This Data Processing Addendum ("DPA") is an integral component and forms part of the Agreement between you (the Account Holder) and the applicable Tazapay Contracting Entity ("Tazapay") as determined in accordance with section 2 (Definitions and Interpretation) of the General (Account Holder) Terms and Conditions, delineating the terms and conditions governing the Processing of Personal Data by Tazapay and its Affiliates in connection with the Tazapay Services.
This DPA is designed to comply with applicable DP Laws, including but not limited to the PDPA, the PIPEDA, and such other data protection laws as may apply under the Regional Terms or in jurisdictions where Tazapay's affiliates process Personal Data on Tazapay's behalf. Where Regional Terms apply under section 21 of the General (Account Holder) Terms, this DPA shall be interpreted consistently with the applicable Regional Terms and the Applicable Laws of the relevant jurisdiction.
By entering into the Agreement, you affirm that you have read, comprehended and agree to be bound by the provisions of this DPA. This DPA is legally binding and applies to all Account Holders and Users who access or utilise the Tazapay Services under the Agreement.
We strongly advise you to thoroughly review this DPA, as it comprehensively outlines the terms and conditions governing the Processing of Personal Data in connection with the Tazapay Services under the Agreement. Should you have any inquiries or require further clarification regarding the Processing of Personal Data, please contact us at [email protected].
Capitalised terms not defined herein shall have the meanings assigned to them in the Agreement, including the General (Account Holder) Terms and the applicable Appendices. For definitions specific to this DPA, please refer to Appendix A (Definitions) of this DPA.
Tazapay is committed to Processing Personal Data in strict adherence to applicable DP Laws and regulations. Depending on the specific circumstances, Tazapay may function either as a Data Processor or a Data Controller, each role encompassing distinct responsibilities and purposes.
When acting as a Data Processor, Tazapay Processes Personal Data on behalf of the Account Holder (acting as the Data Controller), and strictly in accordance with the Account Holder's documented Instructions. In this capacity, Tazapay's Processing activities are limited to:
Platform Maintenance: Ensuring the effective operation and servicing of the Tazapay Platform, including the Tazapay Website and Dashboard.
Service Provision: Providing and facilitating access to Tazapay Services as specified in the Agreement, including Payment Gateway, Global Collection Accounts, Payouts, Escrow, Institutional Account, and any other services described in the applicable Appendices.
Transaction Processing: Processing Transactions, Payments, and related financial operations on behalf of Account Holders and their Customers.
As a Data Processor, Tazapay is committed to implementing robust security measures to safeguard Personal Data and ensure compliance with applicable DP Laws.
For the avoidance of doubt, Tazapay's role as a Data Processor under this section 1.1 does not limit or affect Tazapay's independent obligations as a Data Controller under section 1.2, including obligations arising under Applicable Laws that require Tazapay to independently determine the purposes and means of Processing.
In certain situations, Tazapay independently determines the purposes and methods of Processing Personal Data, thereby acting as a Data Controller. This occurs when Tazapay Processes data to meet regulatory requirements, enhance service delivery, or protect its operational integrity. Purposes of Processing as a Data Controller include:
Compliance with Legal Obligations: Tazapay Processes Personal Data to fulfil regulatory requirements, including AML screening, KYC and KYB obligations, CDD and ongoing Compliance obligations as set out in section 7 of the General (Account Holder) Terms, Sanctions screening, and responding to lawful requests from Governmental Authorities. Tazapay will not Process Sensitive Data, unless expressly required by law or with explicit consent.
Fraud Detection and Risk Management: Tazapay monitors, detects, and prevents fraudulent Transactions and activities, mitigating risks to its Account Holders, Users, Customers, and Platform, including conducting risk management and compliance reviews as described in the General (Account Holder) Terms.
Service Development: Personal Data is analysed and utilised to enhance Tazapay Services, ensuring they remain effective and relevant to Account Holder and Customer needs.
Operational Efficiency: Tazapay Processes Personal Data to support essential business operations, such as billing, invoicing, Fees, Charges, reconciliation, and customer relationship management as described in section 8 of the General (Account Holder) Terms.
Third-Party Collaboration: Tazapay engages with Service Providers, including Financial Partners, Payment Service Providers, Card Schemes, APM Providers, and other essential entities to ensure seamless service delivery. This includes data sharing as described in section 12 of the General (Account Holder) Terms and section 15 of Appendix 1 (Payment Gateway Terms).
