
Data Processing Agreement (DPA)

This Data Processing Agreement (“DPA”) forms part of the Master Subscription Agreement or other written agreement between Customer and Agent Paid Limited (“Paid”) (“Agreement”). This DPA ensures that any Processing of Personal Data by Paid (the “Processor”) on behalf of Customer (the “Controller”) complies with UK GDPR, EU GDPR, and all Applicable Data-Protection Laws.

Last updated: 13 March 2026

Data Residency

Paid hosts Customer Personal Data in the United States using Amazon Web Services (AWS) in the US-East-1 region (or such other region(s) as the parties may agree in writing). Customer Personal Data may be accessed and processed from other locations where necessary to provide, secure, support, and maintain the Services, including by Paid personnel in the United Kingdom (“UK”) and the European Economic Area (“EEA”) and by authorised Subprocessors, in accordance with this DPA.

1. Definitions

Capitalized terms not defined in this DPA have the meanings in the Agreement.

The terms “controller”, “processor”, “personal data”, “processing”, “data subject”, “personal data breach” and “supervisory authority” have the meanings given to them under Applicable Data-Protection Laws.

“Applicable Data-Protection Laws” means UK GDPR, EU GDPR, the Data Protection Act 2018, the Swiss Federal Data Protection Act (FDPA) (to the extent applicable), ePrivacy laws, and any laws implementing, replacing, or amending them.

“Customer Personal Data” means Personal Data Processed by Paid on behalf of Customer under the Agreement.

“Data Protection Act 2018” means the Data Protection Act 2018, as amended, updated or replaced from time to time.

“EU GDPR” means Regulation (EU) 2016/679 (the General Data Protection Regulation), and any delegated or implementing acts made under it, in each case as amended, updated or replaced from time to time.

“EU SCCs” means the standard contractual clauses for the transfer of personal data to third countries pursuant to Commission Implementing Decision (EU) 2021/914, as updated or replaced from time to time.

“Subprocessor” means any third party engaged by Paid to Process Customer Personal Data.

“Swiss Federal Data Protection Act” or “FDPA” means the Swiss Federal Act on Data Protection (Bundesgesetz über den Datenschutz) together with its implementing ordinances, in each case as amended, updated or replaced from time to time.

“UK Addendum” means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner under section 119A of the UK Data Protection Act 2018, as updated or replaced from time to time.

“UK GDPR” means the “UK GDPR” as defined in section 3(10) of the Data Protection Act 2018 (i.e., the retained EU law version of Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland), as amended, updated or replaced from time to time.

2. Roles of the Parties

Customer is the Controller.

Paid is the Processor.

3. Processor Obligations

3.1 Process Only on Instructions

Paid will Process Customer Personal Data only on documented instructions from Customer, including as set out in the Agreement, any Ordering Documents, the Documentation, and Customer's use and configuration of the Services. If Paid believes an instruction infringes Applicable Data-Protection Laws, Paid will promptly inform Customer and may suspend the relevant Processing until the parties have agreed revised lawful instructions.

3.2 Confidentiality

Paid will ensure that personnel with access to Customer Personal Data are bound by confidentiality obligations.

3.3 Security Measures

Paid will implement and maintain appropriate technical and organisational measures to protect Customer Personal Data, as described in Annex 2. Paid may update these measures from time to time provided that such updates do not materially decrease the overall security of the Services.

3.4 Assistance with Data-Subject Rights

Taking into account the nature of the Processing, Paid will provide reasonable and technically feasible assistance to Customer to enable Customer to respond to requests from data subjects to exercise their rights under Applicable Data-Protection Laws. Customer remains responsible for responding to such requests. Where assistance requires work beyond Paid's standard support, Paid may charge reasonable fees provided it informs Customer in advance.

3.5 Data Breach Notification

Paid will notify Customer without undue delay, and where feasible no later than 72 hours, after becoming aware of a Personal Data Breach involving Customer Personal Data. Paid's notification will describe, to the extent known, the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach. Paid will provide reasonable updates as further information becomes available. Customer may report suspected security incidents to security@paid.ai.

3.6 Assistance with Compliance

Taking into account the nature of the Processing and the information available to Paid, Paid will provide reasonable assistance to Customer with Data Protection Impact Assessments (DPIAs) and prior consultations with supervisory authorities, and to demonstrate compliance with Applicable Data-Protection Laws. Where assistance requires work beyond Paid's standard support, Paid may charge reasonable fees provided it informs Customer in advance.

4. Subprocessing

4.1 Authorised Subprocessors

Customer authorises Paid to use Subprocessors necessary to provide the Services. Paid will maintain an up-to-date list of Subprocessors at https://trust.paid.ai/.

