
Data Processing Addendum

Last updated: April 21, 2026


1. Structure & Scope

This Data Processing Addendum (the “DPA”) is part of and supplements the Terms of Service (the “Agreement”) between you (“User”, “you” or “Merchant”) and Lumiria LLC, a North Carolina limited liability company doing business as securepayAPI (“securepayAPI”, “we”, “us” or “our”).

This DPA governs the Processing of Personal Data by securepayAPI and its Sub-processors in connection with the Services. Capitalised terms used but not defined in this DPA have the meanings given in the Agreement or in Section 8 below.

How this DPA fits with our other policies. Our Privacy Policy describes our overall privacy practices and applies to data subjects directly. This DPA is the contractual instrument that governs our Processing of Personal Data on your behalf as a Merchant, including obligations as a “service provider” or “processor” under the California Consumer Privacy Act (CCPA) and other U.S. state privacy laws.

2. Roles, Purposes & Categories of Data

2.1 When we are a Processor

When securepayAPI Processes Personal Data of your Customers in order to provide the Services to you, we act as a Processor (and a “Service Provider” as that term is used under the CCPA), and you act as the Controller (and a “Business” under the CCPA). The purposes of our Processing in this capacity are limited to:

  • operating and securing the securepayAPI platform; and
  • providing, and enabling your access to, our products and services in accordance with the Agreement and your documented Instructions.

2.2 When we are a Controller

When we Process Personal Data for our own purposes, we act as a Controller. We have sole and exclusive authority to determine the purposes and means of that Processing. The purposes of our Processing in this capacity are to:

  • determine and engage third parties such as banks, acquirers, and payment-method providers;
  • monitor, prevent, detect, and mitigate fraud, financial loss, security risks, and other harm to securepayAPI, our partners, or other users;
  • operate internal processes that enable securepayAPI to provide its products and services, including relationship management, billing, and invoicing;
  • comply with applicable law, including anti-money-laundering screening, know-your-customer and know-your-business obligations, sanctions screening, and requests from financial-services partners and governmental authorities; and
  • analyse, improve, and develop our products and services.

2.3 Categories of Data Subjects

We may Process Personal Data relating to your Customers, representatives, beneficial owners, and any natural person who accesses or uses your securepayAPI account.

2.4 Categories of Personal Data

Where applicable, we may Process the following categories:

  • name, contact details, and address;
  • device identifier, IP address, and approximate location;
  • order details (date, time, amount, description of goods or services);
  • payment-method account details (including network token, last four digits of card, expiration), and bank-account details;
  • tax identifier and tax status;
  • identity information, including data extracted from government-issued documents (passport, driver's licence, national ID), photographs, selfies, and the results of liveness and document-authenticity checks;
  • business registration data and beneficial-ownership information.

2.5 Sensitive Data

Where applicable to identity verification, we may Process Sensitive Data, including biometric data (such as facial-recognition templates generated by our verification vendors during liveness and face-match checks). Such Processing is performed only as necessary to satisfy our and your KYC and KYB obligations.

2.6 Duration of Processing

When we act as a Processor, the duration of Processing is the term of the Agreement plus any period required to perform our post-termination obligations (including those set out in Section 3.8 below).

2.7 Data Security

We implement and maintain a written information-security programme consistent with the technical and organisational measures set out in Section 9 of this DPA.

3. Our Obligations as Processor

When we act as a Processor for you, and to the extent required by DP Law, we will:

3.1 Instructions

Process Personal Data on your behalf and only in accordance with your documented Instructions. We will inform you if, in our opinion, your Instructions appear to violate or infringe DP Law.

3.2 Confidentiality of Personnel

Ensure that all persons we authorise to Process Personal Data are granted access on a need-to-know basis and are committed to appropriate confidentiality obligations.

3.3 Data Subject Requests

Inform you of each request we receive from a Data Subject (including a “verifiable consumer request” under the CCPA) seeking to: (i) access their Personal Data; (ii) correct or erase it; (iii) restrict or object to Processing; or (iv) exercise data portability (collectively, a “Data Subject Request”). Other than to acknowledge the request, identify the Data Subject, or direct the Data Subject to you as the Controller, we will not respond to the Data Subject Request unless you instruct us in writing to do so. Taking into account the nature of the Processing, we will assist you by appropriate technical and organisational measures, insofar as this is possible, to enable you to meet your obligation to respond.

3.4 Law-Enforcement Requests

Inform you of any law-enforcement or governmental-authority request for Personal Data we Process on your behalf, unless we are prohibited by law from doing so.

