
Data Processing Agreement

[Last Updated December 20, 2024]

This Data Processing Agreement (“DPA”) is governed by and hereby attached to the Master Service Agreement, Terms of Service, or any other agreement (“Agreement”) executed by and between Mrkter Technologies L.B.O. Ltd., dba “PayOut” (“Payouts”), and you, a customer using the Payouts Services (“Customer”). Each of Payouts and Customer may be referred to herein as a “Party” and collectively as the “Parties”.

All capitalized terms not defined herein shall have the meaning set forth in the Agreement.

WHEREAS, Payouts is the developer and operator of multiple automated payouts solutions, ensuring comprehensive tracking of vendor financial activities, billing account authenticity, tax compliance, all as agreed by the parties in the applicable order form or other ordering documents that are incorporated in the Agreement (“Services”);

WHEREAS, for the purpose of providing the Services, Payouts shall Process Personal Data (as these terms are defined below) on Customer’s behalf, for the limited and specified purposes set forth herein, and subject to the terms and conditions of this DPA; and

WHEREAS, the Parties desire to supplement this DPA to achieve compliance with the applicable Data Protection Laws and agree on the following:

  1. DEFINITIONS

    1. 1.1. “Adequate Country” is a country that received an adequacy decision from the European Commission, or other applicable data protection authority.
    2. 1.2. The terms “Business”, “Business Purpose”, “Consumer”, “Controller”, “Data Subject”, “Personal Data”, “Personal Information”, “Personal Data Breach”, “Processing” (and “Process”), “Processor”, “Holder”, “Sensitive Data”, “Service Provider”, “Sale” (or “Sell”) and “Share”, “Special Categories of Personal Data” and “Supervisory Authority” and “Targeted Advertising”, shall have their respective meanings under the applicable Data Protection Laws. Further, under this DPA: “Data Subject” shall also mean and refer to, under this DPA, a “Consumer”; “Personal Data” shall also mean and refer to “Personal Information” under this DPA; and “Special Categories of Data” or “Highly Sensitive Data” shall also mean and refer to, under this DPA, “Sensitive Data”. Capitalized terms not specifically defined under this Agreement shall have their respective meanings under the applicable Data Protection Laws.
    3. 1.3. “CCPA” means the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 – 1798.199) of 2018, including as modified by the California Privacy Rights Act (“CPRA”) as well as all regulations promulgated thereunder from time to time.
    4. 1.4. “CPA” means the Colorado Privacy Act C.R.S.A. § 6-1-1301 et seq. (SB 21-190), including any implementing regulations and amendments thereto.
    5. 1.5. “CTDPA” means the Connecticut Data Privacy Act, S.B. 6 (Connecticut 2022), including any implementing regulations and amendments thereto.
    6. 1.6. “Customer Data” means Personal Data Processed by Payouts on behalf of Customer for the purpose of providing the Services to Customer, however excluding the Shared Data.
    7. 1.7. “Data Protection Laws” means any and all applicable privacy and data protection laws and regulations (including, where applicable, EU Data Protection Law, UK Data Protection Laws, Swiss Data Protection Laws, Israeli Data Protection Law and the US Data Protection Laws) as may be amended or superseded from time to time.
    8. 1.8. “Data Privacy Framework” or “DPF” means the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework self-certification programs (as applicable) operated by the U.S. Department of Commerce; as may be amended, superseded or replaced.
    9. 1.9. “DPF Principles” means the Principles and Supplemental Principles available at: https://www.dataprivacyframework.gov/program-articles/Participation-Requirements-Data-Privacy-Framework-(DPF)-Principles; as may be amended, superseded or replaced.
    10. 1.10. “EEA” means the European Economic Area.
    11. 1.11. “EU Data Protection Law” means the (i) EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) Regulation 2018/1725; (iii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); (iv) any national data protection laws made under, pursuant to, replacing or succeeding (i) and (ii); (v) any legislation replacing or updating any of the foregoing; and (vi) any judicial or administrative interpretation of any of the above, including any binding guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority.
