Last updated: November 27, 2025
DATA PROCESSING AGREEMENT
This Data Processing Agreement (“DPA”) is an agreement between you and the entity you represent (“Client”), on the one hand, and the relevant contracting party of Pismo (“Pismo”), on the other hand. It forms part of the agreement for the provision of processing, banking, payment, card issuance and management, and/or related financial services (“Services”, “Agreement”). Each of Pismo and the Client may be referred to herein as a “Party” and collectively as the “Parties.”
A. DEFINITION
1. For the purposes of this DPA, the following definitions shall apply:
“Data Protection Laws” means any law or regulation pertaining to the Processing of Personal Information, to the extent applicable in respect of a party’s obligations under the Agreement and this DPA. For illustrative purposes only, “Data Protection Laws” include, without limitation, and to the extent applicable, the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”), UK Data Protection Laws, the Gramm-Leach-Bliley Act of 1999 and applicable regulations thereunder (together, “GLBA”), the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. and its implementing regulations, as amended or superseded from time to time (collectively, “CCPA”), Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (“PIPEDA”), Swiss DP Laws, Australian Privacy Act 1988 (including the Australian Privacy Principles), Singapore Personal Data Protection Act 2012, Japan Act on the Protection of Personal Information, Korean Personal Information Protection Act, Kingdom of Saudi Arabia Personal Data Protection Law (PDPL), Nigeria Data Protection Act 2023, Kenya Data Protection Act 2019, South Africa Protection of Personal Information Act, Hong Kong Personal Data Privacy Ordinance (PDPO), New Zealand Privacy Act 2020, Philippines Data Privacy Act, Argentina DP Laws, Brazilian DP Laws, Chile DP Laws, Colombia DP Laws, Costa Rican DP Laws, Mexico DP Laws, Peru DP Laws, Uruguay DP Laws and any associated regulations or any other legislation or regulations that transpose, supersede or are deemed substantially similar to the above.
“Argentina DP Laws” means Law No 25.326 and its subsidiary regulations and other data protection or privacy legislation in force from time to time in Argentina.
“Brazilian DP Laws” means the Brazilian Data Protection Law (Law No. 13,709/2018, the “LGPD”), its subsidiary regulations and other data protection or privacy legislation or regulation in force from time to time in Brazil, including any regulation published by the Brazilian Data Protection Authority (“ANPD”).
“Chile DP Laws” means Law No. 19.628 on the Protection of Private Life (as updated, amended and replaced from time to time), including all implementing and associated regulations or instruments.
“Colombia DP Laws” means Law 1581 of 2012; Decree 1074 of 2015; Chapter V of the Circular Única of the SIC; Decree 090 of 2018; and all other regulation pertaining to data protection in Colombia.
“Costa Rican DP Laws” means Law No. 8968, its Regulation regulations and other data protection or privacy legislation in force from time to time in Costa Rica.
“KSA PDPL” means the Kingdom of Saudi Arabia Personal Data Protection Law and its subsidiary regulations and other data protection or privacy legislation in force from time to time in the Kingdom of Saudi Arabia.
“Mexico DP Laws” means the Federal Law on Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares), its Regulations, any related guidelines, circulars or standards issued by the Supervisory Authority and any other federal or local statutes, regulations or rules governing the protection of personal data in Mexico in force from time to time in Mexico.
“Personal Information” means all data or information, in any form or format, that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or individual (“Data Subject”) or household or that is regulated as “personal data,” “personal information,” or otherwise under Data Protection Laws. For the avoidance of doubt, this includes any information relating to a Data Subject as defined in the Agreement and as described in Schedule 3 to this DPA.
“Peru DP Laws” means Peru Personal Data Protection Law N° 29733, (as updated, amended and replaced from time to time), including all implementing and associated regulations or instruments.
“Process” or “Processed” or “Processing” means any operation or set of operations which is performed upon Personal Information, whether or not by automatic means, such as access, collection, recording, organization, storage, adaptation or alteration, retrieval, disclosure or otherwise making available, duplication, transmission, combination, blocking, redaction, erasure or destruction, or as otherwise defined under Data Protection Laws.