4.2 Subprocessor Obligations

Paid shall:

  • impose data-protection terms on Subprocessors in a written agreement that, in substance, provide at least the same level of protection for Customer Personal Data as this DPA;
  • remain fully liable for Subprocessor acts and omissions;
  • provide Customer with prior notice of any intended addition or replacement of a Subprocessor by updating the Subprocessor list, and allow Customer to object in writing on reasonable data protection grounds within 30 days. If the parties cannot resolve the objection within a reasonable period, Customer may terminate the affected Services by written notice (without penalty) and receive a pro-rata refund of prepaid fees for the terminated portion of the affected Services (if any), to the extent set out in the Agreement.

5. International Transfers

Paid is a UK-based company that hosts and processes Customer Personal Data primarily in the United States, in the AWS US-East-1 region. Customer Personal Data may be accessed and processed from other locations, including the UK and the EEA, where necessary to provide, secure, support, and maintain the Services, in accordance with this DPA.

To the extent Customer Personal Data is transferred from the UK, EEA and/or Switzerland to a country not recognised as providing an adequate level of protection, such transfers shall be made in compliance with Applicable Data-Protection Laws and shall rely on an appropriate transfer mechanism.

Where required, the EU SCCs are incorporated by reference into this DPA and completed as follows:

  • Module Two (Controller to Processor) applies;
  • in Clause 7, the optional docking clause applies;
  • in Clause 9, Option 2 (general written authorisation) applies and the period for prior notice of Subprocessor changes is 30 days;
  • in Clause 11, the optional language does not apply;
  • in Clause 17, Option 1 applies and the EU SCCs are governed by the law of Ireland; and
  • in Clause 18(b), disputes shall be resolved before the courts of Ireland.

Where the UK GDPR applies, the UK Addendum is incorporated by reference and applies in respect of the relevant transfers. Tables 1 to 3 of the UK Addendum are deemed completed with the relevant information set out in the Agreement, this DPA and Annexes 1 and 2, and Table 4 is deemed completed by selecting that neither party may end the UK Addendum when the Approved Addendum changes.

Where the Swiss Federal Data Protection Act applies to a transfer, the EU SCCs shall apply with the modifications necessary for compliance with Swiss data protection law, including that: references to “Member State” include Switzerland; references to the “competent supervisory authority” and “competent courts” mean the Swiss Federal Data Protection and Information Commissioner and the competent courts in Switzerland; references to the GDPR include the FDPA to the extent applicable; and data subjects in Switzerland may enforce the EU SCCs as third-party beneficiaries.

Annex 1 and Annex 2 of this DPA are intended to populate the corresponding appendices/annexes of the EU SCCs and the UK Addendum, as applicable. In the event of a conflict between the EU SCCs/UK Addendum and this DPA, the EU SCCs/UK Addendum prevail to the extent of the conflict.

Paid shall ensure that its Subprocessors, including AWS, maintain valid international transfer mechanisms where required and make available documentation evidencing such safeguards. To the extent legally permitted, Paid will notify Customer of binding requests for disclosure of Customer Personal Data by a law enforcement authority or other governmental body and will take reasonable steps to challenge requests that are unlawful or overbroad.

6. Audits and Inspections

Upon reasonable written request, Paid shall provide audit reports, third-party certifications (where available), or security documentation reasonably necessary to demonstrate compliance with this DPA.

Paid shall allow Customer (or an independent auditor mandated by Customer) to conduct audits of Paid's Processing of Customer Personal Data under this DPA, subject to: at least 30 days' prior written notice; no more than one audit in any 12-month period (unless required due to a confirmed Personal Data Breach involving Customer Personal Data); audits during normal business hours; scope limited to matters relevant to this DPA; and compliance with Paid's reasonable confidentiality and security requirements.

Customer will bear its own audit costs and Paid may charge reasonable fees to cover time and materials for audit assistance, provided it informs Customer in advance. Where reasonably available, Paid may satisfy audit requests by providing a SOC 2 report, ISO certification, or similar third-party assurance report and reasonable written responses instead of permitting an on-site audit.

7. Data Return or Deletion

Upon termination or expiration of the Agreement, and in accordance with the Documentation, Paid will make Customer Personal Data available for retrieval in JSON format for up to thirty (30) days, after which Paid will securely delete Customer Personal Data unless retention is required by law. Paid will delete remaining copies from backup systems within ninety (90) days.

8. Customer Responsibilities

Customer shall:

  • ensure its instructions are lawful;
  • provide accurate Personal Data;
  • maintain its own security measures for Customer systems;
  • notify Paid of any changes impacting Processing.

