Data Protection Agreement

Transaction Network Services Inc. and Affiliates (collectively, “Ƶapp”) and Customer and Affiliates (if included under the Agreements) (collectively, “Customer”) agree to the terms of this Data Protection Agreement (“DPA”) which sets forth their obligations with respect to the processing and security of Personal Data subject to Data Protection Requirements in connection with the Services offered by Ƶapp to Customer under the Agreements (collectively, Ƶapp and Customer are the “Parties”). This DPA is deemed incorporated into Customer’s agreements executed with Ƶapp (collectively, the “Agreement(s)”). In the event of any conflict or inconsistency between the terms of this DPA and any other terms in the Agreements, this DPA shall prevail.

1. Definitions

Capitalized terms used but not defined in this DPA will have the meanings provided in the Agreements. The following defined terms are used in this DPA:

1.1 “Affiliate” means (i) in the case of Ƶapp, any entity controlled by Ƶapp, Inc. and (ii) in the case of Customer, any entity controlled by Customer. For purposes of the preceding sentence, “control” means the direct or indirect ownership of more than 50% of the voting interests of an entity.

1.2 “Cardholder” means a holder of a debit, credit or other payment card who is the relevant data subject in relation to Cardholder related Transactional Data.

1.3 “Data Protection Requirements” means, with respect to each Party, any applicable laws, regulations, and other legally binding requirements relating to the processing of Personal Data (as may be amended, supplemented or replaced from time to time) that apply to that Party in connection with the performance of its obligations or the conduct of its business under the relevant Agreement.

1.4 “EEA” means the European Economic Area.

1.5 “EU” means the European Union.

1.6 “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation), as amended, replaced, or superseded.

1.7 “Local EU/EEA/Switzerland Data Protection Laws” means any legislation or regulation implementing the GDPR.

1.8 “Personal Data” means personal information that identifies and/or can be used to identify an individual, or as further defined by applicable Data Protection Requirements. For the purposes of this DPA, it includes only Customer personal information which is supplied to or accessed by Ƶapp or its Subprocessors in order to provide the Services under the Agreements.

1.9 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

1.10 “Restricted Transfer” means any Transfer where applicable Data Protection Requirements require the Parties to demonstrate adequate protection using a contractual instrument or other means, including (for example) a cross-border Transfer to a recipient in a country that does not provide adequate protection for the data.

1.11 “Services” means all services that Customer requests Ƶapp to perform under the Agreements that involve Processing of Personal Data.

1.12 “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the Transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, and implemented by the European Commission decision 2021/914, dated 4 June 2021, including Module I (“Controller to Controller SCCs”), Module II (“Controller to Processor SCCs”), and Module III (“Processor to Processor SCCs”).

1.13 “Subprocessor” means (i) Ƶapp Affiliates, and (ii) third parties engaged by Ƶapp or Ƶapp Affiliates, that process Personal Data in connection with the Services in accordance with this DPA.

1.14 “Ƶapp Group Systems and Infrastructure” shall be as defined in the Agreement or where not defined means any systems, connections, equipment or other infrastructure which is owned or operated by Ƶapp and which are used by Ƶapp in connection with either (a) the provision of Services, (b) access to the Network and/or (c) the receipt, transmission, storage and/or any other processing of Transactional Data or other Customer data.

1.15 “Ƶapp Group Information Security Management System” or “Ƶapp Group ISMS” shall be as defined in the Agreement, or where not defined, means the Global Information Security Management System (ISMS) Charter which is adopted and maintained by Ƶapp and its relevant Affiliates (Ƶapp Group) in relation to the operation of Ƶapp Group businesses and the provision of the Services and Network (and associated Ƶapp Group Systems and Infrastructure).

1.16 “Ƶapp Group Security Measures” means the relevant detailed technical and organizational security controls, processes and procedures as documented in the individual Ƶapp Group ISMS and the associated programs and underlying security policies.

1.17 “Third Party Acquirers and Payment Card Processors” means relevant card schemes, banks, acquirers or other similar third party processors who are appointed by the Customer or relevant Third Party Service End User to authorise, settle or otherwise process the relevant Transactions and related Cardholder related Transactional Data.

1.18 “Third Party Service End User” means merchant, retailer or other third party customer of the Customer and/or its relevant Affiliate(s) who use the Services to process their respective Transactional Data.

1.19 “Third Party Telecom and IT Products and Services” means telecommunications networks and services, data centre or co-location services and other telecommunication and IT infrastructure, services and facilities which form part of the Services, the Dedicated Connections, the Network and/or any Ƶapp Group Systems and Infrastructure, including (a) the hosting of Ƶapp Group Systems and Infrastructure at third party data centre locations (and related services) and/or (b) Dedicated Connections or similar communication circuits which form part of the Services or the Network.

1.20 “Transaction” means a payment card, financial or other transaction-related data packet containing Transactional Data of the Customer or (where applicable) a Third Party Service End User which is transmitted or otherwise processed as part of the Services.

1.21 “Transactional Data” means any Cardholder, financial or other transaction-oriented data relating to a Transaction which is transmitted or otherwise processed by Ƶapp as part of the provision or use of the Services and which contains Personal Data relating to a Data Subject.

1.22 “Transfer” means to disclose or otherwise make Personal Data available to a third party (including to any Subprocessor), either by physical movement of the Personal Data, or by enabling access to the Personal Data by other means if such access is regulated under Data Protection Requirements.

1.23 “Valid Transfer Mechanism” means a data Transfer mechanism permitted by Data Protection Requirements as a lawful basis for performing a Restricted Transfer of Personal Data.

1.24 The terms “Payment Card Industry Data Security Standard” (or “PCI DSS”), “PCI DSS Attestation(s) of Compliance”, “PCI DSS Certification(s)”, “PCI Certification Date”, “PCI DSS QSA”, and “PCI SSC” shall be as defined in the Agreement.

1.25 Lower case terms used but not defined in this DPA, such as “processing”, “controller”, “processor”, “supervisory authority”, “third country” and “special categories of personal data” have the same meaning as set forth in the Data Protection Requirements.

2. Nature of Data Processing

2.1 Processing to Provide Customer the Services

This DPA applies to all Services agreed with the Customer in the relevant applicable Agreement.

For clarity, the DPA terms apply only to the processing of Personal Data in environments controlled by or accessed by Ƶapp and Ƶapp’s Subprocessors.

2.2 Nature and Details of Processing

The nature and details of processing are set forth in Attachment 1 to this DPA.