3.5 Compliance Assistance

Provide you with reasonable assistance, following your written request, to help you comply with your obligations under DP Law, including reasonable information to help you conduct a privacy or data-protection impact assessment or respond to inquiries from a regulator (including your state attorney general). If your request goes beyond our obligations under DP Law or the Agreement, we may charge a reasonable fee for the assistance.

3.6 Data Incident Notification

If we experience a Data Incident affecting your Personal Data, we will notify you without undue delay after becoming aware. To the extent then known, our notification will describe in reasonable detail (i) the type of Personal Data subject to the Data Incident; (ii) the categories and approximate number of individuals or records affected; and (iii) the status of our investigation and current or planned remediation. We will provide further updates as they become available to assist you in complying with your notification and other obligations under applicable law (including U.S. state breach-notification laws).

3.7 Audit Reports & Security Questionnaires

Following your written request, and no more frequently than once per calendar year (or more frequently if required by a Supervisory Authority or following a Data Incident materially affecting your Personal Data), we will provide reasonable documentation, audit summaries, or a completed written security questionnaire of reasonable scope and duration regarding our Processing of Personal Data. All such reports, documentation, and questionnaire responses are our confidential information and may not be disclosed without our prior written consent.

3.8 Return or Deletion on Termination

On termination of the Agreement, at your choice, we will delete or return to you all Personal Data Processed in connection with the Services, and delete existing copies, except to the extent that we are (i) required to retain that Personal Data to exercise our rights or perform our obligations under the Agreement; or (ii) required or authorised by DP Law or by the Network Rules to retain it for a longer period.

3.9 Sub-processors

You acknowledge that we engage Sub-processors, including our Affiliates and third-party service providers, as necessary to perform the Services. You consent to our use of our existing Sub-processors, and you grant us a general written authorisation to engage Sub-processors in the future.

Our current key Sub-processors include:

  • Sum and Substance Ltd. (Sumsub) — identity (KYC) and business (KYB) verification, sanctions and PEP screening;
  • Plaid Inc. — bank-account verification and ownership confirmation;
  • cloud-infrastructure and database providers used to host the Services;
  • transactional-email and SMS providers used to deliver authentication codes and operational notices;
  • analytics, monitoring, and customer-support tooling.

A current and complete list of Sub-processors is available on written request to privacy@securepayapi.com. We will notify you at least thirty (30) days before adding or replacing a Sub-processor that Processes your Personal Data, providing you a reasonable opportunity to object on legitimate data-protection grounds. If you object, we will use commercially reasonable efforts to make a change available that avoids the objected-to Sub-processor; if no such change is reasonably available, we will not be obligated to provide the affected portion of the Services and you may terminate the affected portion of the Agreement.

We enter into a written agreement with each Sub-processor that imposes data-protection obligations comparable to those imposed on us under this DPA, including the obligation to implement appropriate technical and organisational measures. We remain liable to you for the acts and omissions of our Sub-processors to the same extent as if we performed the relevant Services directly.

3.10 CCPA & U.S. State Privacy Laws

To the extent the CCPA or another U.S. state privacy law (including the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, and the Virginia Consumer Data Protection Act) applies, and we act as a Processor or Service Provider, we will not (except to provide the Services as permitted by law):

  • sell or share Personal Data;
  • retain, use, or disclose Personal Data for any purpose other than the specific business purpose set out in the Agreement, including any commercial purpose, or outside our direct business relationship with you;
  • combine the Personal Data we receive from or on behalf of you with Personal Data we receive from or on behalf of any other person, or that we collect from our own interactions with the Data Subject, except to the extent permitted by law.

We will provide the same level of privacy protection as required by the CCPA, and we certify that we understand and will comply with the requirements in this DPA relating to the CCPA. We will inform you if we determine that we can no longer meet our obligations under the CCPA and will take reasonable and appropriate steps to remediate any unauthorised Processing.

3.11 Disclaimer of Liability for Acting on Instructions

Notwithstanding anything to the contrary in the Agreement, including this DPA, securepayAPI and its Affiliates will not be liable for any claim made by a Data Subject arising from or related to our or our Affiliates' acts or omissions to the extent that we were acting in accordance with your Instructions.

4. Your Obligations as Controller

4.1 Lawful Instructions

You must provide only lawful Instructions to securepayAPI.

4.2 Compliance with DP Law

You must comply with, and perform your own obligations under, DP Law, including with regard to Data Subject rights, security, and confidentiality, and you must ensure that you have an appropriate legal basis for the Processing of Personal Data described in the Agreement and this DPA.

4.3 Notices and Consents

You must provide all necessary notices (including by making available your own privacy policy) to, and obtain all necessary rights, permissions, and consents from, Data Subjects (including your Customers) to enable securepayAPI to lawfully Process Personal Data in connection with the Services. You are solely responsible for the content of the notices you provide to your Customers.