“Security Incident” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Information. A Security Incident includes a “personal data breach” (as defined in the GDPR), a “breach of security of a system”, a “breach of security safeguards” (as defined in PIPEDA) or similar term (as defined in any other Data Protection Laws) as well as any other event that compromises the security, confidentiality or integrity of Personal Information or that is similarly regulated under Data Protection Laws.
“Swiss DP Laws” means the Federal Act on Data Protection of June 19, 1992 (as updated, amended and replaced from time to time), including all implementing ordinances.
“Transfer” means to transmit or otherwise make Client Personal Information available across national borders in circumstances which are restricted by Data Protection Laws.
“UK Data Protection Laws” means the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (“UK GDPR”), together with the Data Protection Act 2018, the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 and other data protection or privacy legislation in force from time to time in the United Kingdom. In this DPA, in circumstances where and solely to the extent that the UK GDPR applies, references to the GDPR and its provisions shall be construed as references to the UK GDPR and its corresponding provisions.
“Uruguay DP Laws” means Data Protection Act No. 18.331 2008; 414 2009, 19.670 2018, No. 64 2020 (as updated, amended and replaced from time to time), including all implementing and associated regulations or instruments.
2. Unless otherwise defined in the Agreement (including this DPA), all terms in this DPA shall have the definitions given to them in Data Protection Laws.
B. PROCESSING OF CLIENT PERSONAL INFORMATION
Designation
The Parties acknowledge and agree that, with respect to the Personal Information that Pismo Processes on behalf of Client (“Client Personal Information”) to provide the Services, Pismo is a “processor” or “service provider” and Client is a “controller” or such other equivalent term under Data Protection Laws, if any. The subject matter, duration, and purpose of the processing, including the type of Personal Information involved and the categories of Data Subject is set out in Schedule 3 to this DPA.
Processing Instructions
Pismo will Process Client Personal Information to provide the Services, and Client authorises Pismo to Process Client Personal Information solely in connection with the following activities (together, “Processing Instructions”):
- in accordance with the Agreement, Schedule 3 to this DPA, and any other applicable agreement(s), including, without limitation, any exhibits, schedules, and applicable price schedule(s), to provide the Services, and any Processing required or permitted under applicable laws or regulations;
- the transfer of Client Personal Information to downstream banks, wallet operators, wallet aggregators and/or clearing networks in order to complete a payment transaction;
- improve and develop products and services of potential benefit to Client or Client’s customer;
- to identify, prevent, and mitigate fraud, including by evaluating, analyzing, developing, improving, and enhancing Pismo and its affiliates’ fraud and risk capabilities generally, and/or
- as reasonably necessary to enable Pismo to comply with any other directions or instructions provided by Client.
Compliance with Law
Pismo, in its provision of Services to Client, and Client, in its use of the Services, shall Process Client Personal Information in accordance with Data Protection Laws. To the extent necessary to enable each party to comply with its obligations under Data Protection Laws, each party further agrees to comply with any required provisions of the Schedule 1 (U.S. State Law Privacy Compliance) and/or Schedule 2 (General Data Protection Regulation) to this DPA, each, to the extent applicable.
Privacy Disclosures and Permissions
Client shall provide, or procure its customers to provide, Data Subjects with all privacy notices, information and any necessary choices and shall obtain any necessary consents to enable Pismo to comply with Data Protection Laws and with the Processing Instructions in Section 4 and Section 19.
Data Subject Rights
Pismo will, to the extent legally permitted, provide reasonable assistance to Client to respond to requests from Data Subjects to exercise their rights under Data Protection Laws (e.g., rights to access or delete Personal Information) in a manner that is consistent with the nature and functionality of the Services. Where Pismo receives and identifies any such request as concerning the Client Personal Information, it shall advise the Data Subject that the Client is responsible for handling such requests by a Data Subject, in accordance with Data Protection Laws.
Engaging with Sub-Processors
Pismo shall ensure that when engaging with another data processor (a “Sub-Processor”) for the purposes of carrying out specific Processing activities on behalf of Client, there is a written agreement between Pismo and the relevant Sub-Processor that provides, in substance, the same level of protection for Client Personal Information as set forth in this DPA or as required under Data Protection Laws.
