SeamlessPay Data Processing Addendum (DPA)

This document was last updated on February 20th, 2026

This Data Processing Addendum (“DPA”) forms part of the SeamlessPay Services Agreement (“Agreement”) between Seamless Payments, Inc. (“SeamlessPay,” “Processor,” “we,” “us,” or “our”) and the entity using the Services (“Merchant,” “Controller,” “Customer,” “you,” or “your”).

This DPA governs the processing of Personal Data by SeamlessPay on behalf of Merchant in connection with the Services.

To the extent of any conflict, this DPA governs matters relating specifically to Personal Data processing, while all liability limitations, indemnities, and risk allocations in the Services Agreement remain fully applicable.

1. Roles of the Parties and Scope of Processing

Merchant acts as Data Controller or Business with respect to Personal Data processed through the Services. SeamlessPay acts as Data Processor or Service Provider, processing Personal Data solely to:

• Provide payment orchestration, authentication, tokenization, fraud prevention, and related Services;
• Maintain system security and integrity;
• Prevent fraud, abuse, or unauthorized transactions;
• Comply with legal and regulatory obligations;
• Support operational analytics and platform stability.


SeamlessPay does not independently determine the purposes or means of Merchant customer data processing except where required by law or necessary to protect system security.

Merchant remains solely responsible for:

• Lawful collection of Personal Data;
• Providing required notices to data subjects;
• Obtaining necessary consents;
• Compliance with applicable Data Protection Laws.

2. Compliance With Data Protection Laws

Each party agrees to comply with applicable Data Protection Laws, including GDPR, UK GDPR, CCPA/CPRA, PSD2/SCA-related requirements, AML obligations where applicable, and similar global regulations.

Merchant acknowledges that SeamlessPay operates as a technology infrastructure provider and not as a Financial Institution, merchant of record, or regulated payment institution unless expressly agreed in writing.

Nothing in this DPA guarantees Merchant regulatory compliance outcomes.

3. Processing Instructions

SeamlessPay processes Personal Data:

• On documented instructions from Merchant;
• As necessary to provide the Services;
• As required by applicable law;
• As necessary to maintain security, fraud prevention, and system integrity.


Where legal obligations conflict with Merchant instructions, SeamlessPay may process data as required by law without liability.

4. Confidentiality and Personnel Controls

SeamlessPay ensures personnel authorized to process Personal Data:

• Are bound by confidentiality obligations;
• Receive appropriate security awareness training;
• Have access limited to operational necessity.


SeamlessPay may rely on contractors, affiliates, and vendors subject to comparable confidentiality obligations.

5. Security Measures and Shared Responsibility

SeamlessPay implements commercially reasonable administrative, technical, and organizational safeguards appropriate to the nature of payment infrastructure services, which may include:

• Encryption in transit and at rest where appropriate;
• Access controls and authentication protections;
• System monitoring and anomaly detection;
• Vendor risk management procedures;
• Security incident response procedures.


However:

• Absolute security cannot be guaranteed;
• Payment ecosystems involve third-party dependencies;
• Merchant Environment security remains Merchant responsibility.


SeamlessPay shall not be liable for Security Incidents originating in:

• Merchant systems or integrations;
• Credential misuse or compromise;
• Third-party financial institutions or Payment Networks;
• Infrastructure providers outside SeamlessPay control.

6. Subprocessors

SeamlessPay may engage Subprocessors to support the Services, including:

• Cloud hosting providers;
• Authentication vendors;
• Fraud detection vendors;
• Payment infrastructure partners;
• Analytics and operational support providers.


SeamlessPay:

• Maintains commercially reasonable due diligence for Subprocessors;
• Requires appropriate data protection commitments;
• Remains responsible for Subprocessor compliance with this DPA.


Merchant acknowledges that Subprocessors are essential to modern payment infrastructure and consents to their use.

7. International Data Transfers

Personal Data may be processed globally where required for payment orchestration, authentication, fraud prevention, or infrastructure reliability.

Where required, transfers rely on:

• Standard Contractual Clauses;
• UK International Data Transfer Addendum;
• Other lawful safeguards.


Merchant acknowledges that cross-border processing is inherent to global payments infrastructure.

8. Data Subject Rights Assistance

SeamlessPay will reasonably assist Merchant in responding to data subject requests where:

• The request relates to data processed by SeamlessPay;
• Merchant cannot reasonably fulfill the request independently.


Merchant remains responsible for primary responses to data subjects.

9. Security Incident Notification

Upon becoming aware of a confirmed Security Incident affecting Personal Data processed on Merchant’s behalf, SeamlessPay will notify Merchant without undue delay, taking into account:

• Verification of incident scope;
• Legal or regulatory constraints;
• Security considerations.


Notification does not constitute admission of fault or liability.

SeamlessPay shall not be responsible for:

• Incidents originating outside its controlled environment;
• Notification obligations imposed on Merchant by law;
• Customer remediation costs unless required by law.

10. Data Retention, Deletion, and Return

Upon termination of Services, SeamlessPay may delete or return Personal Data, subject to:

• Legal retention obligations;
• Security requirements;
• Backup system limitations;
• Fraud prevention needs.


Complete immediate deletion may not always be technically feasible.

11. Audit and Information Rights

Where required by law, SeamlessPay will provide reasonable information demonstrating compliance with this DPA, subject to:

• Confidentiality obligations;
• Security safeguards;
• Protection of proprietary information.


On-site audits are not permitted unless legally required.

12. Liability Allocation

Liability relating to Personal Data processing remains governed by the Services Agreement. Nothing in this DPA:

• Expands SeamlessPay liability;
• Creates new indemnification obligations beyond the Agreement;
• Overrides agreed limitation-of-liability provisions.


This allocation reflects the shared responsibility model of payment infrastructure.

13. Regulatory Cooperation

SeamlessPay may cooperate with regulators, Payment Networks, or Financial Institutions where required by law or network rules. Such cooperation may include disclosure of relevant information without prior notice where legally required.

14. Survival

This DPA remains in effect for as long as SeamlessPay processes Personal Data on Merchant’s behalf and survives termination of the Services Agreement to the extent required by Data Protection Laws.