Data Processing Agreement

Last updated: July 2, 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Furlpay (“Processor”) and the individual or entity using Furlpay services (“Controller”), pursuant to Article 28 of Regulation (EU) 2016/679 (the “GDPR”).

1. Definitions

Unless otherwise defined herein, capitalised terms have the meanings given to them in the GDPR. “Personal Data” means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller. “Processing” means any operation performed on Personal Data, including collection, storage, retrieval, use, transmission, and erasure.

2. Controller & Processor roles

The Controller determines the purposes and means of Processing Personal Data. Furlpay acts as the Processor, processing Personal Data solely on the Controller’s documented instructions and for the purposes described in this DPA and the Terms of Service.

Where Furlpay processes Personal Data as required by applicable law (e.g., KYC/AML obligations), Furlpay acts as an independent Controller for that limited processing. In such cases, Furlpay’s Privacy Policy governs the processing.

3. Categories of data processed

The following categories of Personal Data may be processed under this DPA:

  • Identity data: Full name, date of birth, nationality, government-issued ID numbers (processed and stored by Persona; Furlpay retains only verification status and tokenized references).
  • Contact data: Email address, phone number, residential address.
  • Financial data: Bank account details, card details (tokenized via Marqeta/Stripe), transaction history, wallet addresses.
  • Technical data: IP address, device identifiers, browser fingerprint, WebAuthn public keys.
  • Usage data: Feature usage analytics, session metadata, error logs (collected via PostHog with IP anonymization enabled).
  • Compliance data: Sanctions-screening results, risk scores, Travel Rule originator/beneficiary data.

Data subjects include: registered Furlpay users, beneficial owners, and authorized representatives of business accounts.

4. Processing instructions

The Processor shall process Personal Data only in accordance with the Controller’s documented instructions, unless required to do so by Union or Member State law to which the Processor is subject. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other data-protection provisions.

Documented instructions include: providing the Furlpay services described in the Terms of Service, maintaining account security, fulfilling regulatory obligations, and responding to Controller-initiated data-subject requests.

5. Security measures

Furlpay implements and maintains the following technical and organizational measures to protect Personal Data, in accordance with Article 32 of the GDPR:

  • Encryption at rest: All databases are encrypted with AES-256. Wallet key shares are encrypted within hardware-backed secure enclaves operated by Turnkey.
  • Encryption in transit: All network communication uses TLS 1.3. HSTS is enforced across all Furlpay domains with a max-age of at least one year (31536000 seconds).
  • Access controls: Role-based access control (RBAC) with mandatory multi-factor authentication for all employees accessing production systems. Access logs are retained for 12 months.
  • Network security: Production infrastructure is hosted on isolated VPCs with WAF, DDoS protection, and continuous intrusion-detection monitoring.
  • Key management: Wallet keys are split into MPC key shares so that no single party (including Furlpay) can sign transactions or move user funds unilaterally. Turnkey, which holds the key-share infrastructure, maintains a SOC 2 Type II attestation report (an independent auditor's report on its controls over a review period, not a certification).
  • Pseudonymization: KYC document data is tokenized at the point of collection by Persona. Furlpay stores only verification outcomes and token references.
  • Vulnerability management: Continuous dependency scanning, quarterly penetration testing by independent auditors, and a public bug bounty program.
  • Employee training: All personnel with access to Personal Data complete annual data-protection and security-awareness training.

6. Sub-processors

The Controller provides general authorization for the Processor to engage sub-processors. The current list of sub-processors is maintained at furlpay.com/legal/subprocessors.

The Processor shall: (a) notify the Controller at least 30 calendar days before adding or replacing a sub-processor by updating the sub-processor list and sending an email notification to the Controller’s registered address; (b) impose data-protection obligations no less protective than those in this DPA on each sub-processor via a written contract; and (c) remain fully liable for the acts and omissions of its sub-processors.

If the Controller objects to a new sub-processor on reasonable data-protection grounds, the Controller must notify Furlpay within 14 calendar days of receiving notice. The parties shall discuss the objection in good faith. If no resolution is reached, the Controller may terminate the affected services without penalty.

7. Data breach notification

72-hour notification commitment

In the event of a Personal Data breach affecting Personal Data processed on behalf of the Controller, Furlpay shall notify the Controller without undue delay after becoming aware of it, as required of processors by Article 33(2) of the GDPR, and in any case within 72 hours of becoming aware of the breach. The Controller's own obligation under Article 33(1) to notify the competent supervisory authority within 72 hours runs from the time the Controller becomes aware of the breach.

The breach notification shall include:

  • A description of the nature of the breach, including categories and approximate number of data subjects and records affected.
  • The name and contact details of the Data Protection Officer or other contact point.
  • A description of the likely consequences of the breach.
  • A description of the measures taken or proposed to address the breach, including measures to mitigate possible adverse effects.

Furlpay shall cooperate with the Controller and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of the breach. Furlpay shall not communicate directly with data-protection authorities on behalf of the Controller unless explicitly authorized in writing.

8. Data subject rights

Furlpay shall assist the Controller in fulfilling data-subject requests under Articles 15 through 22 of the GDPR, including requests for access, rectification, erasure, data portability, restriction of processing, and objection. Furlpay shall forward any data-subject request it receives directly to the Controller within 2 business days, unless legally prohibited.

Users can exercise data-subject rights directly through the Furlpay app via Settings → Privacy → Data Rights, or by emailing privacy@furlpay.com.

9. International data transfers

When Personal Data is transferred outside the European Economic Area (EEA), Furlpay ensures appropriate safeguards are in place. Transfers to the United States rely on the EU-U.S. Data Privacy Framework (DPF) certifications of our sub-processors where available. For sub-processors not certified under the DPF, Furlpay executes Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914), supplemented by transfer impact assessments.

10. Audit rights

The Controller (or an independent third-party auditor appointed by the Controller) may audit Furlpay’s compliance with this DPA, subject to the following conditions:

  • Audit requests must be submitted at least 30 calendar days in advance in writing.
  • Audits shall be conducted during normal business hours and shall not unreasonably disrupt Furlpay’s operations.
  • The Controller bears the costs of the audit, unless the audit reveals a material non-compliance by Furlpay.
  • Furlpay shall make available all information reasonably necessary to demonstrate compliance, including SOC 2 Type II reports, penetration-test summaries, and relevant policy documentation.
  • Audits are limited to once per 12-month period, unless a data breach has occurred or a supervisory authority orders an audit.

11. Data retention & deletion

Upon termination of the services or upon the Controller’s written request, Furlpay shall delete or return all Personal Data within 30 calendar days, unless retention is required by applicable law (e.g., AML record-keeping requirements, which mandate retention for 5 years after account closure). Furlpay shall certify deletion in writing upon the Controller’s request.

12. Liability

Each party’s liability under this DPA is subject to the limitations set out in the Terms of Service, except that neither party limits its liability for breaches of data protection law that result in material harm to data subjects.

13. Governing law

This DPA is governed by the laws of the jurisdiction specified in the Terms of Service. Where the Controller is established in the EEA, disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of Ireland.