Cross-Border Transfer
Pismo shall only Transfer any Client Personal Information outside the Client’s applicable jurisdiction, including, without limitation, outside the European Economic Area (“EEA”), the UK, Switzerland or the United States, in compliance with the Data Protection Laws. Subject to Clause 10 below, Client agrees and acknowledges that Pismo Transfers and stores certain Client Personal Information (including relating to individuals located in the EEA, Switzerland, the UK, and other Latin American countries such as Argentina, Brazil, Chile, Colombia, Costa Rica, Mexico, Uruguay and/or Peru) in the United States, and other selected locations. Where required under any Data Protection Laws, the Client agrees to apply appropriate safeguards, measures, or mechanisms, obtain explicit consent for cross-border transfer, execute any registrations or notifications, obtain regulatory approval, complete security assessments or certifications, and/or complete any review necessary to enable Transfers by Pismo and/or its Sub-Processors under this DPA, including but not limited to any specific rules for Transfer relating to sensitive or special categories of data (if applicable).
Transfers
1. Transfers Subject to the KSA PDPL
In the event Pismo Processes Client Personal Information subject to the KSA PDPL, the Standard Contractual Clauses issued by the Saudi AI and Data Authority (SDAIA) (“KSA SCCs”) shall apply as follows:
- Second Template: Controller to Processor shall apply for Transfers from the Client (as Personal Data Exporter) to Pismo (as Personal Data Importer).
- In relation to any subsequent Transfers by Pismo, the Third Template: Processor to Processor shall apply between Pismo (as Personal Data Exporter) and any Sub-Processor (as Personal Data Importer).
- For the purposes of the KSA SCCs, Appendix 1 – Parties of List shall be the Personal Data Exporter and Personal Data Importer described in this Section 10.1 (a) or 10.1 (b) above as applicable; Appendix 2 – Description of the Transferred Personal Data shall be as set out in Schedule 3 – Details of Processing; and Appendix 3 – Security Measures shall be the security measures set out in Section 10.1.1 below.
1.1. India-Specific Data Localization
In the event Pismo Processes Client Personal Information relating to individuals located in India, and such Client Personal Information is subject to India’s laws, Client acknowledges that Pismo Transfers and stores such Client Personal Information within India.
2. Transfers Subject to the Argentina DP Laws, Colombia DP Laws, Peru DP Laws, or Uruguay DP Laws
In the event Pismo Processes Client Personal Information subject to Argentina DP Laws, Colombia DP Laws, Peru DP Laws, or Uruguay DP Laws, the Standard Contractual Clauses issued by Red Iberoamericana de Protección de Datos, which have been approved by Argentina’s Data Protection Authority through Resolution 198/2023, by Peru’s Data Protection Authority through Directorial Resolution N.° 0074-2022-JUS/DGTAIPD and Uruguay’s Data Protection Agency through Resolution N° 50/022 URCDP available in RIPD Web Page (the “RIPD Standard Contractual Clauses”) shall apply as follows:
- Controller to Processor Clauses shall apply for Transfers from the Client (as Personal Data Exporter) to Pismo (as Personal Data Importer).
- In relation to any subsequent Transfers by Pismo, the Processor to Processor Clauses shall apply between Pismo (as Personal Data Exporter) and any Sub-Processor (as Personal Data Importer).
- Clause 5 (Docking clause) from RIPD SCC will apply.
- Clause 7.1. Sub-processor authorization from the RIPD Standard Contractual Clauses applicable from Controller to Processor is replaced by section 8. Engaging with Sub-Processors and the provisions in Schedule 2.
- Clause 9. Redress of the RIPD Standard Contractual Clauses from Controller to Processor shall be read as follows “a. The Data Importer shall inform the Data Subjects, in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorized to handle complaints, which shall handle complaints received from the Data Subjects as quickly as possible”.
- Parties shall be the Personal Data Exporter and Personal Data Importer described in this Section 10.2 (a) or 10.2 (b) above as applicable; Appendix 2 – Description of the Transferred Personal Data shall be as set out in Schedule 3 – Details of Processing; and Appendix 3 – Security Measures shall be the security measures set out in Schedule 5.