    12. 1.12. “EU Standard Contractual Clauses” or the “EU SCCs” mean the standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by the European Commission Decision 2021/914 of 4 June 2021, available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN
    13. 1.13. “FDBR” means the Florida Digital Bill of Rights S.B 262, Florida Statutes § 501.173 et seq.
    14. 1.14. “Instructions” means the written, documented instructions issued by a Controller to a Processor, and directing the same to perform a specific or general action with regard to Personal Data (including, but not limited to, instructions under this DPA as well as those which are related to depersonalizing, blocking, deletion, making available).
    15. 1.15. “Israeli Data Protection Laws” means the (i) Israeli Privacy Protection Law, 5741-1981 (as amended under Amendment 13); (ii) the regulations promulgated pursuant thereto, including the Israeli Privacy Protection Regulations (Data Security), 5777-2017 and the Israeli Protection of Privacy (Transfer of Data to Databases Abroad) Regulations, 5761-2001; (iii) any amendments or legislation replacing or updating any of the foregoing; and (iv) any judicial or administrative interpretation of any of the above, including any binding guidance, guidelines, codes of practice, approved codes of conduct or certification mechanisms approved by the Israeli Privacy Protection Authority and other related privacy regulations.
    16. 1.16. “MTCDPA” means the Montana Consumer Data Privacy Act 68th Legislature 2023, S.B. 0384, Montana Code Annotated § 30-14-2801 et seq.
    17. 1.17. “OCDPA” means the Oregon Consumer Data Privacy Act ORS 646A.570-646A.589.
    18. 1.18. “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data. For the avoidance of doubt, any Personal Data Breach will be considered a Security Incident.
    19. 1.19. “Shared Data” shall mean the Personal Data shared between the parties for the purpose of providing the Services, authentication, KYC checks, etc., if and to the extent applicable under the Agreement, however excluding Customer Data.
    20. 1.20. “Standard Contractual Clauses” shall mean either the EU SCC, the UK SCC or the Swiss SCC.
    21. 1.21. “Swiss Data Protection Laws” or “FADP” shall mean (i) Swiss Federal Data Protection Act (“FDPA”); (ii) the Ordinance on the Federal Act on Data Protection (“FODP”); (iii) any national data protection laws made under, pursuant to, replacing or succeeding and any legislation replacing or updating any of the foregoing.
    22. 1.22. “Swiss SCC” shall mean the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner.
    23. 1.23. “TDPSA” means the Texas Data Privacy and Security Act, Tex. Bus. & Com. Code Ann. § 541.001 et seq.
    24. 1.24. “UCPA” means the Utah Consumer Privacy Act, Utah Code Ann. § 13-61-101 et seq.
    25. 1.25. “UK Data Protection Laws” shall mean the Data Protection Act 2018 (DPA 2018), as amended, and the GDPR, as incorporated into UK law as the UK GDPR, as amended (“UK GDPR”), and any other applicable UK data protection laws or regulatory Codes of Conduct or other guidance that may be issued from time to time.
    26. 1.26. “UK SCC” shall mean the UK ‘International data transfer addendum to the European Commission’s standard contractual clauses for international data transfers’, available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf, as adopted, amended or updated by the UK’s Information Commissioner’s Office, Parliament or Secretary of State.
    27. 1.27. “US Data Protection Laws” means any U.S. federal and state privacy laws in effect which apply to the Processing of Personal Data under this DPA, and any implementing regulations and amendments thereto, including without limitation, the CCPA, the CPA, the CTDPA, the FDBR, the MTCDPA, the OCDPA, the TDPSA, the UCPA and the VCDPA, all as amended or superseded from time to time and including any implementing regulations and amendments thereto.
    28. 1.28. “VCDPA” means the Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-575 et seq. (SB 1392), including any implementing regulations and amendments thereto.