9. Liability

Liability is governed by the Agreement. Nothing in this DPA increases either party's liability beyond the limits in the Agreement.

10. Order of Precedence

If there is a conflict between this DPA and the Agreement, this DPA prevails to the extent of the conflict regarding Processing of Personal Data.

ANNEX 1 – DETAILS OF PROCESSING

A. Subject Matter

Provision of the Paid commercial operations platform and related services, including core functionality necessary to configure products and pricing, manage customers and orders, process usage and billing, facilitate payments, and provide analytics, integrations, and support.

B. Duration

For the term of the Agreement and as otherwise required by law.

C. Nature and Purpose of Processing

Paid Processes Customer Personal Data solely as necessary to:

  • provide, operate, and support the Paid commercial operations platform;
  • enable core functionality such as CRM synchronisation, account and customer management, product and pricing configuration, quoting, order management, usage metering, billing, invoicing, payments, and analytics;
  • ensure the security, availability, and performance of the Services; and
  • deliver implementation, onboarding, customer support, and limited AI-powered product functionality requested by Customer users, including natural-language querying, insights, and data visualisations.

Paid does not process Customer Personal Data for any purpose other than delivering the Services under the Agreement. For clarity, where prompts or outputs are processed as part of the Services, they are processed only to provide the Services, maintain auditability, and support debugging and quality assurance; any product improvement activities must use de-identified and/or aggregated data that does not constitute Customer Personal Data, and third-party model providers are not permitted by Paid to use such prompts or outputs to train their general models on Paid's behalf.

D. Categories of Data Subjects

May include Customer's:

  • employees
  • vendors/suppliers
  • customers
  • users inputting data into the Paid platform

E. Categories of Personal Data

May include:

  • business contact details (names, emails, phone numbers)
  • workflow-related information submitted via the Paid platform
  • metadata about system usage

Paid's Services are not designed for the Processing of special category Personal Data or Personal Data relating to criminal convictions and offences, and Paid does not require or intentionally collect such data. Customer must not provide special category Personal Data or Personal Data relating to criminal convictions and offences to Paid for Processing unless the parties expressly agree otherwise in writing and implement any additional safeguards required under Applicable Data-Protection Laws. If Paid becomes aware that any such data has been inadvertently or otherwise uploaded or submitted in breach of this DPA, Paid will notify Customer without undue delay and may, where reasonably necessary to mitigate risk or comply with Applicable Data-Protection Laws, delete or restrict access to the relevant data and require Customer to take prompt remedial steps.

F. Subprocessors

Paid engages Subprocessors for hosting, infrastructure, identity and access management, customer support and messaging, observability and monitoring, analytics, email delivery, sales and marketing operations, data enrichment, payment processing, tax services, development support, and AI/model functionality, as disclosed on https://trust.paid.ai/.

Subprocessor: Amazon Web Services, Inc. (AWS)
Purpose: Cloud infrastructure, storage, networking, compute
Location: United States (US-East-1)

Additional Subprocessors may include providers used for identity and access management, customer support and messaging, observability and monitoring, analytics, email delivery, sales and marketing operations, data enrichment, payment processing, tax services, development support, and AI/model functionality, as identified on the Subprocessor list. Paid will ensure appropriate international transfer mechanisms are in place for Subprocessors where required under Applicable Data-Protection Laws.

A complete and current list of Subprocessors can be found on https://trust.paid.ai/.

ANNEX 2 – SECURITY MEASURES

Data Transfer Impact Assessment (Summary)

Paid has performed a Transfer Impact Assessment (TIA) for transfers of Customer Personal Data to the United States, concluding:

  • AWS US-East-1 provides industry-standard security and organisational controls aligned with ISO 27001, SOC 2, and CSA STAR.
  • Personal Data is encrypted in transit and at rest using strong cryptography, and Paid maintains strict access controls.
  • AWS contractual commitments incorporate SCCs and the UK Addendum, including obligations regarding government access requests.
  • The nature of the Customer Personal Data processed (primarily business contact details and workflow metadata) presents low residual risk.
  • No known circumstances materially affect the effectiveness of the implemented transfer safeguards.

These measures, combined with encryption, access restrictions, and contractual protections, provide an adequate level of protection for Customer Personal Data transferred to the United States.

Security Measures

Paid maintains:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access controls and MFA
  • Logging, monitoring, and intrusion detection
  • Annual independent third-party penetration testing covering both the application and the infrastructure
  • Vendor risk assessments
  • Segregated production environments
  • Regular backups and encrypted storage
  • Incident-response playbooks and staff training