3. Transfers Subject to the Brazilian DP Laws
In the event there is a transfer of Personal Information from the Client (as Personal Data Exporter, located in Brazil) to Pismo (as Personal Data Importer, located abroad), the Standard Contractual Clauses approved by the Brazilian Data Protection Authority (ANPD) through Resolution CD/ANPD No. 19 of 23 August 2024 (the “Brazilian Standard Contractual Clauses”) shall apply as available in RESOLUÇÃO CD/ANPD Nº 19, DE 23 DE AGOSTO DE 2024 – DOU – Imprensa Nacional. In the event of any conflict or inconsistency between this DPA and the Brazilian Standard Contractual Clauses incorporated herein, the terms in the Brazilian Standard Contractual Clauses shall prevail.
4. Staff
Pismo shall ensure that persons authorised to Process Client Personal Information are under an appropriate obligation of confidentiality in accordance with applicable laws or regulations governing the same.
Security of Processing
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk to the rights and freedoms of natural persons, Pismo will implement and maintain technical and organizational measures to ensure a level of security appropriate to that risk. In assessing the appropriate level of security, Pismo shall, in particular, take into account the sensitivity of the Personal Information and the risks that are presented by the Processing, in particular from unauthorized or unlawful Processing, accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Client Personal Information transmitted, stored or otherwise Processed. Pismo shall provide reasonable assistance to Client in ensuring Client meets its own compliance obligations with respect to these same security measures.
Security Incident
- In the event of a Security Incident affecting Client Personal Information contained in Pismo’s systems, Pismo shall (i) investigate the circumstances, extent and causes of the Security Incident and report the results to Client and continue to keep Client informed on a regular basis of the progress of Pismo’s investigation until the issue has been effectively resolved; and (ii) cooperate with Client in any legally required notification by Client to affected Data Subjects.
- Pismo shall notify Client without undue delay upon Pismo or any Sub-Processor becoming aware of a Security Incident affecting Client Personal Information, providing the Client with sufficient information and reasonable assistance to allow Client to meet its obligations under Data Protection Laws to: (i) notify a Supervisory Authority (as defined under Data Protection Laws) of the Security Incident; and (ii) communicate the Security Incident to the relevant Data Subjects.
- To the extent that a Security Incident was caused by Client (including its officers, employees, agents, business partners, representatives and/or vendors) or its customers, Client shall be responsible for the costs arising from Pismo’s provision of assistance under this Section 12.
Deletion and Retention
Pismo shall delete all Client Personal Information upon termination of the Agreement and delete existing copies unless and to the extent storage is required or permitted by applicable law or regulation.
Client Responsibility as Controller
With respect to the Client’s role as a data controller in respect of the Services, it must do all of the following:
- ensure that it complies fully with all Data Protection Laws and regulations with regard to Client Personal Information that it collects, stores, transfers, or otherwise Processes;
- ensure that it executes all regulatory registrations, notifications, submissions, reviews and/or any other action required under all Data Protection Laws to enable the Client to receive the Services and for Pismo to provide the Services in accordance with the Agreement;
- in the event there are data localization or local storage requirements under any Data Protection Laws, the Client shall be responsible for taking all steps necessary to comply with such requirements;
- provide appropriate prior information to the Data Subjects about the intended Processing of Client Personal Information by the Client and Pismo, including as set out in Section 4 and 19;
- provide accurate data regarding the relevant Data Subjects to Pismo, including informing Pismo when Client Personal Information must be corrected, updated, blocked, deindexed or deleted;
- ensure that it has a lawful basis, including the obtention of the Data Subject’s express, prior and informed consent, when required under Data Protection Laws, for the processing of any Client Personal Information, including processing of any Client Personal Information by Pismo; and
- notify Pismo, following contact from any given regulatory authority in relation to data Processed by Pismo, unless applicable laws or regulations prohibit such notification.
C. MISCELLANEOUS
In accordance with the terms of the Agreement, Pismo will allow the Client to take appropriate steps to ensure Pismo Processes Client Personal Information in accordance with the Agreement and Data Protection Law. The terms of this DPA shall apply only to the extent required by Data Protection Laws. To the extent not inconsistent herewith, the applicable provisions of the Agreement (including without limitation, indemnifications, limitations of liability, enforcement, and interpretation) shall apply to this DPA. In the event of any conflict between this DPA and the terms of the Agreement, the terms of this DPA shall control solely with respect to data processing terms where required by Data Protection Laws, and, in all other respects, the terms of the Agreement shall control. Notwithstanding any term or condition of this DPA, this DPA does not apply to any data or information that is not regulated under Data Protection Laws. This includes Personal Information that has been aggregated or de-identified in accordance with Data Protection Laws. Additionally, this DPA does not apply to the extent that Pismo and the Client have entered separate data processing terms that address the subject matter hereof. The Client agrees that Pismo may, without the need to obtain any further consent or notify the Client, use, distribute, transfer or sublicence any aggregated and anonymized forms of data provided under this Agreement, as may be permitted or required under Data Protection Laws. 