  2. PROCESSING OF PERSONAL DATA

    1. 2.1. It is hereby agreed by the Parties, that: (i) when Processing Customer Data, the Customer shall be deemed as a data Controller, and Payouts shall be deemed as the data Processor; and (ii) Payouts is the Controller of the Account Information and Platform Usage Data (as defined in the Privacy Policy) which is used to manage the customer relationship, provide support, repair bugs, facilitate security, optimize the user experience, provide maintenance and carry out core business functions such as accounting, billing, and filing taxes. For more information, please see the Payouts Privacy Policy.
    2. 2.2. Further, when Processing Shared Data, both Payouts and Customer are acting as independent Controllers. It is hereby clarified that in no event will the Parties Process the Shared Data as joint Controllers.
    3. 2.3. The applicable data sets which are Processed by the Parties under the Agreement, the subject matter and duration of the Processing, are detailed under Annex I.
    4. 2.4. US Data Protection Laws specifications are further detailed in Annex V.
  3. PARTIES’ OBLIGATIONS

    1. 3.1. When Processing Customer Data, Payouts shall:
      1. 3.1.1. Process the Customer Data solely for the purpose of providing the Services and in accordance with Customer’s Instructions and in compliance with applicable Data Protection Laws.
      2. 3.1.2. If Payouts becomes aware that it cannot Process Customer Data in accordance with the Instructions due to a legal requirement under any applicable law, Payouts will (i) promptly notify Customer of that legal requirement to the extent permitted by the applicable law; and (ii) where necessary, cease all Processing (other than merely storing and maintaining the security of the affected Customer Data) until such time as Customer issues new Instructions with which Payouts is able to comply. If this provision is invoked, Payouts will not be liable to Customer under the Agreement for any failure to perform the applicable Services until such time as Customer issues new lawful Instructions with regard to the Processing.
      3. 3.1.3. If Payouts reasonably believes that an Instruction infringes applicable Data Protection Law, Payouts shall inform Customer without undue delay, and shall have the right to immediately cease any such Processing activity related to the infringing Instruction. To the extent the infringement was not cured by Customer within 10 days from receiving written notice of the same from Payouts, Payouts shall have the right to terminate its Processing activities under this DPA or terminate the Agreement immediately without providing further notice to Customer.
      4. 3.1.4. Where Payouts receives a request from a Data Subject or a competent Supervisory Authority in respect of the Customer Data Processed by it, Payouts will notify Customer, to the extent permitted under applicable law, as soon as possible, as well as direct the Data Subject or the applicable Supervisory Authority to the Customer in order to enable the Customer to respond directly to the Data Subject’s or applicable Supervisory Authority’s request, unless otherwise required under applicable laws. Customer will reimburse Payouts for the commercially reasonable costs arising from this assistance.
      5. 3.1.5. Payouts will implement and maintain appropriate technical and organizational measures to protect the Customer Data from Security Incidents, as described under Annex II to this DPA (“Security Measures”). Notwithstanding any provision to the contrary, Payouts may modify or update the Security Measures at its discretion provided that such modification or update does not result in a material degradation in the protection offered by the Security Measures.
      6. 3.1.6. Payouts shall ensure that individuals who are authorized by Payouts to Process the Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
      7. 3.1.7. Payouts will notify Customer without undue delay after it becomes aware of any Security Incident and will provide timely information relating to the Security Incident as it becomes known or reasonably requested by Customer. At Customer’s request, Payouts will promptly provide Customer with such reasonable assistance as necessary to enable Customer to comply with its obligations mandated by the applicable Data Protection Laws to notify such Security Incident to competent authorities and/or affected Data Subjects.
      8. 3.1.8. To the extent that the required information is reasonably available to Payouts, and Customer does not otherwise have access to the required information, Payouts will provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities to the extent required under applicable Data Protection Laws.
    2. 3.2. Customer’s obligations as a data Controller of the Customer Data:
      1. 3.2.1. Within the scope of the Agreement and in its use of the Services, Customer will be responsible for complying with all requirements that apply to it under applicable Data Protection Laws with respect to its Processing of Customer Data, including its transfer or export to Payouts and the Instructions it issues to Payouts. The Customer shall be exclusively responsible to enable a lawful Processing of Customer Data, including by obtaining any required consent and providing any required disclosures under applicable Data Protection Laws. Customer shall inform Payouts without undue delay if it is not able to comply with its responsibilities under this Section or applicable Data Protection Laws.
      2. 3.2.2. The Parties agree that the Agreement (including this DPA), together with Customer’s use of the Service in accordance with the Agreement, constitute the complete Instructions to Payouts in relation to the Processing of Customer Data, so long as Customer may provide additional Instructions during the term of the Agreement that are consistent with the Agreement, the nature and lawful use of the Services.
      3. 3.2.3. Customer is responsible for independently determining whether the data security provided for in the performance of the Services adequately meets Customer’s obligations under applicable Data Protection Laws. Customer is also responsible to secure its use of the Service, including protecting the security of Customer Data in transit to and from the Services (including to securely backup or encrypt any such Customer Data).
    3. 3.3. Parties’ obligations when Processing Shared Data:
      1. 3.3.1. Each Party shall be individually and separately responsible for complying with the obligations that apply to such Party under applicable Data Protection Law including when issuing Instructions to Payouts.
      2. 3.3.2. In the event Shared Data will include Special Categories of Data, the Parties shall implement specific restrictions and safeguards in order to protect such Special Categories of Personal Data.
      3. 3.3.3. Both Parties shall provide each other with commercially reasonable cooperation and assistance in relation to the handling of a Data Subject’s, governmental or applicable Supervisory Authority’s request, concerning the Shared Data.
      4. 3.3.4. Each Party shall notify the other Party in the event of a Security Incident involving the Shared Data, immediately and no later than within 48 hours from becoming aware of such. Further, the Parties undertake to cooperate with each other and provide each other with reasonable assistance and information as may be necessary for the containment, investigation, remediation or mitigation of the Security Incident. Each Party shall further notify the other Party if it receives any request by a Supervisory Authority related to such Security Incident.
  4. SUB-PROCESSORS

