Data Processing Addendum (DPA)
Effective date: August 9, 2025
This Data Processing Addendum ("DPA") forms part of the agreement between the customer ("Customer") and Payhouse Technologies, Inc., doing business as TAAARS! ("Processor" or "TAAARS!") governing Customer’s use of the services (the "Agreement"). This DPA reflects the parties’ agreement with respect to the processing of Personal Data by TAAARS! on behalf of Customer under applicable data protection laws, including the GDPR, UK GDPR, PIPEDA, and Quebec Law 25.
1. Definitions
- Controller/Processor: As defined by applicable Data Protection Laws. For the purposes of this DPA, Customer is the Controller and TAAARS! is the Processor (or Service Provider under CCPA/CPRA).
- Personal Data: Any information relating to an identified or identifiable natural person processed under the Agreement.
- Data Protection Laws: All laws and regulations applicable to the processing of Personal Data, including GDPR, UK GDPR, PIPEDA, Quebec Law 25, and CCPA/CPRA where applicable.
- Sub‑processor: Any third party engaged by TAAARS! to process Personal Data on behalf of Customer.
2. Scope and Roles
TAAARS! will process Personal Data as a Processor solely for the purposes of providing the Services in accordance with Customer’s documented instructions, the Agreement, and this DPA.
3. Customer Instructions
TAAARS! will process Personal Data only on Customer’s documented instructions. The Agreement, this DPA, and Customer’s configuration and usage of the Services are Customer’s instructions.
4. Confidentiality
TAAARS! will ensure persons authorized to process Personal Data are bound by confidentiality obligations.
5. Security
TAAARS! will implement appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the nature of processing and the risks. A description of key measures may be provided upon request.
6. Sub‑processors
Customer authorizes TAAARS! to engage Sub‑processors to support the Services. TAAARS! will impose data protection obligations on Sub‑processors and remain responsible for their performance. TAAARS! will provide notice of new Sub‑processors and allow Customer to object on reasonable grounds.
7. Assistance
Taking into account the nature of the processing, TAAARS! will assist Customer, insofar as possible, with responding to data subject requests and with compliance with security, breach notification, data protection impact assessments, and consultation obligations under Data Protection Laws.
8. Incident Notification
TAAARS! will notify Customer without undue delay after becoming aware of a Personal Data breach involving Customer Data and provide information reasonably required for Customer to meet its obligations.
9. Data Deletion and Return
Upon termination or expiry of the Services, TAAARS! will delete or return Personal Data, unless retention is required by law. If deletion is infeasible, TAAARS! will protect the data and isolate it from further processing.
10. Records and Audits
TAAARS! will maintain records of processing and, upon reasonable request, make available information necessary to demonstrate compliance, including by allowing audits conducted by Customer or an independent auditor (subject to reasonable notice, confidentiality, and frequency limits).
11. International Transfers
Where Personal Data is transferred internationally, TAAARS! will ensure appropriate safeguards are in place, including the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and the UK International Data Transfer Addendum, as applicable, and conduct transfer assessments where required (including under Quebec Law 25).
12. CCPA/CPRA Service Provider Terms
For California Personal Information, TAAARS! will act as a Service Provider and will not sell or share Personal Information, will process only to provide the Services, will not combine Personal Information across customers except as permitted, and will assist Customer in responding to verifiable consumer requests.
13. Liability
Liability is governed by the Agreement. Nothing in this DPA expands either party’s liability beyond that set forth in the Agreement.
14. Order of Precedence
If there is a conflict between this DPA and the Agreement, this DPA controls to the extent of the conflict regarding data protection obligations.
Annex I – Subject Matter and Details of Processing
- Subject matter: Provision of the Services.
- Duration: Term of the Agreement.
- Nature and purpose: Hosting, storage, transmission, and other processing necessary to provide the Services.
- Types of Personal Data: As determined by Customer (e.g., contact info, usage data).
- Categories of data subjects: Customer’s end users, employees, contractors, and other individuals whose data Customer submits to the Services.
Annex II – Technical and Organizational Measures
- Access controls, encryption in transit, vulnerability management, logging/monitoring, backups and disaster recovery, employee security training, and incident response procedures.
Annex III – Sub‑processors
- TAAARS! will maintain a current list of Sub‑processors upon request or via published notice.