Data Processing Agreement

Last updated: 2026-04-28

This Data Processing Agreement ("DPA") forms an integral part of the Merchant Service Agreement between you (the "Merchant", acting as data controller for your customers' personal data) and ZyndPay (acting as data processor on your behalf). It applies whenever ZyndPay processes personal data of your customers in connection with the services you receive under the MSA.

1. Definitions

Terms in initial caps that are not defined here have the meaning given in the MSA or, where applicable, in the GDPR (Regulation (EU) 2016/679), the ECOWAS Supplementary Act on Personal Data Protection (A/SA.1/01/10), and the data protection laws of the merchant's jurisdiction (BCEAO Instructions, the Mauritius Data Protection Act 2017, etc.).

2. Subject matter and duration

ZyndPay processes personal data of the Merchant's end-customers strictly to provide the payment, payout, KYC/KYB, dispute, and audit services described in the MSA. Processing continues for the duration of the MSA and the additional retention periods required by Article 11 below.

3. Nature, scope, and purpose of processing

ZyndPay performs (a) collection at checkout / payout, (b) storage in encrypted databases (AES-256 at rest, TLS 1.2+ in transit), (c) transmission to authorised sub-processors solely to execute the service, (d) production of reports and audit trails, (e) deletion or return at the end of the retention window. ZyndPay does not use your customers' personal data for any purpose outside the MSA, and does not sell, rent, or share it with third parties for marketing.

4. Categories of personal data and data subjects

Data subjects:

  • The Merchant's end-customers (payers, payees)
  • The Merchant's authorised users (the dashboard operators you create)

Categories of data:

  • Identification: name, email, phone, locale
  • Payment: amount, currency, transaction reference, on-chain address
  • KYC/KYB (where applicable): identity document image, business registration, director details, ultimate beneficial owner declarations
  • Technical: IP address, user agent, device fingerprint, session ID
  • Audit: timestamps, action logs, hash-chained event records

We do not process special categories of personal data (Article 9 GDPR) unless they appear incidentally on a KYC document; in that case the data is retained only for the audit-retention window and is not used for any purpose other than verifying the document's authenticity.

5. Merchant instructions and lawful basis

ZyndPay processes personal data only on documented instructions from the Merchant, including the instructions implicit in the Merchant's use of the platform. Where ZyndPay is required by Union, Member-State, OHADA, or applicable West-African law to process data otherwise, ZyndPay will inform the Merchant before processing unless the law prohibits such notice on grounds of public interest.

6. Confidentiality

ZyndPay ensures that every person authorised to process personal data is bound by a written confidentiality obligation (employment contract, contractor NDA, or statutory duty), and that access is granted only on a need-to-know basis through role-based access control with two-factor authentication.

7. Security measures

Article 32 GDPR security obligations are implemented through:

  • Encryption at rest (AES-256) and in transit (TLS 1.2+)
  • Hash-chained immutable audit logs for state transitions and admin actions
  • Role-based access control with mandatory two-factor authentication for admin users
  • Segregation of production data from non-production environments
  • Quarterly access reviews and immediate de-provisioning on staff offboarding
  • Regular vulnerability scanning and dependency monitoring
  • Documented incident-response procedures with named on-call contacts

8. Sub-processors

ZyndPay engages the sub-processors listed at the URL communicated to the Merchant on request. Each sub-processor is bound by a written contract imposing data-protection obligations no less protective than this DPA. ZyndPay will give the Merchant 30 days' notice of any new sub-processor and of any replacement; the Merchant may object on reasonable data-protection grounds, in which case the parties will negotiate in good faith a workaround, failing which the Merchant may terminate the affected services.

9. Data subject rights

ZyndPay assists the Merchant in responding to requests from data subjects to exercise their rights of access, rectification, erasure, restriction, portability, and objection. Where a data subject contacts ZyndPay directly, ZyndPay will forward the request to the Merchant and will not respond on the Merchant's behalf except where required by law.

10. Personal data breaches

ZyndPay will notify the Merchant without undue delay (and in any event within 48 hours) of becoming aware of a personal data breach affecting the Merchant's data, providing all information reasonably required for the Merchant to comply with its own notification obligations under Articles 33–34 GDPR or equivalent local law.

11. Retention, return, and deletion

Transactional and KYC/KYB data is retained for the period required by applicable AML/CFT law — at minimum 5 years from the date of the transaction or the end of the business relationship, in accordance with FATF Recommendation 11, BCEAO Instruction 008-05-2015, and FIAMLA 2002. Audit-grade evidence (signed contracts, AML notes/evidence) is retained for 10 years.

On termination of the MSA, ZyndPay will, at the Merchant's choice, return or delete the personal data, subject to retention obligations imposed by mandatory law. Cryptographic destruction of encryption keys constitutes deletion for storage that uses immutable WORM media.

12. International transfers

Where ZyndPay or a sub-processor transfers personal data outside the data subject's jurisdiction, the transfer is covered by an adequacy decision, the ECOWAS Supplementary Act's Article 36 mechanisms, the EU Standard Contractual Clauses (modules appropriate to the transfer), or another lawful transfer tool. A copy of the executed transfer mechanism is available on the Merchant's request.

13. Audit rights

Once per twelve-month period (or more frequently if required by a competent supervisory authority or following a personal data breach), the Merchant may audit ZyndPay's compliance with this DPA. Audits will be conducted on reasonable notice during business hours, will not unduly disrupt operations, and the Merchant will bear its own costs. ZyndPay may satisfy this obligation by providing recent third-party assurance reports (SOC 2, ISO 27001) where available.

14. Liability

Each party's liability under this DPA is governed by the limitation-of-liability clause in the MSA. Nothing in this DPA limits a party's liability for fraud, wilful misconduct, or for matters where liability cannot lawfully be excluded.

15. Governing law and dispute resolution

This DPA is governed by the law identified in the MSA. Disputes are resolved per the MSA's dispute-resolution clause.

16. Changes to this DPA

ZyndPay may update this DPA to reflect changes in applicable law, the addition of features, or material changes in sub-processors. Material changes will be communicated to the Merchant at least 30 days before they take effect. Continued use of the platform after the effective date constitutes acceptance.

17. Contact

Questions about this DPA, exercise of your rights, or breach notifications should be sent to [email protected]. Our Data Protection Officer can be reached at the same address.

This DPA is a working document drafted to bridge the launch period; once we have a sworn legal review on file we will publish the definitive version. Until then, the terms above govern processing of your customers' personal data on the platform.
