Data Processing Addendum ("DPA")
DATA PROCESSING ADDENDUM
Last updated and effective as of March 11, 2025 (the “Effective Date”).
This Data Processing Addendum (“DPA”), forms part of the Service Agreement or other agreement pursuant to which Paytronix makes its Offering available to Client and into which this DPA is incorporated by reference (the “Agreement”) between Paytronix Systems, Inc. (“Paytronix”) and the entity that has engaged Paytronix to provide the Offering (“Client”).
Capitalized terms used and not otherwise defined herein shall have the meanings ascribed to them in the Agreement. Each of Paytronix and Client is referred to in this DPA individually as a "party", collectively the "parties". By entering into the Agreement, the parties are deemed to
have signed all Exhibits, Annexes, Attachments, Schedules, and Appendices, including those incorporated by reference, to this DPA where applicable.
1. Definitions.
a. “Client Data” means any information Processed by Paytronix solely on behalf of
Client, including without limitation any EU Personal Data, UK Personal Data,
California Personal Data, Virginia Personal Data, Colorado Personal Data, Utah
Personal Data, and/or Connecticut Personal Data.
b. “CPA” means (to the extent applicable) the Colorado Privacy Act, together with
any regulations promulgated thereunder.
c. “CPRA” means (to the extent applicable) the California Privacy Rights Act of
2020, together with any regulations promulgated thereunder.
d. “CTDPA” means (to the extent applicable) the Connecticut Act Concerning Personal Data Privacy and Online Monitoring, together with any regulations promulgated thereunder.
e. “European Data Protection Laws” means, collectively, the GDPR and the UK
Data Protection Laws, as applicable.
f. “GDPR” means the General Data Protection Regulation (EU) 2016/679.
g. “Personal Data” means any information relating to, linked to, or reasonably
linkable to any identified or identifiable individual or household.
h. “Processing” (including any grammatically inflected forms thereof) means any operation or set of operations which is performed on data or on sets of data, whether or not by automated means or manual means, including without
limitation collection, recording, organization, structuring, storage, adaptation or alteration, access, retrieval, consultation, use, disclosure (including by
transmission), analysis, deletion, modification, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, including
the actions of a person directing a third party to Process data on behalf of such
person.
i. “Trigger Date” means July 1, 2023.
j. “UCPA” means (to the extent applicable) the Utah Consumer Privacy Act,
together with any regulations promulgated thereunder.
k. “UK” means the United Kingdom.
l. “UK Data Protection Laws” means UK GDPR and the UK’s Data Protection Act
2018 (“UK DPA 2018”).
m. “UK GDPR” means the UK equivalent of the GDPR, as defined in section 3(10)
(and as supplemented by section 205(4)) of the UK DPA 2018.
n. “Utah Trigger Date” means December 31, 2023.
o. “VCDPA” means (to the extent applicable) the Virginia Consumer Data Protection Act, together with any regulations promulgated thereunder.
2. (a) Paytronix shall maintain the security of, and manage, Client’s Account Information in accordance with the obligations of this DPA. Taking into account the risk of harm, Paytronix shall implement commercially reasonable technical and organizational measures intended to protect Account Information from any Security Incident (as defined
in the Agreement). Paytronix's servers are located in a main data center (Main Facility) and at a disaster recovery data center (“DR Facility”), with each facility being managed by different, independent data center companies. Both facilities have multiple internet back bones, and multiple power sources with backup generators and backup batteries. Paytronix’s systems within the facilities have redundant systems for each known potential failure point. Paytronix has redundant networking equipment (routers, servers, firewalls, and load balancers) that run active-passive and failover automatically. Transactions are processed by a pool of application servers, so that if one fails, the others are designed to
take over. More specifically for transactional data contained within Account Information, such transactional data comes into the Main Facility and into the primary transactional database in real-time. The transactional database is replicated in real-time to a high availability backup server. The high availability server is then replicated to the DR Facility, to an additional primary transactional database and a high availability database.
All databases containing Account Information in both the Main and DR Facilities use RAID (Redundant Array of Independent Disks) disk storage. In addition, the primary transactional database at the Main Facility has its SQL server transaction logs and database backed up nightly. Data backup processes are verified by an SSAE 18 audit
each year. Upon request from Client, Paytronix shall provide Client with a copy of all such SSAE 18 reports during the Term of the Agreement.
Paytronix shall be responsible for performing the above data storage management for all Account Information. Paytronix shall further ensure that in all instances and forms, including, but not limited to database instances, physical media, backup tapes, application servers, application code, and logical platforms, Client’s Account Information (as defined in the Agreement) shall be kept logically separated and instantiated such
that it does not interact with other data present within the same physical environment, nor will such Account Information be visible or accessible to other Paytronix clients.
Such logical separations shall be maintained at all times for the duration of the Term of the Agreement.
Paytronix agrees that it will, or will cause any third-party vendor that supports Paytronix in providing the Services and Software provided to Client by Paytronix in accordance with the terms of the Agreement (collectively, the “Offering”) and that have access to Client’s Account Information, to use systems, tools and network security, including firewalls that provide a secure environment, monitor and prevent unauthorized access, redistribution, duplication, modification or uploading of Client’s Account Information.
