Version: 1.2
Last updated: 22 December, 2025
This Data Processing Agreement (“DPA”) forms part of and is incorporated by reference into the Paymid Master Terms of Use and any applicable Order Form entered into between the parties.
1. Roles of the Parties
1.1 The Client acts as the Controller of Personal Data.
1.2 Paymid Limited acts as the Processor of Personal Data on behalf of the Client.
1.3 Nothing in this DPA shall be construed as creating a joint-controller relationship unless expressly agreed in writing.
2. Scope and Purpose of Processing
2.1 Paymid shall process Personal Data solely for the purpose of providing the Services as described in the Master Terms of Use and Order Form.
2.2 Processing activities may include collection, recording, organisation, structuring, storage, consultation, use, transmission, and deletion of Personal Data, as necessary to perform the Services.
2.3 Paymid shall not process Personal Data for its own purposes outside the scope of the Services.
3. Controller Instructions
3.1 Paymid shall process Personal Data only on documented instructions from the Client, including those set out in the Agreement, unless required to do otherwise by applicable law.
3.2 Where Paymid is required by law to process Personal Data outside the Client’s instructions, Paymid shall inform the Client of such legal requirement unless prohibited by law.
4. Confidentiality
4.1 Paymid shall ensure that all persons authorised to process Personal Data are subject to confidentiality obligations, whether by contract or statutory duty.
4.2 Access to Personal Data shall be limited to personnel who require such access for the performance of the Services.
5. Security Measures
5.1 Paymid shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, costs of implementation, and the nature of the processing.
5.2 Such measures may include, as appropriate:
- access controls and authentication mechanisms;
- encryption or tokenisation where applicable;
- logging and monitoring of system access;
- incident detection and response procedures;
- secure development and change-management practices.
5.3 Paymid maintains PCI DSS Level 1 compliance for systems and environments within its scope of responsibility. PCI DSS compliance does not extend to the Client’s systems, which remain the Client’s responsibility under a shared responsibility model.
6. Subprocessors
6.1 The Client grants Paymid general authorisation to engage subprocessors for the provision of the Services.
6.2 Client-Selected Subprocessors. The Client acknowledges and agrees that the Services enable the Client to select and integrate with third-party payment service providers and related subprocessors made available through the Paymid platform. The selection, onboarding, and use of such subprocessors is determined solely by the Client, and Paymid does not recommend, endorse, or control the Client’s choice of subprocessors.
6.3 Subprocessor Obligations. Where Paymid engages third parties to process Personal Data solely for the purpose of providing the Paymid platform itself (and not Client-selected PSPs), Paymid shall ensure that such third parties are subject to data protection obligations materially equivalent to those set out in this DPA. For Client-selected subprocessors, the Client remains responsible for ensuring that appropriate contractual arrangements and compliance obligations are in place between the Client and such subprocessors, including with respect to data protection and international data transfers.
6.4 Paymid shall remain responsible for the performance of its subprocessors in accordance with this DPA.
7. Data Subject Rights
7.1 Taking into account the nature of the processing, Paymid shall provide reasonable assistance to the Client to enable the Client to respond to requests from data subjects to exercise their rights under applicable data protection law.
7.2 Paymid shall not respond directly to data subject requests unless legally required to do so.
8. Personal Data Breach Notification
8.1 Paymid shall notify the Client without undue delay and in any event within twenty-four (24) hours after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of the Client.
8.2 Such notification shall include available information reasonably required by the Client to meet its notification obligations.
9. Audits and Compliance
9.1 Paymid shall make available to the Client information reasonably necessary to demonstrate compliance with this DPA.
9.2 Audits may be conducted by the Client no more than once per year, upon reasonable prior notice, and subject to confidentiality, security, and non-disruption requirements.
9.3 Where appropriate, Paymid may satisfy audit requests through third-party certifications, audit reports, or compliance documentation.
10. International Data Transfers
10.1 Where Personal Data is transferred outside the EEA to a country not subject to an adequacy decision, such transfers shall be governed by the EU Standard Contractual Clauses (Module 2), which are incorporated by reference.
10.2 The governing law and jurisdiction for the SCCs shall be Cyprus, unless otherwise required by applicable law.
11. Data Return and Deletion
11.1 Upon termination of the Services, Paymid shall, at the Client’s choice, delete or return Personal Data within a reasonable period, unless retention is required by applicable law.
11.2 Any retained Personal Data shall remain subject to the confidentiality and security obligations set out in this DPA.
12. Liability
12.1 Liability arising out of this DPA shall be subject to the limitations of liability set out in the Master Terms of Use.
13. Precedence
13.1 In the event of a conflict between this DPA and the Master Terms of Use or Order Form, the Order Form shall prevail, followed by the Master Terms of Use, and then this DPA.
14. Governing Law
14.1 This DPA shall be governed by and construed in accordance with the laws of Cyprus, and the courts of Cyprus shall have exclusive jurisdiction.