Data Processing


Last Updated: Dec 4, 2024

This Data Processing Agreement (“DPA”) is an agreement between, on the one hand, you and the entity you represent (“Client”), and, on the other hand, Currency Cloud Ltd. and/or any other applicable affiliated Currencycloud entity(ies) (“Currencycloud”, “we”, or “us”) with which you have a written or electronic agreement to Process Personal Information on your behalf including the Commercial Agreement and the Terms of Use (each, an “Agreement”). Except for any Agreement under which you and Currencycloud have expressly agreed to terms that address the subject matter of this DPA, this DPA forms part of our Agreement under which we Process Personal Information on your behalf (“Client Personal Information”) for services you offer under your applicable regulatory license. For the avoidance of doubt, this DPA does not apply to any services that may be provided to users in reliance on Currencycloud’s own regulatory license. Each of Currencycloud and Client are referred to herein as a “Party” and collectively as the “Parties”.

1. Processing of Client Personal Information.

1.1. Processor designation. The Parties acknowledge and agree that:

1.1.1. the delivery of the applicable Services to Client involves the Processing of Client Personal Information by Currencycloud on behalf of Client;

1.1.2. such Processing by Currencycloud may include, by way of example and for illustrative purposes, the Processing detailed in Schedule C (Details of the Processing of Client Personal Information) of this DPA below;

1.1.3. Currencycloud is a “processor” or “service provider” under Applicable Data Protection Law acting on Client’s instructions (referred to as “Processor” for purposes of this DPA); and

1.1.4. notwithstanding clause 1.1.3 above, Currencycloud is a “controller” under Applicable Data Protection Law in respect of Currencycloud’s use of Personal Information in connection with the applicable Services in order to: (a) conduct KYC, CDD and other checks as part of our process of accepting you as a Client; (b) comply with any legal and/or regulatory requirements to which we are subject from time to time, including but not limited to FCA requirements; (c) determine how best to provide the Services and our risks in doing so; and (d) detect and prevent fraud or financial crime, including in relation to real-time payments fraud and scams. For the avoidance of doubt, with the exception of clause 3 below, the provisions of this DPA do not apply to the Parties in relation to Currencycloud’s use of Personal Information as a controller.

1.2. Authorization to Process. Processor will Process Client Personal Information on behalf of Client to provide Client with the Services, and Processor is authorized to Process Client Personal Information solely in connection with the following activities:

1.2.1. to provide the Services in accordance with the applicable Agreement(s);

1.2.2. to provide any Processing required under applicable laws or regulations;

1.2.3. based on the instructions of Client, to transfer Personal Information Processed by Processor to payment processors and network banking partners; and

1.2.4. as reasonably necessary to enable Processor to comply with any other directions or instructions provided by Client; and

1.2.5. to reduce or eliminate fraud, or protect against fraudulent or illegal activity.

The Client acknowledges that Currencycloud may process Client Data on its own account, as a controller where applicable, for the purposes and in the manner outlined in Currencycloud’s privacy notice, provided that such processing is relevant to and not incompatible with the delivery, security and improvement of the Services.

2. Compliance with Law

Processor, in its provision of services to Client, in its use of the services, shall Process Client Personal Information in accordance with Applicable Data Protection Law.

3. Client obligations

3.1. Client shall ensure that it complies fully with all applicable laws (including Applicable Data Protection Laws) and regulations with regard to Personal Information or other Client Data that it collects, stores, transfers, or otherwise Processes. In particular, Client shall: (a) ensure that it obtains appropriate authorisations and rights to collect, disclose and transfer Client Data to Currencycloud including in accordance with clause 3.2 below;

3.2. Client shall provide its Data Subjects (including End Customers where applicable) with all privacy notices, information and any necessary choices and shall obtain any necessary consents or otherwise have an appropriate lawful basis relating to the Processing of Client Personal Information in connection with the applicable Services (including in relation to clause 1.1.4 above) in order to enable Processor to comply with Applicable Data Protection Law (which may include providing Currencycloud’s privacy notice in a link or otherwise providing the necessary information).

