Skip to the main content.

Platform

What is Paytronix CXP?

Combining online ordering, loyalty, omnichannel messaging, AI insights, and payments in one platform. Paytronix delivers relevant, personal experiences, at scale, that help improve your entire digital marketing funnel by creating amazing frictionless experiences.

A Complete Customer Experience Platform
Online Ordering
Acquire new customers and capture valuable data with industry leading customization features.
Loyalty
Encourage More visits and higher spend with personalized promotions based on individual activity and preferences.
CRM
Build great customer relationships with relevant personal omnichannel campaigns delivered at scale.
Artificial Intelligence
Leverage the most data from the most customer transactions to power 1:1 marketing campaigns and drive revenue.
Payments
Drive brand engagement by providing fast, frictionless guest payments.

Solutions

Paytronix CXP Solutions

We use data, customer experience expertise, and technology to solve everyday restaurant and convenience store challenges.

Contactless Experiences
Accommodate your guests' changing preferences by providing safe, efficient service whether dining-in or taking out.
Customer Insights
Collect guest data and analyze behaviors to develop powerful targeted campaigns that produce amazing results.
Marketing Automation
Create and test campaigns across channels and segments to drive loyalty, incremental visits, and additional revenue.
Mobile Experiences
Provide convenient access to your brand, menus and loyalty program to drive retention with a branded or custom app.

Subscriptions
Create a frictionless, fun way to reward your most loyal customers for frequent visits and purchases while normalizing revenues.
Employee Dining
Attract and retain your employees with dollar value or percentage-based incentives and tiered benefits.
Order Experience Builder
Create powerful interactive, and appealing online menus that attract and acquire new customers simply and easily.

Multi-Unit Restaurant

Loyalty Programs
High-impact customizable programs that increase spend, visit, and engagement with your brand.
Online Ordering
Maximize first-party digital sales with an exceptional guest experience.
Integrations
Launch your programs with more than 450 existing integrations.

Small to Medium Restaurants

Loyalty Programs
Deliver the same care you do in person with all your digital engagements.
Online Ordering
Drive more first-party orders and make it easy for your crew.

Convenience Stores

Loyalty Programs
Digital transformations start here - get to know your guests.
Online Ordering
Add a whole new sales channel to grow your business - digital ordering is in your future.
Integrations
We work with your environment - check it out.

Company

About Paytronix

We are here to help clients build their businesses by delivering amazing experiences for their guests.

Meet The Team
Our exceptional customer engagement innovations are delivered by a team of extraordinary people.
News/Press
A collection of press and media about our innovations, customers, and people.
Events
A schedule of upcoming tradeshows, conferences, and events that we will participate in.
Careers
Support
Paytronix Login

Order & Delivery Login

Resources

Paytronix Resources

Learn how to create great customer experiences with our free eBooks, webinars, articles, case studies, and customer interviews.

See Our Product In Action
E-Books
Learn more about topics important to the restaurant and c-store customer experience.
Webinars
Watch brief videos for tips and strategies to connect with your customers.
Case Studies
Learn how brands have used the Paytronix platform to increase revenue and engage with guests.
Reports
See how your brand stacks up against industry benchmarks, analysis, and research.
Blog
Catch up with our team of in-house experts for quick articles to help your business.

2024 Online Ordering Guide

Growth-oriented insights for ambitious leaders

Data Processing Addendum ("DPA")

Last updated and effective as of March 11, 2024 (the “Effective Date”).

This Data Processing Addendum (“DPA”), forms part of the Service Agreement or other
agreement pursuant to which Paytronix makes its Offering available to Client and into which this DPA is incorporated by reference (the “Agreement”) between Paytronix Systems, Inc. (“Paytronix”) and the entity that has engaged Paytronix to provide the Offering (“Client”). Capitalized terms used and not otherwise defined herein shall have the meanings ascribed to them in the Agreement. Each of Paytronix and Client is referred to in this DPA individually as a 
"party", collectively the "parties". By entering into the Agreement, the parties are deemed to have signed all Exhibits, Annexes, Attachments, Schedules, and Appendices, including those incorporated by reference, to this DPA where applicable

1. Definitions.

a. “Client Data” means any information Processed by Paytronix solely on behalf of Client, including without limitation any EU Personal Data, UK Personal Data, California Personal Data, Virginia Personal Data, Colorado Personal Data, Utah Personal Data, and/or Connecticut Personal Data.

b. “CPA” means (to the extent applicable) the Colorado Privacy Act, together with any regulations promulgated thereunder.

c. “CPRA” means (to the extent applicable) the California Privacy Rights Act of 2020, together with any regulations promulgated thereunder.

d. “CTDPA” means (to the extent applicable) the Connecticut Act Concerning Personal Data Privacy and Online Monitoring, together with any regulations promulgated thereunder.

e. “European Data Protection Laws” means, collectively, the GDPR and the UK Data Protection Laws, as applicable.

f. “GDPR” means the General Data Protection Regulation (EU) 2016/679.

g. “Personal Data” means any information relating to, linked to, or reasonably linkable to any identified or identifiable individual or household.

