Data Processing Agreement
Last updated April 11, 2026
Last Updated: February 2, 2026
1. Introduction and Scope
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Terms") between SolvaPay Inc. ("SolvaPay," "we," or "us") and the Provider ( "you," or "your") who has agreed to the Terms available at solvapay.com/terms.
This DPA sets out the terms and conditions under which SolvaPay processes Personal Data on behalf of the Provider in connection with the SolvaPay platform and services (the "Service").
This DPA is entered into to ensure compliance with Applicable Data Protection Law.
In the event of any conflict between this DPA and the Terms, this DPA shall prevail with respect to the processing of personal data.
2. Definitions
In this DPA, the following terms have the meanings set forth below. Terms not defined herein shall have the meanings given in the GDPR or the Terms.
“Consumer”, “Controller”, “Data Subject”, “Personal Data”, “Processor”, and “Supervisory Authority” have the meaning given to them in Applicable Data Protection Law.
"Applicable Data Protection Law" means all laws and regulations relating to the processing of personal data that apply to the parties' respective processing activities under this DPA, including the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("EU GDPR"), the UK General Data Protection Regulation as defined in Section 3(10), as amended by Section 205(4), of the Data Protection Act 2018 ("UK GDPR") (together, the "GDPR"), U.S. Privacy Laws, PIPEDA, and any applicable national implementing legislation.
"Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
"Processing," "Process," and "Processed" mean any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
“PIPEDA” means the Personal Information Protection and Electronic Documents Act 2000.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission in Implementing Decision (EU) 2021/914 for the transfer of personal data to third countries.
“Sale” and “Selling” have the meaning defined in the U.S. Privacy Laws.
"Sub-Processor" means any third party engaged by a Processor to process Personal Data on behalf of the Controller.
“Subcontractor” has the meaning defined in the CCPA.
“Share,” “Shared,” and “Sharing” have the meaning defined in the CCPA.
“UK Addendum” means the addendum to the SCCs issued by the UK Information Commissioner under Section 119A(1) of the UK Data Protection Act 2018 (version B1.0, in force March 21, 2022).
“U.S. Privacy Laws” means, collectively, all U.S. federal and state privacy laws and their implementing regulations, as amended or superseded from time to time, that apply generally to the processing of individuals' Personal Data and that do not apply solely to specific industry sectors (e.g., financial institutions), specific demographics (e.g., children), or specific classes of information (e.g., health or biometric information). U.S. Privacy Laws include, but are not limited to, the following:
- California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (“CCPA”);
- Colorado Privacy Act;
- Connecticut Personal Data Privacy and Online Monitoring Act;
- Delaware Personal Data Privacy Act;
- Indiana Consumer Data Protection Act;
- Iowa Consumer Data Protection Act;
- Kentucky Consumer Data Protection Act;
- Maryland Online Data Privacy Act;
- Minnesota Consumer Data Privacy Act;
- Montana Consumer Data Privacy Act;
- Nebraska Data Privacy Act;
- New Hampshire Act Relative to the Expectation of Privacy;
- New Jersey Act Concerning Online Services, Consumers, and Personal Data;
- Oregon Consumer Privacy Act;
- Rhode Island Data Transparency and Privacy Protection Act;
- Tennessee Information Privacy Act;
- Texas Data Privacy and Security Act;
- Utah Consumer Privacy Act; and
- Virginia Consumer Data Protection Act.
In the event of a conflict in the meanings of defined terms in the U.S. Privacy Laws, the meaning from the law applicable to the state of residence of the relevant Consumer applies.
Capitalized terms used but not defined herein have the meaning given to them in the Terms.
3. Roles of the Parties
3.1 Controller and Processor
3.1.1 Except as set out in Section 3.1.2, this DPA applies to the Processing of Personal Data by SolvaPay as a Processor to provide the Service. The Provider is the Controller and determines the purposes and means of processing Personal Data, and SolvaPay processes Personal Data solely on behalf of and in accordance with the documented instructions of the Provider and for the limited and specific purposes set forth in Annex I of this DPA.
3.1.2 Notwithstanding this DPA, the Provider acknowledges that SolvaPay may Process Personal Data (including, but not limited to, Personal Data provided directly by a Data Subject or Consumer to SolvaPay via their SolvaPay account) relating to the operation, support, or use of the Services for its own business purposes, such as billing, account management, data analysis, benchmarking, technical support, product development, and compliance with law. SolvaPay is the Controller for such Processing and will Process such data in accordance with Applicable Data Protection Law.
