Data Processing Agreement (DPA)

GDPR-compliant Data Processing Agreement for PopaDex business customers

Effective Date: October 6, 2025
Last Updated: October 6, 2025

This Data Processing Agreement (“DPA”) forms part of the agreement between PopaDex Ltd. (“Processor” or “PopaDex”) and the customer (“Controller” or “Customer”) for the provision of wealth management platform services.

1. Definitions and Interpretation

1.1 Definitions

“Applicable Data Protection Law”: GDPR, UK GDPR, and any other applicable data protection laws

“Controller”: The entity that determines purposes and means of processing Personal Data

“Data Subject”: An identified or identifiable natural person

“GDPR”: EU General Data Protection Regulation (EU) 2016/679

“Personal Data”: Any information relating to an identified or identifiable natural person

“Processing”: Any operation performed on Personal Data

“Processor”: The entity that processes Personal Data on behalf of the Controller

“Sub-processor”: Any third-party processor engaged by PopaDex to process Customer Personal Data

“Supervisory Authority”: An independent public authority established by an EU Member State under GDPR, or the UK Information Commissioner’s Office under UK GDPR

“UK GDPR”: GDPR as retained in UK law

1.2 Interpretation

This DPA supplements and forms part of the Terms of Service. In case of conflict, this DPA prevails for data protection matters.

2. Scope and Applicability

2.1 Scope of DPA

This DPA applies when:

  • Customer is a business entity (not individual consumer)
  • PopaDex processes Personal Data on behalf of Customer
  • Processing is subject to GDPR or UK GDPR

2.2 Roles

PopaDex as Processor:

  • Processes Personal Data per Customer instructions
  • Subject to this DPA and Applicable Data Protection Law

Customer as Controller:

  • Determines purposes and means of Processing
  • Responsible for lawfulness of Processing
  • Ensures rights to instruct Processing

2.3 Personal Data Processed

Categories of Data Subjects:

  • Customer’s employees
  • Customer’s clients (if applicable)
  • Authorized users of Customer’s account

Categories of Personal Data:

  • Identification data (name, email)
  • Financial data (account balances, transactions)
  • Authentication data (hashed passwords)
  • Usage data (login times, features used)

Special Categories: None (PopaDex does not process special category data within the meaning of GDPR Article 9)

Processing Operations:

  • Collection, storage, organization
  • Retrieval, consultation, use
  • Disclosure, transmission
  • Deletion, destruction

3. Customer Obligations

3.1 Lawful Processing

Customer warrants that:

  • Has legal basis for Processing
  • Processing complies with Applicable Data Protection Law
  • Has obtained necessary consents
  • Has provided required privacy notices
  • Has authority to instruct PopaDex

3.2 Instructions

Customer’s instructions:

  • Use of PopaDex services as documented
  • Configuration settings chosen
  • Data export/deletion requests
  • Other written instructions

Out-of-scope instructions:

  • PopaDex not obligated to follow instructions outside documented functionality
  • Will notify if instruction violates Applicable Data Protection Law

3.3 Data Subject Rights

Customer responsible for:

  • Responding to Data Subject requests
  • Using PopaDex tools to fulfill requests (export, delete, etc.)
  • Verifying Data Subject identity

PopaDex will assist by providing tools and technical measures

4. PopaDex Obligations

4.1 Processing Instructions

PopaDex will:

  • Process Personal Data only on documented instructions
  • Not process for own purposes
  • Inform Customer if instructions violate law

4.2 Confidentiality

Authorized personnel:

  • Only authorized employees access Personal Data
  • All employees bound by confidentiality obligations
  • Training on data protection provided

Confidentiality breaches: Reported immediately to Customer

4.3 Security Measures

Technical measures:

  • Encryption in transit (TLS 1.3)
  • Encryption at rest (AES-256)
  • Optional end-to-end encryption (E2EE)
  • Secure authentication (Argon2id password hashing)
  • Regular security audits

Organizational measures:

  • Access controls and authorization
  • Incident response procedures
  • Business continuity planning
  • Secure development lifecycle
  • Vendor security assessments

Security standards:

  • SOC 2 Type II attestation (in progress)
  • OWASP Top 10 mitigation
  • Regular penetration testing
  • Vulnerability management

See Security Whitepaper for details

4.4 Sub-processors

Current Sub-processors:

Sub-processor               Service                  Location   Safeguards
Amazon Web Services (AWS)   Cloud hosting            EU/US      Standard Contractual Clauses
Plaid Inc.                  Bank connections (US)    US         Standard Contractual Clauses
GoCardless Ltd.             Bank connections (EU)    EU/UK      GDPR compliant
Stripe Inc.                 Payment processing       US         Standard Contractual Clauses
Cloudflare Inc.             CDN & security           Global     Standard Contractual Clauses
Sentry                      Error tracking           US         DPA in place

Updated list: Available at popadex.com/subprocessors

New Sub-processors:

  • 30-day advance notice to Customer
  • Customer may object with legitimate grounds
  • If objection upheld, Customer may terminate

4.5 International Transfers

EU to Third Countries:

  • Standard Contractual Clauses (2021/914)
  • Adequate safeguards in place
  • Transfer Impact Assessment conducted

Data residency:

  • EU customers: Primary storage in EU (Ireland)
  • UK customers: Primary storage in UK or EU
  • US customers: Primary storage in US (Virginia)

Cross-border transfers: Only when necessary for service provision

4.6 Data Subject Rights

PopaDex will assist Customer with:

  • Right of access: Data export functionality
  • Right to rectification: Account settings, data editing
  • Right to erasure: Account deletion tool
  • Right to restriction: Account suspension (upon request)
  • Right to data portability: CSV, JSON export
  • Right to object: Opt-out of non-essential processing

Response timeframe: Provide assistance within 10 business days of Customer request

4.7 Personal Data Breach

Breach notification:

  • Notify Customer without undue delay after becoming aware of the breach (target: within 24 hours)
  • Describe nature of breach
  • Categories and approximate number of Data Subjects affected
  • Likely consequences
  • Measures taken or proposed

Cooperation:

  • Assist Customer in notifying Supervisory Authority (if required)
  • Assist in notifying Data Subjects (if required)
  • Provide information for Customer’s assessment

Documentation: Maintain record of all breaches

4.8 Audits and Inspections

Customer’s rights:

  • Audit PopaDex’s compliance with this DPA
  • Inspect relevant documentation
  • Conduct on-site inspections (with reasonable notice)

Frequency: Once per year, unless breach occurs

Third-party audits: Customer may appoint independent auditor

PopaDex obligations:

  • Cooperate with audits
  • Provide requested information
  • Allow access to relevant facilities
  • Make available audit results (SOC 2, penetration tests)

Limitations:

  • Reasonable advance notice (30 days)
  • During business hours
  • Subject to confidentiality obligations
  • Customer bears costs unless non-compliance found

5. Data Deletion and Return

5.1 Upon Termination

Customer’s choice (within 30 days of termination):

  • Return: Export all Personal Data (CSV, JSON)
  • Deletion: Permanently delete all Personal Data

If no instruction: Deletion after 30-day grace period

5.2 Deletion Process

Deletion steps:

  • Personal Data removed from production databases immediately
  • Backup copies expire and are overwritten per the backup retention schedule
  • Certified destruction of physical media (if any)

Retained data (anonymized):

  • Financial transaction metadata (7 years, regulatory requirement)
  • Anonymized analytics (cannot identify Data Subjects)

Deletion certification: Provided upon request

5.3 E2EE Data

End-to-end encrypted data:

  • Encrypted on the client; PopaDex cannot decrypt it
  • Deletion removes the encrypted blobs
  • The associated encryption keys are deleted
  • Once the keys are gone, any copies that remain in backups are ciphertext only and cannot be recovered
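The property described above is crypto-shredding: the key, not the ciphertext, is what deletion has to destroy, so copies that survive in backups become unrecoverable. The following script is an added example and is not PopaDex’s code. It simulates a client-held key, a server store with a backup snapshot, and the deletion sequence from Section 5.3. The cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, a stand-in for AES-256-GCM chosen so the script runs on the Python standard library alone; the record identifier, the sample balance string and the store classes are hypothetical.

```python
"""Crypto-shredding: once the key is gone, ciphertext left in backups is
unrecoverable. Added example, not PopaDex code. HMAC-SHA256 in counter mode
plus an encrypt-then-MAC tag stands in for AES-256-GCM so only the standard
library is needed; record and store names are hypothetical."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate confidentiality and integrity keys derived from one root key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: HMAC(enc_key, nonce || counter), concatenated, truncated.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_blob(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_blob(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; raises ValueError on a wrong key."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered blob")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def try_decrypt(key: bytes, blob: bytes):
    """Like decrypt_blob but returns None instead of raising."""
    try:
        return decrypt_blob(key, blob)
    except ValueError:
        return None


class ClientVault:
    """Per-record keys held on the user's device; the server never sees them."""
    def __init__(self):
        self.keys = {}

    def new_key(self, record_id: str) -> bytes:
        self.keys[record_id] = secrets.token_bytes(32)
        return self.keys[record_id]

    def shred(self, record_id: str) -> None:
        self.keys.pop(record_id, None)


class ServerStore:
    """Production store plus point-in-time backup snapshots that outlive deletes."""
    def __init__(self):
        self.production = {}
        self.backups = []

    def put(self, record_id: str, blob: bytes) -> None:
        self.production[record_id] = blob

    def snapshot(self) -> None:
        self.backups.append(dict(self.production))

    def delete(self, record_id: str) -> None:
        self.production.pop(record_id, None)

    def leftover_copies(self, record_id: str) -> list:
        return [snap[record_id] for snap in self.backups if record_id in snap]


def crypto_shred_scenario() -> dict:
    """Walk one record through live use, backup, deletion and key shredding."""
    vault, server = ClientVault(), ServerStore()
    record = "acct-42"  # hypothetical record id
    secret = b"balance=123456.78;iban=DE89370400440532013000"  # constructed sample
    key = vault.new_key(record)
    server.put(record, encrypt_blob(key, secret))
    server.snapshot()  # nightly backup taken while the record is live
    live_ok = try_decrypt(vault.keys[record], server.production[record]) == secret

    server.delete(record)  # Section 5.3: encrypted blob removed from production
    vault.shred(record)    # ... and the key is deleted
    leftovers = server.leftover_copies(record)
    # The backup still holds ciphertext, but no plaintext and no usable key;
    # a guessed key fails authentication rather than yielding garbage.
    guesses = [secrets.token_bytes(32), bytes(32)]
    recovered = any(try_decrypt(g, leftovers[0]) is not None for g in guesses)
    return {
        "decrypts_while_live": live_ok,
        "gone_from_production": record not in server.production,
        "still_in_backup": len(leftovers) == 1,
        "plaintext_in_backup": secret in leftovers[0],
        "key_deleted": record not in vault.keys,
        "backup_recoverable": recovered,
    }
```

The point a practitioner should take from the scenario is that the backup snapshot is never touched: it still contains the blob after deletion, and the deletion guarantee rests entirely on the key being gone and the ciphertext being authenticated, so an attacker who obtains the backup cannot even tell a correct guess from a wrong one without the key.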

6. Liability and Indemnification

6.1 Allocation of Liability

Each party liable for breaches of own obligations under this DPA

Customer liable for:

  • Unlawful Processing instructions
  • Failure to obtain necessary consents
  • Breach of Data Subject rights (unless PopaDex failed to assist)

PopaDex liable for:

  • Unauthorized Processing
  • Breach of security obligations
  • Failure to assist with Data Subject rights

6.2 Limitation of Liability

Governed by: Main Terms of Service

Exception: Liability for data protection breaches limited to:

  • Greater of (a) €10,000 or (b) amount paid by Customer in past 12 months
  • Maximum: Amount recoverable under GDPR (administrative fines under Article 83 are capped at the greater of €20M or 4% of global annual turnover)

Cannot be limited:

  • Fraud or willful misconduct
  • Gross negligence
  • Liabilities under GDPR that cannot be limited by agreement

6.3 Indemnification

PopaDex indemnifies Customer against claims arising from:

  • PopaDex’s breach of this DPA
  • Unauthorized Processing by PopaDex
  • PopaDex’s failure to comply with Applicable Data Protection Law

Customer indemnifies PopaDex against claims arising from:

  • Unlawful Processing instructions
  • Customer’s breach of Applicable Data Protection Law
  • Customer’s failure to obtain necessary consents

7. Term and Termination

7.1 Term

This DPA takes effect upon Customer’s acceptance and continues while:

  • Services agreement is in force
  • PopaDex processes Personal Data on Customer’s behalf

7.2 Termination

Terminates:

  • Upon termination of main services agreement
  • If Processing no longer subject to GDPR
  • By mutual written agreement

Survival: Sections on deletion, liability, confidentiality survive termination

7.3 Effect of Termination

Upon termination:

  • PopaDex ceases Processing (except for deletion/return)
  • Customer exports or instructs deletion of data
  • Obligations in Section 5 (deletion/return) apply

8. General Provisions

8.1 Conflict

Order of precedence (conflict between documents):

  1. Standard Contractual Clauses (for the international transfers they govern; see Section 9.3)
  2. This DPA
  3. Main Terms of Service
  4. Other agreements

8.2 Amendments

Changes to DPA:

  • Material changes: 60-day advance notice
  • Minor changes: 30-day advance notice
  • Customer may object (may terminate if objection upheld)

Changes to Sub-processors: See Section 4.4

8.3 Severability

If any provision is unenforceable:

  • Remaining provisions remain in force
  • Parties negotiate replacement provision
  • Does not affect validity of DPA

8.4 Governing Law

EU customers: Irish law
UK customers: English law
US customers: Delaware law

Jurisdiction: Courts of Ireland (EU), England (UK), Delaware (US)

8.5 Supervisory Authority

Right to lodge complaint:

  • Customer or Data Subjects may complain to Supervisory Authority
  • Does not affect other remedies

Cooperation: PopaDex will cooperate with Supervisory Authority investigations

9. Standard Contractual Clauses

9.1 Applicability

When SCCs apply:

  • Transfer of Personal Data from EU/EEA to third countries
  • Recipient country not subject to adequacy decision
  • No other transfer mechanism available

SCC version: EU Commission Decision 2021/914

9.2 Module Selection

Module Two (Controller to Processor):

  • PopaDex is Processor
  • Customer is Controller
  • Most common scenario

Module Three (Processor to Sub-processor):

  • Applies to Sub-processor relationships
  • PopaDex is data exporter and the Sub-processor is data importer (in Sub-processor chain)

9.3 Incorporation

SCCs incorporated by reference into this DPA

SCC terms prevail over DPA in case of conflict (for international transfers only)

Docking clause: Available for multi-party transfers

9.4 SCC Specifics

Annex I (Data details):

  • Categories of Data Subjects: See Section 2.3
  • Categories of Personal Data: See Section 2.3
  • Sensitive data: None
  • Processing operations: See Section 2.3
  • Purpose: Wealth management platform services
  • Duration: While services agreement in force

Annex II (Security):

  • Technical measures: See Section 4.3
  • Organizational measures: See Section 4.3

Annex III (Sub-processors):

  • Current Sub-processors: See Section 4.4
  • Updated list: popadex.com/subprocessors

Clause 7 (Docking clause): Available upon request

Clause 9 (Use of Sub-processors): General authorization with notification

Clause 11 (Redress): Third-party beneficiary rights for Data Subjects

Clause 13 (Supervision): Irish Data Protection Commission (EU customers)

Clause 17 (Governing law): Irish law (EU customers)

Clause 18 (Choice of forum): Courts of Ireland (EU customers)

10. UK International Data Transfer Addendum

10.1 UK Addendum Applicability

When UK Addendum applies:

  • Transfer from UK to third countries
  • Not subject to UK adequacy regulations
  • No other transfer mechanism

UK Addendum version: B.1.0 (issued March 2022)

10.2 UK Addendum Terms

Incorporated by reference into this DPA

Tables (as per UK Addendum):

  • Table 1: Parties (Customer and PopaDex)
  • Table 2: Selected SCCs, Modules and selected clauses (Module Two)
  • Table 3: Appendix Information (Annexes as per Section 9.4)
  • Table 4: Ending this Addendum when the Approved Addendum changes (election of which party may end, as recorded in the executed Addendum)

Supervisory Authority: UK Information Commissioner’s Office (ICO)

11. Contact Information

Data Protection Officer:
Email: [email protected]

EU Representative:
Email: [email protected]

UK Representative:
Email: [email protected]

Legal Department:
Email: [email protected]

Security Team:
Email: [email protected]

Mailing Address:
PopaDex Ltd.
Attn: Data Protection Officer
[Address to be added]

12. Signature and Acceptance

12.1 Electronic Acceptance

By using PopaDex services as a business customer, Customer accepts this DPA electronically.

Date of acceptance: Date of account creation or DPA acceptance in account settings

12.2 Signed Copy

Request signed copy: Email [email protected]

Execution: DocuSign or wet signature available

Counterparts: May be executed in counterparts


Appendices

Appendix A: Sub-processor List

See current list at: popadex.com/subprocessors

Updated monthly (notification if changes)

Appendix B: Security Measures

See detailed measures at: Security Whitepaper

Updated annually or upon material changes

Appendix C: Data Processing Details

Purpose: Wealth management platform services

Duration: While services agreement in force + 30 days (grace period)

Nature of Processing: Automated processing, storage, retrieval, deletion

Type of Personal Data: Identification, financial, usage data (see Section 2.3)

Categories of Data Subjects: Employees, clients (if applicable), authorized users (see Section 2.3)


Version History

  • v1.2 (Oct 6, 2025): Current version - UK Addendum added
  • v1.1 (May 15, 2025): Updated Sub-processors, security measures
  • v1.0 (Jan 1, 2025): Initial DPA (post-Schrems II)

Questions about this DPA? Contact [email protected] or [email protected]