(b) If there is any Security Incident of Client’s Account Information, subject to the direction of law enforcement and other limitations to the extent imposed by applicable laws, Paytronix shall promptly notify Client in writing of the details of such Security Incident and, to the extent such Security Incident is attributable to Paytronix’s negligent acts or omissions, Paytronix shall work diligently to resolve such Security Incident in a manner designed to prevent recurrence of such Security Incident. Any such notice shall
be Paytronix’s Proprietary Information. Client shall have the right at the Client’s expense and at any point during the Term with sixty (60) days written notice to conduct a commercially reasonable audit of Paytronix’s security measures (and as soon as determined necessary by Client in Client’s sole discretion if based on the need for an audit due to any form of Security Incident attributable to Paytronix’s negligent acts or omissions). Auditor will be an independent third party that is familiar with conducting such audits and is subject to Paytronix’s approval, not to be unreasonably withheld.
Auditors will comply with Paytronix’s reasonable confidentiality and security procedures. Paytronix shall reasonably cooperate in such audit(s) and any information disclosed in such audit(s) shall be Paytronix’s Proprietary Information.
3. To the extent Paytronix Processes Personal Data regulated by the GDPR solely on behalf of Client (“EU Personal Data”), and to the extent Client is a controller (as defined in the GDPR) and the Paytronix is a processor (as defined in the GDPR) on behalf of Client with regard to such EU Personal Data, then to the extent required by the GDPR, Module 2 of the Standard Contractual Clauses for the Transfer of Personal Data as set
out in European Commission Decision 2021/914/EC, at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN (the “Controller to Processor
Standard Contractual Clauses”) will apply to the transfer of such EU Personal Data by Client to Paytronix and to Paytronix’s Processing of such EU Personal Data and the parties hereby agree to comply with such Controller to Processor Standard Contractual Clauses, which are hereby incorporated into the Agreement in their entirety, except as set forth in Exhibit A. In the event of a conflict between the Agreement and the Controller to Processor Standard Contractual Clauses, the Controller to Processor Standard
Contractual Clauses will control to the extent applicable to such EU Personal Data.
4. To the extent Paytronix Processes EU Personal Data, and to the extent Client is a processor (as defined in the GDPR) on behalf of a third party with respect to EU
Personal Data and the Paytronix is a processor on behalf of Client with regard to such EU Personal Data, then to the extent required by the GDPR, Module 3 of the Standard Contractual Clauses for the Transfer of Personal Data as set out in European Commission Decision 2021/914/EC, at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN (the “Processor to Processor
Standard Contractual Clauses”) will apply to the transfer of such EU Personal Data by Client to Paytronix and to the Paytronix’s Processing of such EU Personal Data and the parties hereby agree to comply with such Processor to Processor Standard Contractual
Clauses, which are hereby incorporated into the Agreement in their entirety, except as set forth in Exhibit B. In the event of a conflict between the Agreement and the
Processor to Processor Standard Contractual Clauses, the Processor to Processor Standard Contractual Clauses will control to the extent applicable to such EU Personal
Data.
5. To the extent Paytronix Processes Personal Data regulated by the UK Data Protection Laws solely on behalf of Client (“UK Personal Data”), then to the extent required by the UK Data Protection Laws, the UK’s ‘International Data Transfer Addendum to the EU Commission Standard Contractual Clauses’ Version B1.0, in force from March 21, 2022,
at https://ico.org.uk/media/for-organisations/documents/4019535/addendum-international-data-transfer.docx (the “UK Data Exhibit”) will apply to the transfer of such UK Personal Data by Client to Paytronix and to the Paytronix’s Processing of such UK Personal Data and the parties hereby agree to comply with such UK Data Exhibit, which is hereby incorporated into the Agreement in its entirety and as set forth in Exhibit C. In the event of a conflict between the Agreement and the UK Data Exhibit, the UK Data Exhibit will control to the extent applicable to the UK Personal Data.
6. To the extent Client makes available to Paytronix Personal Data regulated by the CPRA for a business purpose pursuant to the Agreement and/or to the extent Paytronix Processes Personal Data regulated by the CPRA solely on behalf of Client (“California Personal Data”), then to the extent required by the CPRA, the California Data Exhibit (attached hereto as Exhibit D, the “California Data Exhibit”) will apply to the Paytronix’s Processing of such California Personal Data and the parties hereby agree to comply with such California Data Exhibit, which is hereby incorporated into the Agreement in its
entirety. In the event of a conflict between the Agreement and the California Data
Exhibit, the California Data Exhibit will control to the extent applicable to the California Personal Data.
7. To the extent Paytronix Processes Personal Data regulated by the VCDPA solely on behalf of Client (“Virginia Personal Data”), then to the extent required by the VCDPA, the Virginia Data Exhibit (attached hereto as Exhibit E, the “Virginia Data Exhibit”) will apply
to the Paytronix’s Processing of such Virginia Personal Data and the parties hereby agree to comply with such Virginia Data Exhibit, which is hereby incorporated into the Agreement in its entirety. In the event of a conflict between the Agreement and the Virginia Data Exhibit, the Virginia Data Exhibit will control to the extent applicable to the Virginia Personal Data.
8. This Section 8 and the Colorado Data Exhibit (as defined below) shall apply only from and after the Trigger Date (and not before). To the extent Paytronix Processes Personal Data regulated by the CPA solely on behalf of Client (“Colorado Personal Data”), then to the extent required by the Colorado, the Colorado Data Exhibit (attached hereto as Exhibit F, the “Colorado Data Exhibit”) will apply to the Paytronix’s Processing of such Colorado Personal Data and the parties hereby agree to comply with such Colorado
Data Exhibit, which is hereby incorporated into the Agreement in its entirety. In the event of a conflict between the Agreement and the Colorado Data Exhibit, the Colorado Data Exhibit will control to the extent applicable to the Colorado Personal Data.