3.2 Provider's Responsibilities
The Provider shall:
(a) ensure that it has a valid legal basis for the processing of Personal Data, including obtaining any necessary consents from Data Subjects or Consumers;
(b) provide appropriate privacy notices to Data Subjects and Consumers informing them of the processing of their Personal Data, including disclosure that SolvaPay acts as a data processor;
(c) ensure that any instructions given to SolvaPay regarding the processing of Personal Data comply with Applicable Data Protection Law;
(d) be responsible for the accuracy, quality, and legality of the Personal Data provided to SolvaPay.
4. Processing Instructions
4.1 Scope of Processing
SolvaPay shall Process Personal Data only in accordance with the Provider's documented instructions as set out in this DPA and the Terms, unless required to do so by applicable law. If SolvaPay is required by applicable law to Process Personal Data for a purpose other than as instructed by the Provider, SolvaPay shall inform the Provider of that legal requirement before processing, unless prohibited by law from doing so.
Except as expressly permitted by the U.S. Privacy Laws, SolvaPay is prohibited from (a) Selling or Sharing Personal Data, (b) retaining, using, or disclosing Personal Data for any purpose other than for the specific purpose of performing the services specified in the Agreement or this DPA, (c) retaining, using, or disclosing Personal Data outside of the direct business relationship between the parties, and (d) combining Personal Data with Personal Data obtained from, or on behalf of, sources other than the Provider, except as expressly permitted under applicable U.S. Privacy Laws. For the avoidance of doubt, SolvaPay is permitted to retain, use, and disclose Personal Data for product improvement purposes.
4.2 Details of Processing
The subject matter, duration, nature, and purpose of the processing, as well as the types of Personal Data and categories of Data Subjects, are described in Annex I to this DPA.
4.3 Instruction Conflicts
If SolvaPay reasonably believes that an instruction from the Provider infringes Applicable Data Protection Law, SolvaPay shall promptly notify the Provider and shall not be required to carry out the instruction until the Provider has confirmed or modified it.
5. Confidentiality
SolvaPay shall ensure that persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality with respect to such Personal Data. SolvaPay shall ensure that access to Personal Data is limited to those personnel who require access to perform their duties under this DPA.
6. Security Measures
6.1 Technical and Organizational Measures
SolvaPay and Provider shall implement and maintain no less than commercially reasonable and appropriate technical and organizational security measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access (the "Security Measures"). Without limiting the foregoing, SolvaPay and Provider shall comply with the Security Measures described in Annex II to this DPA when Processing Personal Data.
6.2 Assessment and Updates
SolvaPay and Provider shall regularly assess and, where necessary, update the Security Measures to ensure an appropriate level of security, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
7. Sub-Processors and Subcontractors
7.1 General Authorization
The Provider grants SolvaPay a general written authorization to engage Sub-Processors and Subcontractors to Process Personal Data on behalf of the Provider, subject to the conditions set out in Section 7 of this DPA.
7.2 Current Sub-Processors and Subcontractors
The current list of Sub-Processors and Subcontractors is available at solvapay.com/legal/sub-processors. The Provider acknowledges and approves the Sub-Processors and Subcontractors listed at the time of entering into this DPA.
7.3 Notification of Changes
SolvaPay shall notify the Provider by email (to the email address associated with the Provider's Account) of any intended addition or replacement of a Sub-Processor or Subcontractor. The notification shall include the name of the Sub-Processor or Subcontractor, the nature of the processing to be performed, and the location of processing.
7.4 Objection Right
The Provider may object to the appointment of a new or replacement Sub-Processor or Subcontractor by notifying SolvaPay in writing within thirty (30) days of receiving the notification in accordance with Section 7.3. The objection must be based on reasonable grounds relating to data protection. In the event of an objection, SolvaPay and the Provider shall discuss the Provider’s concerns in good faith with a view to achieving a commercially reasonable resolution. If no alternative is reasonably available, either party may terminate the affected portion of the Service with respect to the processing that would require the use of the objected-to Sub-Processor or Subcontractor.
7.5 Sub-Processor Obligations
SolvaPay shall impose on each Sub-Processor or Subcontractor, by way of a written contract, data protection obligations that are no less protective than those set out in this DPA, together with an obligation to comply with Applicable Data Protection Law. SolvaPay shall remain fully liable to the Provider for the performance of each Sub-Processor's obligations.
8. Data Subject Rights
8.1 Assistance with Requests
SolvaPay shall, taking into account the nature of the processing, assist the Provider by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the Provider's obligation to respond to requests for the exercise of Data Subject or Consumer rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction, data portability, and objection.
