Effective Date: December 31, 2025 | Version 1.0

This Data Processing Agreement (“DPA”) forms part of and is incorporated into the Terms of Service or other agreement (the “Agreement”) between PayNext Inc. (“PayNext”) and the entity executing the Agreement (“Customer”).

This DPA governs the processing of Personal Data by PayNext on behalf of Customer in connection with the Services. In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters.

1. Definitions

1.1 In this DPA, the following terms have the following meanings:

Applicable Data Protection Law: All laws and regulations applicable to the processing of Personal Data under this DPA, including: (a) the General Data Protection Regulation (EU) 2016/679 (“GDPR”); (b) the UK General Data Protection Regulation and Data Protection Act 2018 (“UK GDPR”); (c) the Swiss Federal Act on Data Protection (“FADP”); (d) the California Consumer Privacy Act and California Privacy Rights Act (“CCPA/CPRA”); and (e) any other applicable data protection or privacy laws
Controller: The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data
Customer Data: Any Personal Data processed by PayNext on behalf of Customer in connection with the Services
Data Subject: An identified or identifiable natural person to whom Personal Data relates
EEA: The European Economic Area
Personal Data: Any information relating to an identified or identifiable natural person, as defined in Applicable Data Protection Law
Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed
Processing: Any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction (and “Process” and “Processed” shall be construed accordingly)
Processor: A natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller
Services: The services provided by PayNext to Customer under the Agreement
Standard Contractual Clauses (SCCs): (a) For transfers from the EEA, the standard contractual clauses approved by European Commission Decision 2021/914; (b) for transfers from the UK, the International Data Transfer Agreement or Addendum issued by the UK Information Commissioner; and (c) for transfers from Switzerland, the applicable standard contractual clauses recognized under Swiss law
Sub-processor: Any Processor engaged by PayNext to Process Customer Data on behalf of Customer
Supervisory Authority: An independent public authority responsible for monitoring the application of Applicable Data Protection Law

1.2 Terms not defined in this DPA have the meanings given in the Agreement or Applicable Data Protection Law.

2. Scope and Roles

2.1 Customer as Controller

Customer is the Controller of Customer Data. Customer determines the purposes and means of Processing Customer Data and is responsible for compliance with its obligations as Controller under Applicable Data Protection Law.

2.2 PayNext as Processor

PayNext is the Processor of Customer Data. PayNext Processes Customer Data only on behalf of and in accordance with Customer’s documented instructions.

2.3 Processing Details

The subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects are described in Annex I.

2.4 Customer Responsibilities

Customer shall:

  • Ensure it has all necessary rights, consents, and lawful bases to transfer Customer Data to PayNext
  • Provide all required notices to Data Subjects regarding Processing
  • Ensure that its instructions to PayNext comply with Applicable Data Protection Law
  • Maintain appropriate records of Processing activities
  • Respond to Data Subject requests where Customer is the appropriate party to respond

2.5 PayNext as Controller

PayNext acts as an independent Controller for certain Processing activities, including: (a) account administration; (b) billing and payment; (c) service improvement and analytics; (d) compliance with legal obligations; and (e) fraud prevention and security. Such Processing is governed by PayNext’s Privacy Policy.

3. Processing Instructions

3.1 PayNext shall Process Customer Data only in accordance with Customer’s documented instructions, unless required to do otherwise by Applicable Data Protection Law. Customer’s instructions are set forth in:

  • This DPA and its Annexes
  • The Agreement
  • Customer’s configuration and use of the Services
  • Any other documented instructions provided by Customer and acknowledged by PayNext

3.2 PayNext shall promptly inform Customer if, in PayNext’s opinion, an instruction infringes Applicable Data Protection Law. PayNext may suspend performance of the relevant instruction until Customer confirms or modifies it.

3.3 If PayNext is required by Applicable Data Protection Law to Process Customer Data for purposes other than as instructed by Customer, PayNext shall inform Customer of such requirement before Processing (unless prohibited by law from doing so on important grounds of public interest).

3.4 Customer agrees that the Processing described in this DPA, including the engagement of Sub-processors listed in Annex III, constitutes Customer’s complete and final instructions. Additional instructions outside the scope of this DPA require a separate written agreement.

3.5 PayNext shall not Process Personal Data for any purpose other than providing the Services in accordance with Customer’s documented instructions.