h. “Processing” (including any grammatically inflected forms thereof) means any operation or set of operations which is performed on data or on sets of data, whether or not by automated means or manual means, including without limitation collection, recording, organization, structuring, storage, adaptation or alteration, access, retrieval, consultation, use, disclosure (including by transmission), analysis, deletion, modification, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, including the actions of a person directing a third party to Process data on behalf of such person.

i. “Trigger Date” means July 1, 2023.

j. “UCPA” means (to the extent applicable) the Utah Consumer Privacy Act, together with any regulations promulgated thereunder.

k. “UK” means the United Kingdom.

l. “UK Data Protection Laws” means UK GDPR and the UK’s Data Protection Act 2018 (“UK DPA 2018”).

m. “UK GDPR” means the UK equivalent of the GDPR, as defined in section 3(10) (and as rplemented by section 205(4)) of the UK DPA 2018.

n. “Utah Trigger Date” means December 31, 2023.

o. “VCDPA” means (to the extent applicable) the Virginia Consumer Data Protection Act, together with any regulations promulgated thereunder.

2. (a) Paytronix shall maintain the security of, and manage, Client’s Account Information in accordance with the obligations of this DPA. Taking into account the risk of harm, Paytronix shall implement commercially reasonable technical and organizational measures intended to protect Account Information from any Security Incident (as defined in the Agreement).

Paytronix's servers are located in a main data center (Main Facility) and at a disaster recovery data center (“DR Facility”), with each facility being managed by different, independent data center companies. Both facilities have multiple internet back bones, and multiple power sources with backup generators and backup batteries. Paytronix’s systems within the facilities have redundant systems for each known potential failure point. Paytronix has redundant networking equipment (routers, servers, firewalls, and load balancers) that run active-passive and failover automatically. Transactions are processed by a pool of application servers, so that if one fails, the others are designed to take over. More specifically for transactional data contained within Account Information, such transactional data comes into the Main Facility and into the primary transactional database in real-time. The transactional database is replicated in real-time to a high availability backup server. The high availability server is then replicated to the DR Facility, to an additional primary transactional database and a high availability database. All databases containing Account Information in both the Main and DR Facilities use RAID (Redundant Array of Independent Disks) disk storage. In addition, the primary transactional database at the Main Facility has its SQL server transaction logs and database backed up nightly. Data backup processes are verified by an SSAE 18 audit each year. Upon request from Client, Paytronix shall provide Client with a copy of all such SSAE 18 reports during the Term of the Agreement.

Paytronix shall be responsible for performing the above data storage management for all Account Information. Paytronix shall further ensure that in all instances and forms, including, but not limited to database instances, physical media, backup tapes, application servers, application code, and logical platforms, Client’s Account Information (as defined in the Agreement) shall be kept logically separated and instantiated such that it does not interact with other data present within the same physical environment, nor will such Account Information be visible or accessible to other Paytronix clients. Such logical separations shall be maintained at all times for the duration of the Term of the Agreement.

Paytronix agrees that it will, or will cause any third-party vendor that supports Paytronix in providing the Services and Software provided to Client by Paytronix in accordance with the terms of the Agreement (collectively, the “Offering”) and that have access to Client’s Account Information, to use systems, tools and network security, including firewalls that provide a secure environment, monitor and prevent unauthorized access, redistribution, duplication, modification or uploading of Client’s Account Information.

(b) If there is any Security Incident of Client’s Account Information, subject to the direction of law enforcement and other limitations to the extent imposed by applicable laws, Paytronix shall promptly notify Client in writing of the details of such Security Incident and, to the extent such Security Incident is attributable to Paytronix’s negligent acts or omissions, Paytronix shall work diligently to resolve such Security Incident in a manner designed to prevent recurrence of such Security Incident. Any such notice shall be Paytronix’s Proprietary Information. Client shall have the right at the Client’s expense and at any point during the Term with sixty (60) days written notice to conduct a commercially reasonable audit of Paytronix’s security measures (and as soon as determined necessary by Client in Client’s sole discretion if based on the need for an audit due to any form of Security Incident attributable to Paytronix’s negligent acts or omissions). Auditor will be an independent third party that is familiar with conducting such audits and is subject to Paytronix’s approval, not to be unreasonably withheld. Auditors will comply with Paytronix’s reasonable confidentiality and security procedures. Paytronix shall reasonably cooperate in such audit(s) and any information disclosed in such audit(s) shall be Paytronix’s Proprietary Information.

3. To the extent Paytronix Processes Personal Data regulated by the GDPR solely on behalf of Client (“EU Personal Data”), and to the extent Client is a controller (as defined in the GDPR) and the Paytronix is a processor (as defined in the GDPR) on behalf of Client with regard to such EU Personal Data, then to the extent required by the GDPR, Module 2 of the Standard Contractual Clauses for the Transfer of Personal Data as set out in European Commission Decision 2021/914/EC, at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN (the “Controller to Processor Standard Contractual Clauses”) will apply to the transfer of such EU Personal Data by Client to Paytronix and to Paytronix’s Processing of such EU Personal Data and the parties hereby agree to comply with such Controller to Processor Standard Contractual Clauses, which are hereby incorporated into the Agreement in their entirety, except as set forth in Exhibit A. In the event of a conflict between the Agreement and the Controller to Processor Standard Contractual Clauses, the Controller to Processor Standard Contractual Clauses will control to the extent applicable to such EU Personal Data.

