Data Processing Agreement


1. Introduction

1.1. In most instances, where Vyne provides services to Merchant involving processing of personal data, each of Vyne and Merchant do so as data controller. Such personal data is referred to in this DPA as “Controlled Personal Data”.

1.2. In some limited circumstances, as set out in this DPA, Vyne processes personal data specifically at Merchant’s request, as data processor for Merchant.

1.3. This DPA sets out the basis on which Vyne processes Processed Personal Data, and also sets out the obligations of the parties with respect to Controlled Personal Data.

AGREED TERMS

2. Definitions and Interpretation

The following definitions and rules of interpretation apply in this Agreement:

2.1. Definitions:

Definition

Description

Agreed Purpose

the purpose in respect of which the parties agree Vyne will process Processed Personal Data on behalf of Merchant

Agreed Terms

the terms applicable to the provision of services by Vyne to Merchant, as agreed between Vyne and Merchant. In the absence of any express agreement to the contrary, these are the terms set out at Merchant Services Terms and Conditions.

Commissioner

the UK Information Commissioner

Controlled Personal Data

has the meaning given in clause 1.1 above

Data Protection Legislation

the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of personal data

Merchant

any entity identified as a ‘Merchant’ on any order form or other contract for the provision of services by Vyne facilitating payments to Merchant by its clients or customers

Personal Data Breach

a breach of security leading to the accidental, unauthorised or unlawful destruction, loss, alteration, disclosure of, or access to, Merchant’s Processed Personal Data

Processed Personal Data

data received from an Originating Account in connection with an Inbound Transaction that relates to the End User initiating the Inbound Transaction and which is not otherwise provided to Merchant as part of the Service. For the avoidance of doubt, Controlled Personal Data is not Processed Personal Data

Vyne

Vyne Technologies Limited, a company registered in England and Wales with registered number 11872778 whose registered office is at 71-75 Shelton Street, London, WC2H 9JQ, England

2.2. Controller, Processor, Data Subject, Personal Data, Personal Data Breach and Processing: have the meanings given to them in the Data Protection Legislation.

2.3. This DPA is subject to the Agreed Terms, and is incorporated into them. Interpretations and defined terms set forth in the Agreed Terms or the Order Form (as defined in the Agreed Terms) apply to the interpretation of this DPA, except where this DPA expressly states otherwise.

2.4. In the case of conflict or ambiguity between any of the provisions of this DPA and any of the Agreed Terms, the provisions of this DPA will prevail.

2.5. A reference to writing or written includes email.

3. Personal data types and processing purposes

3.1. Vyne and Merchant agree and acknowledge that for the purpose of the Data Protection Legislation:

  • (a) each party is Controller of Controlled Personal Data, and responsible for its own compliance obligations under the Data Protection Legislation;

  • (b) Merchant retains control of all Processed Personal Data and remains responsible for its compliance obligations under the Data Protection Legislation, including but not limited to, providing any required notices and obtaining any required consents, and for the written processing instructions it gives to Vyne; and

  • (c) the processing is limited to the provision of the Processed Personal Data by Vyne to Merchant. The Processed Personal Data shall be provided in its raw form, or tokenised, as requested by the Merchant from time to time, giving Vyne reasonable notice and with the Merchant’s agreement that it will not unreasonably alter its request in this respect. Vyne shall not store the Processed Personal Data on behalf of Merchant.

4. Vyne's Obligations as Processor

4.1. Vyne will only process the Processed Personal Data to the extent, and in such a manner, as is necessary for the Agreed Purpose in accordance with Merchant's written instructions. Vyne will not process the Processed Personal Data for any other purpose or in a way that does not comply with this DPA.

4.2. Vyne must comply promptly, at Merchant’s reasonable expense, with any Merchant written instructions requiring Vyne to cease to process the Processed Personal Data. Vyne shall stop, mitigate or remedy any unauthorised processing of Processed Personal Data as soon as it becomes aware of it, at Vyne’s own expense.

4.3. Vyne will maintain the confidentiality of the Processed Personal Data and will not disclose the Processed Personal Data to third parties unless Merchant or this DPA specifically authorise the disclosure, or as required by domestic law, court or regulator (including the Commissioner). If a domestic law, court or regulator (including the Commissioner) requires Vyne to process or disclose the Personal Data to a third party, Vyne must first inform Merchant of such legal or regulatory requirement and give Merchant an opportunity to object or challenge the requirement, unless and to the extent Vyne is prohibited from doing so by any law or regulation.

5. Merchant’s Obligations

5.1. Merchant shall ensure that all processing by Vyne in accordance with Merchant’s instructions is compliant with Data Protection Legislation. Without limitation, Merchant shall ensure that it has in place appropriate data privacy notices informing the Data Subject of Merchant's identity, Vyne’s identity, the purpose or purposes for which their Personal Data will be processed by Vyne, and any other information that, having regard to the specific circumstances of the collection and expected processing, is required to enable fair processing. Merchant shall indemnify Vyne against all liabilities, costs, expenses, damages and losses (including but not limited to any direct, indirect or consequential losses, loss of profit, loss of reputation and all interest, penalties and legal costs (calculated on a full indemnity basis) and all other professional costs and expenses) suffered or incurred by Vyne arising out of or in connection with any breach of this clause 5.1.

