
Data Processing Agreement

Last updated: 2026-05-10

This Data Processing Agreement ("DPA") forms part of the PayDam Terms of Service between Paldam LLC ("Processor", "we", "us") and the PayDam account holder or entity using PayDam ("Controller", "you"). It applies when Processor processes Personal Data about your end-customers on your behalf in connection with PayDam.

This DPA is intended to satisfy Article 28 of the EU GDPR and UK GDPR where those laws apply. It does not apply to account-holder data for which Paldam LLC acts as an independent controller, as described in the Privacy Policy.

1. Definitions

Terms such as "Personal Data", "Controller", "Processor", "Data Subject", "Processing", "Sub-processor", and "Personal Data Breach" have the meanings given in applicable Data Protection Laws. "Data Protection Laws" means privacy and data-protection laws that apply to the relevant processing, including GDPR, UK GDPR, and U.S. state privacy laws where applicable. "End-User Data" means Personal Data about your customers or users that PayDam processes to provide failed-payment recovery workflows.

2. Roles, instructions, and controller obligations

  • You are the Controller of End-User Data. Processor processes End-User Data only on your documented instructions, which include this DPA, the Terms, your PayDam configuration, your Stripe connection, and support instructions you provide.
  • You are solely responsible for determining whether PayDam is appropriate for your use case and whether your instructions comply with Data Protection Laws, anti-spam laws, consumer-protection laws, Stripe terms, and your own customer agreements.
  • You must have all notices, consents, contracts, lawful bases, and rights needed for Processor and its Sub-processors to process End-User Data and send recovery communications on your behalf.
  • You will not provide special categories of data, sensitive personal information, protected health information, payment card numbers, CVC codes, bank account numbers, government IDs, or children's data to PayDam unless we have expressly agreed in writing.
  • Processor may refuse, suspend, or delay an instruction if it reasonably believes the instruction violates law, third-party terms, this DPA, or creates security, operational, reputational, or legal risk.

3. Processing details

  • Subject matter: processing End-User Data to provide PayDam's Stripe failed-payment recovery workflows and related analytics.
  • Nature: receiving Stripe webhooks and API data; reading invoice, subscription, customer, and payment-status records; sending branded recovery emails; generating or routing Stripe-powered update pages; recording engagement and recovery events; displaying dashboards; and supporting the service.
  • Purpose: providing, securing, supporting, and improving PayDam as configured by you.
  • Duration: for the term of your PayDam account and the retention periods described in this DPA and the Privacy Policy.
  • Data subjects: your customers or customer representatives whose Stripe invoices, subscriptions, or payment statuses are processed through PayDam.
  • Personal data: name, email address, Stripe IDs, invoice IDs, subscription IDs, invoice amount, currency, line-item descriptions, status, failure reason, retry timestamps, signed recovery URLs, and email engagement events.

4. Processor obligations

Processor will:

  • process End-User Data only on documented instructions unless required by law;
  • ensure personnel authorized to process End-User Data are subject to confidentiality obligations;
  • implement technical and organizational measures designed to protect End-User Data, as described below;
  • provide reasonable assistance with Data Subject requests, DPIAs, security obligations, and regulator inquiries, taking into account the nature of processing and information available to Processor;
  • notify you if Processor believes an instruction infringes Data Protection Laws, unless prohibited by law; and
  • delete or return End-User Data as described in Section 9.

Assistance that requires significant engineering, legal, security, or operational work may be provided at Processor's then-current rates or on another commercially reasonable cost-recovery basis, unless prohibited by applicable law.

5. Sub-processors

  • You give Processor general authorization to engage the Sub-processors listed at /legal/sub-processors.
  • Processor may add or replace Sub-processors by updating that page or providing notice by email, in-product notice, or another reasonable method at least thirty (30) days before the new Sub-processor begins processing End-User Data, unless an urgent security, legal, continuity, or service-provider transition requires shorter notice.
  • You may object on reasonable data-protection grounds before the notice period ends. Your sole remedy if Processor cannot reasonably accommodate the objection is to stop using the affected feature or terminate the service. Unless required by law or expressly agreed, termination does not waive fees already incurred.
  • Processor will impose data-protection obligations on Sub-processors that are materially no less protective than those in this DPA, taking into account the nature of the services provided by the Sub-processor.