2.3 Respective Roles and Responsibilities

  1. Ƶapp as Processor
    1. Customer and Ƶapp agree that Customer is the controller of Personal Data and Ƶapp is the processor of such data.
    2. Ƶapp will use and otherwise process Personal Data only (i) to provide Customer the Services and in accordance with Customer’s documented instructions, (ii) in accordance with the terms and conditions in this DPA, and (iii) in compliance with Data Protection Requirements.
    3. Customer agrees that this DPA and the Agreements, along with the user notices and the product documentation related to the changes notified to the Customer as part of the provision of the Services and/or as materialised by Customer’s use of the Services, are Customer’s complete documented instructions to Ƶapp for the processing of Personal Data. Customer may provide further instructions during the performance of the Services, and Ƶapp will use reasonable efforts to follow any other Customer instructions, as long as they are (i) consistent with the terms and scope of the Agreements and this DPA, (ii) required by Data Protection Requirements, (iii) technically feasible, and (iv) do not require changes to the performance of the Services. Ƶapp will promptly notify Customer if, in Ƶapp’s opinion, the instructions given by Customer for processing violate any Data Protection Requirement or if Ƶapp is unable to follow Customer’s instructions for processing Personal Data.
    4. If Customer is a processor, Customer warrants that its processing instructions as set out in the Agreements and this DPA, including its authorizations to Ƶapp for the appointment of Subprocessors in accordance with this DPA, have been authorized by the relevant controller. Customer shall be solely responsible for forwarding any notifications received from Ƶapp to the relevant controller where appropriate.
  2. Ƶapp as Controller. Notwithstanding anything in the Agreement or this DPA to the contrary and as permitted by Data Protection Requirements, Customer authorizes Ƶapp to further process Personal Data for the following limited business purposes which are incidental to the provision of the Services:
    1. detecting security incidents, and protecting against malicious, deceptive, fraudulent, or illegal activity;
    2. internal operational activities such as responding to data subject requests, auditing Customer as authorized under the Agreements to confirm usage quantities, improving functionality, and processing required for legal or regulatory compliance; and
    3. contract management, payment processing, billing and account management, compensation (e.g., calculating Ƶapp employee commissions and partner incentives), internal reporting and business modeling (e.g., forecasting, revenue, capacity planning, product strategy), and business development purposes and such other purposes as set out in Ƶapp’s global data privacy policy.

Ƶapp will comply with its obligations, as an independent data controller, under the Data Protection Requirements for such uses. In addition, as with all processing under this DPA, processing for business operations remains subject to Ƶapp’s confidentiality obligations and security commitments under this DPA and the Agreements.

3. Subprocessors

3.1 Right to Use Subprocessors

Customer acknowledges and agrees that Ƶapp may use Subprocessors in connection with the provision of the Services, subject to the terms and conditions of this Section 3.

3.2 Subprocessor List

Ƶapp has identified a list of authorised Subprocessors in Attachment 3 and/or in the relevant Agreement. Upon Customer’s request, Ƶapp shall make available any updates.

3.3 Subprocessor Requirements

When engaging any Subprocessor, Ƶapp will:

  1. evaluate the security, privacy and confidentiality practices of a Subprocessor prior to selection to establish that it is capable of providing the level of protection of Personal Data required by this DPA;
  2. ensure via a written agreement that:
    1. the Subprocessor may access and use Personal Data only to deliver the services Ƶapp has retained them to provide and is prohibited from using Personal Data for any other purpose; and
    2. that Subprocessor provides for, in substance, the same data protection obligations as those binding Ƶapp under this DPA (including obligations for Restricted Transfers set out in Attachment 3); and
  3. oversee the Subprocessors to ensure that these contractual obligations are met. Where a Subprocessor fails to fulfill its data protection obligations, Ƶapp shall remain fully liable to the Customer for the performance of that Subprocessor’s obligations in accordance with the terms of this DPA.

3.4 Objection Right

From time to time, Ƶapp may engage new Subprocessors. Ƶapp will give Customer reasonable advance notice of any new Subprocessor to provide Customer with an opportunity to object to the use of such new Subprocessor. If Customer objects on reasonable grounds under Data Protection Requirements to a new Subprocessor in writing, and Ƶapp is unable to resolve that objection in a reasonable amount of time, then Customer may, as its sole and exclusive remedy, terminate those aspects of the Service which cannot be provided by Ƶapp without the use of the new Subprocessor, by providing written notice of termination. Customer must also include an explanation of the grounds for non-approval together with the termination notice, in order to permit Ƶapp to re-evaluate any such new Subprocessor based on those concerns. Any termination under this Section shall be deemed to be without fault by either Party and shall be subject to the terms of the Agreement. In the event of such termination, Ƶapp shall refund Customer any unused, prepaid Fees for the applicable Service.

3.5 Emergency Replacement

Ƶapp may replace a Subprocessor without advance notice where the reason for the change is outside of Ƶapp’s reasonable control and prompt replacement is required for security or other urgent reasons. In this case, Ƶapp will inform Customer of the replacement Subprocessor as soon as possible following its appointment. Customer’s objection and termination right in Section 3.4 applies accordingly.

3.6 Third Party Telecom and IT Suppliers

The Customer acknowledges that Ƶapp is an electronic communication service provider and as such is reliant on third party telecommunication or other IT suppliers (in particular electronic network providers operating telecommunication networks) for the provision of, or access to, Third Party Telecom and IT Products and Services which either (a) form part of the Services and/or Ƶapp Group Systems and Infrastructure and/or (b) are used by Ƶapp. The Customer agrees that Ƶapp shall be permitted to subcontract any of the relevant components of the Services, Network and/or Ƶapp Group Systems and Infrastructure (which incorporate Third Party Telecom and IT Products and Services) to relevant third party telecommunications providers PROVIDED THAT any associated Processing of relevant Personal Data within any associated Transactions is undertaken by Ƶapp or authorised Subprocessors.

4. Security

4.1 Data Security

  1. Ƶapp has implemented and will maintain appropriate technical and organizational security measures designed to protect Personal Data against any Personal Data Breach (e.g., encryption, access control, confidentiality obligations, etc.), as described in Attachment 2 to this DPA.
  2. Parties acknowledge and agree that (taking into account the state of the art, the costs of implementation, context of processing, and the risk of varying likelihood and severity for the rights and freedoms of natural persons) the technical and organizational measures implemented and maintained by Ƶapp provide a level of security appropriate to the risk and in compliance with applicable Data Protection Requirements.
  3. Customer has implemented and will maintain appropriate technical and organizational security measures designed to ensure the security of the Personal Data for components that Customer provides or controls. Customer must notify Ƶapp promptly about any possible misuse of its authentication credentials or any security incident related to the Services of which it becomes aware.
  4. Customer is responsible for independently reviewing and confirming whether the Services will meet Customer’s obligations under Data Protection Requirements.

4.2 Confidentiality

Ƶapp will ensure that those engaged by Ƶapp in the processing of Personal Data will (i) process such data only on instructions from Customer, and (ii) be obligated to maintain the confidentiality and security of such data even after their engagement ends. Ƶapp shall provide periodic and mandatory data privacy and security training and awareness to its employees with access to Personal Data in accordance with applicable Data Protection Requirements and industry standards.

