Data Processing Agreement (DPA)

‍
Effective Date: June 2, 2025

1. Introduction

This Data Processing Agreement (“DPA”) sets forth the terms under which Paywhale (“Processor”), a company processing personal data on behalf of its clients (“Controller”), carries out its activities in the context of delivering services. This DPA is intended to ensure compliance with applicable data protection regulations, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the Dutch Implementation Act (Uitvoeringswet AVG).

2. Definitions

Controller – The party that determines the purposes and means of processing personal data.
Processor – The party that processes personal data on behalf of the Controller.
Personal Data – Any data relating to an identified or identifiable natural person, as defined under the GDPR.
Sub-Processor – Any third party appointed by the Processor to process personal data on its behalf.

3. Purpose and Scope of Processing

Paywhale processes personal data solely for the purpose of delivering its operational services, including but not limited to order fulfillment coordination, payment handling, dispute resolution, compliance assistance, and customer service support, as specified in the service agreement between the parties.

4. Processor Responsibilities

Paywhale agrees to:

Process personal data only on documented instructions from the Controller.
Ensure that employees and agents authorized to process personal data are bound by confidentiality obligations.
Implement technical and organizational measures appropriate to the risk to ensure the security of personal data.
Assist the Controller in responding to data subject requests in accordance with applicable data protection laws.
Upon termination of services, delete or return all personal data to the Controller, unless otherwise required by law.

5. Use of Sub-Processors

Paywhale may engage sub-processors to perform specific parts of its services. A current list of authorized sub-processors is available upon written request. Paywhale ensures that all sub-processors are contractually bound to obligations consistent with this DPA.

6. International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA), Paywhale ensures that such transfers are conducted in compliance with applicable data protection requirements, including appropriate safeguards such as Standard Contractual Clauses (SCCs) or other legally accepted mechanisms under the GDPR.

7. Audit and Inspection

Upon reasonable prior written notice, the Controller has the right to audit Paywhale’s compliance with this DPA. Any audit shall be subject to reasonable time, scope, and confidentiality limitations.

8. Liability

Liability arising from a breach of this DPA shall be governed by the terms set forth in the main service agreement between Paywhale and the Controller, including any limitations or exclusions of liability contained therein.

9. Governing Law

This DPA shall be governed by and construed in accordance with the laws of the Netherlands. Any disputes arising from or related to this DPA shall be submitted to the competent court in Amsterdam, unless mandatory law provides otherwise.