9. This Section 9 and the Utah Data Exhibit (as defined below) shall apply only from and after the Utah Trigger Date (and not before). To the extent Paytronix Processes
Personal Data regulated by the UCPA solely on behalf of Client (“Utah Personal Data”), then to the extent required by the UCPA, the Utah Data Exhibit (attached hereto as Exhibit G, the “Utah Data Exhibit”) will apply to the Paytronix’s Processing of such Utah Personal Data and the parties hereby agree to comply with such Utah Data Exhibit, which is hereby incorporated into the Agreement in its entirety. In the event of a conflict
between the Agreement and the Utah Data Exhibit, the Utah Data Exhibit will control to the extent applicable to the Utah Personal Data.
10. This Section 10 and the Connecticut Data Exhibit (as defined below) shall apply only
from and after the Trigger Date (and not before). To the extent Paytronix Processes
Personal Data regulated by the CTDPA solely on behalf of Client (“Connecticut Personal
Data”), then to the extent required by the CTDPA, the Connecticut Data Exhibit
(attached hereto as Exhibit H, the “Connecticut Data Exhibit”) will apply to the
Paytronix’s Processing of such Connecticut Personal Data and the parties hereby agree
to comply with such Connecticut Data Exhibit, which is hereby incorporated into the
Agreement in its entirety. In the event of a conflict between the Agreement and the
Connecticut Data Exhibit, the Connecticut Data Exhibit will control to the extent
applicable to the Connecticut Personal Data.
11. Client represents, warrants, and covenants that: (i) it has (and will have) Processed,
collected, and disclosed all Client Data in compliance with applicable law and provided
any notice and obtained all consents and rights required by applicable law to enable
Paytronix to lawfully Process Client Data as permitted by the Agreement and/or this
DPA; (ii) it has (and will continue to have) full right and authority to make the Client Data
available to Paytronix under the Agreement and this DPA; and (iii) Paytronix's
Processing of the Client Data in accordance with the Agreement, this DPA, and/or
Client's instructions does and will not infringe upon or violate any applicable law or any
rights of any third party. Client shall indemnify, defend and hold Paytronix harmless
against any claims, actions, proceedings, expenses, damages and liabilities (including
without limitation any governmental investigations, complaints and actions) and
reasonable attorneys’ fees arising out of Client’s violation of this Section 11.
Notwithstanding anything to the contrary in the Agreement, Client’s indemnification
obligations under this Section 11 shall not be subject to any limitations of liability set
forth in the Agreement.
12. Notwithstanding anything to the contrary in the Agreement (including this DPA), Client
acknowledges that Paytronix shall have a right to use and disclose data relating to the
operation, support and/or use of the Offering (including without limitation contact details
of representatives of Client) for its legitimate business purposes, such as product
development and sales and marketing. To the extent any such data is considered
personal data (as defined in, and regulated by the European Data Protection Laws),
then, to the extent Paytronix is subject to the European Data Protection Laws as a
controller (as defined in the European Data Protection Laws), Paytronix is the controller
(as defined in the European Data Protection Laws) of such data and accordingly shall
Process such data in accordance with the European Data Protection Laws. To the extent
any such data is considered personal information (as defined in, and regulated by, the
CPRA), then, to the extent Paytronix is subject to the CPRA as a business (as defined in
the CPRA), Paytronix is the business (as defined in the CPRA) with respect to such data
and accordingly shall Process such data in accordance with the CPRA.
13. This DPA (together with the Agreement), constitutes the entire agreement between the
parties and supersedes all prior undertakings and agreements between the parties,
whether written or oral, with respect to the subject matter of this DPA. Paytronix reserves
the right, in its sole discretion, to change, modify, replace, add to, supplement or delete
any terms and conditions of this DPA at any time by posting an updated version of this
DPA on this webpage.
Paytronix Data Processing Agreement v1.8
14. In this DPA, unless a clear contrary intention appears: (i) where not inconsistent with the
context, words used in the present tense include the future tense and vice versa and
words in the plural number include the singular number and vice versa; (ii) reference to
any person includes such person’s successors and assigns but, if applicable, only if
such successors and assigns are not prohibited by the Agreement; (iii) reference to any
gender includes each other gender; (iv) reference to any agreement, document or
instrument means such agreement, document or instrument as amended or modified
and in effect from time to time in accordance with the terms thereof and includes all
addenda, exhibits and schedules thereto; (v) the titles and subtitles used in this DPA are
used for convenience only and are not to be considered in construing or interpreting this
DPA; (vi) “hereunder,” “hereof,” “hereto,” and words of similar import shall be deemed
references to this DPA as a whole and not to any particular Section or Subsection of this
DPA; (vii) “including” (including grammatically inflected forms thereof) means including
without limiting the generality of any description preceding such term; (viii) all references
to “days” refer to calendar days; and (ix) the word "or" is not exclusive. This DPA has
been executed in English and the English language version shall control notwithstanding
any translations of this DPA.
Exhibit A
CONTROLLER TO PROCESSOR STANDARD CONTRACTUAL CLAUSES
(a) For the purposes of the Controller to Processor Standard Contractual Clauses:
(1) Clause 7. The parties agree that the optional language in Clause 7 is included.
(2) Clause 9(a). The parties agree that under Option 2, Paytronix has Client’s
general authorization to subcontract its processing activities to the list of sub-processors set out in Section (a)(11)(i). Paytronix will inform Client in writing of
any intended changes to the list of sub-processors set out in Section (a)(11)(i) at
least 10 days prior to engaging with any other sub-processor.
(3) Clause 11. The parties agree that the optional language in Clause 11 is
excluded.
(4) Clause 13. The parties agree that the brackets are removed in the provisions in
Clause 13(a) such that the appropriate provision will apply as applicable.
