Last Updated: 25 March, 2025
This Data Processing Addendum ("DPA") is an integral component and forms part of the Agreement between you and Tazapay Pte. Ltd. ("Tazapay"), delineating the terms and conditions governing the Processing of Personal Data by Tazapay and its affiliates.
This DPA is designed to comply with applicable DP Laws, including but not limited to the PDPA, the PIPEDA, and the DPDPA.
By entering into the Agreement, you affirm that you have read, comprehended, and agree to be bound by the provisions of this DPA. This DPA is legally binding and applies to all users who access or utilize the service under the Agreement.
We strongly advise you to thoroughly review this DPA, as it comprehensively outlines the terms and conditions governing the Processing of Personal Data in connection with the service under the Agreement. Should you have any inquiries or require further clarification regarding the Processing of Personal Data, please contact us at [email protected].
Capitalized terms not defined herein shall have the meanings assigned to them in the Agreement. For definitions specific to this DPA, please refer to the Appendix.
Tazapay is committed to Processing Personal Data in strict adherence to applicable DP Laws and regulations. Depending on the specific circumstances, Tazapay may function either as a Data Processor or a Data Controller, each role encompassing distinct responsibilities and purposes.
When acting as a Data Processor, Tazapay Processes Personal Data on behalf of you, the Data Controller, and strictly in accordance with your documented Instructions. In this capacity, Tazapay's Processing activities are limited to:
- Platform Maintenance: Ensuring the effective operation and servicing of the Tazapay platform.
- Service Provision: Providing and facilitating access to Tazapay’s products and services as specified in the Agreement.
As a Data Processor, Tazapay is committed to implementing robust security measures to safeguard Personal Data and ensure compliance with applicable DP Laws.
In certain situations, Tazapay independently determines the purposes and methods of Processing Personal Data, thereby acting as a Data Controller. This occurs when Tazapay Processes data to meet regulatory requirements, enhance service delivery, or protect its operational integrity.
Purposes of Processing as a Data Controller:
- Compliance with Legal Obligations: Tazapay Processes Personal Data to fulfill regulatory requirements, such as anti-money laundering (AML) screening, know-your-customer (KYC) obligations, and responding to lawful requests from governmental authorities. Tazapay will not Process Sensitive Data as defined under the DPDPA, unless expressly required by law or with explicit consent.
- Fraud Detection and Risk Management: Tazapay monitors, detects, and prevents fraudulent transactions and activities, mitigating risks to its users and platform.
- Service Improvement and Innovation: Personal Data is analyzed and utilized to enhance Tazapay’s products and services, ensuring they remain effective and relevant to user needs.
- Operational Efficiency: Tazapay Processes Personal Data to support essential business operations, such as billing, invoicing, and customer relationship management.
- Third-Party Collaboration: Tazapay engages with banks, payment providers, and other essential entities to ensure seamless service delivery.
In its role as a Data Controller, Tazapay may also collaborate with its affiliates, who may act as:
- Joint Controllers: Working alongside Tazapay to provide services regulated or authorized by governmental authorities.
- Data Processors: Supporting Tazapay in the delivery of auxiliary services that fall outside the scope of Authorized Services.
In both roles, Tazapay adheres to stringent data protection principles, ensuring that all Processing activities are conducted lawfully, fairly, and transparently. With a focus on security, accountability, and compliance, Tazapay strives to maintain the trust and confidence of its users while upholding its legal and regulatory responsibilities.
Tazapay Processes Personal Data of its users and customers strictly as necessary to deliver its services. The categories of Personal Data Processed by Tazapay may include, but are not limited to: payment account details, bank account details, billing and shipping addresses, names, order information (such as date, time, amount, and product or service descriptions), device IDs, email addresses, IP addresses/locations, order IDs, payment card details, tax IDs/status, unique customer identifiers, and identity information, including government-issued documents (e.g., national IDs, driver’s licenses, and passports). Tazapay limits data collection to what is required for the specified purposes and implements anonymization or pseudonymization wherever feasible.