4. To the extent Paytronix Processes EU Personal Data, and to the extent Client is a processor (as defined in the GDPR) on behalf of a third party with respect to EU Personal Data and the Paytronix is a processor on behalf of Client with regard to such EU Personal Data, then to the extent required by the GDPR, Module 3 of the Standard Contractual Clauses for the Transfer of Personal Data as set out in European Commission Decision 2021/914/EC, at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN (the “Processor to Processor Standard Contractual Clauses”) will apply to the transfer of such EU Personal Data by Client to Paytronix and to the Paytronix’s Processing of such EU Personal Data and the parties hereby agree to comply with such Processor to Processor Standard Contractual Clauses, which are hereby incorporated into the Agreement in their entirety, except as set forth in Exhibit B. In the event of a conflict between the Agreement and the Processor to Processor Standard Contractual Clauses, the Processor to Processor Standard Contractual Clauses will control to the extent applicable to such EU Personal Data.

5. To the extent Paytronix Processes Personal Data regulated by the UK Data Protection Laws solely on behalf of Client (“UK Personal Data”), then to the extent required by the UK Data Protection Laws, the UK’s ‘International Data Transfer Addendum to the EU Commission Standard Contractual Clauses’ Version B1.0, in force from March 21, 2022, at https://ico.org.uk/media/for-organisations/documents/4019535/addendum-international-data-transfer.docx (the “UK Data Exhibit”) will apply to the transfer of such UK Personal Data by Client to Paytronix and to the Paytronix’s Processing of such UK Personal Data and the parties hereby agree to comply with such UK Data Exhibit, which is hereby incorporated into the Agreement in its entirety and as set forth in Exhibit C. In the event of a conflict between the Agreement and the UK Data Exhibit, the UK Data Exhibit will control to the extent applicable to the UK Personal Data.

6. To the extent Client makes available to Paytronix Personal Data regulated by the CPRA for a business purpose pursuant to the Agreement and/or to the extent Paytronix Processes Personal Data regulated by the CPRA solely on behalf of Client (“California Personal Data”), then to the extent required by the CPRA, the California Data Exhibit (attached hereto as Exhibit D, the “California Data Exhibit”) will apply to the Paytronix’s Processing of such California Personal Data and the parties hereby agree to comply with such California Data Exhibit, which is hereby incorporated into the Agreement in its entirety. In the event of a conflict between the Agreement and the California Data Exhibit, the California Data Exhibit will control to the extent applicable to the California Personal Data.

7. To the extent Paytronix Processes Personal Data regulated by the VCDPA solely on behalf of Client (“Virginia Personal Data”), then to the extent required by the VCDPA, the Virginia Data Exhibit (attached hereto as Exhibit E, the “Virginia Data Exhibit”) will apply to the Paytronix’s Processing of such Virginia Personal Data and the parties hereby agree to comply with such Virginia Data Exhibit, which is hereby incorporated into the Agreement in its entirety. In the event of a conflict between the Agreement and the Virginia Data Exhibit, the Virginia Data Exhibit will control to the extent applicable to the Virginia Personal Data.

8. This Section 8 and the Colorado Data Exhibit (as defined below) shall apply only from and after the Trigger Date (and not before). To the extent Paytronix Processes Personal Data regulated by the CPA solely on behalf of Client (“Colorado Personal Data”), then to the extent required by the Colorado, the Colorado Data Exhibit (attached hereto as Exhibit F, the “Colorado Data Exhibit”) will apply to the Paytronix’s Processing of such Colorado Personal Data and the parties hereby agree to comply with such Colorado Data Exhibit, which is hereby incorporated into the Agreement in its entirety. In the event of a conflict between the Agreement and the Colorado Data Exhibit, the Colorado Data Exhibit will control to the extent applicable to the Colorado Personal Data.

9. This Section 9 and the Utah Data Exhibit (as defined below) shall apply only from and after the Utah Trigger Date (and not before). To the extent Paytronix Processes Personal Data regulated by the UCPA solely on behalf of Client (“Utah Personal Data”), then to the extent required by the UCPA, the Utah Data Exhibit (attached hereto as Exhibit G, the “Utah Data Exhibit”) will apply to the Paytronix’s Processing of such Utah Personal Data and the parties hereby agree to comply with such Utah Data Exhibit, which is hereby incorporated into the Agreement in its entirety. In the event of a conflict between the Agreement and the Utah Data Exhibit, the Utah Data Exhibit will control to the extent applicable to the Utah Personal Data.

10. This Section 10 and the Connecticut Data Exhibit (as defined below) shall apply only from and after the Trigger Date (and not before). To the extent Paytronix Processes Personal Data regulated by the CTDPA solely on behalf of Client (“Connecticut Personal Data”), then to the extent required by the CTDPA, the Connecticut Data Exhibit (attached hereto as Exhibit H, the “Connecticut Data Exhibit”) will apply to the Paytronix’s Processing of such Connecticut Personal Data and the parties hereby agree to comply with such Connecticut Data Exhibit, which is hereby incorporated into the Agreement in its entirety. In the event of a conflict between the Agreement and the Connecticut Data Exhibit, the Connecticut Data Exhibit will control to the extent applicable to the Connecticut Personal Data.