4.3 Personal Data Breach Notification

If Ƶapp becomes aware of a Personal Data Breach affecting Customer’s Personal Data processed by Ƶapp, Ƶapp will, without undue delay:

  1. notify Customer of the Personal Data Breach;
  2. investigate the Personal Data Breach and provide Customer with detailed information about the Personal Data Breach as such information becomes known to Ƶapp; and
  3. take reasonable steps to mitigate the effects and to minimize any damage resulting from the Personal Data Breach.

Customer is responsible for complying with its obligations under Data Protection Requirements for fulfilling any third party notification obligations related to a Personal Data Breach. Ƶapp’s notification of, or response to, a Personal Data Breach under this Section is not an acknowledgement by Ƶapp of any fault or liability with respect to the Personal Data Breach.

5. Audit

5.1 Proactive Audit

Ƶapp will conduct audits of its security controls applied to processing Personal Data, as follows: each audit will be performed (i) according to the rules of the official accreditation body for each applicable control standard or framework and (ii) by qualified, independent, third party security auditors at Ƶapp’s selection and expense. Each audit will result in either (i) the generation of an audit report, or (ii) a resulting certificate which Ƶapp will make available to Customer upon reasonable request. Such reports are Ƶapp’s Confidential Information and subject to non-disclosure and distribution limitations of Ƶapp and the auditor.

5.2 Supplemental Audit

  1. Customer may audit Ƶapp’s compliance with Data Protection Requirements and this DPA, including auditing any of the IT security practices and applicable control environments as specified in the Ƶapp Group ISMS, in accordance with the process outlined in this Section 5.2, only if:
    1. Ƶapp has not provided sufficient evidence of its compliance with the technical and organizational measures described in Section 4.1 of this DPA through the report referenced in Section 5.1 above, or, if applicable, any other audit reports or other information Ƶapp makes generally available to its customers;
    2. a Personal Data Breach has occurred;
    3. Ƶapp has notified Customer that it is subject to a government access request as set forth in Section I.3. of Attachment 3 to this DPA;
    4. an audit is formally requested by Customer’s data protection authority; or
    5. a mandatory Data Protection Requirement confers on Customer a direct audit right (provided that Customer shall only audit once in any 12-month period unless mandatory Data Protection Requirements require more frequent audits).
  2. Before the commencement of an audit, Customer and Ƶapp will mutually agree upon the scope, timing, duration, fees, control and evidence requirements. Customer may use an independent accredited third party audit firm to perform the audit on its behalf, provided the third party auditor is mutually agreed to by Customer and Ƶapp (which shall not include any third party auditors who are either a competitor of Ƶapp or not suitably qualified or independent). Customer agrees that the audit will be conducted without unreasonably interfering with Ƶapp’s (or Ƶapp’s Subprocessor’s) business activities, during regular business hours with reasonable advance notice, and subject to Ƶapp’s (or the applicable Subprocessor’s) security policies and confidentiality procedures. Where on-site audits of physical data centers, systems, or facilities are not permitted, Ƶapp will work with Customer (and Subprocessor if applicable) to reach a mutually agreeable resolution sufficient to provide information necessary for Customer to comply with audit requirements under the applicable Data Protection Requirements. Neither Customer, nor the auditor, shall have access to any data from Ƶapp’s other customers or to Ƶapp systems or facilities not involved in the Services provided to Customer. Customer shall provide the results of any audit to Ƶapp.
  3. Customer is responsible for all costs and fees related to the audit, including all reasonable costs and fees Ƶapp expends for the audit and any costs and fees Ƶapp incurs from any Subprocessor where the audit involves a Subprocessor, unless such audit reveals a material breach by Ƶapp of this DPA, in which case Ƶapp shall bear its own expenses of that audit.

6. Data Subject Rights and Third Party Disclosure

6.1 Data Subject Rights

Taking into account the nature of the processing and the applicable Service, Ƶapp will make available to Customer, in a manner consistent with the functionality of the Services and Ƶapp’s role as a processor of Personal Data of data subjects, the ability to fulfill data subject requests to exercise their rights under the Data Protection Requirements. If Ƶapp receives a request from Customer’s data subject to exercise a right in connection with a Service for which Ƶapp is a data processor, Ƶapp will promptly notify Customer (where the data subject has provided information to identify the Customer) and shall not respond to such request itself but instead ask the data subject to redirect its request to Customer. Customer will be responsible for responding to any such request including by using the functionality of the Services. Ƶapp shall comply with reasonable requests by Customer to assist with Customer’s response to such a data subject request.

6.2 Disclosure of Personal Data

Ƶapp will not disclose or provide access to any Personal Data except: (i) as Customer directs; (ii) as described in this DPA; or (iii) as required by law, and in any event in accordance with the applicable Data Protection Requirements.

7. Data Retention and Deletion

7.1 Return or Deletion

At the choice of Customer, Ƶapp shall delete or return all Personal Data to the Customer after the termination or expiration of Customer’s Agreement in accordance with the Ƶapp Group ISMS and delete existing copies unless required by law to retain. Where Ƶapp is required to continue any processing of Personal Data following the expiration or termination of Customer’s Agreement, the terms and conditions of this DPA shall continue to apply to such Personal Data until deleted or returned as set out above. For the avoidance of doubt, Ƶapp’s obligations in this paragraph do not apply to Personal Data stored by the Customer on Customer systems / equipment.

8. Data Transfers

8.1 General Obligation

The Parties shall comply with any Transfer obligations required by the Data Protection Requirements, including but not limited to executing any additional contractual language for Restricted Data Transfers and/or implementing a Valid Transfer Mechanism.

8.2 Customer Responsibility

Customer is responsible for ensuring that Transfers of Personal Data under this DPA are permissible under Data Protection Requirements, and that any necessary contractual measures and security assessments or registrations/permits, if any are required under Data Protection Requirements, have been completed before Customer provides such Personal Data to Ƶapp for Transfer. In addition, Customer is solely responsible for (i) determining whether the Service is appropriate under Data Protection Requirements for Customer’s needs, (ii) ensuring that all Personal Data which it supplies or discloses to Ƶapp has been obtained and Transferred lawfully (if any authorizations or consents of data subjects are required for such processing of Personal Data by Ƶapp, Customer is responsible for obtaining any such consents directly from the data subjects), and (iii) completing any assessments, obtaining approvals, and registering databases with authorities that are necessary under applicable Data Protection Requirements.

8.3 Cross-Border Transfers

Customer authorizes cross-border Transfers of Personal Data to countries in which Ƶapp or its Subprocessors operate to provide the Services. Additional terms including applicable Valid Transfer Mechanisms for Restricted Transfers are set forth in Attachment 3. If a supervisory authority or court determines that any Valid Transfer Mechanism is no longer an appropriate basis for Restricted Transfers, Ƶapp and Customer shall promptly use reasonable efforts to take all steps necessary to demonstrate adequate protection for the impacted Personal Data using another approved mechanism or instrument.