3.3. Where required by Applicable Data Protection Law, Client shall promptly inform Processor when Client Personal Information must be corrected, updated, and/or deleted;

3.4. Client shall ensure that at the point of transferring Client Personal Information to Processor, the Client Personal Information is adequate, relevant and limited to what is necessary in relation to the Processing envisaged under the applicable Agreement and this DPA;

3.5. Client shall notify Processor, following contact from any given regulatory authority in relation to data Processed by Processor, unless applicable laws or regulations prohibit such notification; and

3.6. Client shall comply (and ensure that its third party auditors comply) with Processor’s relevant security policies and appropriate confidentiality obligations as set out in the applicable Agreement.

4. Processor obligations

4.1. Applicable Data Protection Law. To the extent necessary to enable Client to comply with its obligations under Applicable Data Protection Law, Processor further agrees to comply with any required provisions of the Schedule A (CCPA) and/or Schedule B (GDPR) to the extent applicable to Client’s use of the Services. The Parties agree that Processor may add additional Schedules to this DPA, wherever required for Processor to comply with Applicable Data Protection Laws that become applicable to Processor in the future.

4.2 Data Subject Rights. Processor shall notify Client if Processor receives a request from a Data Subject to exercise its rights under Applicable Data Protection Law (e.g. rights to access or delete Client Personal Information) and advise the Data Subject that Client is responsible for handling their requests in accordance with Applicable Data Protection Law. If Client requests Processor to do so in writing, Processor shall provide Client with reasonable co-operation and assistance (at the Client’s cost) to respond to such requests in a manner that is consistent with the nature and functionality of the applicable Services.

4.3 Engaging with Sub-Processors. When engaging with another data processor (a “Sub-Processor”) for the purposes of carrying out specific Processing activities on behalf of Client, Processor shall ensure that there is a written contract in place with the relevant Sub-Processor. To the extent applicable and having regard to the nature of the services provided by the relevant Sub-Processor, such written contracts will impose on the Sub-Processor, in substance, the same level of data protection obligations as those imposed on Processor under this DPA in connection with the Processing of Client Personal Information. Client acknowledges that Processor may disclose Client Personal Information to its employees, subcontractors (including third party suppliers and Sub-Processors), agents, group companies and group company employees as Processor reasonably considers necessary: (i) for the performance of Processor’s obligations under the applicable Agreement; (ii) for compliance with applicable law; and (iii) to defend any actual or possible legal claims.

4.4 Staff. Processor shall ensure that persons authorized to Process Client Personal Information are under an appropriate obligation of confidentiality.

4.5 Security of Processing. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk to the rights and freedoms of natural persons, Processor will implement technical and organizational measures to ensure a level of security appropriate to that risk. In assessing the appropriate level of security, Processor shall, in particular, take into account the risks that are presented by the Processing, in particular from unauthorized or unlawful Processing, accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Client Personal Information transmitted, stored or otherwise Processed. Processor shall provide reasonable assistance to Client in ensuring Client meets its own compliance obligations with respect to these same security measures.

4.6 Security Breach

4.6.1. In the event of an actual Security Breach (defined below) affecting Client Personal Information contained in Processor’s systems, Processor shall (i) investigate the circumstances, extent and causes of the Security Breach and report the results to Client and continue to keep Client informed on a regular basis of the progress of Processor’s investigation until the issue has been effectively resolved; and (ii) cooperate with Client in any legally required notification by Client to affected Data Subjects. The obligations herein shall not apply to Security Breaches caused by Client or Client’s End Customers.

4.6.2. Processor shall notify Client without undue delay upon Processor becoming aware of an actual Security Breach affecting Client Personal Information, providing Client with sufficient information and reasonable assistance to allow Client to meet its obligations under Applicable Data Protection Law to (i) notify a Supervisory Authority (as defined under Applicable Data Protection Law) of the Security Breach; and (ii) communicate the Security Breach to the relevant Data Subjects. For the avoidance of doubt, Client shall be responsible for communicating any Security Breach to Data Subjects if such communication is required under Applicable Data Protection Law.