5. Our Obligations as Controller

When we Process Personal Data as a Controller, we will comply with and perform our obligations under DP Law, including by maintaining a Privacy Policy that explains how and for what purposes we collect, use, retain, disclose, and safeguard Personal Data.

6. Where We Process Personal Data

Lumiria LLC is a North Carolina limited liability company, and the Services are operated from and primarily directed to merchants and customers in the United States. Our primary processing infrastructure is located in the United States.

You acknowledge that, in order for us to provide the Services, Personal Data may be transferred to Lumiria LLC in the United States. Some of our Sub-processors operate in or store data in other countries (for example, Sumsub and Plaid), as described in Section 3.9.

Where Personal Data originates from a jurisdiction whose law requires a specific cross-border-transfer mechanism, we will rely on a lawful transfer mechanism reasonably available to us. Specific mechanisms (such as Standard Contractual Clauses or any then-current Data Privacy Framework certification) will be agreed between the parties where required and incorporated into this DPA by reference.

7. Conflict

To the extent of any conflict between the provisions of:

  • this DPA and the Agreement regarding the Processing of Personal Data, the provisions of this DPA prevail; and
  • this DPA and any cross-border-transfer mechanism agreed between the parties (such as Standard Contractual Clauses), the provisions of that transfer mechanism prevail to the extent of the conflict and only as to the transfers it governs.

8. Definitions

  • CCPA — the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100–1798.199, as amended by the California Privacy Rights Act, and its implementing regulations.
  • Controller — the entity that, alone or jointly with others, determines the purposes and means of Processing Personal Data, including a “business” under the CCPA and equivalent terms under other U.S. state privacy laws.
  • Customer — an end user, cardholder, or payer who completes a Transaction with you using the Services.
  • Data Incident — an unauthorised or unlawful Processing, use, access, loss, disclosure, destruction, or alteration of Personal Data in our possession or control or that of our Sub-processors.
  • Data Subject — an identified or identifiable natural person to whom Personal Data relates (a “consumer” under U.S. state privacy laws).
  • Data Subject Request — has the meaning given in Section 3.3.
  • DP Law — every law applicable to the Processing of Personal Data under the Agreement and this DPA, including U.S. federal, state, and local privacy and data-protection laws, the CCPA, and the consumer-privacy laws of Colorado, Connecticut, Utah, Virginia, and other states as they come into force.
  • Instructions — any documented instruction from you to us regarding the Processing of Personal Data, including the Agreement, this DPA, the Documentation, configurations you select in the dashboard, and API calls you initiate.
  • Joint Controller — a Controller that jointly determines the purposes and means of Processing Personal Data with one or more other Controllers.
  • Personal Data — any information relating to an identified or identifiable natural person Processed in connection with the Services, including “personal information” as defined under the CCPA and equivalent terms under other applicable privacy laws.
  • Process, Processed, and Processing — any operation or set of operations performed on Personal Data, such as collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, restriction, erasure, or destruction.
  • Processor — the entity that Processes Personal Data on behalf of the Controller, including a “service provider” under the CCPA and equivalent terms under other U.S. state privacy laws.
  • Sensitive Data — Personal Data treated as a special or sensitive category under applicable law, including (a) biometric data used for unique identification; (b) precise geolocation; (c) data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, or sex life or sexual orientation; (d) Social-Security, driver's-licence, state-ID, or passport numbers; (e) financial-account, debit-card, or credit-card numbers in combination with any required security code, access code, or password; and (f) any data treated as sensitive under the CCPA or other applicable U.S. state privacy laws.
  • Sub-processor — an entity engaged by a Processor to Process Personal Data on the Processor's behalf in connection with the Services.

9. Technical & Organisational Measures

securepayAPI maintains and enforces a written information-security and privacy programme designed to protect Personal Data against unauthorised access, disclosure, alteration, and destruction. The measures below describe our programme; we may update specific tools and configurations from time to time, provided that the overall level of protection is not materially diminished.

9.1 Security Programme & Policies

  • documented policies that we formally approve, internally publish, communicate to appropriate personnel, and review at least annually;
  • clear assignment of responsibility and authority for security-programme activities;
  • policies covering acceptable use, data classification, cryptographic controls, access control, removable media, and remote access; and
  • regular testing of key controls, systems, and procedures.

9.2 Privacy Programme

We maintain a privacy programme and related policies that address how Personal Data is collected, used, retained, shared, and safeguarded.