(5) Clause 17. The Controller to Processor Standard Contractual Clauses shall be
governed by the laws of Ireland.
(6) Clause 18. The parties agree that any dispute arising from the Controller to
Processor Standard Contractual Clauses shall be resolved by the courts of
Ireland.
(7) Annex I.A.
i. The name, address, and the name and contact details of the contact
person of Client (which is the data exporter) are as set forth in the
applicable Order Form.
ii. The name, address, and the name and contact details of the contact
person of Paytronix (which is the data importer) are as follows:
Name: Paytronix Systems, Inc.
Address: 80 Bridge St., Newton, MA 02458
Contact person’s name, position and contact details: Marc Schultz, Head
of Data Privacy and Security, mschultz@paytronix.com.
iii. The activities relevant to the data transferred are Paytronix’s provision of
the Offering to Client as described in the Agreement and/or the applicable
Order Form.
iv. The signature and date are the signature and date set forth in the
applicable Order Form.
v. The roles of the parties are as follows: Paytronix is a processor and Client
is a controller.
(8) Annex I.B.
i. The categories of data subject are customers of the data exporter who
are members of the data exporter’s program(s) enabled by the Offering
and representatives of the data exporter.
ii. The categories of personal data transferred are:
1. Personal data including details of customers of the data exporter,
including name, address, email address, mobile number, date of
birth, and transactional information, such as items purchased,
amount spent, location and time where purchase took place and
marketing, product or other preference information.
2. Personal data of representatives of the data exporter, including
name, business contact information, username, and password.
iii. The transfer of sensitive personal data is not presently contemplated by
this arrangement.
iv. The frequency of the transfer shall be on a continuous basis.
v. The nature of the processing is such that the personal data will be subject
to basic processing, including but not limited to collection, recording,
organization, storage, adaptation or alteration, retrieval, consultation, use,
disclosure by transmission, dissemination or otherwise making available,
alignment or combination, blocking, erasure or destruction for the purpose
of providing the Offering by data importer to the data exporter in
accordance with the terms of the Agreement.
vi. The purpose of the data transfer and further processing is provision of the
Offering by data importer to data exporter.
vii. The duration of the processing under these Controller to Processor
Standard Contractual Clauses shall continue as long as data importer
carries out personal data processing operations on behalf of data
exporter or until the termination of the Agreement (and all personal data
has been returned or deleted in accordance with these Controller to
Processor Standard Contractual Clauses).
viii. For transfers to sub-processors, personal data will be transferred to sub-processors in order for the data importer to provide the Offering to the
data exporter. The nature of the processing by such sub-processors will
be as follows: the personal data will be subject to basic processing, which
may include without limitation collection, recording, organization,
structuring, storage, adaptation or alteration, retrieval, consultation, use,
disclosure by transmission, dissemination or otherwise making available,
alignment or combination, blocking, erasure or destruction for the purpose
of providing the Offering to the data exporter in accordance with the terms
of the Agreement. The duration of the processing by such sub-processors
shall continue as long as such sub-processors carry out personal data
processing operations on behalf of the data importer.
(9) Annex I.C.
i. The data exporter’s competent supervisory authority will be determined in
accordance with the GDPR.
(10) Annex II.
i. The data importer employs a number of technical and organisational
measures as further specified in Section 2(a) of the DPA.
(11) Annex III.
i. Client has authorized the use of the sub-processors listed at
https://www.paytronix.com/terms-and-conditions/data-processing-agreement/list-of-vendors/
Exhibit B
PROCESSOR TO PROCESSOR STANDARD CONTRACTUAL CLAUSES
(a) For the purposes of the Processor to Processor Standard Contractual Clauses:
(1) Clause 7. The parties agree that the optional language in Clause 7 is included.
(2) Clause 9(a). The parties agree that under Option 2, Paytronix has Client’s
general authorization to subcontract its processing activities to the list of sub-processors set out in Section (a)(11)(i). Paytronix will inform Client in writing of
any intended changes to the list of sub-processors set out in Section (a)(11)(i) at
least 10 days prior to engaging with any other sub-processor.
(3) Clause 11. The parties agree that the optional language in Clause 11 is
excluded.
(4) Clause 13. The parties agree that the brackets are removed in the provisions in
Clause 13(a) such that the appropriate provision will apply as applicable.
(5) Clause 17. The Processor to Processor Standard Contractual Clauses shall be
governed by the laws of Ireland.
(6) Clause 18. The parties agree that any dispute arising from the Processor to
Processor Standard Contractual Clauses shall be resolved by the courts of
Ireland.
(7) Annex I.A.
i. The name, address, and the name and contact details of the contact
person of Client (which is the data exporter) are as set forth in the
applicable Order Form.
ii. The name, address, and the name and contact details of the contact
person of Paytronix (which is the data importer) are as follows:
Name: Paytronix Systems, Inc.
Address: 80 Bridge St., Newton, MA 02458
Contact person’s name, position and contact details: Marc Schultz, Head
of Data Privacy and Security, mschultz@paytronix.com.
iii. The activities relevant to the data transferred are Paytronix’s provision of
the Offering to Client as described in the Agreement and/or the applicable
Order Form.
iv. The signature and date are the signature and date set forth in the
applicable Order Form.
v. The roles of the parties are as follows: Paytronix is a processor and Client
is a processor.
(8) Annex I.B.
i. The categories of data subject are customers of the data exporter who
are members of the data exporter’s program(s) enabled by the Offering
and representatives of the data exporter.
ii. The categories of personal data transferred are:
1. Personal data including details of customers of the data exporter,
including name, address, email address, mobile number, date of
birth, and transactional information, such as items purchased,
amount spent, location and time where purchase took place and
marketing, product or other preference information.