11. Client represents, warrants, and covenants that: (i) it has (and will have) Processed, collected, and disclosed all Client Data in compliance with applicable law and provided any notice and obtained all consents and rights required by applicable law to enable Paytronix to lawfully Process Client Data as permitted by the Agreement and/or this DPA; (ii) it has (and will continue to have) full right and authority to make the Client Data available to Paytronix under the Agreement and this DPA; and (iii) Paytronix's Processing of the Client Data in accordance with the Agreement, this DPA, and/or Client's instructions does and will not infringe upon or violate any applicable law or any rights of any third party. Client shall indemnify, defend and hold Paytronix harmless against any claims, actions, proceedings, expenses, damages and liabilities (including without limitation any governmental investigations, complaints and actions) and reasonable attorneys’ fees arising out of Client’s violation of this Section 11. Notwithstanding anything to the contrary in the Agreement, Client’s indemnification obligations under this Section 11 shall not be subject to any limitations of liability set forth in the Agreement.

12. Notwithstanding anything to the contrary in the Agreement (including this DPA), Client acknowledges that Paytronix shall have a right to use and disclose data relating to the operation, support and/or use of the Offering (including without limitation contact details of representatives of Client) for its legitimate business purposes, such as product development and sales and marketing. To the extent any such data is considered personal data (as defined in, and regulated by the European Data Protection Laws), then, to the extent Paytronix is subject to the European Data Protection Laws as a controller (as defined in the European Data Protection Laws), Paytronix is the controller (as defined in the European Data Protection Laws) of such data and accordingly shall Process such data in accordance with the European Data Protection Laws. To the extent any such data is considered personal information (as defined in, and regulated by, the CPRA), then, to the extent Paytronix is subject to the CPRA as a business (as defined in the CPRA), Paytronix is the business (as defined in the CPRA) with respect to such data and accordingly shall Process such data in accordance with the CPRA.

13. This DPA (together with the Agreement), constitutes the entire agreement between the parties and supersedes all prior undertakings and agreements between the parties, whether written or oral, with respect to the subject matter of this DPA. Paytronix reserves the right, in its sole discretion, to change, modify, replace, add to, supplement or delete any terms and conditions of this DPA at any time by posting an updated version of this DPA on this webpage.

14. In this DPA, unless a clear contrary intention appears: (i) where not inconsistent with the context, words used in the present tense include the future tense and vice versa and words in the plural number include the singular number and vice versa; (ii) reference to any person includes such person’s successors and assigns but, if applicable, only if such successors and assigns are not prohibited by the Agreement; (iii) reference to any gender includes each other gender; (iv) reference to any agreement, document or instrument means such agreement, document or instrument as amended or modified and in effect from time to time in accordance with the terms thereof and includes all addenda, exhibits and schedules thereto; (v) the titles and subtitles used in this DPA are used for convenience only and are not to be considered in construing or interpreting this DPA; (vi) “hereunder,” “hereof,” “hereto,” and words of similar import shall be deemed references to this DPA as a whole and not to any particular Section or Subsection of this DPA; (vii) “including” (including grammatically inflected forms thereof) means including without limiting the generality of any description preceding such term; (viii) all references to “days” refer to calendar days; and (ix) the word "or" is not exclusive. This DPA has been executed in English and the English language version shall control notwithstanding any translations of this DPA.

Exhibit A

CONTROLLER TO PROCESSOR STANDARD CONTRACTUAL CLAUSES

(a) For the purposes of the Controller to Processor Standard Contractual Clauses:
(1) Clause 7. The parties agree that the optional language in Clause 7 is included.
(2) Clause 9(a). The parties agree that under Option 2, Paytronix has Client’s general authorization to subcontract its processing activities to the list of sub-processors set out in Section (a)(11)(i). Paytronix will inform Client in writing of any intended changes to the list of sub-processors set out in Section (a)(11)(i) at least 10 days prior to engaging with any other sub-processor.
(3) Clause 11. The parties agree that the optional language in Clause 11 is excluded.
(4) Clause 13. The parties agree that the brackets are removed in the provisions in Clause 13(a) such that the appropriate provision will apply as applicable.
(5) Clause 17. The Controller to Processor Standard Contractual Clauses shall be governed by the laws of Ireland.
(6) Clause 18. The parties agree that any dispute arising from the Controller to Processor Standard Contractual Clauses shall be resolved by the courts of Ireland.
(7) Annex I.A.
i. The name, address, and the name and contact details of the contact person of Client (which is the data exporter) are as set forth in the applicable Order Form.

ii. The name, address, and the name and contact details of the contact person of Paytronix (which is the data importer) are as follows:

Name: Paytronix Systems, Inc.
Address: 80 Bridge St., Newton, MA 02458
Contact person’s name, position and contact details: Marc Schultz, Head of Data Privacy and Security, mschultz@paytronix.com.