4.6.3. Except as required by applicable law or regulation, neither Party will make (nor permit any third party to make) any statement concerning the Security Breach that directly or indirectly references the other Party, unless the other Party provides its explicit written authorization.

4.6.4. To the extent that a Security Breach was caused by Client or Client’s End Customers, Client shall be responsible for the costs arising from the provision of Processor’s assistance under this clause 4.6.

4.7. Deletion and Retention. Processor shall, at the choice of Client, delete or return all Client Personal Information upon termination of the applicable Agreement and delete existing copies unless storage is required by applicable law.

5. Miscellaneous.

The terms of this DPA shall apply only to the extent required by Applicable Data Protection Law. To the extent not inconsistent herewith, the applicable provisions of the Agreement(s) (including without limitation, indemnifications, limitations of liability, enforcement, and interpretation) shall apply to this DPA. In the event of any conflict between this DPA and the terms of an applicable Agreement, the terms of this DPA shall control solely with respect to data processing terms where required by Applicable Data Protection Law, and, in all other respects, the terms of the applicable Agreement shall control. Notwithstanding any term or condition of this DPA, this DPA does not apply to any data or information that does not relate to one or more identifiable individuals, that has been aggregated or de-identified in accordance with Applicable Data Protection Law, or to the extent that Processor and Client have entered into separate data processing terms that address the subject matter hereof.

6. Definitions

Unless otherwise defined in the applicable Agreement (including this DPA), all terms in this DPA shall have the definitions given to them in Applicable Data Protection Law.

6.1. “Applicable Data Protection Law” means any law or regulation pertaining to data protection, privacy, and/or the Processing of Personal Information, to the extent applicable in respect of a Party’s obligations under the applicable Agreement and this DPA. For illustrative purposes only, “Applicable Data Protection Laws” may include, without limitation, and to the extent applicable, the General Data Protection Regulation (Regulation (EU) 2016/579) (the “GDPR”), Swiss DP Laws and UK Data Protection Laws, the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. (“CCPA”), Brazilian General Data Protection Law (“LGPD”), Colombian Data Protection Law, The Federal Law on The Protection of Personal Data Held by Private Parties (Mexico), Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (“PIPEDA”) and any associated regulations or any other legislation or regulations that transpose or supersede the above;

6.2. “Commercial Agreement” means the agreement between Client and Currencycloud setting out the commercial terms for the provision of one or more of the Services.

6.3 “Client Data” means all information (including Personal Information and payment transaction details) that Client and/or its End Customers provides to Currencycloud for the purpose of Currencycloud providing Services to the Client under the Agreement.

6.4 “End Customer” means any person other than Currencycloud who contracts with Client, including without limitation any customer that Client engages in connection with the Services.

6.5. “Personal Information” means all data or information, in any form or format, that: (i) identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer (“Data Subject”) or household; or (ii) the Applicable Data Protection Law regulates as “personal data,” “personal information,” or otherwise. To avoid doubt, “Personal Information” includes any information relating to a Data Subject as defined in the Agreement;

6.6 “Process” or “Processed” or “Processing” means any operation or set of operations which is performed upon Personal Information, whether or not by automatic means, such as access, collection, recording, organization, storage, adaptation or alteration, retrieval, disclosure or otherwise making available, duplication, transmission, combination, blocking, redaction, erasure or destruction;

6.7. “Transfer” means to transmit or otherwise make Client Personal Information available across national borders in circumstances which are restricted by Applicable Data Protection Law.

6.8 “Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Information. A Security Breach includes a “personal data breach,” a “breach of security of a system” or similar term (in each case, as defined in any other Applicable Data Protection Law) as well as any other event that compromises the security, confidentiality or integrity of Personal Information.

6.9. “Services” means the Payment Services, Foreign Exchange Service, Currency Collections Services, and Platform Services provided by Currencycloud to Client as described in the Terms of Use and on the Client Help Centre.

