Data Processing Addendum
Last updated: 2026-05-04
This Data Processing Addendum ("DPA") is incorporated into the Terms of Service between you ("Customer", the controller) and AI Payment Guard SAS ("Processor") and applies to processing of Personal Data on Customer's behalf.
1. Subject matter
We process Personal Data submitted to the Service by Customer's agents and users (e.g. emails, names, IP addresses, beneficiary identifiers). We do so solely to provide, secure and improve the Service in accordance with Customer's documented instructions.
2. Duration
We process Personal Data for as long as Customer maintains an account and per the retention windows of Customer's plan, plus a 30-day deletion grace period after termination.
3. Categories of data subjects
- Customer's authorized users (admins, approvers, viewers);
- Customer's autonomous agents (technical accounts);
- Beneficiaries identified in payment intents (only the data fields submitted by Customer).
4. Categories of personal data
- Identifiers: email, name, user ID, agent ID;
- Authentication: password hashes, 2FA secrets, recovery code hashes;
- Financial metadata: amounts, beneficiary names and account identifiers, memos, categories;
- Audit metadata: timestamps, IP addresses, decisions, hashes.
We do not process special categories of personal data.
5. Sub-processors
We engage the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| OVHcloud / Scaleway | Compute and database hosting | EU (FR) |
| Resend | Transactional email delivery | EU + US (SCCs in place) |
| Sentry | Error tracking | EU |
| Stripe | Subscription billing (paid plans) | EU + US (SCCs in place) |
We will notify Customer at least 30 days before adding or replacing a sub-processor and give Customer the opportunity to object on reasonable grounds.
6. Security measures
Encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access control, append-only audit logging, hardware MFA on production access, least-privilege IAM, annual third-party penetration testing, vulnerability scanning, automated patching, and incident response procedures with 72-hour notification commitment.
7. Confidentiality and personnel
Personnel are bound by written confidentiality obligations and trained on data protection annually. Production access is limited to engineers with a documented need and is logged.
8. International transfers
Where Personal Data is transferred outside the EEA, we rely on the EU Standard Contractual Clauses (SCCs) and equivalent safeguards. SCCs are incorporated by reference and prevail in case of conflict with this DPA.
9. Customer rights and audits
We assist Customer in responding to data subject requests and provide reasonable assistance with DPIAs. Customer may audit our compliance once per year on 30 days' notice, subject to confidentiality.
10. Breach notification
We notify Customer without undue delay and in any case within 72 hours of becoming aware of a personal data breach affecting Customer's data, including a description, the affected categories and number of records, likely consequences and the measures taken or proposed.
11. Return and deletion
Upon termination, Customer may export its data for 30 days. Thereafter, we delete or return Personal Data within 30 days, except as required by law or retained in encrypted backups for up to 30 additional days.
To countersign this DPA for your account, contact legal@payment-guard.example.