The Provider shall inform SolvaPay of any Data Subject or Consumer right requests made pursuant to Applicable Data Protection Law that they must comply with. The Provider shall provide SolvaPay with the information necessary for SolvaPay to comply with the request.
SolvaPay shall not be required to delete any Personal Data to comply with a Consumer’s request directed by Provider if retaining such information is specifically permitted by Applicable Data Protection Law; provided, however, that in such case, SolvaPay will promptly inform the Provider of the exceptions relied upon under Applicable Data Protection Law and SolvaPay shall not use Personal Data retained for any purpose other than provided for by that exception.
8.2 Notification
If SolvaPay receives a request directly from a Data Subject relating to the Provider's Personal Data, SolvaPay shall promptly notify the Provider and shall not respond to the Data Subject directly unless instructed to do so by the Provider or required by applicable law.
9. Personal Data Breach Notification
9.1 Notification to Controller
SolvaPay shall notify the Provider without undue delay (and in any event within seventy-two (72) hours) after becoming aware of a Personal Data Breach affecting Personal Data Processed under this DPA. The notification shall include, to the extent available:
(a) a description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records affected;
(b) the name and contact details of the point of contact where further information can be obtained;
(c) a description of the likely consequences of the Personal Data Breach;
(d) a description of the measures taken or proposed to be taken to address the Personal Data Breach and mitigate its possible adverse effects.
9.2 Ongoing Cooperation
Where it is not possible to provide all information at the time of notification, SolvaPay shall provide the information in phases without undue further delay. SolvaPay shall cooperate with the Provider and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the Personal Data Breach.
9.3 Provider's Obligations
The Provider is responsible for determining whether a Personal Data Breach triggers notification obligations to supervisory authorities and Data Subjects or Consumers under Applicable Data Protection Law, and for carrying out such notifications.
10. Data Protection Impact Assessments
SolvaPay shall, taking into account the nature of processing and the information available to SolvaPay, provide reasonable assistance to the Provider in ensuring compliance with the Provider's obligations regarding data protection impact assessments and prior consultation with supervisory authorities, as required under Articles 35 and 36 of the GDPR.
11. International Data Transfers
11.1 Transfer Mechanism
Where the processing of Personal Data under this DPA involves a transfer of Personal Data from the EEA, the United Kingdom, or Switzerland to a country that has not been recognized as providing an adequate level of data protection, the parties shall comply with the Standard Contractual Clauses as set forth in Annex III to this DPA.
11.2 Applicable SCCs
11.2.1 For transfers from the EEA, the Standard Contractual Clauses approved by the European Commission in Implementing Decision (EU) 2021/914 shall apply and are hereby incorporated in this DPA. The applicable Module is Module 2 (Controller to Processor). The specific clauses and elections are set out in Annex III.
11.2.2 For transfers from the United Kingdom, the parties shall enter into the UK Addendum, which is hereby incorporated into this DPA. Part 1 of the UK Addendum is completed as set out in Annex III to this DPA.
11.3 Supplementary Measures
SolvaPay shall implement supplementary measures as necessary to ensure that the level of protection of Personal Data is not undermined by the transfer, taking into account the laws and practices of the destination country.
12. Compliance and Audit Rights
12.1 Compliance with Obligations
SolvaPay, its employees, agents, subcontractors, and sub-processors (a) shall comply with the obligations of the U.S. Privacy Laws, (b) shall provide the level of privacy protection required by the U.S. Privacy Laws, (c) shall provide Provider with all reasonably-requested assistance to enable Provider to fulfill its own obligations under the U.S. Privacy Laws, and (d) understand and shall comply with this DPA.
12.2 Compliance Assurance
Provider has the right to take reasonable and appropriate steps to ensure that SolvaPay uses the Provider’s Personal Data consistent with the Provider’s obligations under applicable U.S. Privacy Laws and this DPA.
12.3 Information and Audit
Upon the reasonable request of the Provider, SolvaPay shall make available to the Provider information in SolvaPay’s possession necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Provider or an auditor mandated by the Provider.
12.4 Audit Conditions
Provider has the right to monitor SolvaPay’s compliance with this DPA through measures, including, but not limited to, ongoing manual reviews, automated scans, regular assessments, audits, or other annual technical and operational testing at least once every twelve (12) months. SolvaPay shall cooperate fully with any audit initiated by the Provider, provided that such audit will not unreasonably interfere with the normal conduct of SolvaPay’s business.
