
Data processing agreement

This Data Processing Agreement (DPA) governs how ReliaPay processes personal data on behalf of our merchants. It is incorporated into our Terms of Service and applies whenever you use the ReliaPay platform to process information about your end customers.

Last updated May 2026

Roles of the parties

When ReliaPay processes personal data on your instructions to deliver the platform, you act as the data controller and ReliaPay acts as your data processor. When ReliaPay processes personal data for its own purposes — for example, to operate its risk and compliance programme — ReliaPay acts as an independent data controller.

Subject-matter & purpose

ReliaPay processes personal data to provide payment processing, settlement, reporting, and related services described in our Terms of Service. The categories of data and data subjects, and the duration of processing, are described in the Annex below.

  • Data subjects — your end customers, your employees and authorised users, and other individuals whose information is submitted to ReliaPay.
  • Categories of data — identifiers (name, email, phone), financial data (masked card details, mobile-money numbers, transaction amounts), and technical data (IP, device metadata).
  • Special categories — generally none. Identity-document data (e.g. national ID images) may be processed for KYC where you choose to use that feature.
  • Duration — for the term of your subscription plus any retention period required by law.

Processor obligations

ReliaPay processes personal data only on your documented instructions, including those given through the dashboard and APIs. ReliaPay ensures that personnel authorised to process personal data are bound by confidentiality, that appropriate technical and organisational measures are in place, and that any processing complies with applicable data-protection law.

Security measures

ReliaPay implements security measures appropriate to the risk, including but not limited to:

  • Encryption of personal data in transit (TLS 1.3) and at rest (AES-256).
  • Tokenisation of cardholder data; raw PANs never reach merchant systems.
  • Role-based access control and multi-factor authentication for all production systems.
  • Continuous logging, monitoring, and alerting; dedicated security operations.
  • Annual penetration tests by independent firms and an active bug-bounty programme.
  • Documented business continuity and disaster-recovery plans, tested at least annually.

Sub-processors

ReliaPay engages a limited number of sub-processors to deliver the platform. We impose contractual obligations on each sub-processor that are no less protective than those in this DPA. The current list of sub-processors is available below and is updated when changes occur.

Sub-processor       | Purpose                                          | Region
Amazon Web Services | Cloud infrastructure and hosting                 | Africa (Cape Town), EU (Ireland)
Cloudflare          | DDoS protection, WAF, edge delivery              | Global
Datadog             | Application observability and logging            | EU (Ireland)
Smile Identity      | KYC and identity verification                    | Kenya, South Africa
Stripe              | Card-network connectivity for cross-border flows | EU, US

We notify customers of new sub-processors at least 30 days before they begin processing personal data and offer an opportunity to object on reasonable grounds.

International transfers

Where personal data is transferred outside the country of collection, we rely on appropriate safeguards such as Standard Contractual Clauses and equivalent mechanisms recognised by local regulators, together with supplementary technical measures (encryption, tokenisation) to protect the data.

Data-subject requests

If a data subject contacts ReliaPay directly with a request to exercise their rights in respect of data processed on your behalf, we will refer them to you. We will assist you in responding to such requests through reasonable technical and organisational measures, including dashboard exports and APIs.

Personal-data incidents

ReliaPay notifies you without undue delay — and in any event within 72 hours — after becoming aware of a personal-data breach affecting your data. Our notice will describe the nature of the incident, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address it.

Audits

We make available the information necessary to demonstrate compliance with this DPA, including independent audit reports (such as our SOC 2 Type II report) under NDA. Where additional audit is reasonably required by your data-protection authority, we will cooperate with reasonable requests during business hours and at your cost.

Return & deletion

On termination of the underlying agreement, ReliaPay will return or delete personal data processed on your behalf, except to the extent retention is required by law (for example, transaction records retained under AML obligations). Backup copies are securely overwritten in accordance with our standard backup schedule.