6.10. “Swiss DP Laws” means the Federal Act on Data Protection of June 19, 1992 (as updated, amended and replaced from time to time), including all implementing ordinances. In this DPA, in circumstances where and solely to the extent that the Swiss DP Laws apply, references to the GDPR and its provisions shall be construed as references to the Swiss DP Laws and their corresponding provisions.

6.11. “Terms of Use” means our terms and conditions that govern Client’s use of the Services, including the schedules and any other terms and conditions referred to therein, the Privacy Processing Agreement, the Cookies Policy, and the Client Help Center, all as amended from time to time;

6.12. “UK Data Protection Laws” means the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (“UK GDPR”), together with the Data Protection Act 2018, the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 and other data protection or privacy legislation in force from time to time in the United Kingdom. In this DPA, in circumstances where and solely to the extent that the UK GDPR applies, references to the GDPR and its provisions shall be construed as references to the UK GDPR and its corresponding provisions.

SCHEDULE A: CALIFORNIA CONSUMER PRIVACY ACT (“CCPA”) SCHEDULE

This CCPA Schedule applies in addition to any terms set forth in the body of the DPA (and is incorporated therein) when the CCPA applies to Client’s use of the Services. Capitalized terms not defined herein have the meaning assigned to them under the DPA. To the extent there are any conflicts between this CCPA Schedule and the DPA, this CCPA Schedule shall prevail.

1. Currencycloud shall not:

1.1. sell Client Personal Information; or
1.2. retain, use or disclose Client Personal Information other than as set forth in the body of the DPA, except as required or permitted by the CCPA.

2. When providing or making available Personal Information to Currencycloud, Client shall only disclose or transmit that Personal Information which is necessary for Currencycloud to perform its obligations under the applicable Agreement(s).

3. To the extent required by the CCPA, this CCPA Schedule constitutes Currencycloud’s certification to the Processing restrictions herein.

SCHEDULE B: GENERAL DATA PROTECTION REGULATION

This GDPR Schedule applies in addition to any terms set forth in the body of the DPA (and is incorporated therein) when the GDPR and/or UK Data Protection Laws apply to Client’s use of the Services or if Applicable Data Protection Law imposes a comparable requirement outlined under Schedule B. Capitalized terms not defined herein have the meaning assigned to them under the DPA.  To the extent there are any conflicts between this GDPR Schedule and the DPA, this GDPR Schedule shall prevail.

1. Processor Obligations. Processor shall Process Client Personal Information only on documented reasonable instructions from Client (including instructions with respect to transfers of Client Personal Information to a third country, if applicable) unless Processor is required to otherwise Process Client Personal Information by Applicable Data Protection Law.  In such circumstances, Processor shall inform Client of that legal requirement before Processing, unless prohibited from doing so by applicable law, on important grounds of public interest. Processor shall immediately inform Client if, in Processor’s opinion, Client’s instructions would be in breach of Applicable Data Protection Law. Client agrees that Processor shall be under no obligation to take actions designed to form any such opinion and that any instructions that Client issues to Processor shall comply with Applicable Data Protection Law.

2. Sub-processing.

2.1. Processor will not engage any Sub-Processor without the specific or general written authorisation from Client.  In accordance with this section 2.1 of this GDPR Schedule, Client provides authorisation for Processor to engage with the Sub-Processors detailed in Currencycloud’s subprocessor list as updated from time to time and available to the Client.

2.2. Where Processor engages a Sub-Processor, Processor shall ensure that the Client is notified of that engagement. Processor shall provide Client a reasonable timeframe to object to the engagement of that Sub-Processor and the Client agrees and hereby consents for Processor to engage the relevant Sub-Processor where the Client fails to raise objections within the applicable timeframe. If the Client objects to the engagement of a Sub-Processor within the applicable timeframe, Processor may choose one of the following: (i) decide not to use the Sub-Processor for that processing activity; (ii) take the corrective steps requested by the Client in its objection (which remove the Client’s objection) and proceed to use the Sub-Processor; or (iii) suspend or terminate the provision of the services that require the use of the Sub-Processor.