iii. The activities relevant to the data transferred are Paytronix’s provision of the Offering to Client as described in the Agreement and/or the applicable Order Form.
iv. The signature and date are the signature and date set forth in the applicable Order Form.
v. The roles of the parties are as follows: Paytronix is a processor and Client is a controller.
(8) Annex I.B.
i. The categories of data subject are customers of the data exporter who are members of the data exporter’s program(s) enabled by the Offering and representatives of the data exporter.
ii. The categories of personal data transferred are:
1. Personal data including details of customers of the data exporter, including name, address, email address, mobile number, date of birth, and transactional information, such as items purchased, amount spent, location and time where purchase took place and marketing, product or other preference information.
2. Personal data of representatives of the data exporter, including name, business contact information, username, and password.
iii. The transfer of sensitive personal data is not presently contemplated by this arrangement.
iv. The frequency of the transfer shall be on a continuous basis.
v. The nature of the processing is such that the personal data will be subject to basic processing, including but not limited to collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Offering by data importer to the data exporter in accordance with the terms of the Agreement.
vi. The purpose of the data transfer and further processing is provision of the Offering by data importer to data exporter.
vii. The duration of the processing under these Controller to Processor Standard Contractual Clauses shall continue as long as data importer carries out personal data processing operations on behalf of data exporter or until the termination of the Agreement (and all personal data has been returned or deleted in accordance with these Controller to Processor Standard Contractual Clauses).
viii. For transfers to sub-processors, personal data will be transferred to sub-processors in order for the data importer to provide the Offering to the data exporter. The nature of the processing by such sub-processors will be as follows: the personal data will be subject to basic processing, which may include without limitation collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Offering to the data exporter in accordance with the terms of the Agreement. The duration of the processing by such sub-processors shall continue as long as such sub-processors carry out personal data processing operations on behalf of the data importer.
(9) Annex I.C.
i. The data exporter’s competent supervisory authority will be determined in accordance with the GDPR.
(10) Annex II.
i. The data importer employs a number of technical and organisational measures as further specified in Section 2(a) of the DPA.
(11) Annex III.
i. Client has authorized the use of the sub-processors listed at https://www.paytronix.com/terms-and-conditions/data-processing-agreement/list-of-vendors/ 


Exhibit B

PROCESSOR TO PROCESSOR STANDARD CONTRACTUAL CLAUSES

(a) For the purposes of the Processor to Processor Standard Contractual Clauses:
(1) Clause 7. The parties agree that the optional language in Clause 7 is included.
(2) Clause 9(a). The parties agree that under Option 2, Paytronix has Client’s general authorization to subcontract its processing activities to the list of sub-processors set out in Section (a)(11)(i). Paytronix will inform Client in writing of any intended changes to the list of sub-processors set out in Section (a)(11)(i) at least 10 days’ prior to engaging with any other sub-processor.
(3) Clause 11. The parties agree that the optional language in Clause 11 is excluded.
(4) Clause 13. The parties agree that the brackets are removed in the provisions in Clause 13(a) such that the appropriate provision will apply as applicable.
(5) Clause 17. The Processor to Processor Standard Contractual Clauses shall be governed by the laws of Ireland.
(6) Clause 18. The parties agree that any dispute arising from the Processor to Processor Standard Contractual Clauses shall be resolved by the courts of Ireland.
(7) Annex I.A.
i. The name, address, and the name and contact details of the contact person of Client (which is the data exporter) are as set forth in the applicable Order Form.
ii. The name, address, and the name and contact details of the contact person of Paytronix (which is the data importer) are as follows:

Name: Paytronix Systems, Inc.
Address: 80 Bridge St., Newton, MA 02458
Contact person’s name, position and contact details: Marc Schultz, Head of Data Privacy and Security, mschultz@paytronix.com.

iii. The activities relevant to the data transferred are Paytronix’s provision of the Offering to Client as described in the Agreement and/or the applicable Order Form.
iv. The signature and date are the signature and date set forth in the applicable Order Form.
v. The roles of the parties are as follows: Paytronix is a processor and Client is a processor.
(8) Annex I.B.
i. The categories of data subject are customers of the data exporter who are members of the data exporter’s program(s) enabled by the Offering and representatives of the data exporter.
ii. The categories of personal data transferred are:
1. Personal data including details of customers of the data exporter, including name, address, email address, mobile number, date of birth, and transactional information, such as items purchased, amount spent, location and time where purchase took place and marketing, product or other preference information.
2. Personal data of representatives of the data exporter, including name, business contact information, username, and password.
iii. The transfer of sensitive personal data is not presently contemplated by this arrangement.
iv. The frequency of the transfer shall be on a continuous basis.
v. The nature of the processing is such that the personal data will be subject to basic processing, including but not limited to collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Offering by data importer to the data exporter in accordance with the terms of the Agreement.
vi. The purpose of the data transfer and further processing is provision of the Offering by data importer to data exporter.
vii. The duration of the processing under these Processor to Processor Standard Contractual Clauses shall continue as long as data importer carries out personal data processing operations on behalf of data exporter or until the termination of the Agreement (and all personal data has been returned or deleted in accordance with these Processor to Processor Standard Contractual Clauses).
viii. For transfers to sub-processors, personal data will be transferred to sub-processors in order for the data importer to provide the Offering to the data exporter. The nature of the processing by such sub-processors will be as follows: the personal data will be subject to basic processing, which may include without limitation collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Offering to the data exporter in accordance with the terms of the Agreement. The duration of the processing by such sub-processors shall continue as long as such sub-processors carry out personal data processing operations on behalf of the data importer.
(9) Annex I.C.
i. The data exporter’s competent supervisory authority will be determined in accordance with the GDPR.
(10) Annex II.
i. Section (a)(10)(i) of Exhibit A is incorporated herein by reference.
(11) Annex III.
i. Section (a)(11)(i) of Exhibit A is incorporated herein by reference.