6. Security measures

Processor maintains commercially reasonable administrative, technical, and organizational safeguards designed for the nature and risk of the processing. These safeguards may include:

  • Access governance: controls intended to limit production access to authorized personnel with a legitimate business need.
  • Protected transmission and storage: safeguards intended to protect personal data and connected-account credentials during transmission and storage.
  • Credential handling: controls intended to reduce unauthorized access to service secrets, connected-account credentials, and administrative systems.
  • Operational monitoring: logging, alerting, and review practices intended to support service reliability, fraud prevention, abuse response, and security investigations.
  • Provider safeguards: use of reputable infrastructure, payment, communications, and security providers listed on the Sub-processors page.
  • Vulnerability handling: periodic review and a disclosure channel at security@paydam.app.
  • Payment-card boundary: PayDam is designed so raw card numbers, CVC codes, and bank account numbers are collected by Stripe rather than PayDam.

Security measures may change as PayDam evolves, provided the overall level of protection is not materially reduced.

To protect the service and other customers, Processor does not publish operational security architecture, detailed control configurations, logs, source code, penetration-test materials, or other information that could increase security risk. Additional security information, where available, may be provided at Processor's discretion under appropriate confidentiality terms.

7. Personal Data Breach

Processor will notify you without undue delay after confirming a Personal Data Breach affecting End-User Data. Where feasible, notice will include the nature of the breach, categories of affected data, likely consequences, and measures taken or proposed. Notice of a security incident is not an admission of fault or liability.

You are responsible for determining whether notice to Data Subjects, regulators, customers, or other parties is required, unless applicable law places that obligation directly on Processor.

8. Data Subject requests

If Processor receives a request from a Data Subject relating to End-User Data, Processor may redirect the request to you or, where appropriate, assist you in responding. You are responsible for verifying the request, deciding how to respond, and maintaining the customer relationship.

9. Return and deletion

  • Upon termination or deletion of a PayDam account, Processor will delete End-User Data according to the Privacy Policy, generally within thirty (30) days for active application data.
  • Processor may retain data where required or permitted for legal compliance, tax, billing, collections, dispute resolution, security, fraud prevention, backup retention, audit, or enforcement.
  • Backup copies may persist until overwritten in the ordinary course of backup cycles, provided they remain protected from active processing except for restoration, continuity, security, or legal purposes.
  • Where technically feasible and reasonably requested before deletion, Processor may provide an export of End-User Data in a commonly used format.

10. Audits

Processor will make available information reasonably necessary to demonstrate compliance with this DPA. To protect PayDam, other customers, and service security, audits must be remote-first, limited to relevant documentation, conducted no more than once per twelve (12) months unless required by law or after a confirmed Personal Data Breach, scheduled on at least thirty (30) days' written notice, and performed at your expense under confidentiality obligations.

Audits may not include access to production systems, source code, other customers' data, security-sensitive details, third-party confidential information, or information that would increase security risk. Processor may satisfy audit requests by providing security summaries, policies, subprocessors' reports, questionnaires, or equivalent documentation where available.

11. International transfers

End-User Data may be transferred to the United States and other countries where Processor or its Sub-processors operate. Where required for EEA, UK, or Swiss data, the parties incorporate the applicable Standard Contractual Clauses, UK International Data Transfer Addendum, adequacy mechanisms, or other lawful transfer safeguards. You are responsible for determining whether your use of PayDam requires additional transfer assessments, notices, or safeguards.

12. U.S. state privacy laws

Where U.S. state privacy laws apply to End-User Data, Processor acts as your service provider or processor. Processor will not sell End-User Data or share it for cross-context behavioral advertising. Processor will not retain, use, or disclose End-User Data outside the business purposes of providing PayDam, except as permitted by applicable law and this DPA.

13. Liability and indemnity

All liability arising out of or relating to this DPA is subject to the exclusions and limitations of liability in the Terms of Service. This DPA does not expand Paldam LLC's liability or create remedies not provided in the Terms. You will indemnify Paldam LLC for claims arising from your instructions, your data, your customer relationships, your legal basis for processing, your communications, or your violation of this DPA, the Terms, or Data Protection Laws.

14. Order of precedence and term

If this DPA conflicts with the Terms solely regarding processing of End-User Data, this DPA controls for that conflict. The Terms control for all other matters, including billing, service access, disclaimers, liability, indemnity, and disputes. This DPA remains in effect while Processor processes End-User Data on your behalf.

15. Contact

Privacy-related notices under this DPA should be sent to privacy@paydam.app.

Paldam LLC · 2108 N St, Ste N, Sacramento, CA 95816 · privacy@paydam.app

PayDam
PayDam is a product of Paldam LLC.
2108 N St, Ste N, Sacramento, CA 95816
support@paydam.app
© 2026 Paldam LLC. All rights reserved.