Data Processing Agreement
Effective date: January 1, 2026 · Last updated: June 1, 2026
This Data Processing Agreement ("DPA") forms part of the Merchant Terms of Service between SecondSwype Inc. ("Processor") and the Merchant ("Controller") and governs the processing of personal data by SecondSwype on behalf of Merchant.
1. Definitions
- Personal Data: any information relating to an identified or identifiable natural person processed in connection with the Service.
- Processing: any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- Sub-processor: any third party engaged by SecondSwype to process Personal Data on behalf of Merchant.
- Applicable Data Protection Law: GDPR, CCPA, and other applicable privacy regulations.
2. Scope and Nature of Processing
SecondSwype processes tokenized transaction signals, device metadata, and BIN-level patterns solely to provide payment recovery routing decisions. No raw cardholder data (PAN, CVV, expiry) is processed by SecondSwype — tokenization occurs at the point of capture via VGS Vault before data reaches our systems.
3. Processor Obligations
SecondSwype shall:
- Process Personal Data only on documented instructions from Merchant.
- Ensure persons authorized to process Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organizational security measures.
- Assist Merchant in responding to data subject requests within applicable legal timeframes.
- Delete or return Personal Data upon termination of the Service, at Merchant's election.
4. Sub-processors
Merchant authorizes SecondSwype to engage the following sub-processors:
- Very Good Security (VGS) — tokenization vault and data isolation
- Amazon Web Services (AWS) — cloud infrastructure and data storage
- Stripe / NMI — payment network routing (receives tokens only)
SecondSwype will notify Merchant of any intended changes to sub-processors with reasonable advance notice, providing Merchant an opportunity to object.
5. Data Subject Rights
SecondSwype will assist Merchant in fulfilling data subject requests (access, rectification, erasure, portability) within 5 business days of receiving a request. Where SecondSwype cannot fulfil a request, it will notify Merchant promptly.
6. Security Measures
- TLS 1.2+ encryption for all data in transit
- AES-256 encryption for data at rest
- Role-based access controls and least-privilege principles
- Annual penetration testing by independent third parties
- SOC 2 Type II audit program (in progress)
7. Breach Notification
SecondSwype will notify Merchant without undue delay, and in no case later than 72 hours, after becoming aware of a Personal Data breach affecting Merchant's data. Notification will include the nature of the breach, categories of data affected, and remediation steps taken.
8. International Transfers
Personal Data is processed in the United States. Where Merchant is subject to GDPR, transfers are covered by Standard Contractual Clauses (SCCs) as adopted by the European Commission. Contact privacy@secondswype.com to execute SCCs.