    1. 4.1. Customer acknowledges and agrees that Payouts may engage with third party data Processors (“Sub-Processor”) for the purpose of Processing the Customer Data. Payouts may continue to use those Sub-Processors which Payouts has already appointed as listed under Annex III – Table A, or replace, add, or cease any use of a Sub-Processor, upon providing Customer with 30-days prior notice of the same; providing Customer shall have the right to object to the addition or replacement of certain Sub-Processor on reasonable grounds relating to the protection of Customer Data. If Customer notifies Payouts of such an objection, the Parties will discuss those concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, Payouts will, at its sole discretion, either not appoint the new Sub-Processor, or permit Customer to suspend or terminate the affected Services in accordance with the termination provisions of the Agreement without liability to either Party (but without prejudice to any fees incurred by Customer prior to suspension or termination effective date).
    2. 4.2. Where Payouts engages Sub-Processors, it will impose data protection terms on the Sub-Processors that provide at least the same level of protection for Customer Data as those in this DPA, to the extent applicable to the nature of the services provided by such Sub-Processors. Payouts will remain responsible for each Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor that cause Payouts to breach any of its obligations under this DPA.
    3. 4.3. Payouts further shares certain Shared Data with its financial business partners (“Financial Business Partners”) which process such data as independent data Controllers. Such Financial Business Partners include, without limitation, payment processors, financial institutions such as banks and credit bureaus, collection companies as well as additional financial service providers, all as listed under Annex III – Table B herein below, which might be updated from time to time.