4. Confidentiality

4.1 PayNext shall ensure that persons authorized to Process Customer Data:

  • Have committed to confidentiality or are under an appropriate statutory obligation of confidentiality
  • Process Customer Data only as necessary to perform their duties
  • Are informed of the confidential nature of the Customer Data and their obligations under this DPA

4.2 PayNext shall implement appropriate access controls to ensure that Customer Data is accessible only to personnel who require access to perform their duties.

5. Security Measures

5.1 PayNext shall implement and maintain appropriate technical and organizational measures to protect Customer Data against unauthorized or unlawful Processing, accidental loss, destruction, damage, theft, alteration, or disclosure.

5.2 Security measures shall be appropriate to the risk, taking into account:

  • The state of the art
  • The costs of implementation
  • The nature, scope, context, and purposes of Processing
  • The risk of varying likelihood and severity for the rights and freedoms of Data Subjects

5.3 PayNext’s technical and organizational measures are described in Annex II. These measures include, at a minimum:

  • Encryption of Personal Data in transit and at rest
  • Measures to ensure ongoing confidentiality, integrity, availability, and resilience of Processing systems
  • Measures to restore availability and access to Personal Data in a timely manner following an incident
  • Processes for regularly testing, assessing, and evaluating effectiveness of security measures
  • Measures for user identification and authorization

5.4 PayNext shall regularly review and update security measures to address evolving threats and vulnerabilities.

5.5 Customer acknowledges that security measures are subject to technical progress and development, and PayNext may update measures provided they do not materially decrease the overall level of protection.

6. Sub-processing

6.1 Authorization

Customer provides general authorization for PayNext to engage Sub-processors to Process Customer Data, subject to the requirements of this Section 6.

6.2 Current Sub-processors

Annex III lists PayNext’s current Sub-processors. Customer consents to the use of these Sub-processors as of the Effective Date.

6.3 Notification of Changes

PayNext shall:

  • Maintain an up-to-date list of Sub-processors at paynext.com/subprocessors
  • Notify Customer at least fourteen (14) days before engaging a new Sub-processor or replacing an existing Sub-processor
  • Provide a mechanism for Customer to subscribe to notifications of Sub-processor changes

6.4 Objection Rights

If Customer has a reasonable, documented objection to a new Sub-processor based on data protection grounds, Customer shall notify PayNext in writing within seven (7) days of receiving notice. The parties shall negotiate in good faith to address Customer’s concerns. If the parties cannot resolve the objection within thirty (30) days, Customer may terminate the affected Services without penalty.

6.5 Sub-processor Obligations

PayNext shall:

  • Enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those in this DPA
  • Ensure each Sub-processor provides sufficient guarantees regarding technical and organizational measures
  • Remain fully liable to Customer for any failure by a Sub-processor to fulfill its data protection obligations

6.6 Third-Party Providers

For clarity, third-party payment processors, gateways, and financial institutions selected and contracted directly by Customer are not Sub-processors under this DPA. Customer maintains a direct relationship with such providers.

7. Data Subject Rights

7.1 PayNext shall, taking into account the nature of the Processing, assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to Data Subject requests exercising their rights under Applicable Data Protection Law, including:

  • Right of access
  • Right to rectification
  • Right to erasure (right to be forgotten)
  • Right to restriction of Processing
  • Right to data portability
  • Right to object
  • Right not to be subject to automated individual decision-making

7.2 If PayNext receives a request from a Data Subject regarding Customer Data, PayNext shall:

  • Promptly (and in any event within five (5) business days) notify Customer of the request
  • Not respond to the request directly unless authorized by Customer or required by law
  • Provide Customer with reasonable assistance to respond to the request

7.3 Customer shall reimburse PayNext for reasonable costs incurred in providing assistance beyond what is included in the Services, at PayNext’s then-current rates.

8. Personal Data Breach

8.1 Notification

PayNext shall notify Customer without undue delay, and where feasible within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Data.

8.2 Content of Notification

The notification shall include, to the extent known:

  • A description of the nature of the breach, including where possible the categories and approximate number of Data Subjects and Personal Data records concerned
  • The name and contact details of PayNext’s designated privacy or security contact
  • A description of the likely consequences of the breach
  • A description of measures taken or proposed to address the breach, including measures to mitigate possible adverse effects

8.3 Additional Information

If it is not possible to provide all information simultaneously, PayNext shall provide information in phases without undue further delay as information becomes available.

