Bayarcash

Data Processing Agreement (DPA)

Version: 1.0
Effective Date: [Date]
Approved By: Compliance & Risk Committee
Next Review Date: [Date]

Between

(1) [Client Name] (“Controller”)

and

(2) Bayarcash [Full Legal Entity Name], with principal office at [Address] (“Processor”)

Each referred to individually as a “Party” and collectively as the “Parties.”

1. Purpose

This Data Processing Agreement (“Agreement”) sets out the terms under which Bayarcash (“Processor”) will process personal data on behalf of the Client (“Controller”) in connection with the services provided under the Main Service Agreement (“Principal Agreement”).

2. Definitions

For the purposes of this Agreement:

  • “Personal Data” means any information relating to an identified or identifiable natural person.
  • “Processing” means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
  • “Data Controller” means the entity that determines the purposes and means of Processing.
  • “Data Processor” means the entity that processes Personal Data on behalf of the Controller.
  • “Data Subject” means the individual whose Personal Data is processed.
  • “Sub-processor” means any third party engaged by Bayarcash to process Personal Data on its behalf.

3. Roles and Responsibilities

  • The Controller determines the purposes and means of Processing Personal Data.
  • The Processor (Bayarcash) shall process Personal Data only on the documented instructions of the Controller and in compliance with applicable data protection laws.

4. Scope of Processing

Bayarcash shall process Personal Data solely for the following purposes:

  • Providing digital payment, wallet, and financial technology services to the Controller and its customers;
  • Customer onboarding and verification (including KYC and AML/CFT compliance);
  • Transaction processing and fraud prevention;
  • Customer support and account management;
  • System analytics, risk management, and security monitoring.

The categories of data processed may include:

  • Identification data (name, date of birth, ID number);
  • Contact data (address, phone, email);
  • Financial data (bank account, payment details, transaction records);
  • KYC documents (government IDs, proof of address, etc.);
  • Device and behavioral data (IP address, login metadata, etc.).

5. Lawful Basis

The Controller is responsible for ensuring that Personal Data is collected and processed lawfully.
Bayarcash acts strictly under the Controller’s lawful instructions and ensures all Processing complies with applicable data protection and financial regulations.

6. Confidentiality

Bayarcash shall ensure that:

  • Only authorized personnel with a legitimate business need have access to Personal Data;
  • All personnel are bound by confidentiality obligations;
  • Personal Data is not disclosed to unauthorized third parties.

7. Security Measures

Bayarcash implements appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
These measures include:

  • Encryption of data in transit and at rest;
  • Access control and authentication mechanisms;
  • Secure data centers and network protection;
  • Regular vulnerability assessments and penetration testing;
  • Employee security training and background checks;
  • Business continuity and disaster recovery procedures.

8. Sub-Processing

  • Bayarcash may engage Sub-processors to deliver certain services (e.g., cloud hosting, identity verification, payment gateways).
  • Bayarcash shall maintain a current list of Sub-processors available upon request.
  • All Sub-processors will be bound by written agreements ensuring data protection obligations equivalent to this DPA.
  • Bayarcash remains fully liable for the performance of its Sub-processors.

9. International Data Transfers

If Personal Data is transferred outside the country of origin or outside the EEA, Bayarcash will ensure that such transfer is made in compliance with:

  • Standard Contractual Clauses (SCCs) or equivalent safeguards approved by relevant data protection authorities; or
  • Other lawful mechanisms (e.g., adequacy decisions or binding corporate rules).

10. Data Subject Rights

Bayarcash shall, to the extent legally permitted, assist the Controller in fulfilling its obligations to respond to Data Subject requests, including:

  • Access, rectification, erasure, restriction, objection, and data portability;
  • Complaints or inquiries received from data subjects or regulators.

Requests received directly by Bayarcash shall be promptly referred to the Controller.

11. Data Breach Notification

In the event of a Personal Data Breach, Bayarcash shall:

  • Notify the Controller without undue delay (and no later than 24-48 hours) after becoming aware of the breach;
  • Provide details of the nature, scope, and impact of the breach;
  • Cooperate fully in investigating, mitigating, and remediating the breach;
  • Assist the Controller in meeting any legal notification obligations to authorities or individuals.

12. Data Retention and Deletion

Bayarcash shall:

  • Retain Personal Data only for as long as necessary to fulfill the purposes of processing or as required by law (e.g., AML/CFT or regulatory retention periods);
  • Upon termination or expiration of the Principal Agreement, securely delete or return all Personal Data, unless retention is required by applicable laws.

13. Audits and Inspections

  • Bayarcash shall make available all necessary information to demonstrate compliance with this Agreement.
  • The Controller may, upon reasonable notice, conduct or commission an independent audit (subject to confidentiality and operational constraints).
  • Bayarcash may provide independent audit reports (e.g., SOC 2, ISO 27001) to satisfy this requirement.

14. Compliance and Cooperation

Bayarcash shall:

  • Comply with all applicable data protection, privacy, and cybersecurity laws;
  • Cooperate with supervisory authorities and regulators upon request;
  • Notify the Controller of any material changes in its data protection practices.

15. Limitation of Liability

Liability under this DPA shall be governed by the limitation of liability provisions set forth in the Principal Agreement, unless otherwise required by law.

16. Duration

This DPA shall remain in effect for the duration of the Principal Agreement and thereafter as long as Bayarcash retains any Personal Data on behalf of the Controller.

17. Governing Law and Jurisdiction

This DPA shall be governed by the laws of [Jurisdiction - e.g., Republic of the Philippines / Singapore / United Kingdom / etc.], and any disputes shall be subject to the exclusive jurisdiction of the courts of [Location].

18. Entire Agreement

This DPA forms part of and is subject to the terms of the Principal Service Agreement between Bayarcash and the Controller.
In the event of a conflict, the provisions of this DPA shall prevail concerning data protection matters.

Signatures

For the Controller
Name: ___________
Title: ___________
Date: ___________
Signature: __________

For Bayarcash (Processor)
Name: ___________
Title: ___________
Date: ___________
Signature: __________

Schedule A - Data Processing Details

Category: Details
Nature of Processing: Payment processing, digital wallet management, customer onboarding, and transaction support
Categories of Data Subjects: End-users, merchants, customers, employees (if applicable)
Categories of Personal Data: Identity data, contact data, financial and transactional data, device and behavioral data
Duration of Processing: Duration of the business relationship and as required by law
Data Retention: In accordance with applicable financial regulations (e.g., AML/CFT record retention for 5-10 years)