Data Processing Agreement
Effective January 29, 2026 (Version 1.0)
This Data Processing Agreement ("DPA") forms part of the NectorPay Terms of Service and governs the processing of personal data by NectorPay as a processor on behalf of Customers.
1. Definitions
- Data Controller: You, the Customer (business user), who determine the purposes and means of processing contractor and team member personal data.
- Data Processor: NectorPay, which processes personal data on your instructions.
- Personal Data: Any information relating to an identified or identifiable natural person (contractor, team member, etc.).
- Processing: Any operation performed on personal data (collection, storage, use, transfer, deletion, etc.).
- Subprocessor: A third party authorized by NectorPay to process personal data on its behalf (e.g., Supabase, Stripe, Sentry).
2. Scope & Nature of Processing
NectorPay acts as a processor for the following categories of personal data:
- Contractor details: name, email, phone, address, country, timezone
- Financial data: bank account details, tax IDs, payment preferences, invoices, payment history
- Team member information: email, name, role, permissions, activity logs
- Compliance documents: tax forms, identity verification documents, service descriptions
- Business profile data: company name, legal address, contact information, metadata
- Usage data: audit logs of actions, approval history, document access
Purpose of Processing: To provide the NectorPay platform, including contractor management, invoice processing, payment workflows, reporting, compliance, and security.
Duration: Processing continues for the duration of your subscription and as long as legally required (e.g., 6 years for financial records, 7 years for audit logs).
3. Customer Obligations
As the Data Controller, you must:
- Obtain Consent: Collect all necessary consents from contractors and team members before storing their personal data in NectorPay.
- Lawful Basis: Ensure you have a lawful basis (consent, contract, legitimate interest, etc.) for processing personal data under GDPR, CCPA, UK DPA 2018, or other applicable law.
- Inform Data Subjects: Provide privacy notices to contractors and team members explaining how their data is used.
- Data Accuracy: Ensure personal data is accurate and kept up to date.
- Limit Collection: Only provide NectorPay with data that is necessary for the purposes of contractor management and payment.
- Respond to Rights: Handle data subject requests (access, deletion, portability, correction) in accordance with applicable law. NectorPay will assist where reasonably necessary.
4. NectorPay Processor Obligations
NectorPay shall:
- Process Only on Instruction: Process personal data only in accordance with your documented instructions and this DPA. If a legal obligation requires processing beyond your instructions, NectorPay will notify you unless prohibited by law.
- Confidentiality: Ensure staff who access personal data are bound by confidentiality obligations.
- Security Measures: Implement and maintain technical and organizational security measures including:
  - Encryption in transit (TLS/HTTPS) and at rest for sensitive data
  - Role-based access controls and authentication
  - Regular security monitoring and vulnerability assessments
  - Audit logging of sensitive data access
  - Secure infrastructure with established cloud providers (Supabase/PostgreSQL)
  - Data backup and disaster recovery procedures
- Subprocessor Approval: Maintain a current list of authorized subprocessors and notify you of changes. You may object to subprocessors as detailed in Section 5.
- Data Subject Rights: Assist you in responding to data subject access requests, deletion requests, and portability requests within reasonable timeframes.
- Data Deletion: Delete or return personal data upon termination of your account, subject to legal retention obligations.
- Audit & Inspection: Allow reasonable audits and inspections of our security and processing practices (at your expense if more than once per year).
5. Subprocessors & International Transfers
NectorPay engages the following subprocessors to process personal data:
- Supabase: Cloud database hosting, data storage and retrieval (EU data centers available)
- Stripe: Payment processing and billing (US/EU)
- Sentry: Error monitoring and security logging (EU/US)
- Resend: Email delivery and notifications (US)
- FX Rate Providers: Exchange rate data for currency conversion (various)
A current, complete list is maintained at nectorpay.com/legal/subprocessors.
International Transfers: Personal data may be transferred to and processed in the United States and other countries where NectorPay or its subprocessors operate. When required by law, NectorPay relies on Standard Contractual Clauses (SCCs) or other appropriate safeguards to protect cross-border transfers.
Your Rights: You may object to the appointment of a new subprocessor by notifying us within 30 days of notification. If you object on reasonable grounds, we will work with you to resolve the matter or, if unresolved, allow you to terminate your account without penalty.
6. Data Retention & Deletion
- Personal Data: Retained for the duration of your subscription and deleted or anonymized within 12 months of account closure, subject to legal obligations.
- Financial Records: Invoices, payments, and related records retained for 6 years for tax and accounting compliance.
- Audit Logs: Retained for 7 years for compliance, fraud prevention, and dispute resolution. Personal data in logs is anonymized after 3 years unless a litigation hold applies.
- Data Exports: Export files available for download for 30 days, then automatically deleted after 90 days.
7. Standard Contractual Clauses (SCCs)
For transfers of personal data outside the UK or EEA, NectorPay incorporates Standard Contractual Clauses (Module One: Controller to Processor) as approved by the European Commission, available at:
https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en
These clauses are deemed part of this DPA and are binding on both parties. In the event of a conflict between the SCCs and this DPA, the SCCs shall prevail to the extent required by law.
8. Data Breach Notification
If NectorPay becomes aware of a personal data breach, we will notify you without undue delay and provide reasonable assistance to meet your notification obligations under applicable data protection laws (e.g., GDPR Articles 33 and 34). You are responsible for notifying data subjects and regulators as required by law.
9. Data Protection Impact Assessment (DPIA)
NectorPay will provide reasonable assistance to you in conducting Data Protection Impact Assessments (DPIAs) where required by applicable law, particularly for high-risk processing activities.
10. Term & Termination
This DPA is effective when you accept it during account setup and remains in effect for the duration of your subscription to NectorPay.
Upon termination of your account, NectorPay will, at your election: (a) delete all personal data, or (b) return all personal data in a structured, commonly-used, machine-readable format, subject to legal retention requirements. Certain data (financial records, audit logs) may be retained as required by law.
11. Governing Law & Dispute Resolution
This DPA is governed by the laws of England and Wales without regard to conflict of law principles. Any disputes shall be resolved in accordance with the dispute resolution procedures in the NectorPay Terms of Service.
12. Amendments
NectorPay may update this DPA to comply with legal requirements or improve security. Material changes will be communicated to you with at least 30 days' notice. Continued use of NectorPay after changes take effect constitutes acceptance.
13. Contact
Questions about this DPA or data processing practices can be directed to [email protected].