  5. INTERNATIONAL DATA TRANSFER

    1. 5.1. Subject to Section 5.2 herein below, Customer acknowledges and agrees that Payouts may access and Process Customer Data on a global basis as necessary to provide the Services in accordance with the Agreement, and in particular that Customer Data may be transferred to and Processed in the United States and to other jurisdictions where Payouts affiliates and Sub-Processors have operations. Wherever Customer Data is transferred outside its country of origin, each Party will ensure such transfers are made in compliance with the requirements of Data Protection Laws.
    2. 5.2. Payouts will only transfer Customer Data to those Adequate Countries, unless it first takes all such measures as are necessary to ensure the transfer is in compliance with applicable Data Protection Laws. Such measures may include (without limitation) (i) transferring such data to a recipient that is covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data, including the Data Privacy Framework; (ii) to a recipient that has achieved binding corporate rules authorization in accordance with applicable Data Protection Laws; or (iii) to a recipient that has executed the Standard Contractual Clauses in each case as adopted or approved in accordance with applicable Data Protection Laws.
    3. 5.3. In relation to Customer Data that is subject to the EU Data Protection Laws, transfers will be conducted in accordance with the terms under Annex IV to this DPA.
    4. 5.4. In relation to Customer Data that is subject to the UK GDPR, the Standard Contractual Clauses will apply in accordance with the terms under Annex IV, and the following modifications (i) the Standard Contractual Clauses will be modified and interpreted in accordance with the UK SCC, which will be incorporated by reference and form an integral part of the Agreement; (ii) Tables 1, 2 and 3 of the UK SCC will be deemed completed with the information set out in the annexes herein below, and Table 4 to the UK SCC will be deemed completed by selecting “neither Party”; and (iii) any conflict between the terms of the Standard Contractual Clauses and the UK SCC will be resolved in accordance with Section 10 and Section 11 of the UK SCC.
    5. 5.5. In relation to Customer Data that is subject to the Swiss DPA, the Standard Contractual Clauses will apply in accordance with the terms under Annex IV, and the following modifications (i) references to “Regulation (EU) 2016/679” will be interpreted as references to the Swiss DPA; (ii) references to “EU”, “Union” and “Member State law” will be interpreted as references to Swiss law; and (iii) references to the “competent supervisory authority” and “competent courts” will be replaced with “the Swiss Federal Data Protection and Information Commissioner” and the “relevant courts in Switzerland”.
    6. 5.6. In relation to the Shared Data and to the extent acting as a data exporter, each Party as a data exporter represents, warrants and undertakes that it: (a) has complied with Applicable Data Protection Laws, in respect of the collection, storage, disclosure and transfer of Data to the other party in its capacity as a Data Importer, and (b) except to the extent agreed otherwise in writing, it has provided such disclosures, and obtained any consents, necessary to effect the transfer to and Processing of Data by the other party in its capacity as a data importer, in accordance with and as contemplated by the Agreement and this DPA.

  6. AUDIT RIGHTS

    1. 6.1. Payouts shall maintain accurate written records of all Processing activities of any Customer Data carried out under this DPA and shall make such records available to the Customer and applicable Supervisory Authorities upon written request. Such records provided shall be considered Payouts’ Confidential Information and shall be subject to confidentiality obligations under the Agreement.
    2. 6.2. Customer may audit Payouts’ compliance with this DPA and Data Protection Laws by requesting a certificate issued for security verification reflecting the outcome of an audit conducted by a third party auditor (e.g., ISO27001/ISO27701 certification, SOC2 certificate) or a comparable certification or other security certification of an audit conducted by a third-party auditor, within twelve (12) months as of the date of Customer’s request.
    3. 6.3. Alternatively, in the event the records and documentation provided subject to Section 6.1 and 6.2 above are not sufficient for the purpose of demonstrating compliance, Payouts shall make available, solely upon prior reasonable written notice and no more than once per calendar year, to a reputable auditor nominated by the Customer, information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Customer Data (“Audit”) in accordance with the terms and conditions hereunder. The auditor shall be subject to standard confidentiality obligations (including towards third parties). Payouts may object to an auditor appointed by the Customer in the event Payouts reasonably believes the auditor is not suitably qualified or is a competitor of Payouts. Customer shall bear all expenses related to the Audit and shall (and ensure that each of its auditors shall) over the course of such Audit, avoid causing any damage, injury or disruption to Payouts’ premises, equipment, personnel and business while its personnel are on those premises in the course of such Audit.
    4. 6.4. Nothing in this DPA will require Payouts to either disclose to Customer or its third-party auditor, or to allow Customer or its third-party auditor to access: (i) any data of any other Payouts’ customer; (ii) Payouts’ internal accounting or financial information; (iii) any trade secret of Payouts or its affiliates; (iv) any information that, in Payouts’ reasonable opinion, could compromise the security of any Payouts’ systems or cause any breach of its obligations under applicable law or its security or privacy obligations to any third party; or (v) any information that Customer or its third-party auditor seeks to access for any reason other than the good faith fulfillment of Customer’s obligations under the Data Protection Laws.
  7. TERMINATION

