Data Processing Agreement

This DPA ensures that any Processing of Personal Data by Paid ("Processor") on behalf of Customer ("Controller") complies with UK GDPR, EU GDPR, and all Applicable Data-Protection Laws.

DATA PROCESSING AGREEMENT (DPA)

This Data Processing Agreement ("DPA") forms part of the Master Subscription Agreement or other written agreement between Customer and Agent Paid Ltd ("Paid") ("Agreement").

Last updated: 14 Nov 2024

Data Residency

Paid processes and stores all Customer Personal Data exclusively in the United States using Amazon Web Services (AWS) in the US-East-1 region. Customer Personal Data does not transit through or reside in the United Kingdom, the European Union, or any other region unless expressly agreed in writing.

1. Definitions

Capitalized terms not defined in this DPA have the meanings in the Agreement.

  • "Applicable Data-Protection Laws" means UK GDPR, EU GDPR, the Data Protection Act 2018, ePrivacy laws, and any laws implementing or amending them.
  • "Customer Personal Data" means Personal Data Processed by Paid on behalf of Customer under the Agreement.
  • "Subprocessor" means any third party engaged by Paid to Process Customer Personal Data.
  • "Standard Contractual Clauses" or "SCCs" means the EU/UK transfer clauses where applicable.

2. Roles of the Parties

  • Customer is the Controller.
  • Paid is the Processor and will Process Customer Personal Data only on documented instructions from Customer unless required by law.

3. Processor Obligations

Paid shall:

3.1 Process Only on Instructions

Process Customer Personal Data solely:

  • on documented Customer instructions;
  • to provide the Services under the Agreement; or
  • as required by law (with prior notice where permitted).

3.2 Confidentiality

Ensure personnel with access to Customer Personal Data are bound by confidentiality obligations.

3.3 Security Measures

Implement appropriate technical and organisational measures to protect Customer Personal Data, including:

  • access controls
  • encryption in transit and at rest
  • regular security testing
  • incident-response procedures

3.4 Assistance with Data-Subject Rights

Assist Customer in fulfilling data-subject requests (access, rectification, erasure, restriction, portability, objection).

3.5 Data Breach Notification

Notify Customer without undue delay after becoming aware of a Personal Data Breach involving Customer Personal Data and provide all reasonable assistance.

3.6 Assistance with Compliance

Assist Customer with:

  • DPIAs (Data Protection Impact Assessments),
  • consultations with supervisory authorities,
  • demonstrating compliance with Applicable Data-Protection Laws.

4. Subprocessing

4.1 Authorised Subprocessors

Customer authorises Paid to use Subprocessors necessary to provide the Services.

4.2 Subprocessor Obligations

Paid shall:

  • impose data-protection terms on Subprocessors equivalent to this DPA;
  • remain fully liable for Subprocessor acts and omissions;
  • provide Customer with notice of material Subprocessor changes.

5. International Transfers

Paid is a UK-based company that hosts and Processes Customer Personal Data exclusively in the United States using AWS (US-East) as its primary infrastructure region. Customer Personal Data does not transit through or reside in the United Kingdom; all Processing occurs within the United States, which constitutes an international transfer of Customer Personal Data originating from the UK or EU.

Such transfers shall be made in compliance with Applicable Data-Protection Laws and shall rely on appropriate safeguards, including:

  • the EU Standard Contractual Clauses (SCCs) where required;
  • the UK International Data Transfer Addendum (UK Addendum);
  • supplementary measures implemented by Paid and AWS; and
  • any other approved transfer mechanism under Applicable Data-Protection Laws.

Paid shall ensure that its Subprocessors, including AWS, maintain valid international transfer mechanisms and make available documentation evidencing such safeguards.

6. Audits and Inspections

Upon reasonable written request, Paid shall:

  • provide audit reports or security documentation; and
  • allow Customer (or an independent auditor appointed by Customer) to conduct audits, subject to reasonable scheduling, confidentiality, and fees where appropriate.

7. Data Return or Deletion

Upon termination or expiration of the Agreement, Paid shall:

  • delete or return all Customer Personal Data (unless retention is legally required); and
  • delete remaining copies from backup systems within standard purge cycles.

8. Customer Responsibilities

Customer shall:

  • ensure its instructions are lawful;
  • provide accurate Personal Data;
  • maintain its own security measures for Customer systems;
  • notify Paid of any changes impacting Processing.

9. Liability

Liability is governed by the Agreement. Nothing in this DPA increases either party’s liability beyond the limits in the Agreement.

10. Order of Precedence

If there is a conflict between this DPA and the Agreement, this DPA prevails to the extent of the conflict regarding Processing of Personal Data.

ANNEX 1 – DETAILS OF PROCESSING

A. Subject Matter

Provision of the Paid commercial operations platform and related services, including core functionality necessary to configure products and pricing, manage customers and orders, process usage and billing, facilitate payments, and provide analytics, integrations, and support.

B. Duration

For the term of the Agreement and as otherwise required by law.

C. Nature and Purpose of Processing

Paid Processes Customer Personal Data solely as necessary to:

  • provide, operate, and support the Paid commercial operations platform;
  • enable core functionality such as CRM synchronisation, account and customer management, product and pricing configuration, quoting, order management, usage metering, billing, invoicing, payments, and analytics;
  • ensure the security, availability, and performance of the Services; and
  • deliver implementation, onboarding, and customer support.

Paid does not process Customer Personal Data for any purpose other than delivering the Services under the Agreement.

D. Categories of Data Subjects

May include Customer’s:

  • employees
  • vendors/suppliers
  • customers
  • users inputting data into the Paid platform

E. Categories of Personal Data

May include:

  • business contact details (names, emails, phone numbers)
  • workflow-related information submitted via the Paid platform
  • metadata about system usage

Paid does not require or intentionally collect special-category data.

F. Subprocessors

Paid engages the following Subprocessor for hosting and infrastructure services:

  • Subprocessor: Amazon Web Services, Inc. (AWS)
  • Purpose: Cloud infrastructure, storage, networking, compute
  • Location: United States (US-East-1)
  • Transfer Mechanism: SCCs + UK Addendum, supplementary measures

A complete and current list of Subprocessors can be found at https://trust.paid.ai/.

ANNEX 2 – SECURITY MEASURES

Data Transfer Impact Assessment (Summary)

Paid has performed a Transfer Impact Assessment (TIA) for transfers of Customer Personal Data to the United States, concluding:

  • AWS US-East-1 provides industry-standard security and organisational controls aligned with ISO 27001, SOC 2, and CSA STAR.
  • Personal Data is encrypted in transit and at rest using strong cryptography, and Paid maintains strict access controls.
  • AWS contractual commitments incorporate SCCs and the UK Addendum, including obligations regarding government access requests.
  • The nature of the Customer Personal Data processed (primarily business contact details and workflow metadata) presents low residual risk.
  • No known circumstances materially affect the effectiveness of the implemented transfer safeguards.

These measures, combined with encryption, access restrictions, and contractual protections, provide an adequate level of protection for Customer Personal Data transferred to the United States.

Security Measures

Paid maintains:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access controls and MFA
  • Logging, monitoring, and intrusion detection
  • Annual penetration testing
  • Vendor risk assessments
  • Segregated production environments
  • Regular backups and encrypted storage
  • Incident-response playbooks and staff training