This Data Processing Addendum (“DPA”) forms part of the applicable agreement between the customer identified in the relevant order form or written agreement (“Customer”) and the operator of the PayeeProof Service (“PayeeProof”, “Processor”).
To the extent PayeeProof processes Customer Personal Data on behalf of Customer in connection with the Service, Customer acts as controller or equivalent business entity and PayeeProof acts as processor or service provider.
This DPA does not apply where PayeeProof acts as an independent controller for its own business operations, such as billing, website administration, security logging, fraud prevention, legal compliance, and direct communications.
The subject matter of the processing is PayeeProof’s provision of pre-transfer verification, related decision-support outputs, verification records, webhook notifications, and support. Processing continues for the duration of the applicable customer relationship unless earlier terminated.
PayeeProof may process Customer Personal Data to receive and process verification requests, generate verification records, transmit webhooks and delivery metadata, maintain auditability and service reliability, provide support, and comply with documented customer instructions consistent with the Service.
PayeeProof will process Customer Personal Data only on documented instructions from Customer, unless otherwise required by law. The applicable agreement, API usage, configuration choices, and written support requests constitute Customer’s documented instructions.
PayeeProof will ensure that persons authorized to process Customer Personal Data are subject to confidentiality obligations.
PayeeProof will implement reasonable technical and organizational measures appropriate to the risk. Depending on the Service setup, these may include access controls, authentication, secrets management, logging and monitoring, abuse protections, rate limiting, environment separation, transport security, backups, and incident-response procedures.
Customer authorizes PayeeProof to use sub-processors for hosting, infrastructure, email delivery, monitoring, analytics, support, logging, and related business operations necessary to provide the Service. PayeeProof will remain responsible for the performance of its sub-processors to the extent required by law.
Taking into account the nature of the processing and the information available to PayeeProof, PayeeProof will provide reasonable assistance with data-subject requests, breach-related obligations, and impact assessments where required, subject to reasonable commercial limits.
If PayeeProof becomes aware of a confirmed personal data breach affecting Customer Personal Data, PayeeProof will notify Customer without undue delay and provide reasonably available information relevant to the incident.
Where Customer Personal Data is transferred across borders, the parties will implement appropriate safeguards where required by applicable data protection law.
Upon termination of the applicable services, PayeeProof will delete or return Customer Personal Data as required by the agreement or applicable law, unless retention is required for legal, security, fraud-prevention, backup, or dispute-resolution reasons.
PayeeProof will make available information reasonably necessary to demonstrate compliance with this DPA. If additional audits are requested, the parties will cooperate in good faith to agree on scope, timing, confidentiality, and cost, taking into account security and operational burden.
This DPA is subject to the liability limitations in the main agreement except to the extent prohibited by applicable law.
If there is a conflict between this DPA and the main agreement regarding the processing of Customer Personal Data, this DPA controls to the extent of that conflict.
Privacy / legal contact: hello@payeeproof.com