    1. 7.1. This DPA shall be effective as of the Effective Date (as defined in the Agreement) and shall remain in force and effect for as long as Payouts Processes the Customer Data.
    2. 7.2. Following the termination of this DPA, Payouts shall, at the choice of the Customer, delete all Customer Data Processed on behalf of the Customer and certify to the Customer that it has done so, or, return all Customer Data to the Customer and delete existing copies, unless applicable law or regulatory requirements require that Payouts continues to store Customer Data. Until the Customer Data is deleted or returned, the Parties shall continue to ensure compliance with this DPA.
    3. 7.3. In the event of a conflict between the terms and conditions of this DPA and the Agreement, this DPA shall prevail. For clarity, in the event Standard Contractual Clauses have been executed between the parties, the terms of the Standard Contractual Clauses shall prevail over those of this DPA. Except as set forth herein, all the terms and conditions of the Agreement shall remain in full force and effect.

ANNEX I

LIST OF PARTIES AND DETAILS OF PROCESSING

1. List of Parties

Data exporter of the Customer Data:

  • Customer (details are provided in the relevant Agreement/order)
  • Activities relevant to the data transferred under these Clauses: Receiving the Services as detailed under the Agreements, and with respect to the Shared Data it is Processed in order to conduct certain Know Your Customer (“KYC”) checks mandated under applicable laws.
  • Role (controller/processor): Controller of Customer Data and Controller of Shared Data.

Data importer of Customer Data:

  • Name: Mrkter Technologies L.B.O. Ltd.
  • Address: Ha-Sadna’ot St 10, Floor 4, Herzliya, 4673304
  • Contact person’s name, position and contact details: Noor Qasim, COO, [email protected]
  • Activities relevant to the data transferred under these Clauses: Providing the Services to the Customer, and with respect to the Shared Data it is Processed in order to conduct certain activities and checks including KYC checks.
  • Role (controller/processor): Processor of Customer Data and independent Controller of Shared Data.

2. Categories of Data Subjects

With regards to Personal Data Processed under Module I (Controller – Controller) (“Module I”):

  • Customer’s beneficial owners; and
  • Other persons whose data is required for KYC and/or onboarding authorization process.

With regards to Personal Data Processed under Module II (Controller – Processor) (“Module II”):

  • Customer’s vendors or payees.
  • Authorized users, i.e., Customer employees. Any data subject whose information is uploaded to the Services by Customer.

3. Type of Personal Data

With regards to Personal Data Processed under Module I, such Shared Data might include:

Any data required to conduct KYC (as applicable to each Customer):

  • KYC information and documentation, including tax identifier, government issued ID (e.g., passport, driver’s license or national ID card) and any information captured on such ID (such as facial images/photographs);
  • name, contact details, address, employment details (company and role) and date of birth;
  • ID verification results;
  • Information about stock ownership; and
  • any other Personal Data required by Payouts in accordance with Payouts’ onboarding procedures and policies.

With regards to Personal Data Processed under Module II, such Customer Data might include:

  • transactions conducted;
  • financial records such as bank accounts details;
  • contact information including address of vendors and payees; and
  • any other Personal Data required by Payouts in accordance with the Service.

4. The frequency of the transfer

With regards to the Processing under Module I: Periodically.

With regards to the Processing under Module II: continuous basis.

5. Nature of the processing and transferring:

Collection, storage, communication, transfer and other Processing operations as necessary for the performance of Payouts’ obligations under the Agreement.