Notwithstanding the foregoing, the Client acknowledges that in some jurisdictions Pismo may perform certain processing activities on Personal Information in Pismo’s capacity as an independent controller for the purposes of billing, internal and external accounting and auditing, detecting or preventing financial crime (including anti money laundering or know your client checks), fraud prevention, authentication, security, managing risk, bringing or defending legal or arbitral proceedings and/or other forms of dispute resolution, responding to regulatory or law enforcement requests, complying with legal obligations, developing and testing and marketing products and services, generating de-identified, anonymized, or aggregated datasets, data modelling, analytics, business intelligence and insights supporting loyalty and benefit programs, including by checking eligibility or qualifying transactions, segmentation.
SCHEDULE 1 – U.S. STATE LAW PRIVACY COMPLIANCE
This Schedule applies in addition to any terms set forth in the body of the DPA (and is incorporated therein) when the California Consumer Privacy Act of 2018 and its implementing regulations, as amended or superseded from time to time (California Civil Code §§ 1798.100 to 1798.199) (collectively, the “CCPA”) or similar state laws (“U.S. State Privacy Laws”) apply to Client’s use of the Services.
1. APPLICATION
1.1 This Schedule is applicable solely to the extent that any Client Personal Information Processed by Pismo while performing the Services is subject to applicable U.S. State Privacy Laws. Nothing in this Schedule indicates acknowledgement by either party that it is subject to the applicable U.S. State Privacy Laws for any purpose, including the provision of Services, nor does anything in this Schedule waive either party’s right to object to application of the U.S. State Privacy Laws. Notwithstanding anything else to the contrary, the Parties agree that this Schedule does not apply to any information that is collected, processed, or sold or disclosed by the Parties subject to the Gramm Leach Bliley Act (“GLBA”).
1.2 Capitalized terms used but not defined in this Schedule shall have the meaning assigned to such terms in the Agreement, the DPA, or, if not defined therein, in the applicable U.S. State Privacy Laws. In the event of a conflict between this Schedule and the Agreement, this Schedule will control, to the extent necessary to ensure compliance with U.S. State Privacy Laws. The foregoing recitals are hereby incorporated by reference into this Schedule.
2. DATA PRIVACY ROLES AND OBLIGATIONS
2.1 For purposes of this Schedule, the Parties acknowledge that, with respect to Client Personal Information Pismo processes on behalf of Client under the Agreement that is not processed pursuant to GLBA (a) Client acts as a Business and Pismo acts as a Service Provider as those terms are defined under the CCPA; and (b) Client acts as a Controller and Pismo acts as a Processor within the meanings provided by other applicable U.S. State Privacy Laws.
2.2 For the avoidance of doubt, Pismo is not acting as a Third Party, nor is Pismo providing Cross-Contextual Behavioral Advertising under this Schedule.
2.3 Each party shall comply with its obligations under the applicable U.S. State Privacy Laws in respect of any Client Personal Information Processed under this Schedule. Client specifically acknowledges and agrees that its use of the Services will not violate the rights of any Consumer, including those that have opted-out from sales or other disclosures of Client Personal Information, to the extent applicable under the U.S. State Privacy Laws.