8.4 Notwithstanding Clause 8.3, the Customer acknowledges and agrees that as part of the use of the Payment Market Services, the Customer or any Third Party Service End User may require the transmission or other Processing of Cardholder related Transactional Data or other Customer data to either (i) a relevant host or other system of Third Party Acquirers and Payment Card Processors or (ii) a relevant host or other system of the Customer, Customer Affiliate or Third Party Service End User located in a third country. The Customer and (where applicable) Third Party Service End User consent to such Processing, and the Customer agrees that the Customer and (where applicable) Third Party Service End User are responsible for compliance with the Data Protection Laws in relation to the associated international transfer.

9. Limitation of Liability

The Parties agree that the total liability of each Party and its Affiliates arising out of or in connection with this DPA, whether based on breach of contract, tort or otherwise, is, as between the Parties (including Affiliates), subject to the applicable provisions on limitation of liability in the master agreement referenced by the applicable order form. For the avoidance of doubt, the limitation of liability in this Section does not apply to or limit in any way the rights or remedies of a data subject provided by the Data Protection Requirements.

10. General

10.1 Governing Law

This DPA is governed by and enforced in accordance with the choice of law set forth in the master agreement referenced by the applicable order form, unless a separate choice of law is identified in Attachment 3 which shall control over the choice of law in such master agreement for this DPA. If translations are available, the English language version of this DPA and its Attachments shall control.

10.2 Amendments

  1. Ƶapp may update or amend this DPA from time to time to reflect changes in Data Protection Requirements or Ƶapp’s data processing practices, provided that any such update or amendment does not materially reduce the overall level of data protection afforded to Personal Data under this DPA. Updated versions of this DPA shall be published at the URL designated by Ƶapp (or such successor URL as Ƶapp may notify to Customer from time to time) and shall apply to all Agreements entered into or renewed on or after the date of publication.
  2. Ƶapp shall use reasonable efforts to notify Customer of material updates to this DPA. Customer’s continued use of the Services following such notification shall constitute acceptance of the updated DPA.
  3. If an amendment to this DPA is required by a specific Customer requirement or a regulatory direction applicable to Customer, both Parties will work together in good faith to promptly agree mutually acceptable revisions.

10.3 Assistance

Ƶapp shall provide reasonable assistance to Customer at Customer’s request by providing generally available information relating to the Services to the extent such information is needed by Customer in connection with Customer’s conducting and documenting data protection impact assessments, prior consultation with a regulator, and/or complying with Customer’s obligations under applicable Data Protection Requirements.

10.4 Compliance with Laws; Regulatory Changes

  1. Each Party shall comply with its obligations under applicable Data Protection Requirements. Each Party must use reasonable efforts to stay informed of the legal and regulatory requirements for its applicable responsibilities under this DPA.
  2. To the extent there is a material change in Data Protection Requirements or a future government requirement or obligation that prohibits Ƶapp from providing its Services in any country or jurisdiction without material modification, Ƶapp will provide advance notice to Customer and use commercially reasonable efforts to modify its Service to comply with the change in Data Protection Requirements or future government requirement or obligation. Ƶapp shall notify Customer if Ƶapp can no longer meet its obligations under applicable Data Protection Requirements.

10.5 Records of Processing

Each Party is responsible for its compliance with its documentation requirements under Data Protection Requirements, in particular maintaining records of processing where required under Data Protection Requirements. Each Party shall reasonably assist the other Party in such documentation requirements, to the extent such Party does not otherwise have access to the relevant information and to the extent such information is available to the other Party.

10.6 How to Contact Ƶapp

Ƶapp Global Data Privacy Officer
Transaction Network Services (UK) Limited
80 Clerkenwell Road
London EC1M 5RJ
England
Privacy@Ƶapp.com

10.7 Ƶapp entity

Please note that the contracting Ƶapp entity under the Agreements may be a different entity to Transaction Network Services Inc, in which case the Ƶapp Affiliate that is party to the Agreement is also a party to this DPA.

ATTACHMENT 1 – Nature and Details of Processing

PAYMENT MARKET SERVICES FINANCIAL MARKET SERVICES
Categories of data subjects whose Personal Data is Transferred: (a) Cardholders – the Data Subjects who are named on the relevant payment card which is associated to each Transaction

(b) Third Party Service End Users including without limitation individual merchants or retailers who are Data Subjects under the Data Protection Laws

(c) Other Data Subjects who are employees, agents, contractors, clients, business contacts and suppliers of the Customer, Customer Affiliate and/or any Third Party Service End Users – these third parties manage and/or have specified responsibilities in relation to the provision or use of the Services

(a) Transactional Data – Data Subjects who are employees of Client and the relevant Third Party Client (including without limitation any trading counterparty of the Client or relevant Client Affiliate) who are the corresponding parties in respect of each transaction to which the corresponding Transactional Data relates.

(b) Client Employees who manage the Services – Data Subjects who are employees of Client or the relevant Client Affiliate who manage and/or have specified responsibilities in relation to the use of the Services

Categories of Personal Data Processed:

Payment Market Services:

(a) Cardholder related Transactional Data – data or information in whatever form, whether in oral, tangible or documented form, relating to Transactions and related payment cards and which is processed as part of the Services, including but not limited to card number, Cardholder name, service code, expiration date and sensitive authentication data (comprising full magnetic stripe data, CAV2/CVC2/CVV2/CID and PIN/PIN block).

(b) Additional Transactional Data relating to customers of the Third Party Service End Users of the Service concerning payments by cheque: the barcode number of the cheque.

(c) Additional Cardholder Transactional Data relating to payment by instalments (PTT) transactions – in addition to (a): the telephone number.

(d) Additional Cardholder related Transactional Data relating to ATM Transactions – in addition to the above, a Transaction in relation to an ATM shall include without limitation: (i) a successful or rejected withdrawal of cash by the payment Cardholder at the ATM; (ii) any other cash type Transaction by a relevant payment Cardholder at an ATM; and (iii) other payment card type initiated Transactions made from an ATM, including successful or rejected PIN changes, mobile phone top-ups, mini-statement requests, deposits and balance enquiries;

(e) Third Party Service End Users who are Merchants – Merchant name, Merchant ID and other information relating to that Merchant which forms part of the Transactional Data Processed as part of the Services;

(f) Employees of the Customer, Customer Affiliate and/or any Third Party Service End Users – name and other contact information (including phone number and email addresses) relating to such Data Subjects

Financial Market Services:

(a) Transactional Data – the relevant data packet may contain Personal Data which is transmitted as part of the provision and use of the Services. The content of the relevant data packets of Transactional Data is determined by the Client and/or the relevant Third Party Client but will include the following relevant Personal Data (as defined below).