3.1.1. Compliance with Laws
You (the Data Controller, as applicable) and Tazapay commit to Processing Personal Data in compliance with applicable DP Law, ensuring that all Processing activities are grounded on a valid legal basis or exception, such as consent, contractual necessity, or statutory obligation. Both parties agree to implement appropriate safeguards, such as Standard Contractual Clauses, for transfers to jurisdictions which are regarded by applicable DP Law as not having adequate data protection to the standard as required by applicable DP Law.
The Controller acknowledges its responsibility to honor Data Subject requests to withdraw consent, as required by applicable DP Law including but not limited to PDPA and DPDPA.
3.1.2. Cooperation
You (as the Data Controller, where applicable) and Tazapay commit to working collaboratively to fulfill their respective obligations under this DPA and applicable DP Laws. This cooperation extends to ensuring the exercise of Data Subjects’ rights, managing security incidents (including Data Incidents), and addressing regulatory requirements.
3.1.3. Incident
Each party commits to promptly notifying the other upon becoming aware of a data breach or Data Incident involving Personal Data Processed under this Agreement. The party who is the Data Controller responsible for the data breach or Data Incident shall lead the response efforts, including containment, investigation, and remediation, while the other party provides necessary assistance to mitigate adverse effects and ensure compliance with applicable DP Laws.
Specifically, Tazapay (as the Data Processor, where applicable) shall notify you (as the Data Controller, where applicable) without undue delay after becoming aware of a data breach or Data Incident affecting Personal Data. The notification shall include sufficient information to allow you to meet any obligations to inform regulatory authorities or Data Subjects. Notifications will include details required under applicable DP Laws, such as the PDPA, which mandates reporting to the Singapore personal data protection regulator for breaches posing significant harm.
Both parties agree to maintain records of any data breaches and the corresponding response actions taken, in compliance with applicable legal requirements.
3.2.1. Processing of Personal Data
Tazapay (as the Data Processor, where applicable) shall Process Personal Data exclusively on documented Instructions from you (as the Data Controller, where applicable), including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by applicable law.
3.2.2. Security of Processing
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Tazapay (as the Data Processor, where applicable) shall implement appropriate or reasonable technical and organizational measures to ensure a level of security appropriate to the risk, including, as appropriate:
3.2.3. Sub-processing
To ensure compliance with data protection regulations and maintain transparency, Tazapay (as the Data Processor, where applicable) shall adhere to the following terms regarding the engagement of sub-processors:
1. Engagement of Sub-Processors
You (as the Data Controller, where applicable) acknowledge that Tazapay (as the Data Processor, where applicable) is required to engage sub-processors as necessary to perform the services under the Agreement. By agreeing to this DPA, you (as the Data Controller, where applicable) consent to Tazapay's use of the sub-processors listed therein and grant a general authorization to engage additional or replacement sub-processors as required to deliver the services under the Agreement.
2. Sub-Processor Obligations
Tazapay (as the Data Processor, where applicable) shall enter into a written agreement with each sub-processor imposing data protection obligations comparable to those set forth in this DPA, including the implementation of appropriate or reasonable technical and organizational measures to ensure the security of Personal Data. Tazapay retains the right to periodically review sub-processor engagements to ensure compliance with Tazapay’s obligations.
3.2.4. Personal Data Breach
Tazapay (as the Data Processor, where applicable) shall notify you (as the Controller, where applicable) without undue delay after becoming aware of a Data Incident. Such notification shall at least:
3.2.4.1 Describe the nature of the Data Incident including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
3.2.4.2 Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
3.2.4.3 Describe the likely consequences of the Data Incident;
3.2.4.4 Describe the measures taken or proposed to be taken by Tazapay to address the Data Incident, including, where appropriate, measures to mitigate its possible adverse effects;
3.2.4.5 And any other detail as required by applicable DP Law.
3.2.5. Deletion or return of Personal Data
At the written request of you (as the Data Controller, where applicable), Tazapay (as the Data Processor, where applicable) shall delete or return all the Personal Data to you after the end of the provision of services relating to Processing, and delete existing copies unless applicable law requires storage of the Personal Data. Where required by applicable laws, Tazapay may retain minimal data necessary for statutory purposes beyond service termination.