9.3 Risk & Asset Management

We perform risk assessments and maintain controls for risk identification, analysis, monitoring, reporting, and corrective action. We maintain an asset-management programme that classifies and controls hardware and software assets throughout their lifecycle.

9.4 Personnel

All personnel with access to Personal Data acknowledge their data security and privacy responsibilities under our policies. We:

  • perform background checks and screening (subject to applicable law);
  • provide security and privacy training, including an annual refresher;
  • maintain disciplinary processes for violations;
  • promptly remove or update access rights upon termination or role change, and require return or destruction of Personal Data;
  • authenticate personnel using strong passwords or hardware token devices, with multi-factor authentication required for access to systems that Process Personal Data, in line with NIST SP 800-63B.

9.5 Network & Operations Management

We implement policies and procedures addressing system hardening, change control, segregation of duties, separation of development and production environments, technical-architecture management, network security, malware protection, encryption of data in transit and at rest, audit logs, and network segregation. We perform periodic vulnerability assessments and penetration testing on systems that Process Personal Data; vulnerabilities are remediated in accordance with our vulnerability-management standard.

9.6 Technical Access Controls

  • user identification and authentication procedures;
  • password policies and multi-factor authentication consistent with NIST SP 800-63B;
  • automatic blocking on repeated failed authentication attempts and session timeout;
  • break-in-attempt monitoring and alerting;
  • differentiated access rights based on role, profile, action, and object (least privilege);
  • access monitoring, logging, and periodic access reviews;
  • documented access-grant, change, and deletion procedures.

9.7 Physical Access Controls

We host our production infrastructure with reputable third-party cloud providers operating to recognised audit standards (such as ISO 27001 and SOC 2). We rely on these providers to manage physical access to the data-centre facilities they operate, including 24×7 monitoring, electronic access control, video surveillance, and trained security personnel. We periodically review the providers' third-party audit reports.

9.8 Availability

  • database replication;
  • regular backup procedures, with restore tested periodically;
  • infrastructure redundancy across availability zones; and
  • a documented disaster-recovery plan reviewed periodically.

9.9 Disclosure & Entry Controls

We log access to and changes in Personal Data, and we use authentication, transport security, and encryption to ensure that Personal Data cannot be read, copied, modified, or deleted without authorisation during transmission, transport, or storage. We retain audit trails sufficient to verify entries, modifications, and deletions.

9.10 Separation Controls

  • least-privilege limitation of access by internal services;
  • segregation of production and non-production environments;
  • logical segmentation between Customer Personal Data sets so that data collected for different purposes can be Processed separately.

9.11 Encryption

  • In transit: all inbound and outbound data connections use TLS 1.2 or higher; mutual TLS is used for connections between production systems where supported.
  • At rest: production data is encrypted using industry-standard symmetric encryption (AES-256 or equivalent).
  • Card and bank-account data: minimised on our systems through the use of network tokenisation and tokenised references issued by Card Networks, our acquirers, and our partners. Where stored, such data is held in segregated, restricted-access vaults with separate key custody.

9.12 Certifications & Compliance

We maintain a PCI DSS programme appropriate to our role and the scope of card-data we handle, validated as required by the Card Networks. We are continuing to mature our security programme and may obtain additional independent certifications (such as SOC 2) as we grow. Our key Sub-processors operate at high assurance levels (for example, Sumsub maintains ISO 27001 and PCI DSS certifications, and Plaid maintains SOC 2 Type II).

9.13 System Configuration

We deploy production infrastructure through automated tools using infrastructure-as-code subject to formal code review and two-party approval before release. Production infrastructure is monitored for drift from known configuration baselines.

9.14 Data Portability

The securepayAPI API and dashboard enable you to programmatically access and export the data we store on your behalf, except where export is restricted by PCI DSS or by the Network Rules. Where you require export of card-scoped data to another PCI DSS-compliant processor, we will work with you and the Card Networks to facilitate a compliant migration.

9.15 Retention & Deletion

We maintain data-retention policies and procedures consistent with our Privacy Policy and applicable law, and we review these policies as appropriate.

10. Updates to this Addendum

We may update this DPA from time to time. Material changes will be communicated through the dashboard or by email at least thirty (30) days before they take effect, except where a shorter period is required by law, by the Network Rules, or to address a security or legal risk. The “Last updated” date at the top of this page reflects the most recent version.

11. Contact

For matters relating to this DPA, please contact:

Lumiria LLC d/b/a securepayAPI
1451 Richardson Rd. Ste. 109 #127, Apex, NC 27523, USA
Privacy: privacy@securepayapi.com
Legal: legal@securepayapi.com
Security: security@securepayapi.com
Phone: +1 844 680 0679