Data Processing Addendum (DPA)

Last updated: April 15, 2026

Draft for legal review

This addendum is a placeholder template. It is not legal advice. Have qualified counsel review and adapt it for your jurisdiction, customers, and data flows before you rely on it or present it to third parties.

Parties

This Data Processing Addendum ("DPA") is between you ("Customer") and EasyPayRequest (the party operating easypayrequest.com) ("Processor"). Where Customer acts as a controller (or similar role under applicable law) and Processor processes personal data on Customer's instructions in connection with the service, this DPA supplements the applicable agreement and our Privacy Policy.

[Legal review] Insert the correct legal name and address of the Processor entity that contracts with the Customer, and any registration details your counsel requires.

Subject matter and duration

Subject matter: Processing of personal data as needed to provide the EasyPayRequest service described in your agreement with us.

Duration: For the term of the service agreement, unless applicable law or the agreement requires otherwise.

Nature and purpose of processing

Processor processes personal data to operate, secure, and improve the service; provide support; send transactional communications related to the service; and comply with law where Processor is directly obligated. The exact features you use (for example, invoicing, email delivery, or payment integrations) determine what data is processed.

Type of personal data and categories of data subjects

Types of data may include account and contact details you provide, invoice and billing-related data you enter, and technical or usage data generated through use of the service. Data subjects may include you, your authorized users, and third parties whose information you choose to include (for example, your clients).

[Legal review] Align this section with your product, integrations, and actual data categories.

Customer instructions

Customer instructs Processor to process personal data as described in this DPA and the agreement, and as further documented in the ordinary use of the service. Customer is responsible for the lawfulness of instructions and for obtaining any rights, notices, or consents needed for its use of the service.

Processor obligations

Processor will:

  • Process personal data only on documented instructions from Customer, unless required by applicable law.
  • Ensure that persons authorized to process personal data are bound by appropriate confidentiality obligations.
  • Implement appropriate technical and organizational measures designed to protect personal data, taking into account the state of the art, cost, and risks.
  • Assist Customer, where reasonable and proportionate, with responding to requests from individuals exercising rights in relation to their data, subject to the agreement.
  • At Customer's direction and subject to the agreement, delete or return personal data when no longer needed for the purposes described, unless retention is required by law.

Specific security practices and sub-processors are described at a high level in our Privacy Policy. [Legal review] Add annexes (security measures, transfer mechanisms, sub-processors) as your counsel advises.

Sub-processors

Customer authorizes Processor to engage sub-processors to support the service. Processor will impose data-protection terms on sub-processors that are materially consistent with Processor's obligations under this DPA, to the extent practicable. Processor may make sub-processor changes; where the agreement or applicable law requires notice or an opportunity to object, those terms control.

International transfers

Personal data may be processed in countries where we or our sub-processors operate. Where cross-border transfers are restricted by law, Processor will use appropriate safeguards (for example, standard contractual clauses or other mechanisms) only where required and as determined with legal counsel.

[Legal review] Specify transfer mechanisms, locations, and any required exhibits or assessments.

Audits and information

On reasonable request, Processor will provide information reasonably necessary to demonstrate compliance with this DPA. Where audits are permitted under the agreement, they will be conducted during business hours, with reasonable notice, and may be satisfied by third-party certifications or reports where appropriate.

Conflict

If this DPA conflicts with the main agreement, the terms that provide stronger protection for personal data will prevail to the extent required by applicable law; otherwise the agreement governs.

Contact

For privacy and data-protection inquiries, contact support@easypayrequest.com.