6. Purpose of the processing and transferring:

Providing the Services and/or compliance with regulatory obligations.

7. The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:

Customer Data and Shared Data shall be retained as required to provide the Services and as required under applicable laws.

ANNEX II

TECHNICAL AND ORGANIZATIONAL MEASURES

This Annex II highlights the technical, organizational and physical security measures implemented by Payouts when Processing Personal Data under this DPA:
    1. 1. Provide third-party attestation of static or dynamic application security testing or penetration testing on all software Processing Personal Data, remediate any identified high vulnerabilities prior to delivery to Customer, provide written remediation plans for medium and low vulnerabilities, and provide evidence of its remediation of any identified security vulnerabilities at Customer’s request;
    2. 2. Maintain a level of security appropriate to the harm that may result from any unauthorized or unlawful Processing or accidental loss, destruction, damage, denial of service, alteration or disclosure, and appropriate to the nature of Personal Data;
    3. 3. Oblige its employees, agents or other persons to whom it provides access to Personal Data to keep it confidential; take reasonable steps to ensure the integrity of any employees who have access to Personal Data; provide annual training to staff and subcontractors on the security requirements contained herein;
    4. 4. Maintain measures designed to ensure the ongoing confidentiality, integrity, availability and resilience of Payouts’ systems and services;
    5. 5. Maintain a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing of Personal Data, regularly testing such measures to validate their appropriateness and effectiveness, and implementing corrective action where deficiencies are revealed by such testing;
    6. 6. Log all individuals’ access to and activities on systems and at facilities containing Personal Data;
    7. 7. For passwords applicable to Payouts’ access, adhere to password policies for standard and privileged accounts consistent with industry best practices; protect both Payouts’ and Customer’s user accounts with access to Personal Data using multi-factor authentication (e.g., using at least two different factors to authenticate such as a password and a security token or certificate);
    8. 8. Store and transmit Personal Data using strong cryptography, consistent with industry best practices, and pseudonymize Personal Data where appropriate;
    9. 9. Ensure that only those personnel who need to have access to Personal Data are granted access, such access is limited to the least amount required, and only granted for the purposes of performing obligations under this DPA. Payouts shall conduct access reviews upon each individual’s scope of responsibility change, Payouts staffing change or other change impacting Payouts’ personnel access to Personal Data;
    10. 10. Maintain a physical security program that is consistent with industry best practices;
    11. 11. Ensure that any storage media (whether magnetic, optical, non-volatile solid state, paper, or otherwise capable of retaining information) that captures Personal Data is securely erased or destroyed before repurposing or disposal;
  ANNEX III

  LIST OF SUB-PROCESSORS

  Table A

  | Name | Server location | Description of the processing | Transfer mechanism |
  | --- | --- | --- | --- |
  | Amazon Web Services (AWS) | Europe | Hosting | DPA + SCC, or if applicable Data Privacy Framework. |
  | Freshworks Inc. | US | Customer support | Data Privacy Framework |
  | Intercom Inc. | US | Customer support | Data Privacy Framework |
  | Atlassian Inc. (Jira) | US | Support ticketing | Data Privacy Framework |
  | Auth0, Inc. | Europe | User authentication | DPA + SCC, or if applicable Data Privacy Framework. |
  | WithAbound | Europe | W9 and W8BEN collection & validation for vendors | DPA |
  | Avalara | US | Tax compliance software | SCC |

  Table B – Financial Business Partners:

  | Name | Server location | Description of the processing | Transfer mechanism |
  | --- | --- | --- | --- |
  | Airwallex (UK) Limited | Singapore | KYC information & Onboarding information | SCC |
  | Runa.io | EU | Gift cards | SCC |
  | Bridge.xyz | US | Digital assets | SCC |