2. Personal data of representatives of the data exporter, including
name, business contact information, username, and password.
iii. The transfer of sensitive personal data is not presently contemplated by
this arrangement.
iv. The frequency of the transfer shall be on a continuous basis.
v. The nature of the processing is such that the personal data will be subject
to basic processing, including but not limited to collection, recording,
organization, storage, adaptation or alteration, retrieval, consultation, use,
disclosure by transmission, dissemination or otherwise making available,
alignment or combination, blocking, erasure or destruction for the purpose
of providing the Offering by data importer to the data exporter in
accordance with the terms of the Agreement.
vi. The purpose of the data transfer and further processing is provision of the
Offering by data importer to data exporter.
vii. The duration of the processing under these Processor to Processor
Standard Contractual Clauses shall continue as long as data importer
carries out personal data processing operations on behalf of data
exporter or until the termination of the Agreement (and all personal data
has been returned or deleted in accordance with these Processor to
Processor Standard Contractual Clauses).
viii. For transfers to sub-processors, personal data will be transferred to sub-processors in order for the data importer to provide the Offering to the
data exporter. The nature of the processing by such sub-processors will
be as follows: the personal data will be subject to basic processing, which
may include without limitation collection, recording, organization,
structuring, storage, adaptation or alteration, retrieval, consultation, use,
disclosure by transmission, dissemination or otherwise making available,
alignment or combination, blocking, erasure or destruction for the purpose
of providing the Offering to the data exporter in accordance with the terms
of the Agreement. The duration of the processing by such sub-processors
shall continue as long as such sub-processors carry out personal data
processing operations on behalf of the data importer.
(9) Annex I.C.
i. The data exporter’s competent supervisory authority will be determined in
accordance with the GDPR.
(10) Annex II.
i. Section (a)(10)(i) of Exhibit A is incorporated herein by reference.
(11) Annex III.
i. Section (a)(11)(i) of Exhibit A is incorporated herein by reference.
Exhibit C
UK DATA EXHIBIT
(a) For the purposes of the UK Data Exhibit:
(1) For the purposes of Table 1 of the UK Data Exhibit, the start date shall be the
later of the Effective Date or the date the Agreement is entered into by the
parties, and the names of the parties, their roles and their details shall be as set
out in Exhibit A Section (a)(7) and Exhibit B Section (a)(7), respectively;
(2) For the purposes of Tables 2 and 3 of the UK Data Exhibit, the Controller to
Processor Standard Contractual Clauses and the Processor to Processor
Standard Contractual Clauses, including the information set out in Exhibit A
Section (a)(8), (10), and (11)(i) and Exhibit B Section (a)(8), (10), and (11)(i),
respectively, shall apply; and
(3) For the purposes of Table 4 of the UK Data Exhibit, data importer may end the
UK Data Exhibit.
Exhibit D
California Data Exhibit
1. This California Data Exhibit (this “Exhibit”), forms part of the DPA. Capitalized terms used and
not otherwise defined herein shall have the meanings ascribed to them in the DPA or the
Agreement (as applicable).
2. CPRA Provisions.
a. In this Exhibit, the following terms have the meanings given in the CPRA: "business
purpose", “personal information”, “processing”, “service provider”, “contractor”, “person”,
“share”, “sharing”, “shared”, “sell”, “selling”, “sale” and “sold”.
b. Except as otherwise required by applicable law, Paytronix shall:
i. not sell or share California Personal Data;
ii. not retain, use, or disclose California Personal Data for any purpose other than for
the business purposes specified in the Agreement for the Client, nor retain, use, or
disclose California Personal Data for a commercial purpose other than the business
purposes specified in the Agreement, or as otherwise permitted by the CPRA;
iii. not retain, use, or disclose California Personal Data outside of the direct business
relationship between the parties;
iv. not combine California Personal Data, which Paytronix receives pursuant to the
Agreement or from or on behalf of Client, with personal information which it receives
from or on behalf of another person or persons, or collects from its own interaction
with the individual to whom such California Personal Data relates, except as
otherwise expressly permitted by the CPRA;
v. reasonably cooperate with Client in responding to any requests from any individual
regarding California Personal Data relating to such individual, including reasonably
assisting Client in deletion, correction, or limitation of the use of such California
Personal Data where required under the CPRA, and including instructing
Paytronix’s service providers and/or contractors (if any) to so reasonably cooperate
in such response;
vi. reasonably assist Client through appropriate technical and organizational measures
in Client’s complying with the requirements of subdivisions (d) to (f), inclusive, of
Section 1798.100 of the CPRA, taking into account the nature of the California
Personal Data processing by Paytronix;
vii. implement and maintain commercially reasonable security procedures and
practices appropriate to the nature of the California Personal Data intended to
protect such California Personal Data from unauthorized access, destruction, use,
modification, or disclosure;
viii. comply with all applicable obligations under the CPRA and provide the same level
of privacy protection with respect to California Personal Data as required by the
CPRA;
ix. notify Client if Paytronix determines it can no longer meet its obligations under the
CPRA; and
x. comply with Section 1798.140(m) of the CPRA with respect to deidentified data (as
defined in the CPRA) received by Paytronix from Client.