8.4 Cooperation

PayNext shall:

  • Cooperate with Customer in investigating the breach
  • Take reasonable steps to mitigate the effects and minimize further harm
  • Assist Customer in fulfilling its obligations to notify Supervisory Authorities and Data Subjects
  • Not inform any third party of the breach without Customer’s prior consent, unless required by law

8.5 Documentation

PayNext shall document all Personal Data Breaches, including the facts relating to the breach, its effects, and remedial actions taken.

9. Data Protection Impact Assessments

9.1 PayNext shall provide reasonable assistance to Customer with data protection impact assessments and prior consultations with Supervisory Authorities, to the extent required under Applicable Data Protection Law and to the extent such assessments relate to PayNext’s Processing of Customer Data.

9.2 Assistance shall take into account the nature of Processing and information available to PayNext.

9.3 Customer shall reimburse PayNext for reasonable costs incurred in providing such assistance, at PayNext’s then-current rates.

10. International Data Transfers

10.1 General

PayNext shall not transfer Customer Data outside the EEA, UK, or Switzerland unless appropriate safeguards are in place as required by Applicable Data Protection Law.

10.2 Transfer Mechanisms

For transfers of Customer Data to countries not recognized as providing adequate protection, PayNext relies on:

  • Standard Contractual Clauses, incorporated by reference in Annex IV
  • Binding corporate rules approved by a Supervisory Authority
  • Other valid transfer mechanisms recognized under Applicable Data Protection Law

10.3 Standard Contractual Clauses

Where Standard Contractual Clauses apply:

  • For transfers from the EEA: The SCCs (Module Two: Controller to Processor) are incorporated, with PayNext as data importer and Customer as data exporter
  • For transfers from the UK: The UK International Data Transfer Addendum is incorporated
  • For transfers from Switzerland: The SCCs apply with modifications required under Swiss law
  • Annexes I, II, and III of this DPA serve as the Annexes to the SCCs

10.4 Supplementary Measures

PayNext shall implement supplementary technical, organizational, and contractual measures as necessary to ensure an essentially equivalent level of protection, considering the laws of the destination country.

10.5 Government Access Requests

PayNext shall:

  • Notify Customer promptly of any legally binding request for disclosure of Customer Data by a government authority, unless prohibited by law
  • Challenge any request it believes to be unlawful
  • Exhaust available appeals before disclosing data
  • Provide the minimum amount of information permissible when responding to a request

11. Audit Rights

11.1 Information

PayNext shall make available to Customer all information necessary to demonstrate compliance with this DPA and Applicable Data Protection Law.

11.2 Audit Reports

PayNext shall provide, upon request:

  • SOC 2 Type II aligned controls documentation (or equivalent)
  • PCI DSS compliance documentation to the extent applicable to the Services
  • ISO 27001 certification (if applicable)
  • Penetration test summaries or other security assessments

11.3 On-Site Audits

Customer (or a mutually agreed third-party auditor bound by confidentiality) may conduct audits of PayNext’s Processing of Customer Data, subject to the following:

  • Customer shall provide at least thirty (30) days’ written notice
  • Audits shall be conducted during normal business hours and no more than once per year (unless required by a Supervisory Authority or following a Personal Data Breach)
  • Audits shall not unreasonably interfere with PayNext’s business operations
  • Customer shall bear the costs of any audit
  • Audit findings shall be treated as PayNext’s Confidential Information

11.4 Regulatory Audits

PayNext shall cooperate with audits or inspections by Supervisory Authorities to the extent such audits relate to PayNext’s Processing of Customer Data.

12. Return and Deletion of Data

12.1 During the Term

Customer may export or retrieve Customer Data through the Services at any time during the term of the Agreement.

12.2 Upon Termination

Upon termination or expiration of the Agreement, PayNext shall, at Customer’s election:

  • Return Customer Data to Customer in a structured, commonly used, machine-readable format; and/or
  • Delete all Customer Data, including copies, within thirty (30) days

12.3 Certification

Upon request, PayNext shall provide written certification that Customer Data has been deleted.

12.4 Retention Exceptions

PayNext may retain Customer Data to the extent required by Applicable Data Protection Law or other legal obligations, provided that PayNext:

  • Limits Processing to purposes required by law
  • Continues to protect the data in accordance with this DPA
  • Deletes the data when no longer required

12.5 Sub-processor Data

PayNext shall ensure that Sub-processors return or delete Customer Data in accordance with this Section 12.