3. PISMO OBLIGATIONS
3.1 In its role as a Service Provider or Processor, Pismo:
- Will protect and secure Client Personal Information in accordance with the applicable U.S. State Privacy Laws, including by providing the same level of privacy protection as is required by the CCPA or other applicable U.S. State Privacy Laws;
- Will Process Client Personal Information only for the specific business purposes set forth in the Processing Instructions, the Agreement and/or Schedule 3;
- Except as permitted by the applicable U.S. State Privacy Laws, will not sell or share Client Personal Information or retain, use, or disclose Client Personal Information (i) for any purpose other than as necessary to fulfill the business purposes set forth in the Agreement and/or Schedule 3, including retaining, using, or disclosing Client Personal Information for a commercial purpose other than the business purpose set forth in the Agreement and/or Schedule 3; or (ii) outside of the direct business relationship between Pismo and Client;
- Will not combine the Client Personal Information with Personal Information that it receives from or on behalf of any other person(s) or entity(ies), or collects from its own interaction with an individual, except as otherwise permitted by U.S. State Privacy Laws;
- Will implement reasonable security procedures and practices, appropriate to the nature of the Client Personal Information, to protect the Personal Information from unauthorized or illegal access, destruction, use, modification, or disclosure;
- Will immediately notify Client of any material changes in Pismo’s ability to meet its obligations under the applicable U.S. State Privacy Laws, including but not limited to any determination that Pismo can no longer meet its obligations under this Schedule;
- Will ensure that Pismo personnel involved in the Processing of Client Personal Information are subject to a duty of confidentiality and ensure that Pismo’s agreement with any sub-processors used to Process Client Personal Information complies with applicable U.S. State Privacy Laws, including, without limitation, the contractual requirements for Service Providers and Contractors;
- Will provide reasonable cooperation to Client, upon request, to enable Client to comply with consumer requests made pursuant to the applicable U.S. State Privacy Laws;
- Will provide reasonable information necessary for Client to conduct and document data protection assessments;
- Grants Client the right to take reasonable and appropriate steps in accordance with the Agreement to ensure that Pismo uses Client Personal Information in a manner consistent with Client’s obligations under the applicable U.S. State Privacy Laws;
- Grants Client the right, upon notice, and in accordance with the Agreement to take reasonable and appropriate steps to stop and remediate Pismo’s unauthorized use of Client Personal Information; and
- Will delete Client Personal Information of the Client at the end of the provision of Services under the Agreement, unless retention of the Client Personal Information is required or authorized under the Agreement or U.S. State Privacy Laws.
- To retain and employ another Service Provider or Contractor as a subcontractor in accordance with Section 3.1(g) of this Schedule and any other applicable terms of the Agreement where the subcontractor meets the requirements for a Service Provider or Contractor or similar term under applicable U.S. State Privacy Laws;
- For its internal use to build or improve the quality of the Services, provided that Pismo does not use the Client Personal Information to perform services on behalf of another person;
- To prevent, detect, or investigate data security incidents or protect against malicious, deceptive, fraudulent or illegal activity;
- For the purposes enumerated in California Civil Code § 1798.145(a)(1) through §1798.145(a)(7); and/or
- For any other purpose expressly contemplated or permitted by U.S. State Privacy Laws or other Applicable Data Protection Law.
SCHEDULE 2 – GENERAL DATA PROTECTION REGULATION
This GDPR Schedule applies in addition to any terms set forth in the body of the DPA (and is incorporated therein) when the GDPR applies to Client’s use of the Service or to the extent Data Protection Laws imposes a comparable requirement outlined under Schedule 2. Capitalised terms not defined herein have the meaning assigned to them under the DPA. To the extent there are any conflicts between this GDPR Schedule and the DPA, this GDPR Schedule shall prevail. In accordance with Section 3 of this DPA and for the purposes of this Schedule 2, the term “Processor” means Pismo.1. ADDITIONAL PROCESSOR OBLIGATIONS
1.1 Processing of Client Personal Information. Processor shall Process Client Personal Information pursuant only to documented reasonable instructions from Client (including the Processing Instructions set out in Section 4, with respect to Transfers of Client Personal Information to a third country, if applicable) unless Processor is required to otherwise Process Client Personal Information by Data Protection Laws. In such circumstances, Processor shall inform Client of that legal requirement before Processing, unless prohibited from doing so by applicable law, on important grounds of public interest.2. USE OF SUB-PROCESSOR
2.1 Processor will not engage any Sub-Processor without the specific or general written authorisation from Client. In accordance with this section 1.2 of this GDPR Schedule, Client provides authorisation for Processor to engage with the Sub-Processors detailed in the Processor’s Sub-Processor list as updated from time to time and made available to the Client through Pismo online portal. 2.2 Where Processor engages a Sub-Processor, Processor shall ensure that the Client is notified of that engagement. Processor shall provide Client a reasonable timeframe to object to the engagement of that Sub-Processor and the Client agrees and hereby consents for Processor to engage the relevant Sub-Processor where the Client fails to raise objections within the applicable timeframe. If the Client objects to the engagement of a Sub-Processor within the applicable timeframe, Processor may choose one of the following: (i) decide not to use the Sub-Processor for that processing activity; (ii) take the corrective steps requested by the Client in its object (which remove the Client’s objection) and proceed to use the Sub-Processor; or (iii) suspend or terminate the provision of the services that require the use of the Sub-Processor.3. DATA PROTECTION IMPACT ASSESSMENTS AND PRIOR CONSULTATION WITH REGULATOR
3.1 Processor shall immediately inform Client if, in Processor’s opinion, Client’s Processing Instructions would be in breach of Data Protection Laws. Client agrees that Processor shall be under no obligation to take actions designed to form any such opinion.