“Personal Data” (Transactional Data): name of the relevant trader or other employee of the Client and the relevant Third Party Client (including without limitation any trading counterparty of the Client or relevant Client Affiliate) to which the corresponding Transactional Data relates (including any relevant contact details and details of the corresponding transaction between Client and the relevant Third Party Client).

(b) Personal Data relating to employees of Client who manage and/or have specified responsibilities in relation to the use of the Services – name and other contact information (including phone number and email addresses) relating to Data Subjects who are employees of Client and/or the relevant Third Party Client (or their respective Affiliates).

Special Category Personal Data Processed (if applicable) and applied restrictions or safeguards: None as part of the Services. Customer shall not disclose (nor permit any Third Party Service End User or any Data Subject to disclose) any Special Categories of Personal Data to Ƶapp for Processing.

The technical and organizational security measures set forth in Attachment 2 to this DPA are applied to all Personal Data regardless of sensitivity.

The frequency of the Processing (e.g. whether the data is Processed on a one-off or continuous basis): The frequency of the Processing is continuous. The duration of data processing shall be for so long as Ƶapp processes Personal Data during the term designated under the applicable Agreement. The objective of the data processing is the performance of the Services.

The purpose, nature and subject matter of the Processing: where Ƶapp acts as processor, it will only act upon Customer’s instructions as set forth in Section 2.3 of this DPA and below.

The nature of processing in order to provide the Services may include, as applicable and as instructed by Customer, the following operations performed on or with Personal Data: collection, recording, accessing, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, and/or erasure or destruction.

The purpose of processing Personal Data is described in Section 2.1 of this DPA.

Payment Market Services:

(a) General – The purpose, nature and subject matter of the Processing of Personal Data by Ƶapp under the Service Agreement are those Processing operations which are necessary to provide the Services referred to in the Service Agreement.

(b) Cardholder Data – the relevant Processing activities include:

  • Receipt and Transmission of Transactions and related Cardholder Data of the Customer, Customer Affiliate or their associated Third Party Service End User. These activities may include without limitation international data transfers to processing host systems of either (i) Third Party Acquirers and Payment Card Processors and/or (ii) the Customer, Customer Affiliate or Third Party Service End User in connection with the authorisation, settlement or other Processing of the Cardholder Data related Transactions and/or general service provision to the Cardholder.
  • Storage of Cardholder Data – (where applicable to the associated Services) storage of Cardholder Data on related processing systems/environments which form part of the Ƶapp Group Systems and Infrastructure and which are operated or hosted by Ƶapp in connection with the provision of Services and associated Processing of the Cardholder Data.
  • Analysis and reporting, including financial reconciliations in relation to Cardholder Data (which incorporates personal data), as part of the provision of such Services to the relevant Ƶapp Group Customer(s).
  • Encryption of data required for the provision of advanced features of the Ƶapp Regard Services («Reprint Merchant Receipt») only.

(c) Data Subjects who are employees of the Customer or the relevant Customer Affiliate – the relevant Processing activities include use of the data in relation to the management and/or undertaking of obligations under the Service Agreement and the use of the Services.

Financial Market Services:

Transactional Data – the following Processing may be undertaken as part of the provision of the Services:

  • Receipt and Transmission of Transactional Data – this activity will include the receipt and transmission of Transactional Data which relates to transactions between Client and the relevant Third Party Client (including without limitation any trading counterparty of the Client or relevant Client Affiliate). The Services enable Client and the relevant Third Party Client to connect with each other.
  • Storage of Transactional Data – unless otherwise expressly stated in the relevant Order Confirmation Letter relating to the associated Services, no Transactional Data is stored on any Ƶapp Group Systems and Infrastructure, as the Services and related processing activities are limited to transmission of the associated Transactional Data.

Data Subjects who are employees of Client or the relevant Client Affiliate – use of the data in relation to the management and/or undertaking of obligations under the Agreement and the use of the Services.

Authorised Subprocessors and International Transfers: Customer acknowledges that the Ƶapp NOC is a global network operations centre (NOC) which operates on a 24-hour x 7-day basis from Network Operations Centres located in Sheffield, UK and Reston, USA, with additional resources located in Kuala Lumpur, Malaysia and Sydney, Australia (who provide localized coverage during core business hours in the relevant countries). The Ƶapp NOC is staffed by specialist technical/operational personnel who (a) proactively monitor and manage the Network and the Ƶapp Group Systems and Infrastructure and (b) provide operational maintenance and support in relation to the Services (“Monitoring and Operational Support”). As part of Monitoring and Operational Support, the NOC provides a first point of contact for technical assistance and problem determination and resolution, and is supported by other specialist technical teams as situations dictate.

As part of the provision of Monitoring and Operational Support, Ƶapp may utilise NOC personnel located outside the UK or EU and, as such, appoint relevant Authorised Subprocessors and/or engage in the following Authorised International Transfers of relevant Personal Data.

Under normal operation of the Services, Ƶapp shall not access any Transactional Data within the Transaction session except (i) where the Services include storage of Transactional Data on related processing systems/environments which form part of the Ƶapp Group Systems and Infrastructure and which are operated or hosted by Ƶapp in connection with the provision of Services, or (ii) for troubleshooting purposes in relation to fault finding on a Service related incident following an incident ticket issued by the Customer.

Transactional Data accessed via debugging mode is stored on encrypted debug servers. Ƶapp maintains security controls under the associated Ƶapp Information Security Policy governing the enabling of debugging and the subsequent management of the captured Transactional Data, including a cleaning utility that runs on all devices and removes any debug files older than fourteen (14) days, and strict limitations on who may enable debug on any relevant Ƶapp Group Systems and Infrastructure network device within the Ƶapp Network.

Provision of relevant Services and operation of the Ƶapp NOCs may be undertaken by the following Affiliates of the Ƶapp Group:

• Transaction Network Services (UK) Limited
• Transaction Network Services Inc – US
• Transaction Network Services Australia P/L
• Transaction Network Services (Malaysia) Sdn Bhd
• any other relevant Ƶapp Group Affiliate (where applicable)

Obligations and rights of the Controller: The Processing of the Personal Data relating to the Services shall occur throughout the term of the Service Agreement.

Retention period: Upon expiration or termination of Customer’s use of the Services, Customer may extract Personal Data and Ƶapp will delete Personal Data, each in accordance with the Ƶapp Group ISMS.

ATTACHMENT 2 – Technical and Organizational Security Measures (Ƶapp Group Security Measures)

1. Ƶapp Group Security Measures

Ƶapp has implemented and maintains the Ƶapp Group Security Measures in connection with (a) the provision of the Services under the Agreement and/or (b) any access to or associated use of any Network or other Ƶapp Group Systems and Infrastructure, as outlined in this Attachment, which the Parties agree are the appropriate technical and organisational measures to ensure a level of security appropriate to the risks presented by the Processing by Ƶapp as part of the provision of the Services, including in particular the risks associated with any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Personal Data. Ƶapp regularly monitors compliance with these measures.