13. Liability

13.1 Each party’s liability under this DPA shall be subject to the limitations and exclusions of liability set forth in the Agreement. All liability arising under this DPA is subject to the limitations of liability set forth in the Terms of Service.

13.2 Customer acknowledges that PayNext’s compliance with Customer’s instructions, including with respect to international transfers, may require Customer to provide appropriate contractual protections and assurances.

13.3 In no event shall PayNext be liable for any claims, damages, or losses arising from Customer’s failure to comply with its obligations under this DPA or Applicable Data Protection Law.

13.4 Indemnification. Customer shall indemnify and hold harmless PayNext from any losses, claims, fines, penalties, or damages arising out of Customer’s breach of this DPA, violation of Applicable Data Protection Law, or unlawful Processing of Personal Data. PayNext shall have no indemnification obligations under this DPA.

14. Term and Termination

14.1 This DPA shall become effective on the Effective Date and shall remain in effect until the Agreement terminates or expires.

14.2 Sections 4 (Confidentiality), 8 (Personal Data Breach), 11 (Audit Rights), 12 (Return and Deletion), 13 (Liability), and 15 (General Provisions) shall survive termination or expiration of this DPA.

14.3 Termination of this DPA shall not affect any rights or obligations accrued prior to termination.

15. General Provisions

15.1 Amendments. PayNext may update this DPA from time to time to reflect changes in Applicable Data Protection Law or Processing activities. PayNext shall notify Customer of material changes at least thirty (30) days in advance.

15.2 Conflicts. In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the Processing of Customer Data. In the event of any conflict between this DPA and the Standard Contractual Clauses, the SCCs shall prevail.

15.3 Severability. If any provision of this DPA is found invalid or unenforceable, the remaining provisions shall remain in full force and effect.

15.4 Entire Agreement. This DPA, together with the Agreement and the Annexes, constitutes the entire agreement between the parties regarding the Processing of Customer Data.

15.5 Governing Law. This DPA shall be governed by the law that governs the Agreement, except that the SCCs shall be governed as specified therein.

15.6 Contact. Questions regarding this DPA may be directed to: [email protected].

Annex I: Processing Details

A. List of Parties

Data Exporter (Controller): Customer, as identified in the Agreement
Data Importer (Processor): PayNext Inc., 8 The Green, Suite R, Dover, DE 19901, USA
Contact for Data Protection: [email protected]

B. Description of Processing

Subject Matter: Processing of Personal Data in connection with PayNext’s modern payments platform and related Services
Duration: For the term of the Agreement plus any retention period required by law or as specified in Section 12
Nature of Processing: Collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, alignment, combination, restriction, erasure, and destruction of Personal Data as necessary to provide the Services
Purpose of Processing: To provide payment services, including payment routing, transaction management, reconciliation, reporting, analytics, fraud prevention, and customer support

C. Categories of Data Subjects

Personal Data may relate to the following categories of Data Subjects:

  • Customer’s employees, contractors, and authorized users
  • Customer’s end users and customers
  • Cardholders and payment account holders
  • Customer’s merchants (if Customer operates as a platform)

D. Categories of Personal Data

Personal Data Processed may include:

Identification data: Name, email address, user ID, account credentials
Contact data: Business address, phone number
Transaction data: Payment amounts, transaction IDs, timestamps, currency
Payment data: Masked card numbers, card type, expiration date, bank account details
Device data: IP address, device identifiers, browser information
Usage data: Logs, API calls, service interactions
Metadata: Transaction references, merchant identifiers, routing information

E. Sensitive Data

PayNext does not intentionally Process special categories of Personal Data (sensitive data) as defined in GDPR Article 9 or equivalent provisions. If Customer Data contains sensitive data, Customer is responsible for ensuring appropriate legal bases and safeguards.