3.2.6. Liability
Tazapay (as the Data Processor, where applicable) shall Process Personal Data strictly in accordance with your (as the Data Controller, where applicable) documented Instructions, as stipulated in this Agreement. Tazapay shall not be liable for any claims, damages, or losses arising from Processing activities that result from adhering to your Instructions. In the event that Tazapay acts outside the scope of your Instructions or in contravention of applicable DP Laws, Tazapay shall be liable for any resulting damages or losses.
3.3. Rights and Obligations of you (as the Data Controller, where applicable)
As the entity or person determining the purposes and means of processing Personal Data, you (as the Data Controller, where applicable) commit to the following obligations:
3.3.1. Lawful Instructions
You shall ensure that all Personal Data processing activities are conducted in compliance with applicable DP Laws. This includes establishing a valid legal basis or exception for processing, such as obtaining necessary consents or fulfilling contractual obligations.
3.3.2. Provision of Instructions
You are responsible for providing clear, documented Instructions to Tazapay regarding the Processing of Personal Data. These Instructions must align with the Agreement and comply with relevant legal requirements. Any additional Processing activities beyond the original scope require a separate written agreement between the parties.
3.3.3. Data Subject Rights
You are responsible for handling requests from Data Subjects concerning their rights under applicable DP Laws, including but not limited to access, rectification, erasure, restriction of processing, and objection to processing. Tazapay shall assist you, as necessary and upon request, in fulfilling these obligations.
3.3.4. Data Protection Impact Assessments
When required, you shall conduct DPIAs to evaluate the impact of Processing activities on the protection of Personal Data. Tazapay shall assist you in carrying out DPIAs and consulting with supervisory authorities, as necessary and upon your request.
3.3.5. Record-Keeping
You (as the Data Controller, where applicable) shall maintain accurate records of processing activities, detailing the nature and purpose of processing, categories of Personal Data, and any data transfers. These records should be readily available for inspection by relevant authorities.
3.4. Rights and obligations of Tazapay when acting as the Data Controller
As a Data Controller, Tazapay is responsible for determining the purposes and means of Processing Personal Data. In this capacity, Tazapay commits to the following obligations:
3.4.1. Compliance with Data Protection Laws
Tazapay shall Process Personal Data in strict adherence to all applicable DP Laws and regulations. This includes ensuring that all processing activities are based on a valid legal basis or exception, such as obtaining explicit consent from Data Subjects, fulfilling contractual obligations, or complying with legal requirements.
3.4.2. Transparency and Fairness
Tazapay is committed to Processing Personal Data transparently and fairly. This involves providing Data Subjects with clear and comprehensive information about how their data is collected, used, and shared. Tazapay shall ensure that its privacy notices are easily accessible and written in clear, plain language.
3.4.3. Data Subject Rights
Tazapay shall uphold the rights of Data Subjects as provided by applicable DP Laws. This includes facilitating the exercise of rights such as access to Personal Data, rectification of inaccuracies, erasure, restriction of processing, and the right to object to Processing. Tazapay shall establish efficient processes to respond to Data Subject requests within the timeframes stipulated by law.
3.4.4. Data Security
Tazapay shall implement appropriate or reasonable technical and organizational measures to ensure the security of Personal Data. This includes protecting data against unauthorized or unlawful Processing, accidental loss, destruction, or damage. Measures may encompass encryption, access controls, regular security assessments, and staff training on data protection principles.
3.4.5. Data Minimization and Accuracy
Tazapay commits to collecting and Processing only the Personal Data that is necessary for the specified purposes. Tazapay shall take reasonable steps to ensure that Personal Data is accurate and, where necessary, kept up to date.
3.4.6. Accountability
Tazapay shall maintain records of its data Processing activities and be able to demonstrate compliance with applicable DP Laws. This includes conducting DPIAs when required and cooperating with supervisory authorities.