In its role as a Data Controller, Tazapay may collaborate with its Affiliates. Each Tazapay Entity is independently responsible for its Processing activities as a separate Data Controller. Where one Tazapay entity transfers Personal Data to another for Processing, such transfer shall be governed by this DPA and appropriate intercompany arrangements.
In both roles, Tazapay adheres to stringent data protection principles, ensuring that all Processing activities are conducted lawfully, fairly, and transparently. Where the Agreement requires Tazapay to share Personal Data with third parties (including Service Providers, Card Schemes, and Payment Method Providers as described in section 12 of the General (Account Holder) Terms), such sharing shall be conducted in accordance with this DPA and applicable DP Laws. With a focus on security, accountability and compliance, Tazapay strives to maintain the trust and confidence of its Account Holders while upholding its legal and regulatory responsibilities.
Tazapay processes Personal Data of its Account Holders, Users, Customers, and Beneficiaries strictly as necessary to deliver the Tazapay Services. The categories of Personal Data processed by Tazapay may include, but are not limited to: payment account details, bank account details, billing and shipping addresses, names, order information (such as date, time, amount, and product or service descriptions), device IDs, email addresses, IP addresses and locations, order IDs, payment card details, tax IDs and tax status, unique customer identifiers, Available Balance information, and identity information including government-issued documents (e.g., national IDs, driver's licences, and passports).
In connection with CDD and KYC/KYB obligations under section 7 of the General (Account Holder) Terms, Tazapay may additionally process corporate registration data, beneficial ownership information, director and shareholder details, and such other information as may be required for Compliance purposes.
Tazapay limits data collection to what is required for the specified purposes and implements anonymisation or pseudonymisation wherever feasible, consistent with the Privacy Policy.
Both parties shall comply with applicable DP Laws in their respective roles as Data Controller or Data Processor. Each party is independently responsible for ensuring that its Processing of Personal Data under the Agreement is lawful, fair, and transparent.
Where Tazapay acts as a Data Processor, it shall Process Personal Data only in accordance with the Account Holder's documented Instructions and applicable DP Laws. Where Tazapay acts as a Data Controller, it shall independently ensure compliance with DP Laws applicable to its Processing activities.
Both parties shall cooperate in good faith to ensure compliance with applicable DP Laws, including assisting each other in responding to Data Subject requests, regulatory inquiries, and Data Incidents, consistent with the obligations set out in sections 14 and 16 of the General (Account Holder) Terms.
In the event of a Data Incident, the affected party shall:
notify the other party without undue delay, and in any event within the timeframes required by applicable DP Laws; and
provide reasonable assistance in investigating, mitigating, and remediating the Data Incident, including cooperating with regulatory authorities where required.
The notification obligations in this section are without prejudice to Tazapay's rights under section 14 (Suspension, Termination, and Remedial Action) of the General (Account Holder) Terms, including the right to suspend or terminate access to the Tazapay Services in response to a security incident or breach.
Both parties shall maintain records of Data Incidents, including the facts relating to the incident, its effects, and the remedial action taken, in accordance with applicable DP Laws.
When acting as a Data Processor, Tazapay shall Process Personal Data only on documented Instructions from the Account Holder (as the Data Controller, where applicable), unless Processing is required by Applicable Laws to which Tazapay is subject, in which case Tazapay shall inform the Account Holder of that legal requirement before Processing, unless prohibited by law from doing so.
Tazapay shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate:
the pseudonymisation and encryption of Personal Data;
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of Processing; and
such other measures as may be required under the PDPA, PIPEDA, or other applicable DP Laws.
Tazapay may engage Sub-processors to Process Personal Data on its behalf in connection with the Tazapay Services, subject to the following conditions:
Engagement of Sub-Processors
Tazapay shall enter into written agreements with each Sub-processor that impose data protection obligations no less protective than those set out in this DPA. The Account Holder provides general authorisation for Tazapay to engage Sub-processors, subject to the notification and objection mechanism described below.
Sub-Processor Obligations
Each Sub-processor agreement shall require the Sub-processor to implement appropriate technical and organisational measures to protect Personal Data and to Process Personal Data only in accordance with Tazapay's documented Instructions.
Sub-Processor Notification and Obligations
Tazapay shall maintain an up-to-date list of Sub-processors and shall notify the Account Holder of any intended changes concerning the addition or replacement of Sub-processors, giving the Account Holder reasonable opportunity to object to such changes. If the Account Holder reasonably objects on data protection grounds, the parties shall discuss the concern in good faith. If no resolution is reached, the Account Holder may terminate the affected Tazapay Services in accordance with the Agreement.