F. Frequency and Retention

Frequency of Transfer: Continuous, as necessary to provide the Services
Retention Period: As specified in Section 12 of the DPA and PayNext’s data retention policies, subject to Customer instructions and legal requirements

Annex II: Technical and Organizational Measures

PayNext implements the following technical and organizational measures to protect Customer Data:

1. Encryption

  • Data in transit: TLS 1.2 or higher for all communications
  • Data at rest: AES-256 encryption for stored data
  • Key management: Secure key storage and rotation procedures
  • Payment data: Tokenization and encryption in compliance with PCI DSS

2. Access Control

  • Role-based access control (RBAC) with least privilege principle
  • Multi-factor authentication (MFA) required for all employees
  • Unique user accounts; no shared credentials
  • Regular access reviews and prompt de-provisioning
  • Privileged access management for administrative functions

3. Network Security

  • Firewalls and intrusion detection/prevention systems
  • Network segmentation and isolation
  • DDoS protection and mitigation
  • Secure VPN for remote access
  • Regular vulnerability scanning and patching

4. Physical Security

  • Data centers with 24/7 security, access controls, and surveillance
  • Environmental controls (fire suppression, climate control, power redundancy)
  • Secure disposal of hardware and media

5. Availability and Resilience

  • Redundant infrastructure and failover capabilities
  • Regular backups with tested recovery procedures
  • Disaster recovery and business continuity plans
  • Geographic distribution of systems

6. Monitoring and Logging

  • Centralized logging of security events
  • Real-time monitoring and alerting
  • Security information and event management (SIEM)
  • Log retention for investigation and compliance

7. Incident Response

  • Documented incident response plan
  • 24/7 security operations capability
  • Regular incident response testing and tabletop exercises
  • Post-incident review and improvement process

8. Personnel Security

  • Background checks for employees with access to Personal Data
  • Security awareness training (onboarding and annual)
  • Confidentiality agreements
  • Disciplinary process for security violations

9. Vendor Management

  • Security assessments of Sub-processors
  • Contractual security requirements
  • Ongoing monitoring of vendor compliance

10. Certifications and Audits

  • SOC 2 Type II aligned controls
  • PCI DSS compliance to the extent applicable to the Services
  • Annual penetration testing by independent third parties
  • Regular internal audits

Annex III: Authorized Sub-processors

The following Sub-processors are authorized to Process Customer Data as of the Effective Date:

Sub-processor          Location        Function                           Safeguards
Amazon Web Services    United States   Cloud infrastructure and hosting   SCCs and supplementary measures
Google Cloud Platform  United States   Cloud infrastructure and hosting   SCCs and supplementary measures
Svix                   United States   Webhook delivery                   SCCs and supplementary measures
Stripe                 United States   Payment infrastructure services    SCCs and supplementary measures

A current list of Sub-processors is maintained at: paynext.com/subprocessors

To subscribe to Sub-processor change notifications, contact: [email protected]

Annex IV: Standard Contractual Clauses

A. Incorporation of Standard Contractual Clauses

1. For transfers of Personal Data from the European Economic Area to countries not recognized as providing adequate protection under GDPR, the Standard Contractual Clauses approved by European Commission Implementing Decision (EU) 2021/914 are hereby incorporated by reference.

2. Module Two (Controller to Processor) of the SCCs applies, with:

  • Customer as the data exporter (Controller)
  • PayNext as the data importer (Processor)

3. For the purposes of the SCCs:

Clause                            Selection
Clause 7 (Docking clause)         Not applicable
Clause 9 (Use of sub-processors)  Option 2 (General written authorization) applies, with 14 days’ notice
Clause 11 (Redress)               Optional language is not included
Clause 17 (Governing law)         Option 1 applies; the laws of Ireland govern
Clause 18 (Choice of forum)       Courts of Ireland

B. UK International Data Transfer Addendum

4. For transfers from the United Kingdom, the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (UK Addendum) is incorporated by reference, with the following selections:

Table     Selection
Table 1   Parties as specified in Annex I
Table 2   The EU SCCs incorporated in Part A apply
Table 3   Annexes I, II, and III of this DPA serve as the Appendix Information
Table 4   Neither party may terminate the UK Addendum per Section 19

C. Swiss Data Transfers

5. For transfers from Switzerland, the SCCs apply with the following modifications:

  • References to “Regulation (EU) 2016/679” include the Swiss Federal Act on Data Protection (FADP)
  • References to “EU”, “Union”, and “Member State” include Switzerland
  • References to “Supervisory Authority” include the Swiss Federal Data Protection and Information Commissioner
  • The competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner

D. Supplementary Measures

6. PayNext implements the following supplementary measures to ensure an essentially equivalent level of protection for transferred Personal Data:

  • Technical measures as described in Annex II (encryption, access controls, etc.)
  • Policies to challenge government access requests and provide transparency reports
  • Commitment to exhaust legal remedies before disclosing data to authorities
  • Regular assessment of laws in destination countries

E. Copies of SCCs

7. Complete copies of the Standard Contractual Clauses are available at: