Data Processing Agreement.

How we process data on behalf of business clients.

This Data Processing Agreement (DPA) governs Paype's processing of personal data on behalf of business account holders. This DPA is incorporated into the Paype Terms of Service for all business accounts.

1. Definitions

  • "Controller" means the business account holder who determines the purposes and means of processing.
  • "Processor" means Paype, processing data on the Controller's instructions.
  • "Personal Data" means information relating to an identified or identifiable natural person.
  • "Processing" means any operation on personal data.
  • "Sub-processor" means a third party engaged by Paype to process personal data.
  • "Data Subject" means the individual to whom personal data relates.
  • "Security Incident" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data.

2. Roles and Responsibilities

2.1 Paype as Processor

For end-customer data processed to execute transactions and provide Paype's services, Paype acts as a Processor. Paype processes this data on the documented instructions of the business account holder (Controller).

2.2 Paype as Independent Controller

Paype acts as an independent Controller for processing required to fulfill Paype's own legal obligations: KYC/KYB verification, AML screening, sanctions screening, SAR filing, regulatory reporting, and fraud prevention.

2.3 Controller Responsibilities

The Controller is responsible for:

  • Having a lawful basis for processing
  • Providing required notices to Data Subjects
  • Obtaining necessary consents
  • Responding to Data Subject rights requests
  • Ensuring instructions to Paype comply with applicable law

3. Processing Details

3.1 Subject Matter

Payment transaction processing, account management, compliance screening, fraud prevention, and customer support.

3.2 Duration

For the term of the business account plus any post-termination retention required by law.

3.3 Nature and Purpose

Processing necessary to provide Paype's payment services as described in the Terms of Service.

3.4 Data Categories

  • Identity data: Name, date of birth, government ID
  • Contact data: Email, phone, address
  • Financial data: Transaction amounts, currencies, counterparties
  • Technical data: IP address, device information
  • Compliance data: KYC status, risk scores, screening results

3.5 Data Subjects

The Controller's end-customers whose transactions are processed through Paype.

4. Paype's Obligations

4.1 Process on Instructions

Paype processes personal data only on the Controller's documented instructions, unless required by law.

4.2 Confidentiality

Paype ensures that personnel authorized to process personal data are bound by confidentiality obligations.

4.3 Security

Paype implements technical and organizational measures appropriate to the risk: encryption in transit and at rest, access controls, logging, regular testing, and incident response procedures.

4.4 Sub-processors

Paype may engage sub-processors. A current list is available on request. Paype notifies the Controller of new sub-processors and gives the Controller an opportunity to object. Sub-processors are bound by data protection obligations no less protective than this DPA.

4.5 Data Subject Rights

Paype assists the Controller in responding to Data Subject requests to the extent possible. Paype notifies the Controller of any Data Subject request received directly.

4.6 Security Incident Notification

Paype notifies the Controller without undue delay (and no later than 72 hours) after becoming aware of a Security Incident affecting the Controller's end-customer data.

4.7 Data Return or Deletion

Upon termination, Paype deletes or returns all personal data to the Controller, unless retention is required by law (BSA/AML records must be retained 5 years).

4.8 Audit

Paype makes available information necessary to demonstrate compliance with this DPA. The Controller may audit Paype's compliance once per year, at the Controller's expense, with 30 days' notice, during business hours, and subject to Paype's security and confidentiality requirements.

5. International Transfers

Paype processes data in the United States. Personal data transferred outside the US to banking partners or sub-processors is subject to contractual safeguards consistent with this DPA.

6. Liability

Each party's liability under this DPA is subject to the limitations in the Terms of Service.

7. Term and Termination

This DPA continues until the business account is terminated and all personal data has been returned or deleted, subject to legal retention requirements.

8. Governing Law

This DPA is governed by Montana law.
