings.

11

Deletion or return of data

On termination of the Services, and at the choice of the Controller, the Processor will delete or return all personal data processed on behalf of the Controller, except where retention is required by Applicable Data Protection Laws.