You (as the Controller, where applicable) acknowledge that, to facilitate the provision of services by Tazapay, it may transfer Personal Data to Tazapay's entities or data centers located in jurisdictions outside your country. You are responsible for ensuring that such transfers comply with applicable DP Laws, including implementing appropriate safeguards such as obtaining explicit consent from Data Subjects or utilizing approved data transfer mechanisms.
Tazapay and its affiliates may transfer Personal Data globally as necessary to provide the services under this Agreement. This includes transfers to Tazapay's data centers and Sub-processors in various jurisdictions. Tazapay commits to ensuring that such transfers comply with applicable DP Laws by implementing appropriate safeguards, such as legally enforceable contractual obligations or other approved mechanisms, to protect the transferred Personal Data.
By adhering to this clause, both you (as the Data Controller, where applicable) and Tazapay ensure that cross-border data transfers are conducted in compliance with relevant data protection regulations, thereby safeguarding the rights of Data Subjects.
For transfers to jurisdictions like India, Tazapay will implement localization requirements as per DPDPA.
In the event of any inconsistency or conflict between the provisions of this DPA and other related agreements, the following order of precedence shall apply:
“Agreement” has the meaning given in the Tazapay merchant account agreement between you and Tazapay located at https://tazapay.com/legal/seller/termsandconditions or as otherwise agreed by the parties.
“Authorized Services” means services that a governmental authority licenses, authorizes or regulates.
“Data Controller” means the entity which, alone or jointly with others, determines the purposes and means of Processing Personal Data. Where the PDPA applies to Tazapay, “Data Controller” shall have the same meaning as “organisation” as defined under the PDPA.
“Data Incident” means an unauthorized or unlawful Processing, use, access, loss, disclosure, destruction or alteration of Personal Data in a party’s or its affiliate’s, or a party’s or its affiliate’s subcontractor’s, agent’s or representative’s, possession or control. Where the PDPA applies to Tazapay, “Data Incident” shall have the same meaning as “data breach” as defined under the PDPA.
“Data Processor” means the entity that Processes Personal Data on behalf of the Data Controller. Where the PDPA applies to Tazapay, “Data Processor” shall have the same meaning as “data intermediary” as defined under the PDPA.
“Data Subject” means an identified or identifiable natural person to which Personal Data relates.
“Data Transfer Mechanism” means a transfer mechanism that enables the lawful cross-border transfer of Personal Data under DP Law, which includes transfer mechanisms that are required under DP Law in Singapore, Canada and India.
“DPDPA” means the India Digital Personal Data Protection Act, 2023.
“DP Law” means laws that apply to Personal Data Processing under the Agreement and this DPA, including international, federal, state, provincial and local law relating in any way to privacy, data protection or data security.
“Instructions” or “Instruction” means any communication or documentation, including that which may be provided through a Tazapay API, or Tazapay Dashboard, or written agreements between you and Tazapay through which you (as the Data Controller, where applicable) instruct Tazapay (as the Data Processor, where applicable) to perform specific Processing of Personal Data for you.
“Joint Controller” means a Data Controller that jointly determines the purposes and means of Processing Personal Data with one or more Data Controllers.
“PDPA” means the Singapore Personal Data Protection Act 2012.
“Personal Data” means any information relating to an identifiable natural person that is Processed in connection with the Services, and includes “personal data” as defined under the PDPA and PIPEDA.
“PIPEDA” means the Canada Personal Information Protection and Electronic Documents Act.
“Process” means to perform any operation or set of operations on Personal Data or sets of Personal Data, such as collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying, as described under DP Law. "Processes", "Processed" and "Processing" shall be construed accordingly. Processing includes sub-processing.
“Sensitive Data” means, to the extent this data is treated distinctly as a special category of Personal Data under DP Law: (a) Personal Data that is genetic data, biometric data, data concerning health, a natural person's sex life or sexual orientation; (b) data about racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; (c) geolocation data; or (d) sensitive personal information as defined under the DPDPA.
“Sub-processor” means an entity Tazapay (as a Data Processor, where applicable) engages to Process Personal Data on Tazapay’s behalf in connection with the services under the Agreement.