To the extent Paytronix is a contractor, Paytronix certifies that Paytronix understands
the restrictions provided in Sections 2(b)(i), 2(b)(ii), 2(b)(iii), and 2(b)(iv) and will comply
with them.
c. Paytronix acknowledges and agrees that the California Personal Data has been
disclosed to it for the limited and specified purposes set forth in the Agreement and
Paytronix further acknowledges and agrees Client shall have the right: (i) to take
reasonable and appropriate steps to ensure that Paytronix uses California Personal
Data in a manner consistent with Client’s obligations under the CPRA; and (ii) upon
notice from Client to Paytronix, to take reasonable and appropriate steps to stop and
remediate unauthorized use of California Personal Data.
d. To the extent required by the CPRA and to the extent Paytronix is a contractor, Paytronix
shall permit, subject to agreement of the parties, Client to monitor Paytronix’s
compliance with this Exhibit through measures, including, but not limited to, ongoing
manual reviews and automated scans, and regular assessments, audits, or other
technical and operational testing once every twelve (12) months (each, an “Audit”), upon
reasonable prior notice from Client, provided that no third-party auditor (each an
“Auditor”) shall be a competitor of Paytronix, nor shall any Auditor be compensated on
a contingency basis, and provided further that in no event shall Client have access to
the information of any other client of Paytronix and the disclosures made pursuant to
this Section 2(d) (“Audit Information”) shall be held in confidence as Paytronix’s
confidential information and subject to any confidentiality obligations in the Agreement,
and provided further that no Audit shall be undertaken unless or until Client has
requested, and Paytronix has provided, information about Paytronix’s data protection
practices and Client reasonably determines that an Audit remains necessary to
demonstrate material compliance with the obligations laid down in this Exhibit. Without
limiting the generality of any provision in the Agreement, Client shall employ the same
degree of care to safeguard Audit Information that it uses to protect its own confidential
and proprietary information and in any event, not less than a reasonable degree of care
under the circumstances, and Client shall be liable for any improper disclosure or use of
Audit Information by Client or its agents.
e. If Paytronix engages any other person to assist Paytronix in processing California
Personal Data for a business purpose on behalf of Client, Paytronix shall notify Client of
such engagement, and the engagement shall be pursuant to a written contract binding
the other person to observe substantially similar requirements to those set forth in this
Exhibit. Paytronix hereby notifies Client that Paytronix may engage the persons listed in
Section (a)(11)(i) of Exhibit A to this DPA to assist Paytronix in processing California
Personal Data for a business purpose on behalf of Client.
Exhibit E
Virginia Data Exhibit
1. Preamble. This Virginia Data Exhibit (this “Exhibit”), forms part of the DPA. Capitalized terms
used and not otherwise defined herein shall have the meanings ascribed to them in the DPA
or the Agreement (as applicable).
2. Instructions. Client hereby instructs Paytronix to Process Virginia Personal Data to the
extent necessary to provide the Offering.
3. Nature of the Processing; Purpose of the Processing. The Virginia Personal Data will be
subject to basic Processing hereunder, including but not limited to collection, recording,
organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available, alignment or combination,
blocking, erasure or destruction for the purpose of providing the Offering by Paytronix to
Client in accordance with the terms of the Agreement. The purpose of the Processing of
Virginia Personal Data hereunder is the provision of the Offering by Paytronix to Client.
4. Types of Virginia Personal Data. The following types of Virginia Personal Data will be
subject to Processing hereunder: Virginia Personal Data including details of customers of
Client, including without limitation name, address, email address, mobile number, date of
birth, and transactional information, such as items purchased, amount spent, location and
time where purchase took place and marketing, product or other preference information.
5. Duration of Processing. The duration of the Virginia Personal Data Processing under this
Exhibit shall continue, as long as Paytronix carries out Virginia Personal Data Processing
operations on behalf of Client or until the termination of the Agreement (and all Virginia
Personal Data has been returned or deleted in accordance with this Exhibit).
6. Obligations. Except as otherwise required or permitted by applicable law, Paytronix shall:
a. Ensure that each person Processing Virginia Personal Data on behalf of
Paytronix is subject to a duty of confidentiality with respect to such Virginia
Personal Data;
b. At Client’s direction, delete or return all Virginia Personal Data to Client as
requested at the end of the provision of the Offering, unless retention of such
Virginia Personal Data is required by law;
c. Upon the reasonable request of Client, make available to Client all information in
its possession necessary to demonstrate Paytronix’s compliance with the
obligations in the VCDPA (subject to any obligations of confidentiality in the
Agreement);
d. Allow, and cooperate with, reasonable assessments by Client or Client’s
designated assessor, provided that, as an alternative, Paytronix may arrange for
a qualified and independent assessor to conduct an assessment of Paytronix’s
policies and technical and organizational measures in support of the obligations
under the VCDPA using a reasonably appropriate and accepted control standard
or framework and assessment procedure for such assessments and Paytronix
shall provide a report of such assessment to Client upon request. No third-party
assessor appointed by Client shall be a competitor of Paytronix, nor shall any
such assessor be compensated on a contingency basis. In no event shall Client
have access to the information of any other client of Paytronix and the
disclosures made pursuant to this Section 6(d) (“Virginia Assessment
Information”) shall be held in confidence as Paytronix’s confidential information
and subject to any confidentiality obligations in the Agreement, and provided
further that no assessment under this Section 6(d) shall be undertaken unless or
until Client has requested, and Paytronix has provided, information about
Paytronix’s data protection practices and Client reasonably determines that such
an assessment remains necessary to demonstrate material compliance with the
obligations laid down in the VCDPA. Without limiting the generality of any
provision in the Agreement, Client shall employ the same degree of care to
safeguard Virginia Assessment Information that it uses to protect its own
confidential and proprietary information and in any event, not less than a
reasonable degree of care under the circumstances, and Client shall be liable for
any improper disclosure or use of Virginia Assessment Information by Client or
its agents; and
e. Bind each subcontractor of Paytronix that will Process Virginia Personal Data to
a written contract in accordance with Section 59.1-579 (C) of the VCDPA
requiring such subcontractor to comply with obligations of processors (as defined
in the VCDPA) under the VCDPA and to meet equivalent obligations with respect
to such Virginia Personal Data as this Exhibit.
f. Comply with the VCDPA with respect to de-identified data (as defined in the
VCDPA) received by Paytronix from Client to the extent the VCDPA is applicable
to such de-identified data.