Audits shall be conducted upon thirty (30) days' prior written notice, during SolvaPay's regular business hours, and in a manner that does not unreasonably disrupt SolvaPay's operations. The Provider shall bear the cost of any audit, except where the audit reveals material breach of this DPA or applicable laws by SolvaPay, in which case SolvaPay shall bear the cost.
12.5 Certifications and Reports
Where SolvaPay holds relevant third-party certifications or audit reports (such as SOC 2 or ISO 27001), SolvaPay may provide these to the Provider to satisfy the audit requirement set out in Section 12.3 of this DPA, unless the Provider has a reasonable basis for conducting an additional audit.
13. Deletion and Return of Data
13.1 Upon Termination
Upon termination or expiration of the Terms, except as set forth herein or therein, SolvaPay shall discontinue Processing and shall destroy or, at the Provider's election and expense, return all Personal Data Processed on behalf of the Provider and in its or its Subcontractors’ and Sub-Processors’ possession without undue delay. SolvaPay may retain Personal Data to the extent required by law, but only to the extent and for such period as required by such law and always provided that SolvaPay shall ensure the confidentiality of all such Personal Data.
13.2 Retention Period
The Provider shall communicate their election (deletion or return) within thirty (30) days of termination. If the Provider does not provide instructions within this period, SolvaPay shall delete the Personal Data, except as required by applicable law.
13.3 Certification
SolvaPay shall, upon request, certify in writing that it has complied with the deletion obligations under this Section 13.
14. Sale of Data
The Provider and SolvaPay acknowledge and agree that the disclosure or making available of Personal Data between the parties does not form part of any monetary or other valuable consideration exchanged between the parties with respect to the Terms or this DPA.
15. Exemptions
Notwithstanding any provision to the contrary in the Terms or this DPA, the terms of this DPA shall not apply to SolvaPay’s Processing of Personal Data that is exempt from Applicable Data Protection Law.
16. Liability
The liability of each party under this DPA shall be subject to the limitations and exclusions of liability set out in the Terms, except that such limitations shall not apply to the extent prohibited by Applicable Data Protection Law.
17. Duration
This DPA shall remain in effect for as long as SolvaPay processes Personal Data on behalf of the Provider. This DPA shall automatically terminate when the Terms terminate, subject to Section 13 (Deletion and Return of Data).
18. Modifications
The parties agree to cooperate in good faith to enter into additional terms to address any modifications, amendments, or updates to applicable statutes, regulations or other laws pertaining to privacy and information security, including, where applicable, the U.S. Privacy Laws.
19. Contact
For questions about this DPA, please contact:
SolvaPay Inc.
Grev Turegatan 10B, 114 46 Stockholm, Sweden
Data Protection Officer: dpo@solvapay.com
Annex I: Details of Processing
A. List of Parties
Controller (Provider):
Name: As identified in the Provider's SolvaPay Account.
Address: As provided in the Provider's Account.
Contact person: As designated by the Provider.
Role: Data Controller.
Processor (SolvaPay):
Name: SolvaPay Inc.
Address: Grev Turegatan 10B, 114 46 Stockholm, Sweden
Contact person: Data Protection Officer — dpo@solvapay.com
Role: Data Processor.
B. Description of Processing
Subject matter: Processing of personal data in connection with the provision of the SolvaPay payment platform, including hosted checkout, subscription management, and transaction processing on behalf of the Provider.
Duration: For the duration of the Terms between the Provider and SolvaPay, plus any retention period required by applicable law.
Nature and purpose: Collection, storage, organization, retrieval, use, and transmission of personal data for the purpose of processing payments, managing subscriptions, facilitating refunds, providing transaction records, and operating hosted checkout pages on behalf of the Provider.
Types of Personal Data: End-User names; email addresses; transaction amounts and currency; product/plan selection details; billing cycle information; IP addresses; browser and device identifiers; timestamps.
Categories of Data Subjects: End-Users who purchase products or services from the Provider through SolvaPay-hosted checkout pages.
Sensitive data: None. SolvaPay does not process special categories of data (Article 9 GDPR) or criminal conviction data (Article 10 GDPR) on behalf of Providers. Payment card data is processed directly by the Payment Service Provider and is not accessible to SolvaPay.
C. Competent Supervisory Authority
The competent supervisory authority shall be determined in accordance with GDPR Article 55 and Article 56, based on the Controller's establishment in the EU/EEA. If the Controller is not established in the EU/EEA, the competent supervisory authority shall be the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY).