3.2 Processor shall provide reasonable assistance to Client with any legally required: (a) data protection impact assessments; and (b) prior consultations initiated by the Client with its regulator in connection with such data protection impact assessments. Such assistance shall be strictly limited to the Processing of Client Personal Information by Processor on behalf of Client under the Agreement taking into account the nature of the Processing and information available to Processor.
4. DEMONSTRATING COMPLIANCE WITH THIS DPA
4.1 Processor shall make available to Client information necessary to demonstrate compliance with its obligations under this DPA and allow for (and contribute to) audits, including inspections conducted by Client or another auditor under the instruction of the Client for the same purposes of demonstrating compliance with the obligations set out in this DPA provided that:
- the Client gives Processor reasonable notice in advance of any audit (where permitted by laws or regulations);
- the audit is carried out in a manner that causes the minimum possible disruption to Processor’s business (including with respect to the length of the audit and the number and seniority of Processor personnel required to assist with the audit); and
- the Client and its third party auditor are subject to applicable Processor policies and confidentiality obligations.
SCHEDULE 3 – DETAILS OF PROCESSING
| Service | Nature & Purpose of Processing | Types of Personal Information | Categories of Data Subjects |
|---|---|---|---|
| Core Banking | A set of Pismo services (accessible through APIs) that can manage various internal and third-party/partner functions to enable Pismo’s bank and fintech clients to offer financial products to their customers, including banking management, Interest Bearing Accounts and Time Deposits, Bill Payments, Instant Payments, and Regulatory Reports. | Telephone Number; Document number; Transaction; date/time/location/amount; CNPJ – entity register; Invoice number; Invoice series; Access key; Authorization; Email Address; Mailing Address; Mobile Number; Telephone Number; Name; Device identifiers; IP address; Server / activity logs; Billing & shipping information; Card expiration date; Merchant information; PIN verification data and CVV; Payment account number (PAN); Payment account reference (PAR) token; Transaction; date/time/location/amount | Client’s customers, including consumers, cardholders, and merchants. |
| Card Issuing Processor | The card issuing capabilities of the Pismo platform can also facilitate the smooth and secure processing of electronic payment transactions among fintechs, banks, merchants, financial institutions, etc. The platform can enable clients to manage the complex processes involved in authorization, clearing, and settlement of transactions. | | Client’s customers, including consumers, cardholders, and merchants. |
| Transaction Banking | Pismo Transaction Banking is born-in-the-cloud, cloud-native, API based core banking platform that provides key capabilities for transaction banking and payment processing. The key services provided by Pismo include Hierarchical Structure to support Organizational Hierarchies, Complete Account Lifecycle Management, Earmark Handling, Dormancy Management, among others | | Client’s customers, including consumers, cardholders, and merchants. |
| Seller Management Platform | It comprises services (through APIs) for managing sellers/merchants, from their registration to financial aspects such as payment scheduling and settlement. | | Client’s customers, including consumers, cardholders, and merchants. |
| Loan Management Platform | A tech feature designed to help lenders (i.e. banks, building societies, credit unions, cooperatives, or non-banking finance companies) automate and render highly scalable loans management and servicing capabilities for their lending back-office operations. | | Client’s customers, including consumers, cardholders, and merchants. |
SCHEDULE 4 – SUB PROCESSOR LIST
| Company | Functions Performed | Location | Applicable Service |
|---|---|---|---|
| Amazon Web Services | Data hosting, data security, and resilience. | United States | All Pismo Services |