India Sub-Processor Disclosure
Where Personal Data is Processed by a Sub-processor located in India, Tazapay shall ensure that appropriate contractual safeguards are in place and that the Sub-processor complies with applicable Indian data protection laws, including any requirements under the Digital Personal Data Protection Act, 2023, as applicable.
In the event of a Personal Data Breach, Tazapay (as a Data Processor) shall:
notify the Account Holder without undue delay after becoming aware of a Personal Data Breach;
provide sufficient information to enable the Account Holder to meet any obligation to report or inform Data Subjects of the Personal Data Breach under applicable DP Laws;
cooperate with the Account Holder and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each such Personal Data Breach;
take reasonable steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach; and
maintain records of Personal Data Breaches, including the facts relating to the breach, its effects, and the remedial action taken.
Upon termination or expiry of the Agreement, Tazapay shall, at the Account Holder's choice, delete or return all Personal Data Processed on behalf of the Account Holder, unless Applicable Laws require storage of the Personal Data. This obligation is subject to the data retention requirements set out in the Privacy Policy and applicable DP Laws.
Tazapay may retain Personal Data to the extent required by Applicable Laws, including for compliance with AML, KYC, tax, and regulatory obligations, provided that such retained data continues to be protected in accordance with this DPA.
Tazapay shall be liable for damage caused by Processing only where it has not complied with obligations of applicable DP Laws specifically directed to Data Processors or where it has acted outside or contrary to lawful Instructions of the Account Holder. The limitations of liability set out in section 11 of the General (Account Holder) Terms shall apply to this DPA.
Where the Account Holder acts as the Data Controller and Tazapay acts as the Data Processor, the Account Holder shall have the following rights and obligations:
The Account Holder shall ensure that its Instructions to Tazapay for the Processing of Personal Data comply with applicable DP Laws. The Account Holder is responsible for ensuring the lawfulness of the Processing it instructs Tazapay to perform.
The Account Holder shall provide documented Instructions to Tazapay regarding the Processing of Personal Data. Such Instructions may be provided through the Tazapay Dashboard, Tazapay API, or written communication. Tazapay shall Process Personal Data only in accordance with such documented Instructions, unless required to do so by Applicable Laws.
The Account Holder shall be responsible for responding to Data Subject requests, including requests for access, rectification, erasure, restriction of Processing, data portability, and objection to Processing. Tazapay shall assist the Account Holder by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Account Holder's obligation to respond to such requests.
Where a DPIA is required under applicable DP Laws, the Account Holder shall conduct such assessment and Tazapay shall provide reasonable assistance to the Account Holder in conducting the DPIA, taking into account the nature of Processing and the information available to Tazapay.
The Account Holder shall maintain records of Processing activities carried out on its behalf by Tazapay, as required under applicable DP Laws. Tazapay shall make available to the Account Holder all information necessary to demonstrate compliance with the obligations laid down in this DPA.
The Account Holder shall:
ensure that it has obtained all necessary consents, authorisations, and legal bases required under applicable DP Laws for the Processing of Personal Data by Tazapay;
ensure that Personal Data provided to Tazapay is accurate, complete, and up to date;
inform Tazapay without undue delay if any Personal Data provided to Tazapay is inaccurate or incomplete; and
comply with all applicable DP Laws in relation to the Personal Data it provides to Tazapay, including ensuring appropriate transparency notices are provided to Data Subjects.
When Tazapay acts as a Data Controller, it shall comply with the following obligations:
Tazapay shall comply with all applicable DP Laws in its capacity as a Data Controller, including ensuring that all Processing activities have a valid legal basis and are conducted in accordance with the principles of data protection.
Tazapay shall ensure transparency in its Processing activities by maintaining and publishing a Privacy Policy that describes the categories of Personal Data collected, the purposes of Processing, the legal bases relied upon, data retention periods, and the rights of Data Subjects.
Tazapay shall respond to and facilitate the exercise of Data Subject rights under applicable DP Laws, including rights of access, rectification, erasure, restriction of Processing, data portability, and objection to Processing, in accordance with the Privacy Policy.
Tazapay shall implement appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, or damage, having regard to the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing.