Exhibit C

UK DATA EXHIBIT

(a) For the purposes of the UK Data Exhibit:
(1) For the purposes of Table 1 of the UK Data Exhibit, the start date shall be the later of the Effective Date or the date the Agreement is entered into by the parties, and the names of the parties, their roles and their details shall be as set out in Exhibit A Section (a)(7) and Exhibit B Section (a)(7), respectively;
(2) For the purposes of Tables 2 and 3 of the UK Data Exhibit, the Controller to Processor Standard Contractual Clauses and the Processor to Processor Standard Contractual Clauses, including the information set out in Exhibit A Section (a)(8), (10), and (11)(i) and Exhibit B Section (a)(8), (10), and (11)(i), respectively, shall apply; and
(3) For the purposes of Table 4 of the UK Data Exhibit, data importer may end the UK Data Exhibit.


Exhibit D

California Data Exhibit
1. This California Data Exhibit (this “Exhibit”), forms part of the DPA. Capitalized terms used and not otherwise defined herein shall have the meanings ascribed to them in the DPA or the Agreement (as applicable).
2. CPRA Provisions.
a. In this Exhibit, the following terms have the meanings given in the CPRA: "business purpose", “personal information”, “processing”, “service provider”, “contractor”, “person”, “share”, “sharing”, “shared”, “sell”, “selling”, “sale” and “sold”.
b. Except as otherwise required by applicable law, Paytronix shall:
i. not sell or share California Personal Data;
ii. not retain, use, or disclose California Personal Data for any purpose other than for the business purposes specified in the Agreement for the Client, nor retain, use, or disclose California Personal Data for a commercial purpose other than the business purposes specified in the Agreement, or as otherwise permitted by the CPRA;
iii. not retain, use, or disclose California Personal Data outside of the direct business relationship between the parties;
iv. not combine California Personal Data, which Paytronix receives pursuant to the Agreement or from or on behalf of Client, with personal information which it receives from or on behalf of another person or persons, or collects from its own interaction with the individual to whom such California Personal Data relates, except as otherwise expressly permitted by the CPRA;
v. reasonably cooperate with Client in responding to any requests from any individual regarding California Personal Data relating to such individual, including reasonably assisting Client in deletion, correction, or limitation of the use of such California Personal Data where required under the CPRA, and including instructing Paytronix’s service providers and/or contractors (if any) to so reasonably cooperate in such response;
vi. reasonably assist Client through appropriate technical and organizational measures in Client’s complying with the requirements of subdivisions (d) to (f), inclusive, of Section 1798.100 of the CPRA, taking into account the nature of the California Personal Data processing by Paytronix;
vii. implement and maintain commercially reasonable security procedures and practices appropriate to the nature of the California Personal Data intended to protect such California Personal Data from unauthorized access, destruction, use, modification, or disclosure;
viii. comply with all applicable obligations under the CPRA and provide the same level of privacy protection with respect to California Personal Data as required by the CPRA;
ix. notify Client if Paytronix determines it can no longer meet its obligations under the CPRA; and

x. comply with Section 1798.140(m) the CPRA with respect to deidentified data (as defined in the CPRA) received by Paytronix from Client.

To the extent Paytronix is a contractor, Paytronix certifies that Paytronix understands the restrictions provided in Sections 2(b)(i), 2(b)(ii), 2(b)(iii), and 2(b)(iv) and will comply with them.

c. Paytronix acknowledges and agrees that the California Personal Data has been disclosed to it for the limited and specified purposes set forth in the Agreement and Paytronix further acknowledges and agrees Client shall have the right: (i) to take reasonable and appropriate steps to ensure that Paytronix uses California Personal Data in a manner consistent with Client’s obligations under the CPRA; and (ii) upon notice from Client to Paytronix, to take reasonable and appropriate steps to stop and remediate unauthorized use of California Personal Data.
d. To the extent required by the CPRA and to the extent Paytronix is a contractor, Paytronix shall permit, subject to agreement of the parties, Client to monitor Paytronix’s compliance with this Exhibit through measures, including, but not limited to, ongoing manual reviews and automated scans, and regular assessments, audits, or other technical and operational testing once every twelve (12) months (each, an “Audit”), upon reasonable prior notice from Client, provided that no third-party auditor (each an “Auditor”) shall be a competitor of Paytronix, nor shall any Auditor be compensated on a contingency basis, and provided further that in no event shall Client have access to the information of any other client of Paytronix and the disclosures made pursuant to this Section 2(d) (“Audit Information”) shall be held in confidence as Paytronix’s confidential information and subject to any confidentiality obligations in the Agreement, and provided further that no Audit shall be undertaken unless or until Client has requested, and Paytronix has provided, information about Paytronix’s data protection practices and Client reasonably determines that an Audit remains necessary to demonstrate material compliance with the obligations laid down in this Exhibit. Without limiting the generality of any provision in the Agreement, Client shall employ the same degree of care to safeguard Audit Information that it uses to protect its own confidential and proprietary information and in any event, not less than a reasonable degree of care under the circumstances, and Client shall be liable for any improper disclosure or use of Audit Information by Client or its agents.
e. If Paytronix engages any other person to assist Paytronix in processing California Personal Data for a business purpose on behalf of Client, Paytronix shall notify Client of such engagement, and the engagement shall be pursuant to a written contract binding the other person to observe substantially similar requirements to those set forth in this Exhibit. Paytronix hereby notifies Client that Paytronix may engage the persons listed in Section (a)(11)(i) of Exhibit A to this DPA to assist Paytronix in processing California Personal Data for a business purpose on behalf of Client.