3. Data Protection Impact Assessments and Prior Consultation with Regulator. Processor shall provide reasonable assistance to Client with any legally required (i) data protection impact assessments; and (ii) prior consultations initiated by Client with its regulator in connection with such data protection impact assessments. Such assistance shall be strictly limited to the Processing of Client Personal Information by Processor on behalf of Client under the applicable Agreement taking into account the nature of the Processing and information available to Processor.

4. Demonstrating Compliance with this DPA. Processor shall make available to Client all information necessary to demonstrate compliance with Processor’s obligations under this DPA and allow for (and contribute to) audits, including inspections conducted by Client or another auditor under Client’s instruction for the same purposes of demonstrating compliance with the obligations set out in this DPA. Client’s right to audit is subject to the following:

4.1. if Processor can demonstrate compliance with its obligations set out in this DPA by adhering to an approved code of conduct, by obtaining an approved certification or by providing Client with an audit report issued by an independent third party auditor (provided that Client will comply with appropriate confidentiality obligations as set out in the applicable Agreement and shall not use such audit report for any other purpose), Client agrees that it will not conduct any further audits or inspections; and

4.2. in acknowledgement of the time, expense and disruption to business associated with performing audits and inspections involving interviews and onsite visits, Client agrees to only conduct such audits and inspections on condition that Client can demonstrate that such audit or inspection is necessary beyond the information made available by Processor pursuant to clause 4.1 above. Such audits and inspections shall be at reasonable intervals (but not more than once a year) upon not less than 60 days’ notice and at a date mutually agreed by the Parties, provided that: (i) the audit will not disrupt Processor’s business activities and shall be conducted during business hours, subject to Processor’s policies; (ii) the audit will not interfere with the interests of Processor’s other Clients; (iii) the audit shall not exceed a period of two successive business days; (iv) before Client uses a third party to perform the audit on its behalf (if applicable), such third party shall execute a confidentiality agreement acceptable to Processor; (v) Client must provide Processor with any audit reports generated in connection with any audit (unless prohibited by applicable law), and Client may only use the audit reports for the purposes of meeting Client’s audit requirements under Applicable Data Protection Law and/or confirming compliance with the requirements of this DPA; (vi) the audit reports shall be confidential; (vii) to request an audit, Client must first submit a detailed audit plan to Processor at least 6 (six) weeks in advance of the proposed audit date. The audit plan must describe the proposed scope, duration and start date of the audit. Processor will review the audit plan and inform Client of any concerns or questions (for example, any request for information that could compromise Processor’s confidentiality obligations or Processor’s security, privacy, employment or other relevant policies). Processor will work cooperatively with Client to agree a final audit plan; (viii) nothing in this clause 4.2 shall require Processor to breach any duties of confidentiality owed to any of Processor’s Clients, employees or third party suppliers; and (ix) all audits shall be at Client’s sole cost and expense.

5. International transfers of Personal Information. Processor shall only Transfer any Client Personal Information outside the Client’s applicable jurisdiction, including, without limitation, outside the European Economic Area (“EEA”), the UK or Switzerland, in compliance with the Applicable Data Protection Laws. Where required under any Applicable Data Protection Laws, the Client agrees to apply appropriate safeguards, measures, or mechanisms, execute any notifications, obtain regulatory approval, and/or complete any review necessary to enable Transfers by Processor and/or its Sub-Processors under this DPA.

SCHEDULE C: DETAILS OF THE PROCESSING OF CLIENT PERSONAL INFORMATION

Nature and Purpose of the Processing: Processing of Personal Information as required for Processor to provide the applicable Services to Client and to perform Processor’s other obligations under the applicable Agreement.

Type of Personal Information: Sender, recipient and transaction details, including financial information (and such other information as is necessary under local laws/regulatory requirements in the applicable sender or recipient jurisdiction).

Categories of Data Subjects: The Client’s End Customers (or any customer of the End Customer, if applicable) where those are natural persons.

Duration: The duration of Processing is the period during which Processor provides the Services to the Client and any additional period required to fulfil Processor’s contractual obligations with the Client or applicable laws. Processor may retain data for archiving purposes in accordance with applicable laws and Processor’s records management policies.