  ANNEX IV

  EU INTERNATIONAL TRANSFERS AND SCC
  1. 1. The Parties agree that the terms of the Standard Contractual Clauses are hereby incorporated by reference and shall apply to transfer of Personal Data from the EEA to other countries that are not deemed as Adequate Countries.
  2. 2. Module I of the Standard Contractual Clauses shall apply where the transfer is effectuated between the Customer and Payouts as independent Controllers of the Shared Data.
  3. 3. Module II of the Standard Contractual Clauses shall apply where the transfer is effectuated between the Customer as data Controller of the Customer Data and Payouts as the data Processor of the Customer Data.
  4. 4. The Parties agree that for the purpose of transfer of Personal Data between Customer (as Data Exporter) and Payouts (as Data Importer), the following shall apply:
    1. a) Clause 7 of the Standard Contractual Clauses shall not be applicable.
    2. b) In Clause 9 (applicable to Module II only), option 2 (general written authorization) shall apply and the method for appointing and time period for prior notice of Sub-Processor changes shall be as set forth in the Sub-Processing Section of the DPA.
    3. c) In Clause 11, the optional language will not apply, and data subjects shall not be able to lodge a complaint with an independent dispute resolution body.
    4. d) In Clause 13, the Supervisory Authority as indicated in Annex I. Section C., shall act as competent Supervisory Authority.
    5. e) In Clause 17, option 1 shall apply. The Parties agree that the EU Standard Contractual Clauses shall be governed by the laws of Ireland.
    6. f) In Clause 18(b) the Parties choose the courts of Ireland, as their choice of forum and jurisdiction.
  5. 5. Annex I of this DPA serves as Annex II of the EU Standard Contractual Clauses.
  6. 6. Annex II of this DPA (Technical and Organizational Measures) serves as Annex II of the EU Standard Contractual Clauses.
  7. 7. Annex I Section D. of this DPA (List of Sub-Processors) serves as Annex III of the EU Standard Contractual Clauses.

  ANNEX V

  US ADDENDUM
  This US Addendum (“US Addendum”) provides additional specification applicable to US Data Protection Laws. All terms used but not defined in this US Addendum shall have the meaning set forth in the DPA or the applicable US Data Protection Law.
  1. 1. Payouts shall not (i) sell or share the Personal Data; (ii) retain, use or disclose the Personal Data for any purpose other than for the limited purpose of providing the Services; or (iii) combine the Personal Data that it Processes on behalf of the Company with other Personal Data it receives or collects from, or on behalf of, another entity or customer, except as otherwise permitted by the applicable US Data Protection Law.
  2. 2. Payouts agrees to notify the Customer if it determines that it can no longer meet its obligations under this US Addendum or US Data Protection Law.
  3. 3. Payouts shall assist the Customer in respect of a Consumer request to limit the use of Sensitive Personal Information, and shall provide necessary assistance and procure that its subcontractors will provide assistance as Customer may reasonably request, where applicable, in connection with any obligation to respond to requests for exercising the rights of a Consumer under the applicable US Data Protection Law. The Service Provider shall (i) promptly notify the Company; (ii) only act upon the Company’s instructions; and (iii) make available to the Company all needed information which is necessary to demonstrate compliance.
  4. 4. Each Party shall, taking into account the context of Processing, implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. The Parties are hereby establishing a clear allocation of the responsibilities between them to implement these measures. Payouts’ technical measures are detailed under Annex II above.
  5. 5. In addition to the Audit rights provided in the DPA, under US Data Protection Laws and subject to Customer’s consent, Payouts may, alternately, in response to Customer’s on-premise audit request, initiate a third-party auditor to verify Payouts’ compliance with its obligations under US Data Protection Laws. During such audit, Payouts will make available to the third-party auditor all information necessary to demonstrate such compliance.
  6. 6. Each Party will comply with the requirements set forth under US Data Protection Laws with regards to processing of de-identified data, as such term is defined under the applicable US Data Protection Law.
  7. 7. Payouts acknowledges and confirms that it does not receive or Process any Personal Information as consideration for any Services it provides to the Customer.
  8. 8. Payouts certifies that it understands the rules, requirements and definitions of the applicable US Data Protection Law and agrees to refrain from Selling any Personal Data.