Exhibit E

Virginia Data Exhibit

1. Preamble. This Virginia Data Exhibit (this “Exhibit”), forms part of the DPA. Capitalized terms used and not otherwise defined herein shall have the meanings ascribed to them in the DPA or the Agreement (as applicable).

2. Instructions. Client hereby instructs Paytronix to Process Virginia Personal Data to the extent necessary to provide the Offering.

3. Nature of the Processing; Purpose of the Processing. The Virginia Personal Data will be subject to basic Processing hereunder, including but not limited to collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Offering by Paytronix to Client in accordance with the terms of the Agreement. The purpose of the Processing of Virginia Personal Data hereunder is the provision of the Offering by Paytronix to Client.

4. Types of Virginia Personal Data. The following types of Virginia Personal Data will be subject to Processing hereunder: Virginia Personal Data including details of customers of Client, including without limitation name, address, email address, mobile number, date of birth, and transactional information, such as items purchased, amount spent, location and time where purchase took place and marketing, product or other preference information.

5. Duration of Processing. The duration of the Virginia Personal Data Processing under this Exhibit shall continue, as long as Paytronix carries out Virginia Personal Data Processing operations on behalf of Client or until the termination of the Agreement (and all Virginia Personal Data has been returned or deleted in accordance with this Exhibit).

6. Obligations. Except as otherwise required or permitted by applicable law, Paytronix shall:

a. Ensure that each person Processing Virginia Personal Data on behalf of Paytronix is subject to a duty of confidentiality with respect to such Virginia Personal Data;

b. At Client’s direction, delete or return all Virginia Personal Data to Client as requested at the end of the provision of the Offering, unless retention of such Virginia Personal Data is required by law;

c. Upon the reasonable request of Client, make available to Client all information in its possession necessary to demonstrate Paytronix’s compliance with the obligations in the VCDPA (subject to any obligations of confidentiality in the Agreement);

d. Allow, and cooperate with, reasonable assessments by Client or Client’s designated assessor, provided that, as an alternative, Paytronix may arrange for a qualified and independent assessor to conduct an assessment of Paytronix’s policies and technical and organizational measures in support of the obligations under the VCDPA using a reasonably appropriate and accepted control standard or framework and assessment procedure for such assessments and Paytronix shall provide a report of such assessment to Client upon request. No third-party assessor appointed by Client shall be a competitor of Paytronix, nor shall any such assessor be compensated on a contingency basis. In no event shall Client have access to the information of any other client of Paytronix and the disclosures made pursuant to this Section 6(d) (“Virginia Assessment Information”) shall be held in confidence as Paytronix’s confidential information and subject to any confidentiality obligations in the Agreement, and provided further that no assessment under this Section 6(d) shall be undertaken unless or until Client has requested, and Paytronix has provided, information about Paytronix’s data protection practices and Client reasonably determines that such an assessment remains necessary to demonstrate material compliance with the obligations laid down in the VCDPA. Without limiting the generality of any provision in the Agreement, Client shall employ the same degree of care to safeguard Virginia Assessment Information that it uses to protect its own confidential and proprietary information and in any event, not less than a reasonable degree of care under the circumstances, and Client shall be liable for any improper disclosure or use of Virginia Assessment Information by Client or its agents; and

e. Bind each subcontractor of Paytronix that will Process Virginia Personal Data to a written contract in accordance with Section 59.1-579 (C) of the VCDPA requiring such subcontractor to comply with obligations of processors (as defined in the VCDPA) under the VCDPA and to meet equivalent obligations with respect to such Virginia Personal Data as this Exhibit.

f. Comply with the VCDPA with respect to de-identified data (as defined in the VCDPA) received by Paytronix from Client to the extent the VCDPA is applicable to such de-identified data.

Exhibit F

Colorado Data Exhibit

1. Preamble. This Colorado Data Exhibit (this “Exhibit”), forms part of the DPA. Capitalized terms used and not otherwise defined herein shall have the meanings ascribed to them in the DPA or the Agreement (as applicable). This Exhibit shall apply only from and after the Trigger Date (and not before).

2. Instructions. Client hereby instructs Paytronix to Process Colorado Personal Data to the extent necessary to provide the Offering.

3. Nature of the Processing; Purpose of the Processing. The Colorado Personal Data will be subject to basic Processing hereunder, including but not limited to collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Offering by Paytronix to Client in accordance with the terms of the Agreement. The purpose of the Processing of Colorado Personal Data hereunder is the provision of the Offering by Paytronix to Client.