Tazapay shall ensure that Personal Data collected is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is Processed. Tazapay shall take reasonable steps to ensure that Personal Data is accurate and, where necessary, kept up to date.
Tazapay shall be responsible for and be able to demonstrate compliance with applicable DP Laws, including by maintaining records of Processing activities, conducting DPIAs where required, and cooperating with supervisory authorities.
Where the Account Holder transfers Personal Data to Tazapay across borders, the Account Holder shall ensure that such transfer complies with applicable DP Laws, including by ensuring that an appropriate Data Transfer Mechanism is in place. The Account Holder is responsible for ensuring that it has obtained all necessary consents and authorisations required for the cross-border transfer of Personal Data to Tazapay.
Tazapay may transfer Personal Data across borders in connection with the Tazapay Services, including to its Affiliates and Sub-processors located in different jurisdictions. Tazapay shall ensure that any such transfer is conducted in accordance with applicable DP Laws and that appropriate safeguards are in place to protect Personal Data.
Where required by applicable DP Laws, Tazapay shall implement appropriate Data Transfer Mechanisms, including contractual clauses, binding corporate rules, or other mechanisms recognised under applicable DP Laws, to ensure that Personal Data transferred across borders receives an adequate level of protection.
In addition to the general obligations set out above, the following jurisdiction-specific requirements shall apply:
India: Where Personal Data is transferred to Tazapay's affiliate in India for operational processing, Tazapay shall ensure that appropriate contractual safeguards are in place, including the obligations on the affiliate to implement technical and organisational measures consistent with PDPA and PIPEDA.
Singapore: Tazapay shall ensure the recipient is bound by legally enforceable obligations as per section 26 of the PDPA.
Canada: Transfers shall comply with PIPEDA, including the requirement under Principle 1 that the transferring organisation remains accountable for Personal Data transferred to a third party for processing.
The Account Holder acknowledges that Tazapay has audit and inspection rights as set out in section 16 of the General (Account Holder) Terms. Tazapay may monitor and review the Account Holder's Account, use of the Tazapay API, and any other information, policies, procedures, or agreements to ensure compliance with these Terms and this DPA.
At Tazapay's written request, the Account Holder must permit and cooperate with Tazapay or its third-party auditor to audit the Account Holder's compliance with these Terms and this DPA, consistent with section 16 of the General (Account Holder) Terms. The Account Holder agrees to preserve all relevant evidence and information and shall not intentionally withhold, conceal, destroy, or alter any record pertinent to an audit or inspection.
At the Account Holder's written request (not more than once per calendar year), Tazapay shall make available information demonstrating its compliance with this DPA, which may include summaries of third-party audit reports or responses to data protection questionnaires. Tazapay may redact commercially sensitive information.
Tazapay shall review this DPA and its data protection practices at least annually, updating them as necessary to reflect changes in Applicable Laws, regulatory guidance or processing activities.
The Account Holder understands and acknowledges that data about the Account Holder, its Users, and Customers may be disclosed to such third parties as necessary for the purpose of providing the Tazapay Services, as set out in section 12 of the General (Account Holder) Terms. Such disclosure may be necessary for facilitating or enabling the use of Tazapay Services, compliance with Applicable Laws, or fulfilling Compliance obligations.
In connection with Appendix 1 (Payment Gateway Terms) of the Agreement, Tazapay may share data with APM Providers, Service Providers, Card Schemes, and other third parties for the purpose of managing disputes, assessing Compliance with Service Provider and Card Network Rules, and facilitating Compliance with Applicable Laws, Payment Method Rules, and Payment Method Terms.
Where Personal Data is shared with Sub-processors or Service Providers, Tazapay shall ensure that appropriate contractual and organisational safeguards are in place to protect such data in accordance with this DPA and applicable DP Laws.
The Account Holder waives its right to bring any claim against Tazapay arising from Tazapay sharing information as described in section 12 of the General (Account Holder) Terms, including any inclusion on a terminated merchant list that results from such sharing.
The confidentiality obligations set out in section 13 of the General (Account Holder) Terms shall apply to all Personal Data Processed under this DPA. All Personal Data shall be treated as Confidential Information for the purposes of section 13 of the General (Account Holder) Terms.
Tazapay shall ensure that persons authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
The confidentiality obligations in this clause shall survive the termination or expiry of this DPA and the Agreement.
