Data Processing Agreement
This DPA governs the processing of personal data by PayServ on behalf of Merchants in connection with the PayServ platform.
1. Definitions
"Controller" means the Merchant, who determines the purposes and means of processing personal data through the PayServ platform.
"Processor" means PAYSERV LLC, which processes personal data on behalf of the Controller.
"Personal Data" has the meaning given in applicable data protection legislation, including the GDPR, CCPA, and equivalent regulations.
"Processing" means any operation performed on personal data, including collection, storage, routing, transmission, and deletion.
2. Nature & Purpose of Processing
PayServ processes personal data on behalf of Merchants solely for the purpose of providing the PayServ platform services, including: routing payment transaction requests to downstream PSPs; storing encrypted PSP credentials on behalf of Merchants; generating and transmitting webhook event data; and providing transaction analytics and audit logs.
PayServ does not process raw cardholder data (PAN, CVV, expiry). Card data is captured exclusively within PSP-controlled Hosted Fields (iFrame-isolated SDKs served from PSP CDNs) and never transits PayServ infrastructure.
3. Data Subjects
The categories of data subjects whose personal data may be processed include: the Merchant's end customers (payers), to the limited extent their transaction metadata (not card data) flows through PayServ's routing layer; and the Merchant's authorised employees and API users who access the PayServ dashboard or API.
4. Processor Obligations
PayServ, as Processor, shall: (a) process personal data only on documented instructions from the Merchant (Controller); (b) ensure that authorised personnel are subject to confidentiality obligations; (c) implement appropriate technical and organisational security measures; (d) assist the Controller in meeting data subject rights obligations; (e) delete or return personal data at the end of the service relationship; and (f) provide all information necessary to demonstrate compliance with this DPA.
5. Sub-Processors
PayServ uses the following categories of sub-processors: cloud infrastructure providers (e.g. AWS) for hosting and storage; email and communication service providers for transactional notifications; and analytics providers for platform performance monitoring.
PayServ will notify Merchants of any intended changes to sub-processors with at least 14 days' prior notice, giving Merchants the opportunity to object.
6. International Data Transfers
Where personal data is transferred outside the European Economic Area (EEA) or other regulated jurisdictions, PayServ will ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the European Commission, or equivalent mechanisms under applicable law.
7. Security Measures
PayServ implements the following technical and organisational security measures: TLS 1.3 encryption for all data in transit; AES-256-GCM encryption for credentials and sensitive data at rest; role-based access controls based on the principle of least privilege; regular security audits and penetration testing; incident response and breach notification procedures; and a SOC 2-aligned security programme.
8. Breach Notification
In the event of a personal data breach affecting Merchant data, PayServ will notify the Merchant without undue delay and in any case within 72 hours of becoming aware of the breach, providing: the nature of the breach; the categories and approximate number of data subjects affected; the likely consequences; and the measures taken or proposed to address the breach.
9. Contact
For data processing enquiries, DPA requests, or to exercise data subject rights, contact: privacy@payserv.com or write to PAYSERV LLC, Attn: Data Protection Officer.