This Data Processing Addendum (“DPA”) forms part of and is incorporated into the Terms and Conditions, Merchant Services Agreement, and other applicable agreements (collectively, the “Agreement”) between United Software Developers Inc., DBA USD GoPay (“Company,” “Processor,” “we,” “us”) and the customer or merchant (“Customer,” “Controller”).

Purpose and Scope

This DPA governs the processing of Personal Data by the Company on behalf of Customer in connection with the Services. It is intended to meet the requirements of applicable data protection laws, including (where applicable) the General Data Protection Regulation (“GDPR”), UK GDPR, and similar laws.

If there is a conflict between this DPA and the Agreement with respect to data protection, this DPA controls.

Historical Services and Policy Updates

The Company has provided software platforms, merchant technology, and related services for many years prior to the Effective Date of this DPA.

This DPA represents a consolidated and updated framework governing continued and future processing of Personal Data as of the Effective Date, regardless of when the Customer first began using the Services. Continued use of the Services on or after the Effective Date constitutes acceptance of this DPA.

Definitions

• “Personal Data” means information relating to an identified or identifiable natural person processed under the Agreement.
• “Processing” means any operation performed on Personal Data (e.g., collection, use, disclosure).
• “Controller” means the entity that determines the purposes and means of Processing.
• “Processor” means the entity that processes Personal Data on behalf of the Controller.
• “Sub‑processor” means a third party engaged by the Processor to process Personal Data.

Roles of the Parties

Customer is the Controller of Personal Data.

Company acts as a Processor when processing Personal Data on Customer’s behalf.

For its own business data (e.g., billing, compliance), Company may act as an independent Controller as described in the Privacy Policy.

Subject Matter, Duration, Nature, and Purpose of Processing

Subject Matter: Provision of software platforms, CRM, merchant services technology, messaging, e‑signature functionality, data services, and support.

Duration: The term of the Agreement and any retention period required by law.

Nature of Processing: Hosting, storage, transmission, display, token‑based transaction facilitation, support operations.

Purpose: To provide and support the Services per Customer’s instructions and the Agreement.

Categories of Data and Data Subjects

Data Subjects: Customer’s users, merchants, employees, contractors, customers, and end users.

Personal Data: Contact information, identifiers, business data, communications, uploaded documents.

Payment Data Clarification: The Company may briefly receive payment card data (PAN/expiry/CVV) solely to transmit it to a third‑party payment gateway (e.g., TSYS) for tokenization. The Company does not store card numbers or sensitive authentication data and retains tokens only for permitted transaction use.

Customer Obligations

Customer represents and warrants that it:

• Has all necessary rights, notices, and lawful bases to provide Personal Data to the Company;
• Will process Personal Data in compliance with applicable laws;
• Will not instruct the Company to process data in violation of law.

Processor Obligations

The Company shall:

• Process Personal Data only on documented instructions from Customer (including through use of the Services).
• Ensure personnel are bound by confidentiality obligations.
• Implement appropriate technical and organizational measures to protect Personal Data.
• Assist Customer, where applicable, with data subject requests, security inquiries, and regulatory obligations.
• Promptly notify Customer of a Personal Data Breach without undue delay, consistent with applicable law.

Security Measures

The Company maintains commercially reasonable safeguards and is SOC 2 Certified, reflecting controls for security, availability, and confidentiality.

Measures include access controls, encryption in transit, monitoring, incident response procedures, and secure cloud infrastructure.

Sub‑processors

Authorized Sub‑processors

Customer authorizes the Company to engage Sub‑processors, including:

• Amazon Web Services (AWS) – cloud hosting and infrastructure
• Amazon S3 – document storage
• AWS‑certified managed IT services provider – infrastructure administration and monitoring
• Third‑party payment processors/acquiring banks (e.g., TSYS) – transaction processing and tokenization
• Messaging and telecom providers – SMS delivery

The Company will impose data protection obligations on Sub‑processors consistent with this DPA.

Sub‑processor Changes

The Company may add or replace Sub‑processors. Continued use of the Services after notice constitutes acceptance. Customer may object on reasonable data protection grounds.

International Data Transfers

Personal Data may be processed in the United States or other jurisdictions where Sub‑processors operate.

Where required, transfers are supported by appropriate safeguards (e.g., standard contractual clauses or equivalent mechanisms).

Assistance with Data Subject Rights

Taking into account the nature of processing, the Company will provide reasonable assistance to enable Customer to respond to data subject requests under applicable law.

Deletion or Return of Data

Upon termination of the Agreement, the Company will, upon Customer’s request and subject to legal requirements, delete or return Personal Data within a reasonable period.

Audits

Upon reasonable notice and at Customer’s expense, the Company may provide relevant information or summaries necessary to demonstrate compliance, including SOC 2 reports or security documentation, subject to confidentiality.

Limitation of Liability

Any liability under this DPA is subject to the limitations and exclusions set forth in the Agreement. The Company’s total liability will not exceed the fees paid in the preceding twelve (12) months, to the extent permitted by law.

Governing Law

This DPA is governed by the laws specified in the Agreement (New York), without regard to conflict‑of‑law principles.

Order of Precedence

In the event of a conflict, the following order applies:

• This DPA
• The Agreement (including Merchant Services Agreement)
• Other incorporated policies