2. Updates to the Ƶapp Group Security Measures

Ƶapp applies the technical and organizational security measures described in the Ƶapp Group Security Measures to Ƶapp’s entire customer base receiving the same Service. Customer acknowledges that the technical and organizational security measures described in the Ƶapp Group Security Measures are subject to technical progress and development, and that Ƶapp may update or modify the measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services provided to Customer.

3. Customer Premises

The Ƶapp Group Security Measures apply only to the extent that the Services are performed on or from Ƶapp premises. Where Ƶapp is performing Services on the Customer’s premises and Ƶapp is given access to Customer’s systems and data, Ƶapp shall comply with Customer’s reasonable administrative, technical, and physical conditions to protect such data and guard against unauthorized access. In connection with any access to Customer’s systems and data, Customer shall be responsible for providing Ƶapp personnel with user authorizations and passwords to access its systems and for revoking such authorizations and terminating such access, as Customer deems appropriate. Customer shall not grant Ƶapp access to Customer systems or personal information (of Customer or any third party) unless such access is essential for the performance of the Services.

4. Ƶapp Group ISMS Charter and underlying Ƶapp ISMS Security Policies

4.1 Ƶapp has established and shall maintain the Ƶapp Group ISMS, which utilizes the control objectives of the international standards ISO/IEC 27001 and ISO/IEC 27002. Each control is supported with policy, standards, technology and control activities, as documented in the Ƶapp ISMS and the Ƶapp Information Security Policies that form part of the Ƶapp ISMS Charter, and by the relevant guard-at-the-gate enforcement of control points, which together support the requirements for establishing, implementing, deploying, monitoring, reviewing, maintaining, updating and improving the Ƶapp Group ISMS.

4.2 The following is the list of the Ƶapp ISMS Policies as at the date of this Agreement:

ISMS Doc. No. Ƶapp Information Security Policies
C.36.01 PGP Secure Key Management Policy
C.50.01 Ƶapp Firewall Security Policy
C.50.02 Ƶapp Data Management Policy
C.50.03 Ƶapp Vulnerability Management Policy
C.50.07 Ƶapp Endpoint Security Policy
C.50.09 Ƶapp Log Data Policy
C.50.10 Ƶapp Security Incident Response Policy
C.50.11 Ƶapp Physical Security Policy
C.50.12 Ƶapp Acceptable Use and Security Policy
C.50.13 Ƶapp Global Modem Usage Policy
C.50.15 Ƶapp Identity and Access Management Policy
C.50.16 Ƶapp Router Security Standards
C.50.18 Router Security Policy
C.50.19 Ƶapp Application Security Policy
C.50.20 Ƶapp Employee Security Training Policy
C.50.21 Ƶapp Firewall Security Standards
C.50.24 Ƶapp Corporate Wireless Security Policy
C.50.25 Ƶapp UK Key Generation Facility (Secure Room) Airport Sheffield
C.50.26 Ƶapp Outsourcing Security Policy
C.50.27 Ƶapp Information Security Management System (ISMS) Charter
C.50.29 Ƶapp Certificate Policy and Certification Practices Framework
C.50.30 Ƶapp UK Key Generation Facility (Secure Room) Logging Overview
C.50.31 Ƶapp Cryptographic Policy
C.50.34 Ƶapp P2PE Data Centre Access Policies and Procedures
C.50.35 Ƶapp Third Party Acceptable Use Policy
C.50.39 Ƶapp Threat Detection
C.50.40 Ƶapp Cloud Security Policy
C.50.42 Ƶapp Security Risk Management Framework Policy
C.50.44 Vulnerability Whitelist Standards

4.3 The above List of the Ƶapp ISMS Policies may change from time to time and an up-to-date List shall be provided upon written request.

4.4 Ƶapp shall comply with the Ƶapp Group ISMS at all times when (a) providing the Services and Ƶapp Group Systems and Infrastructure and (b) performing its other obligations under the Service Agreement.

4.5 The parties acknowledge and agree that the Ƶapp ISMS Charter and the underlying Ƶapp ISMS and Ƶapp Information Security Policies are subject to review and change. Where Ƶapp updates and publishes a revised version of the Ƶapp ISMS Charter and/or any of the underlying Ƶapp ISMS and Ƶapp Information Security Policies, the Customer shall comply with the relevant revised versions of the corresponding document(s) which form part of the Ƶapp ISMS Charter.

4.6 Upon written request, a copy of the Ƶapp ISMS Charter will be made available for inspection at the relevant Ƶapp Site PROVIDED THAT the Customer acknowledges the contents of the Ƶapp ISMS Charter are Confidential Information and subject to the confidentiality undertakings in the Agreement.

5. Additional technical and organisational security measures relating to PAYMENT Markets Cardholder Data

5.1 Where the relevant Personal Data is payment cardholder related Transactional Data, Ƶapp agrees to comply with PCI DSS in relation to (a) the Services, (b) the relevant environment(s) (including without limitation any Equipment and relevant Ƶapp Group Systems and Infrastructure) in which the relevant Services operate and/or (c) the security of payment cardholder related Transactional Data that is processed as part of the provision of the Services to the Customer.

5.2 Ƶapp shall procure that the Ƶapp Group maintains corresponding PCI DSS Certification(s) in relation to the relevant environments in which the relevant Services operate during the term of the Service Agreement (including without limitation the appointment of a PCI QSA to undertake the relevant PCI assessment of each environment annually) and otherwise maintains compliance with PCI DSS during the term of the Service Agreement.

5.3 Where any changes to the criteria of PCI DSS are introduced by the PCI SSC during any twelve (12) month period from the relevant date of the corresponding PCI DSS Certification(s), the Customer agrees that, for the remainder of that twelve (12) month compliance period, Ƶapp shall only be obligated to comply with the version of PCI DSS that applied to the corresponding environment(s) in which the Services operate as of the relevant PCI Certification Date of such environments.

5.4 The relevant changes to the PCI DSS or (where applicable) any other PCI Security Standards (as outlined in paragraph 5.3 of this Attachment 2) shall only apply to subsequent PCI DSS Certification(s) of the corresponding environment in which the Services operate and the corresponding PCI DSS Attestation(s) of Compliance relating thereto.

5.5 Any changes to the criteria of PCI DSS that are introduced by the PCI SSC during the term of the Service Agreement and which affect either (a) the Services and/or (b) the environment(s) in which the Services operate shall be implemented in accordance with the relevant Ƶapp Group change control procedure.

5.6 As part of its obligations under this paragraph, Ƶapp will ensure that the Ƶapp Group ISMS Charter and underlying Ƶapp ISMS and Ƶapp Information Security Policies meet the requirements of PCI DSS.

