Data Processing Agreement
This Data Processing Agreement (the “DPA”) is entered into between Actisas OÜ, a private limited company incorporated under the laws of the Republic of Estonia, with registered address at Harju County, Tallinn, Kesklinna District, Ravi Street 2, 10134, Estonia, registration code 16787203 (the “Processor”), and the legal entity that has entered into a White Label Solution Agreement with the Processor (the “Controller”).
This DPA is incorporated into, and forms an integral part of, the White Label Solution Agreement between the Parties (the “Principal Agreement”). In the event of any conflict between this DPA and the Principal Agreement in respect of the processing of personal data, this DPA prevails. In the event of any conflict between this DPA and the Standard Contractual Clauses referenced in clause 9, the Standard Contractual Clauses prevail.
1. Definitions
“Applicable Data Protection Law” — Regulation (EU) 2016/679 (the “GDPR”), Regulation 2018/1725 (where applicable), national laws implementing or supplementing the GDPR (including the Estonian Personal Data Protection Act), the UK General Data Protection Regulation and the UK Data Protection Act 2018 (where the Controller is established in the United Kingdom), and any successor, supplementing or replacement legislation, in each case as amended from time to time.
“User Personal Data” — the personal data processed by the Processor on behalf of the Controller in connection with the Principal Agreement, as further described in Annex 1.
“Standard Contractual Clauses” or “SCCs” — the standard contractual clauses adopted by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021.
“UK Addendum” — the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK Information Commissioner and laid before Parliament on 2 February 2022.
“Sub-processor” — any third party engaged by the Processor to process User Personal Data on behalf of the Controller.
2. Roles of the Parties
2.1. As between the Parties, the Controller is the controller and the Processor is the processor in respect of User Personal Data processed in connection with the Principal Agreement.
2.2. In respect of certain processing activities relating to the BIN Sponsorship Chain - including regulatory reporting, fraud monitoring, sanctions screening, scheme compliance, AML compliance and dispute handling - the Processor and/or entities forming part of the BIN Sponsorship Chain may act as controllers in their own right.
2.3. Each Party is responsible for its own compliance with Applicable Data Protection Law.
3. Subject Matter and Details of Processing
3.1. The subject matter, nature, purpose, duration of processing, types of personal data and categories of data subjects are set out in Annex 1.
3.2. The Processor shall process User Personal Data only on documented instructions from the Controller, as set out in the Principal Agreement, in this DPA, or as otherwise agreed in writing, save where required to do so by Union or Member State law.
3.3. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes Applicable Data Protection Law.
4. Controller Obligations
4.1. The Controller warrants that it has all necessary rights, lawful bases and notices in place; has provided all transparency information required under Articles 13 and 14 GDPR; has performed any required data protection impact assessments; and shall not instruct the Processor to process Personal Data in breach of Applicable Data Protection Law.
5. Processor Obligations
5.1. The Processor shall: process User Personal Data only on documented instructions; ensure persons authorised to process are bound by confidentiality obligations; implement appropriate technical and organisational measures (Annex 2); assist the Controller in fulfilling obligations under Articles 32-36 GDPR; and at the choice of the Controller, delete or return all User Personal Data upon termination.
5.2. The Processor shall not engage in marketing or secondary use of User Personal Data save as required to perform its obligations under the Principal Agreement or by applicable law.
6. Sub-processors
6.1. The Controller grants the Processor a general written authorisation to engage Sub-processors. Current Sub-processors are listed in Annex 3.
6.2. The Processor shall notify the Controller of any intended addition or replacement of Sub-processors no less than fifteen (15) calendar days before such change takes effect. The Controller may object within ten (10) calendar days on reasonable data protection grounds.
6.3. The Processor shall enter into a written agreement with each Sub-processor on terms providing protection no less than those set out in this DPA.
6.4. The Processor shall remain fully liable for the performance of each Sub-processor's obligations.
6.5. The Controller acknowledges that the identity of entities forming part of the BIN Sponsorship Chain is confidential. The Processor shall abstractly identify categories of such entities and describe the nature of their processing in Annex 1.
7. Data Subject Rights
7.1. The Processor shall assist the Controller in fulfilling its obligations to respond to data subject requests under Chapter III GDPR.
7.2. If the Processor receives a request directly from a data subject, it shall promptly forward the request to the Controller and shall not respond directly save to confirm receipt, unless authorised or required by law.
8. Personal Data Breach
8.1. The Processor shall notify the Controller without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a personal data breach affecting User Personal Data.
8.2. Such notification shall include the information described in Article 33(3) GDPR to the extent then known.
8.3. The Processor shall cooperate with the Controller in investigation, mitigation and remediation of the breach.
9. International Transfers
9.1. The Controller acknowledges that User Personal Data will be transferred to entities forming part of the BIN Sponsorship Chain, including entities located outside the EEA, UK and Switzerland.
9.2. Where the Processor transfers User Personal Data to a Sub-processor in a third country without an adequacy decision, the Processor shall ensure an appropriate transfer mechanism is in place, including SCCs or the UK Addendum as applicable.
9.3. Where required, the Parties enter into the Standard Contractual Clauses (Module Two: Controller to Processor) by reference, governed by the laws of Estonia with jurisdiction in the courts of Estonia.
10. Audit
10.1. The Processor shall make available information reasonably necessary to demonstrate compliance with Article 28 GDPR, on reasonable written request and not more than once per calendar year (save in case of a personal data breach).