6. Vyne's employees

6.1. Vyne will ensure that all of its employees who are involved with processing Processed Personal Data:

  • (a) are informed of the confidential nature of the Processed Personal Data and are bound by written confidentiality obligations and use restrictions in respect of the Processed Personal Data;

  • (b) have undertaken training on the Data Protection Legislation and how it relates to their handling of the Personal Data and how it applies to their particular duties; and

  • (c) are aware both of Vyne's duties and their personal duties and obligations under the Data Protection Legislation and this DPA.

7. Security

7.1. Vyne must at all times implement appropriate technical and organisational measures against accidental, unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Processed Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data.

  • (a) tokenisation of the Personal Data in accordance with the provisions of clause 3.1(c) above;

  • (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

  • (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and

  • (d) a process for regularly testing, assessing and evaluating the effectiveness of the security measures.

8. Personal data breach

8.1. Vyne will, without undue delay, notify Merchant in writing if it becomes aware of any Personal Data Breach involving Processed Personal Data while it is in Vyne’s possession (a “Relevant PD Breach”). Vyne shall, without undue delay, also provide Merchant with the following written information:

  • (a) description of the nature of the Personal Data Breach, including the categories of in-scope Processed Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;

  • (b) the likely consequences; and

  • (c) a description of the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects.

8.2. Immediately following any Relevant PD Breach, the parties will co-ordinate with each other to investigate the matter. Further, Vyne will reasonably co-operate with Merchant at no additional cost to Merchant, in Merchant's handling of the matter, including but not limited to:

  • (a) assisting with any investigation;

  • (b) facilitating interviews with Vyne's employees, former employees and others involved in the matter including, but not limited to, its officers and directors;

  • (c) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation; and

  • (d) taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Relevant PD Breach.

8.3. Vyne will not inform any third party of a Relevant PD Breach without first obtaining Merchant's written consent, except when required to do so by law.

8.4. Vyne agrees that Merchant has the sole right to determine:

  • (a) whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Relevant PD Breach to any Data Subjects, the Commissioner, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in Merchant's discretion, including the contents and delivery method of the notice; and

  • (b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.

9. Subcontractors

9.1. Vyne may only authorise a subcontractor to process Processed Personal Data if:

  • (a) Merchant is provided with an opportunity to object to the appointment of each subcontractor within 10 working days after Vyne supplies Merchant with full details in writing regarding such subcontractor;

  • (b) Vyne enters into a written contract with the subcontractor that contains terms substantially the same as those set out in this DPA, in particular, in relation to requiring appropriate technical and organisational data security measures, and, upon Merchant's written request, provides Merchant with copies of the relevant excerpts from such contracts; and

  • (c) Vyne maintains control over all of the Processed Personal Data it entrusts to the subcontractor.

9.2. Where the subcontractor fails to fulfil its obligations under the written agreement with Vyne which contains terms substantially the same as those set out in this DPA, Vyne remains fully liable to Merchant for the subcontractor's performance of its agreement obligations.

10. General Obligation, Complaints, data subject requests and third-party rights

10.1. The provisions of this clause 11 apply both to Controlled Personal Data and Processed Personal Data.

10.2. Both parties will comply with all applicable requirements of Data Protection Legislation with respect to Personal Data that they control.

10.3. Each party must, at the other party’s reasonable expense, take such steps as may be appropriate, and promptly provide such information to the other party as the other party may reasonably require, to enable the other party to comply with:

  • (a) the rights of Data Subjects under the Data Protection Legislation, including, but not limited to, subject access rights, the rights to rectify, port and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and

  • (b) information or assessment notices served on that party by the Commissioner or other regulatory authority.

10.4. Each party must notify the other party promptly if it receives:

  • (a) any complaint, notice or communication that relates directly or indirectly to the processing of Personal Data or the other party's compliance with the Data Protection Legislation; or

  • (b) a request from a Data Subject for access to their Personal Data, or to exercise any of their other rights under the Data Protection Legislation, in each case in connection with Personal Data processed in connection with this DPA or the Agreed Terms.

10.5. Each party will give the other party, at the other party’s reasonable cost, reasonable co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.

11. Term and termination

11.1. This DPA will remain in full force and effect so long as the Agreed Terms are in effect.

11.2. Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Agreed Terms in order to protect Personal Data will remain in full force and effect.

11.3. If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its obligations pursuant to this DPA, the parties may agree to suspend the processing of the Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Personal Data processing into compliance with the Data Protection Legislation, either party may terminate the Agreed Terms on not less than 30 days’ notice to the other party.

12. Records

12.1. Vyne will keep detailed, accurate and up-to-date written records regarding any processing of the Processed Personal Data, including but not limited to approved subcontractors and a general description of the technical and organisational security measures referred to in Clause 7.1 (“Records”).

12.2. Vyne will provide Merchant with copies of the Records upon request.

13. Audit

13.1. At least once a year, Vyne will conduct site audits of its processing practices and the information technology and information security controls for all facilities and systems used in complying with its obligations as Data Processor under this DPA.

13.2. On Merchant's written request, Vyne will make all of the relevant audit reports available to Merchant for review. Merchant will treat such audit reports as Vyne's confidential information under the Master Agreement.
