Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Terms and Conditions between Maxapp GmbH ("Processor") and the Customer ("Controller") for the processing of Personal Data in accordance with applicable data protection laws.
1. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person as defined in GDPR and Swiss DSG.
- Processing: Any operation performed on Personal Data, such as collection, recording, storage, retrieval, use, disclosure, or deletion.
- Controller: The Customer using PayMatch services who determines the purposes and means of processing Personal Data.
- Processor: Maxapp GmbH, processing Personal Data on behalf of the Controller.
- Sub-Processor: Any third party engaged by PayMatch to process Personal Data.
2. Scope and Purpose
This DPA applies to all Personal Data processed by PayMatch on behalf of the Controller in connection with the PayMatch services, including:
- Invoice creation and management
- Customer and contact information
- Payment reconciliation data
- Bank account transaction information (if connected)
- User account and authentication data
- Usage and analytics data
3. Data Processing Details
3.1 Nature and Purpose of Processing
PayMatch processes Personal Data for the following purposes:
- Providing invoice management and QR-bill generation services
- Payment reconciliation
- Customer and product management
- Subscription billing and account management
- Platform maintenance and support
- Security monitoring and fraud prevention
3.2 Types of Personal Data
- Contact information (names, email addresses, phone numbers)
- Business information (company names, addresses, VAT numbers)
- Financial data (invoice amounts, payment records)
- Bank account information (IBAN, transaction history - if connected)
- User credentials (email, encrypted passwords)
- Technical data (IP addresses, device information, usage logs)
3.3 Categories of Data Subjects
- Customer's employees and authorized users
- Customer's business clients and customers
- Customer's suppliers and vendors
- Customer's business contacts
3.4 Duration of Processing
Personal Data will be processed for the duration of the service agreement and retained according to the retention periods specified in our Privacy Policy (generally 10 years for business records as required by Swiss commercial law).
4. Processor Obligations
4.1 Processing Instructions
PayMatch will process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law. The provision of services as described in the Terms and Conditions constitutes the Controller's complete instructions.
4.2 Confidentiality
PayMatch ensures that all persons authorized to process Personal Data are bound by confidentiality obligations and receive appropriate training on data protection requirements.
4.3 Security Measures
PayMatch implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Access controls and authentication (including MFA support)
- Regular security assessments and vulnerability testing
- Automated backup and disaster recovery procedures
- Security monitoring and incident detection systems
- Regular security patches and updates
- Physical security of data centers (via certified hosting providers)
- Network security measures (firewalls, DDoS protection)
4.4 Data Breach Notification
In the event of a Personal Data breach, PayMatch will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include:
- Nature of the breach and categories of data affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
- Contact point for further information
4.5 Data Subject Rights
PayMatch will, to the extent legally permitted, promptly notify the Controller of any requests from data subjects. PayMatch will assist the Controller in responding to data subject requests (access, rectification, erasure, restriction, portability, objection) by providing appropriate technical and organizational measures.
4.6 Data Protection Impact Assessment
PayMatch will provide reasonable assistance to the Controller in conducting Data Protection Impact Assessments (DPIAs) where required by applicable law, by providing information about the processing activities and security measures.
4.7 Deletion and Return of Data
Upon termination of services, PayMatch will, at the Controller's choice, delete or return all Personal Data to the Controller and delete existing copies (except where retention is required by law). Personal Data can be exported in machine-readable format (JSON/CSV).
4.8 Audit Rights
PayMatch will make available to the Controller information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, by the Controller or an independent auditor. Such audits will be conducted upon reasonable notice and during business hours, no more than once per year unless required by a data breach or regulatory requirement.
5. Sub-Processors
5.1 General Authorization
The Controller provides general authorization for PayMatch to engage Sub-Processors. PayMatch will ensure that Sub-Processors are bound by data protection obligations equivalent to those in this DPA.
5.2 Current Sub-Processors
PayMatch currently uses the following Sub-Processors:
- Vercel Inc. (USA)
  - Purpose: Application hosting and CDN
  - Data Location: Global (with EU/Swiss data residency options)
  - Safeguards: GDPR-compliant, Standard Contractual Clauses
- Supabase Inc. (USA)
  - Purpose: Database hosting and authentication
  - Data Location: eu-central-2 (Zurich, Switzerland)
  - Safeguards: GDPR-compliant, EU data residency, SOC 2 Type II
- Amazon Web Services (AWS)
  - Purpose: Data storage and infrastructure
  - Data Location: eu-central-2 (Zurich, Switzerland)
  - Safeguards: GDPR-compliant, ISO 27001, SOC 2
- Stripe Payments Europe Ltd. (Ireland)
  - Purpose: Subscription payment processing
  - Data Location: European Union
  - Safeguards: GDPR-compliant, PCI-DSS Level 1
- SIX Group AG (Switzerland)
  - Purpose: Bank account connectivity (bLink platform)
  - Data Location: Switzerland
  - Safeguards: Swiss banking secrecy, DSG-compliant
5.3 Changes to Sub-Processors
PayMatch will inform the Controller of any intended changes concerning the addition or replacement of Sub-Processors at least 30 days in advance. The Controller may object to such changes on reasonable grounds relating to data protection. If the Controller objects, PayMatch will either not proceed with the change or the Controller may terminate the affected services.
5.4 Sub-Processor Liability
PayMatch remains fully liable to the Controller for the performance of Sub-Processor obligations under this DPA.
6. International Data Transfers
Personal Data may be transferred to and processed in countries outside of Switzerland and the European Economic Area (EEA). For such transfers, PayMatch ensures appropriate safeguards are in place:
- EU/EEA transfers: GDPR applies directly
- Switzerland: Recognized as providing adequate protection
- USA and other countries: Standard Contractual Clauses (SCCs) approved by the European Commission and Swiss Federal Data Protection and Information Commissioner (FDPIC)
- Preferred data residency: Data is primarily stored in the EU (Frankfurt, Germany)
7. Liability and Indemnification
Each party's liability under this DPA is subject to the limitations set forth in the Terms and Conditions. The Controller is responsible for ensuring compliance with applicable data protection laws in its use of the services and the instructions provided to PayMatch.
8. Term and Termination
This DPA will remain in effect for the duration of the service agreement and will automatically terminate upon termination of the Terms and Conditions. Sections relating to data deletion, audit rights, and liability will survive termination to the extent necessary to fulfill their purposes.
9. Governing Law and Jurisdiction
This DPA is governed by Swiss law. The place of jurisdiction is Zurich, Switzerland. This DPA is subject to the provisions of GDPR (where applicable) and Swiss DSG.
10. Contact Information
For questions or concerns regarding this DPA or data processing practices:
Last Updated: November 2024
This Data Processing Agreement supplements the PayMatch Terms and Conditions and Privacy Policy.