10.2. Such information may take the form of certifications under recognised standards, summaries of third-party audit reports, or responses to a written questionnaire.
10.3. Where such information is insufficient, the Controller may conduct an audit on not less than thirty (30) days' written notice, at the Controller's expense, during normal business hours and in a manner not unreasonably interfering with the Processor's operations.
11. Deletion / Return of Personal Data
11.1. Upon termination of the Principal Agreement, the Processor shall, at the choice of the Controller (communicated within thirty (30) days of termination), delete or return all User Personal Data and delete existing copies, save where retention is required by applicable law or scheme rules.
11.2. Failing any choice within thirty (30) days, the Processor may delete the User Personal Data.
11.3. The Processor shall confirm deletion in writing upon request.
12. Liability
12.1. The liability of each Party under this DPA shall be subject to the limitations and exclusions set out in the Principal Agreement, save where prohibited by Applicable Data Protection Law.
13. Term and Termination
13.1. This DPA enters into force on the Effective Date and remains in force for so long as the Processor processes User Personal Data on behalf of the Controller.
13.2. Clauses 5(b), 8, 11 and 12 survive termination of this DPA.
14. Miscellaneous
14.1. Updates. The Processor may amend this DPA by publishing a new version at https://payca.vc/dpa, with not less than fifteen (15) calendar days' notice of material amendments.
14.2. Severability. If any provision is held invalid or unenforceable, the remaining provisions continue in full force.
14.3. Governing law. This DPA is governed by the laws of the Republic of Estonia. Disputes shall be submitted to the exclusive jurisdiction of the Harju County Court.
Annex 1 — Description of Processing
| Subject matter | Issuance and lifecycle management of virtual tokenised payment cards, including card issuance, top-ups, transaction authorisation, settlement, monitoring, fraud prevention, sanctions screening, AML compliance, dispute handling, and customer support. |
| Nature | Collection, recording, organisation, structuring, storage, retrieval, use, disclosure by transmission, restriction, erasure or destruction of User Personal Data. |
| Purpose | (i) Provision of White Label Solution services; (ii) card issuance and lifecycle management; (iii) compliance with Card Program Rules, Scheme Rules and applicable law; (iv) fraud prevention, sanctions screening and AML compliance; (v) regulatory and scheme reporting; (vi) dispute resolution. |
| Duration | Duration of the Principal Agreement plus retention periods required by applicable law (not less than five (5) years following closure of the User relationship for AML records). |
| Data subjects | Users (natural persons to whom cards are issued); authorised representatives of the Controller; in limited cases, beneficiaries of payments. |
Categories of User Personal Data
| Category | Examples |
|---|---|
| Identification data | Full name, date of birth, nationality, government-issued ID number, ID document images |
| Contact data | Residential address, email address, phone number |
| Biometric data | Face capture (selfie) for identity verification |
| Financial data | Card number (PAN, generally tokenised), expiry, CVV, transaction records, top-up records, balances |
| Device and technical data | IP address, device identifier, log-in records, tokenisation references for Apple Pay / Google Pay |
| Behavioural data | Transaction patterns, geolocation (transaction level), risk score |
| Sanctions and AML screening data | Results of sanctions, PEP and adverse-media screening |
Annex 2 — Technical and Organisational Measures
Access control
Role-based access control (RBAC); multi-factor authentication for administrative access; centralised identity and access management; joiner-mover-leaver procedure with prompt revocation.
Encryption
Encryption in transit using TLS 1.2 or higher; encryption at rest using AES-256 or equivalent; tokenisation of card numbers (PAN) per PCI-DSS; key management with separation of duties.
Physical security
Data centres operated by ISO/IEC 27001-certified or equivalent cloud providers; physical access controls and visitor logs.
Network security
Firewall and network segmentation; intrusion detection and prevention; DDoS protection; regular vulnerability scanning and penetration testing.
Application security
Secure software development life-cycle; dependency vulnerability management; web application firewall; API authentication and rate limiting.
Operational security
Centralised logging and monitoring; incident response procedure; patch management; backup and disaster-recovery procedures.
Personnel
Background checks where permitted; confidentiality undertakings; regular data-protection and information-security training.
Governance
Information-security policies subject to periodic review; designated data protection responsibility; risk assessments and DPIAs where required; vendor due-diligence for Sub-processors.
Continuity
Regular backups stored separately from production; documented business-continuity and disaster-recovery plans; periodic testing of recovery procedures.
Annex 3 — List of Authorised Sub-processors
| Category | Purpose | Location |
|---|---|---|
| Cloud hosting and infrastructure | Hosting of the Platform, databases, application servers | EEA (primary) |
| BIN Sponsorship Chain — regulated card issuer (US) | Card issuance, processing, settlement, scheme membership | United States |
| BIN Sponsorship Chain — program manager (APAC) | Card issuance, processing, settlement, scheme membership | Hong Kong / Singapore |
| KYC and identity verification provider | Customer due diligence, identity verification, biometric matching | EEA |
| Blockchain analytics provider | Stablecoin source-of-funds screening, wallet risk scoring | EEA / international |
| Transaction monitoring / AML provider | Transaction monitoring, sanctions screening, PEP screening | EEA |
| Email and communications provider | Operational email, notifications | EEA / US |
| Customer support tooling provider | Ticketing, communications with Controller | EEA / US |
| Auditors, legal and tax advisors | Audit, advisory, regulatory reporting | EEA |