Exhibit F
Colorado Data Exhibit
1. Preamble. This Colorado Data Exhibit (this “Exhibit”), forms part of the DPA. Capitalized
terms used and not otherwise defined herein shall have the meanings ascribed to them in
the DPA or the Agreement (as applicable). This Exhibit shall apply only from and after the
Trigger Date (and not before).
2. Instructions. Client hereby instructs Paytronix to Process Colorado Personal Data to the
extent necessary to provide the Offering.
3. Nature of the Processing; Purpose of the Processing. The Colorado Personal Data will be
subject to basic Processing hereunder, including but not limited to collection, recording,
organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available, alignment or combination,
blocking, erasure or destruction for the purpose of providing the Offering by Paytronix to
Client in accordance with the terms of the Agreement. The purpose of the Processing of
Colorado Personal Data hereunder is the provision of the Offering by Paytronix to Client.
4. Types of Colorado Personal Data. The following types of Colorado Personal Data will be
subject to Processing hereunder: Colorado Personal Data including details of customers of
Client, including without limitation name, address, email address, mobile number, date of
birth, and transactional information, such as items purchased, amount spent, location and
time where purchase took place and marketing, product or other preference information.
5. Duration of Processing. The duration of the Colorado Personal Data Processing under this
Exhibit shall continue, as long as Paytronix carries out Colorado Personal Data Processing
operations on behalf of Client or until the termination of the Agreement (and all Colorado
Personal Data has been returned or deleted in accordance with this Exhibit).
6. Obligations. Except as otherwise required or permitted by applicable law, Paytronix shall:
a. At the choice of Client, Paytronix shall delete or return all Colorado Personal
Data to Client as requested at the end of the provision of the Offering, unless
retention of the Colorado Personal Data is required by applicable law;
b. Make available to Client all information reasonably necessary to demonstrate
compliance with the obligations in CPA;
c. Ensure that each person Processing Colorado Personal Data on behalf of
Paytronix is subject to a duty of confidentiality with respect to such Colorado
Personal Data;
d. Allow for, and contribute to, reasonable audits and inspections by Client or
Client's designated auditor, provided that, as an alternative, Client hereby
consents for Paytronix to arrange for a qualified and independent auditor to
conduct, at least annually and at Paytronix’s expense, an audit of Paytronix's
policies and technical and organizational measures in support of the obligations
under the CPA using a reasonably appropriate and accepted control standard or
framework and audit procedure for the audits as applicable and Paytronix shall
provide a report of the audit to Client upon request. No third-party auditor
appointed by Client shall be a competitor of Paytronix, nor shall any such auditor
be compensated on a contingency basis. In no event shall Client have access to
the information of any other client of Paytronix and the disclosures made
pursuant to this Section 6(d) (“Colorado Audit Information”) shall be held in
confidence as Paytronix’s confidential information and subject to any
confidentiality obligations in the Agreement, and provided further that no audit
under this Section 6(d) shall be undertaken unless or until Client has requested,
and Paytronix has provided, information about Paytronix’s data protection
practices and Client reasonably determines that such an audit remains
necessary to demonstrate material compliance with the obligations laid down in
the CPA. Without limiting the generality of any provision in the Agreement, Client
shall employ the same degree of care to safeguard Colorado Audit Information
that it uses to protect its own confidential and proprietary information and in any
event, not less than a reasonable degree of care under the circumstances, and
Client shall be liable for any improper disclosure or use of Colorado Audit
Information by Client or its agents;
e. Taking into account the context of Processing, Paytronix shall implement
reasonably appropriate technical and organizational measures designed to
ensure a level of security with respect to the Colorado Personal Data reasonably
appropriate to the risk as set out in Section 2; and
f. Engage a subcontractor to Process Colorado Personal Data on behalf of
Paytronix only after providing Client with an opportunity to object and pursuant to
a written contract in accordance with Section 6-1-1305(5) of the CPA that
requires the subcontractor to comply with obligations of processors (as defined in
the CPA) under the CPA and meet equivalent obligations to those of this Exhibit
with respect to such Colorado Personal Data.
g. Comply with Section 6-1-1303(11) of the CPA with respect to de-identified data (as
defined in the CPA) received by Paytronix from Client.
Exhibit G
Utah Data Exhibit
1. Preamble. This Utah Data Exhibit (this “Exhibit”), forms part of the DPA. Capitalized terms
used and not otherwise defined herein shall have the meanings ascribed to them in the DPA
or the Agreement (as applicable). This Exhibit shall apply only from and after the Utah
Trigger Date (and not before).
2. Instructions. Client hereby instructs Paytronix to Process Utah Personal Data to the extent
necessary to provide the Offering.
3. Nature of the Processing; Purpose of the Processing. The Utah Personal Data will be
subject to basic Processing hereunder, including but not limited to collection, recording,
organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available, alignment or combination,
blocking, erasure or destruction for the purpose of providing the Offering by Paytronix to
Client in accordance with the terms of the Agreement. The purpose of the Processing of
Utah Personal Data hereunder is the provision of the Offering by Paytronix to Client.