6. Upon written request, Ƶapp and (where applicable) Ƶapp Affiliate shall provide the contact details for the person(s) responsible for (a) Ƶapp ISMS Charter and information security in the Ƶapp Group and/or (b) compliance with PCI DSS.

ATTACHMENT 3 – Additional Jurisdictional Terms and Restricted Transfers

This Attachment 3 sets forth additional jurisdiction-specific terms and conditions applicable to the processing of Personal Data, including obligations for Restricted Transfers, in connection with Ƶapp’s provision of Services to Customer under the Agreements.

I. Europe

1. Applicable Laws

For Restricted Transfers of Personal Data out of the EU/EEA, GDPR and Local EU/EEA/Switzerland Data Protection Laws are expressly included in the definition of Data Protection Requirements.

2. Valid Transfer Mechanism

  a. SCCs. For this DPA, in connection with Ƶapp’s provision of the Services, the Parties agree to enter into, as applicable: (i) the Controller to Controller SCCs for Restricted Transfers of Personal Data from a Customer established in the EU/EEA, as a data controller, to an Ƶapp entity established in a country outside the EU/EEA, as a data controller; (ii) the Controller to Processor SCCs for Restricted Transfers of Personal Data from a Customer established in the EU/EEA, as a data controller, to an Ƶapp entity established in a country outside the EU/EEA, as a data processor; and/or (iii) the Processor to Processor SCCs for Restricted Transfers of Personal Data from a Customer established in the EU/EEA, as a data processor, to an Ƶapp entity established in a country outside the EU/EEA, as a data processor; with the selections identified in Section I.2.b. below (as applicable). If Data Protection Laws require the Parties to execute the SCCs as a separate agreement, the Parties shall promptly execute such SCCs.
  b. SCCs Selections. The following selections, clarifications, and additions are made to the SCCs:
Module(s) – Clause: Selection / Clarification / Completed Information

  • Modules I, II & III – Clause 7: the optional docking clause will apply.
  • Modules I, II & III – Clause 8.7 (Module I); Clause 8.8 (Modules II and III): Personal Data that Ƶapp processes on Customer’s behalf may only be disclosed to a third party located outside the EU/EEA in accordance with clause 8.7 of the Controller to Controller SCCs, clause 8.8 of the Controller to Processor SCCs, and clause 8.8 of the Processor to Processor SCCs.
  • Modules II & III – Clause 9(a): Option 2 (general written authorisation) is selected, and the applicable time period is at least 14 days in advance, or another reasonable time period based on the Service.
  • Modules I, II & III – Clause 11: the optional redress language will not apply.
  • Modules I, II & III – Clause 12: Section 9 of the DPA.
  • Modules I, II & III – Clause 14(f): prior to any suspension of the Transfer of Personal Data decided by Customer, Customer will provide specific details to Ƶapp (i) supporting its belief that Ƶapp can no longer fulfil its obligations under the SCCs and (ii) identifying the appropriate measures (e.g. technical or organizational measures to ensure security and confidentiality) it believes are needed for Ƶapp to fulfil its obligations under the SCCs, in order to allow Ƶapp a reasonable opportunity to remedy Customer’s objection.
  • Modules I, II & III – Clause 17: Option 1 will apply, and the SCCs will be governed by the law specified in the Agreement, provided that law is an EU/EEA Member State law recognizing third party beneficiary rights; otherwise, the laws of Ireland will apply.
  • Modules I, II & III – Clause 18(b): disputes shall be resolved before the courts specified in the Agreement, provided these courts are located in an EU Member State; otherwise those courts shall be the courts of Dublin.
  • Modules I, II & III – Annex I.A:
    1. Data exporter(s):
       a. Customer is the data exporter/controller (or processor, as applicable) and user of the Services as defined in the DPA and Agreement.
       b. Name of DPO and/or Representative in the EU: as defined in the Agreement or upon request.
    2. Data importer(s)/Processor:
       a. Transaction Network Services Inc, a global Infrastructure-as-a-Service (“IaaS”) provider, is the data importer/processor and provider of the Services as defined in the DPA and Agreement.
       b.
  • Modules I, II & III – Annex I.B: Attachment 1 to the DPA.
  • Modules I, II & III – Annex I.C: Clause 13 of the SCCs.
  • Modules I, II & III – Annex II: Attachment 2 to the DPA.
  • Modules I, II & III – Annex III: Section 3 of the DPA.

c. EU-US Data Privacy Framework. Ƶapp is certified to the EU-US Data Privacy Framework, including UK and Swiss extensions. The EU-US Data Privacy Framework will supplement and not replace Ƶapp’s use of the SCCs as the Valid Transfer Mechanism for Restricted Transfers of Personal Data outside of the EU/EEA.

3. Government Access Requests

In the event that Ƶapp receives any legally binding requests for the disclosure of Personal Data issued by a public authority, or any direct access requests to Personal Data by a public authority, Ƶapp will, as permitted by law, attempt to redirect such request to Customer. If Ƶapp cannot redirect to Customer, then Ƶapp will (i) reject the request unless required by law to comply, (ii) challenge such requests where the request conflicts with applicable law, is overbroad, or other appropriate objection applies, (iii) promptly notify Customer and provide a copy of the demand unless legally prohibited from doing so, (iv) if compelled to do so, disclose only the minimum amount of Personal Data necessary to satisfy the request, and (v) if permitted by the laws of the country of destination, at Customer’s written request (not more than once annually for the duration of the Agreements), provide Customer with as much relevant information as possible on the requests for disclosure received.

4. Supplementary Measures

To further mitigate the risk that Restricted Transfers of Personal Data out of the EU/EEA are not provided an adequate level of protection, Ƶapp implements (and requires its Subprocessors to implement) supplementary measures to the SCCs to help ensure an adequate level of protection is provided to Personal Data in all applicable jurisdictions. These supplementary measures provide additional safeguards in consideration of the Court of Justice of the European Union Schrems II ruling of 16 July 2020 (Case C-311/18) and applicable guidance on best practices relating to the Data Protection Requirements. Ƶapp considers these supplementary measures to be appropriate in the circumstances taking into account the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons to ensure an adequate level of protection for Restricted Transfers of Personal Data out of the EU/EEA. These supplementary measures include, as applicable, the following technical, contractual, and organizational measures:

  1. Technical Measures: Enhanced technical safeguards as described in the Ƶapp Group ISMS, including where applicable, but not limited to, encryption in transit and at rest, encryption key management, pseudonymization, access controls, intrusion detection and prevention, incident response, change management controls, retention, business continuity management, and third party risk management. Ƶapp conducts regular security assessments and audits of the technical security measures it has implemented and updates the Ƶapp Group ISMS accordingly.
  2. Contractual Measures: Specific contractual safeguards as described in the DPA, including but not limited to, Ƶapp’s commitments for responding to data subject rights requests and government access requests, flow down of data protection obligations to Subprocessors (including obligations with respect to handling government access requests), and enhanced audit rights granted to Customer.
  3. Organizational Measures: Additional organizational measures as described in Ƶapp’s internal policies, processes, and training materials, including but not limited to:
    1. Internal policies and practices in place designed to verify that the data Transferred is adequate, relevant and limited to what is necessary in relation to the purposes for which it is Transferred;
    2. Conducting data protection impact assessments and data mapping on a per-product basis;
    3. Regular review and assessment of legal requirements of recipient countries, including applicability of data access rights by public authorities;
    4. Training for relevant employees on data protection obligations and Ƶapp policies, periodically updated to reflect new legislative and jurisprudential developments in the third country and in the EU/EEA;
    5. Regular review of the validity and applicability of data Transfer mechanisms, and taking steps when needed to implement, update or improve the mechanism;
    6. Adoption of internal policies addressing, without limitation, allocation of responsibilities for Transfers, reporting channels and standard operating procedures for cases of formal or informal requests from public authorities to access Personal Data;
    7. Continued implementation of the accountability principle, including but not limited to, where applicable, the adoption of strict and granular data access and confidentiality policies and best practices, based on a strict need-to-know principle, monitored with regular audits and enforced through disciplinary measures; and
    8. Adoption of strict data security and data privacy policies, based on international standards and industry practices with due regard to the state of the art, in accordance with the risk of the categories of data processed.
  4. Regular review of Supplementary Measures: Each Party shall establish a process for ongoing monitoring and review of the implemented measures to ensure their effectiveness and compliance with applicable Data Protection Requirements. This process shall include periodic assessments, audits, and reviews of the Transfer operations and related safeguards.

II. Switzerland

1. Additional Terms for Processing of Swiss Personal Data

For Transfers that are exclusively subject to the Swiss Federal Act of 19 June 1992 on Data Protection, as amended, including the Ordinance thereto (“FADP”), the Parties wish to clarify that (i) references to EU member states in the SCCs shall not be interpreted in such a way that data subjects in Switzerland are excluded from exercising their rights at their habitual residence in Switzerland; (ii) the SCCs also apply to the Transfer of information relating to an identified or identifiable legal entity where such information is protected similarly to Personal Data under the FADP, until the FADP is amended to no longer apply to legal entities; (iii) the Swiss Federal Data Protection and Information Commissioner is the competent supervisory authority; and (iv) references to the GDPR in the SCCs shall also include references to the equivalent provisions of the FADP (as amended or replaced).

III. United Kingdom (“UK”)

1. Applicable Laws

For Restricted Transfers of Personal Data out of the UK, the General Data Protection Regulation as incorporated into UK law by the UK Data Protection Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, (each as amended, replaced, or superseded) is expressly included in the definition of Data Protection Requirements.

2. Restricted Transfers of Personal Data out of the UK

For this DPA, the Parties agree to enter into the UK Addendum, where applicable, for Restricted Transfers of Personal Data from a Customer established in the UK, as a data controller, to an Ƶapp entity established in a country outside the UK, as a data processor, in connection with Ƶapp’s provision of the Services. The “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, in force 21 March 2022, as well as any applicable variation thereof adopted by the Parties or any other data protection clauses later approved by the UK data protection authority for the Transfer of Personal Data to third countries.

3. UK Addendum and Selections

Tables 1 to 3 of the UK Addendum shall be deemed completed with relevant information from the EU SCCs, completed as set out in the table in Section I.2.b. of this Attachment 3 above, and the option “Importer” shall be deemed checked in Table 4 of the UK Addendum. The start date of the UK Addendum (as set out in Table 2) shall be the effective date of this DPA.

IV. United States (“US”)

1. Applicable Laws

Where applicable, the following laws, regulations, and other legal requirements relating to data protection and data security in the United States, including the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020) (“CCPA/CPRA”), Cal. Civ. Code §§ 1798.100, et seq., its implementing regulations, and similar laws passed in other states as they become effective, including but not limited to the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, and the Virginia Consumer Data Protection Act, as amended, replaced, or superseded (collectively, the “US Data Protection Requirements”), are expressly included in the definition of Data Protection Requirements. “Business Purpose,” “Commercial Purpose,” “Consumer,” “Deidentified,” “Process,” “Sell,” “Service Provider,” and “Share” have the meanings ascribed to them under applicable US Data Protection Requirements.

2. Additional Terms for Processing of US Personal Data

For any processing of Personal Data subject to US Data Protection Requirements, the following additional terms shall apply:

  1. Customer and Ƶapp agree that Customer is the business and Ƶapp is the Service Provider. As required by applicable US Data Protection Requirements, with respect to Personal Data received from Customer under the Agreements, Ƶapp agrees it will not, unless otherwise permitted by US Data Protection Requirements or the Agreements: (a) Sell or Share the Personal Data; or (b) retain, use, or disclose the Personal Data for any purpose other than for the Business Purpose(s) specified in the Agreements, including retaining, using, or disclosing the Personal Data for a Commercial Purpose other than providing the Services specified in the Agreements; or (c) retain, use, or disclose the Personal Data outside of the direct business relationship between Customer and Ƶapp; or (d) combine Personal Data received pursuant to the Agreement with Personal Data received from or on behalf of another person(s), or collected from Ƶapp’s own interactions with Consumers, provided that Ƶapp may combine Personal Data to perform any Business Purpose as defined in applicable US Data Protection Requirements.
  2. As authorized by applicable US Data Protection Requirements, upon written notice to Ƶapp, Customer may take reasonable and appropriate steps to stop and remediate the unauthorized use of Personal Data.
  3. Ƶapp certifies that it understands and will comply with the requirements and restrictions set forth in this DPA.

V. General

1. Order of Precedence

In the event of any conflict or inconsistency between the terms of this Attachment 3 and the DPA, the terms in this Attachment 3 shall prevail. Notwithstanding the foregoing, certain rights and obligations described in this Attachment 3 may be more fully explained in the DPA. For example, the SCCs described in Section I.2.a. of this Attachment 3 provide a Customer audit right, and Section 5 of the DPA describes the process by which Ƶapp implements the audit right for its Customers.

2. Alternative Transfer Mechanisms

Ƶapp reserves the right to modify the Valid Transfer Mechanism for Restricted Transfers of Personal Data to the extent such modification is (i) compliant with Data Protection Requirements, (ii) commercially reasonable, and (iii) provides a substantially similar level of data protection. If Ƶapp implements a different valid legal mechanism for Restricted Transfers of Personal Data, Ƶapp shall provide notice to Customer and will make any necessary modifications to the DPA available in advance through Customer’s account in Ƶapp Support portal or alternative equivalent methods.

Updated: April 2026