This Data Processing Addendum (“DPA”) governs the processing of Customer Personal Data by recv on behalf of the Merchant in connection with the Service.
This DPA applies when and to the extent recv processes Customer Personal Data solely on behalf of the Merchant. In this context, Merchant acts as Controller and recv acts as Processor.
1.1. Scope: When recv processes Customer Personal Data solely on behalf of the Merchant, the Merchant acts as Data Controller and recv acts as Data Processor.
1.2. Instructions: recv shall process such data only on the Merchant’s documented instructions, including as set forth in the Agreement, unless required to do so by applicable law.
2.1. Confidentiality: recv shall ensure that persons authorized to process the Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
2.2. Security Measures: recv shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing Customer Personal Data.
2.3. Subprocessors: recv shall impose equivalent data protection obligations on any subprocessors it engages, and remains liable to the Merchant for the performance of subprocessors' obligations.
2.4. Data Subject Requests: recv shall assist the Merchant, taking into account the nature of the processing, by appropriate technical and organizational measures, for the fulfillment of the Merchant's obligation to respond to requests for exercising data subjects' rights.
2.5. Breach Notification: recv shall notify the Merchant of any confirmed personal data breach affecting Customer Personal Data without undue delay after becoming aware of the breach.
2.6. Deletion or Return: recv shall, at the choice of the Merchant, delete or return all Customer Personal Data to the Merchant after the end of the provision of services, unless applicable law requires storage of the personal data.
2.7. Audits: recv shall make available to the Merchant all information necessary to demonstrate compliance with these obligations and allow for and contribute to audits conducted by the Merchant or another auditor mandated by the Merchant.
3.1. Subject Matter and Duration: Processing of blockchain transaction routing, status confirmation, and associated notification metadata. The duration corresponds to the term of the Agreement.
3.2. Categories of Data: Transaction hashes (TXIDs), destination wallet addresses, payable amounts, timestamps, IP addresses, browser User-Agent strings, and optional custom invoice metadata (if provided by the Merchant).
3.3. Categories of Data Subjects: Customers (end-users) of the Merchant completing cryptocurrency payments via recv checkout links.
3.4. Technical and Organizational Security Measures: Standard encryption of stored database credentials, cryptographic signatures for session tokens, one-way hashing for API keys, secure access controls, and rate-limiting for edge routing protection.
3.5. Subprocessor List: The approved list of subprocessors is set forth in the Subprocessor List page.
3.6. International Data Transfers: Where transfer of data outside the EU/EEA/UK is required, recv utilizes standard contractual clauses or equivalent transfer mechanisms approved by competent regulatory authorities.