In the event of any inconsistency or conflict between the provisions of this DPA and other related agreements, the following order of precedence shall apply:
Data Processing Addendum vs. the Agreement: If there is a conflict between the provisions of this DPA and the Agreement regarding the Processing of Personal Data, the provisions of this DPA shall prevail.
DPA vs. Regional Terms: Where Regional Terms under section 21 of the General (Account Holder) Terms impose additional or more stringent data protection requirements under Applicable Laws, such Regional Terms shall prevail to the extent necessary to comply with the Applicable Laws of the relevant jurisdiction.
Any dispute arising out of or in connection with this DPA shall be resolved in accordance with the dispute resolution mechanisms in the General (Account Holder) Terms, applying the governing laws and jurisdiction applicable to the Account Holder as determined under section 21 (Regional Terms) of the General (Account Holder) Terms.
"Agreement" has the meaning given in the General (Account Holder) Terms and Conditions between the Account Holder and the applicable Tazapay Contracting Entity, as determined in accordance with section 2 (Definitions and Interpretation) of the General (Account Holder) Terms.
"Authorised Services" means services that a Governmental Authority licenses, authorises, or regulates.
"Data Controller" means the entity which, alone or jointly with others, determines the purposes and means of Processing Personal Data. Where the PDPA applies to Tazapay, references to the "Data Controller" shall be read as the "organisation" that determines the purpose of Processing; where PIPEDA applies, as the organisation accountable under Principle 1.
"Data Incident" means an unauthorised or unlawful Processing, use, access, loss, disclosure, destruction or alteration of Personal Data in a party's or its Affiliate's, or a party's or its Affiliate's subcontractor's, agent's or representative's, possession or control. Where the PDPA applies to Tazapay, "Data Incident" shall have the same meaning as "data breach" as defined under the PDPA. For the avoidance of doubt, a Major Breach (as defined in the General (Account Holder) Terms) that involves Personal Data constitutes a Data Incident.
"Data Processor" means the entity that processes Personal Data on behalf of the Data Controller. Where the PDPA applies to Tazapay, "Data Processor" shall have the same meaning as "data intermediary" as defined under the PDPA.
"Data Subject" means an identified or identifiable natural person to whom Personal Data relates, including Account Holders' Users, Customers, and Beneficiaries.
"Data Transfer Mechanism" means a transfer mechanism that enables the lawful cross-border transfer of Personal Data under DP Law, which includes transfer mechanisms that are required under DP Law in Singapore, Canada, and India.
"DP Law" means laws that apply to Personal Data Processing under the Agreement and this DPA, including international, federal, state, provincial and local law relating in any way to privacy, data protection or data security, and includes, where applicable, the Applicable Laws (as defined in the General (Account Holder) Terms) relating to data protection.
"DPIA" means a Data Protection Impact Assessment as required under applicable DP Laws.
"Instructions" or "Instruction" means any communication or documentation, including that which may be provided through a Tazapay API, Tazapay Dashboard, or written agreements between the Account Holder and Tazapay, through which the Account Holder (as the Data Controller, where applicable) instructs Tazapay (as the Data Processor, where applicable) to perform specific Processing of Personal Data for the Account Holder.
"Joint Controller" means a Data Controller that jointly determines the purposes and means of Processing Personal Data with one or more Data Controllers.
"PDPA" means the Singapore Personal Data Protection Act 2012.
"Personal Data" means any information relating to an identifiable natural person that is Processed in connection with the Tazapay Services, and includes "personal data" as defined under the PDPA, "personal information" as defined under PIPEDA, and "Personal Data" as defined in section 2 (Definitions and Interpretation) of the General (Account Holder) Terms.
"PIPEDA" means the Canada Personal Information Protection and Electronic Documents Act.
"Process" means to perform any operation or set of operations on Personal Data or sets of Personal Data, such as collecting, recording, organising, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying, as described under DP Law. "Processes", "Processed" and "Processing" shall be construed accordingly. Processing includes sub-processing.
"Sensitive Data" means, to the extent this data is treated distinctly as a special category of Personal Data under DP Law: (a) Personal Data that is genetic data, biometric data, data concerning health, a natural person's sex life or sexual orientation; (b) data about racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; (c) geolocation data; or (d) sensitive personal information.
"Sub-processor" means an entity Tazapay (as a Data Processor, where applicable) engages to Process Personal Data on Tazapay's behalf in connection with the Tazapay Services under the Agreement, and includes Service Providers (as defined in the General (Account Holder) Terms) to the extent they Process Personal Data on Tazapay's behalf.