Annex II: Technical and Organizational Security Measures
SolvaPay implements the following technical and organizational measures to ensure an appropriate level of security for the processing of Personal Data:
1. Encryption
- Data in transit is encrypted using TLS 1.2 or higher.
- Data at rest is encrypted using AES-256 or equivalent encryption standards provided by the cloud infrastructure provider.
2. Access Controls
- Role-based access control (RBAC) is implemented to ensure personnel access only the data necessary for their role.
- Multi-factor authentication (MFA) is required for access to production systems and administrative interfaces.
- Unique user accounts are assigned to each authorized person.
3. Infrastructure Security
- The Service is hosted on Google Cloud Platform (EU region), which maintains SOC 2 Type II, ISO 27001, and other relevant certifications.
- Network segmentation and firewalls are used to restrict access to production environments.
- Intrusion detection and monitoring systems are in place.
4. Application Security
- Secure software development practices, including code review and vulnerability testing.
- Regular patching and updating of software components.
- Input validation and output encoding to prevent common application vulnerabilities.
5. Logging and Monitoring
- Access logs and audit trails are maintained for systems that process Personal Data.
- Automated monitoring and alerting for suspicious or unauthorized activity.
6. Data Minimization and Pseudonymization
- Personal Data collection is limited to what is necessary for the specified processing purposes.
- Pseudonymization and anonymization techniques are applied where appropriate.
7. Business Continuity and Disaster Recovery
- Regular backups of data, stored in encrypted form.
- Disaster recovery procedures are maintained and tested periodically.
8. Personnel Security
- Personnel with access to Personal Data are subject to confidentiality obligations.
- Data protection training is provided to relevant personnel.
9. Incident Response
- A documented incident response plan is maintained for Personal Data Breaches.
- Incident response procedures include identification, containment, eradication, recovery, and notification phases.
10. Vendor Management
- Sub-Processors are assessed for their data protection practices prior to engagement.
- Contractual obligations consistent with this DPA are imposed on Sub-Processors.
Annex III: International Data Transfer Mechanisms
1. Standard Contractual Clauses (EEA Transfers)
For transfers of Personal Data from the EEA to SolvaPay Inc. (located in the United States), the parties agree to be bound by the Standard Contractual Clauses approved by the European Commission in Implementing Decision (EU) 2021/914, Module 2 (Controller to Processor), with the following elections:
- Clause 7 (Docking clause): Included. Additional controllers or processors may accede to the SCCs.
- Clause 9(a) (Sub-processor authorization): Option 2 — General written authorization, with a 30-day notice period for changes.
- Clause 11 (Redress): The optional language regarding independent dispute resolution is not included.
- Clause 13 (Supervision): The competent supervisory authority shall be as identified in Annex I(C).
- Clause 17 (Governing law): The SCCs shall be governed by the law of the EU Member State in which the Controller is established. If the Controller is not established in the EU, the SCCs shall be governed by the laws of Sweden.
- Clause 18(b) (Choice of forum): Disputes shall be resolved before the courts of the EU Member State in which the Controller is established. If the Controller is not established in the EU, disputes shall be resolved before the courts of Sweden.
The Annexes to the SCCs are completed by reference to Annex I and Annex II of this DPA.
2. UK International Data Transfer Addendum
For transfers of Personal Data from the United Kingdom, the parties agree to be bound by the UK Addendum.
The UK Addendum applies in addition to the SCCs described in Section 1 above, with the necessary modifications to reflect the application of UK data protection law as set out below:
- In Table 1, the “Exporter” is the Provider and the “Importer” is SolvaPay, and their details are as set forth in this DPA.
- In Table 2, the first option is selected and the “Approved EU SCCs” are the SCCs referred to in Section 11.2.1 of this DPA.
- In Table 3, Annexes 1 (A and B) and II to the “Approved EU SCCs” are Annex I and II to this DPA respectively.
- In Table 4, both the “Importer” and the “Exporter” can terminate the UK Addendum.
3. Supplementary Measures
SolvaPay implements the following supplementary measures, in addition to Annex II of this DPA, to support the lawfulness of international data transfers:
- Encryption of Personal Data in transit and at rest (as described in Annex II).
- Access controls limiting data access to authorized personnel.
- Regular assessment of the legal framework of the destination country, including US government access requests, and implementation of additional safeguards where necessary.
- Transparency reporting: SolvaPay will notify the Provider if it receives a legally binding request from a government authority for disclosure of Personal Data, unless prohibited by law from doing so.