4. Types of Utah Personal Data. The following types of Utah Personal Data will be subject to
Processing hereunder: Utah Personal Data including details of customers of Client,
including without limitation name, address, email address, mobile number, date of birth, and
transactional information, such as items purchased, amount spent, location and time where
purchase took place and marketing, product or other preference information.
5. Duration of Processing. The duration of the Utah Personal Data Processing under this
Exhibit shall continue, as long as Paytronix carries out Utah Personal Data Processing
operations on behalf of Client or until the termination of the Agreement (and all Utah
Personal Data has been returned or deleted in accordance with this Exhibit).
6. Obligations. Except as otherwise required or permitted by applicable law, Paytronix shall:
a. Ensure that each person Processing Utah Personal Data on behalf of Paytronix
is subject to a duty of confidentiality with respect to such Utah Personal Data;
and
b. Bind each subcontractor of Paytronix that will Process Utah Personal Data to a
written contract requiring such subcontractor to comply with obligations of
processors (as defined in the UCPA) under the UCPA and to meet equivalent
obligations with respect to such Utah Personal Data as this Exhibit.
c. Comply with Section 13-61-101(14)(b)(i) and Section 13-61-101(14)(b)(ii) of the
UCPA with respect to deidentified data (as defined in the UCPA) received by
Paytronix from Client.
Exhibit H
Connecticut Data Exhibit
1. Preamble. This Connecticut Data Exhibit (this “Exhibit”), forms part of the DPA. Capitalized
terms used and not otherwise defined herein shall have the meanings ascribed to them in
the DPA or the Agreement (as applicable). This Exhibit shall apply only from and after the
Trigger Date (and not before).
2. Instructions. Client hereby instructs Paytronix to Process Connecticut Personal Data to the
extent necessary to provide the Offering.
3. Nature of the Processing; Purpose of the Processing. The Connecticut Personal Data will
be subject to basic Processing hereunder, including but not limited to collection, recording,
organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available, alignment or combination,
blocking, erasure or destruction for the purpose of providing the Offering by Paytronix to
Client in accordance with the terms of the Agreement. The purpose of the Processing of
Connecticut Personal Data hereunder is the provision of the Offering by Paytronix to Client.
4. Types of Connecticut Personal Data. The following types of Connecticut Personal Data will
be subject to Processing hereunder: Connecticut Personal Data including details of
customers of Client, including without limitation name, address, email address, mobile
number, date of birth, and transactional information, such as items purchased, amount
spent, location and time where purchase took place and marketing, product or other
preference information.
5. Duration of Processing. The duration of the Connecticut Personal Data Processing under
this Exhibit shall continue, as long as Paytronix carries out Connecticut Personal Data
Processing operations on behalf of Client or until the termination of the Agreement (and all
Connecticut Personal Data has been returned or deleted in accordance with this Exhibit).
6. Obligations. Except as otherwise required or permitted by applicable law, Paytronix shall:
a. Ensure that each person Processing Connecticut Personal Data on behalf of
Paytronix is subject to a duty of confidentiality with respect to such Connecticut
Personal Data;
b. At Client’s direction, delete or return all Connecticut Personal Data to Client as
requested at the end of the provision of the Offering, unless retention of such
Connecticut Personal Data is required by applicable law;
c. Upon the reasonable request of Client, make available to Client all information in
its possession reasonably necessary to demonstrate Paytronix’s compliance with
the obligations in Sections 1 to 11, inclusive, of the CTDPA;
d. Engage a subcontractor to Process Connecticut Personal Data on behalf of
Paytronix only after providing Client with an opportunity to object and pursuant to
a written contract in accordance with Section 6-1-1305(5) of the CPA that
requires the subcontractor to comply with obligations of processors (as defined in
the CTDPA) under the CTDPA and to meet equivalent obligations to those of this
Exhibit with respect to such Connecticut Personal Data; and
e. Allow, and cooperate with, reasonable assessments by Client or Client’s
designated assessor, or, as an alternative, Paytronix may arrange for a qualified
and independent assessor to conduct an assessment of Paytronix’s policies and
technical and organizational measures in support of Paytronix’s obligations under
Sections 1 to 11, inclusive, of the CTDPA, using a reasonably appropriate and
accepted control standard or framework and assessment procedure for such
assessments and Paytronix shall provide a report of such assessment to Client
upon request. No third-party assessor appointed by Client shall be a competitor
of Paytronix, nor shall any such assessor be compensated on a contingency
basis. In no event shall Client have access to the information of any other client
of Paytronix and the disclosures made pursuant to this Section 6(e) (“Connecticut
Assessment Information”) shall be held in confidence as Paytronix’s confidential
information and subject to any confidentiality obligations in the Agreement, and
provided further that no assessment under this Section 6(e) shall be undertaken
unless or until Client has requested, and Paytronix has provided, information
about Paytronix’s data protection practices and Client reasonably determines that
such an assessment remains necessary to demonstrate material compliance with
the obligations laid down in the CTDPA. Without limiting the generality of any
provision in the Agreement, Client shall employ the same degree of care to
safeguard Connecticut Assessment Information that it uses to protect its own
confidential and proprietary information and in any event, not less than a
reasonable degree of care under the circumstances, and Client shall be liable for
any improper disclosure or use of Connecticut Assessment Information by Client
or its agents.
7. De-identified Data. With respect to de-identified data (as defined in the CTDPA) received
by Paytronix from Client, Paytronix shall: (A) take reasonable measures to ensure that
such data cannot be associated with an individual; and (B) publicly commit to process
such data only in a de-identified fashion and not attempt to re-identify such data.