4. Types of Colorado Personal Data. The following types of Colorado Personal Data will be subject to Processing hereunder: Colorado Personal Data including details of customers of Client, including without limitation name, address, email address, mobile number, date of birth, and transactional information, such as items purchased, amount spent, location and time where purchase took place and marketing, product or other preference information.

5. Duration of Processing. The duration of the Colorado Personal Data Processing under this Exhibit shall continue, as long as Paytronix carries out Colorado Personal Data Processing operations on behalf of Client or until the termination of the Agreement (and all Colorado Personal Data has been returned or deleted in accordance with this Exhibit).

6. Obligations. Except as otherwise required or permitted by applicable law, Paytronix shall:

a. At the choice of Client, Paytronix shall delete or return all Colorado Personal Data to Client as requested at the end of the provision of the Offering, unless retention of the Colorado Personal Data is required by applicable law;

b. Make available to Client all information reasonably necessary to demonstrate compliance with the obligations in CPA;

c. Ensure that each person Processing Colorado Personal Data on behalf of Paytronix is subject to a duty of confidentiality with respect to such Colorado Personal Data;

d. Allow for, and contribute to, reasonable audits and inspections by Client or Client's designated auditor, provided that, as an alternative, Client hereby consents for Paytronix to arrange for a qualified and independent auditor to conduct, at least annually and at Paytronix’s expense, an audit of Paytronix's policies and technical and organizational measures in support of the obligations under the CPA using a reasonably appropriate and accepted control standard or framework and audit procedure for the audits as applicable and Paytronix shall provide a report of the audit to Client upon request. No third-party auditor appointed by Client shall be a competitor of Paytronix, nor shall any such auditor be compensated on a contingency basis. In no event shall Client have access to the information of any other client of Paytronix and the disclosures made pursuant to this Section 6(d) (“Colorado Audit Information”) shall be held in confidence as Paytronix’s confidential information and subject to any confidentiality obligations in the Agreement, and provided further that no audit under this Section 6(d) shall be undertaken unless or until Client has requested, and Paytronix has provided, information about Paytronix’s data protection practices and Client reasonably determines that such an audit remains necessary to demonstrate material compliance with the obligations laid down in the CPA. Without limiting the generality of any provision in the Agreement, Client shall employ the same degree of care to safeguard Colorado Audit Information that it uses to protect its own confidential and proprietary information and in any event, not less than a reasonable degree of care under the circumstances, and Client shall be liable for any improper disclosure or use of Colorado Audit Information by Client or its agents;

e. Taking into account the context of Processing, Paytronix shall implement reasonably appropriate technical and organizational measures designed to ensure a level of security with respect to the Colorado Personal Data reasonably appropriate to the risk as set out in Section 2; and

f. Engage a subcontractor to Process Colorado Personal Data on behalf of Paytronix only after providing Client with an opportunity to object and pursuant to a written contract in accordance with Section 6-1-1305(5) of the CPA that requires the subcontractor to comply with obligations of processors (as defined in the CPA) under the CPA and meet equivalent obligations to those of this Exhibit with respect to such Colorado Personal Data.

g. Comply with Section 6-1-1303(11) the CPA with respect to de-identified data (as defined in the CPA) received by Paytronix from Client.


Exhibit G

Utah Data Exhibit

1. Preamble. This Utah Data Exhibit (this “Exhibit”), forms part of the DPA. Capitalized terms used and not otherwise defined herein shall have the meanings ascribed to them in the DPA or the Agreement (as applicable). This Exhibit shall apply only from and after the Utah Trigger Date (and not before).

2. Instructions. Client hereby instructs Paytronix to Process Utah Personal Data to the extent necessary to provide the Offering.

3. Nature of the Processing; Purpose of the Processing. The Utah Personal Data will be subject to basic Processing hereunder, including but not limited to collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Offering by Paytronix to Client in accordance with the terms of the Agreement. The purpose of the Processing of Utah Personal Data hereunder is the provision of the Offering by Paytronix to Client.

4. Types of Utah Personal Data. The following types of Utah Personal Data will be subject to Processing hereunder: Utah Personal Data including details of customers of Client, including without limitation name, address, email address, mobile number, date of birth, and transactional information, such as items purchased, amount spent, location and time where purchase took place and marketing, product or other preference information.

5. Duration of Processing. The duration of the Utah Personal Data Processing under this Exhibit shall continue, as long as Paytronix carries out Utah Personal Data Processing operations on behalf of Client or until the termination of the Agreement (and all Utah Personal Data has been returned or deleted in accordance with this Exhibit).

6. Obligations. Except as otherwise required or permitted by applicable law, Paytronix shall:

a. Ensure that each person Processing Utah Personal Data on behalf of Paytronix is subject to a duty of confidentiality with respect to such Utah Personal Data; and

b. Bind each subcontractor of Paytronix that will Process Utah Personal Data to a written contract requiring such subcontractor to comply with obligations of processors (as defined in the UCPA) under the UCPA and to meet equivalent obligations with respect to such Utah Personal Data as this Exhibit.

c. Comply with Section 13-61-101(14)(b)(i) and Section 13-61-101(14)(b)(ii) of the UCPA with respect to deidentified data (as defined in the UCPA) received by Paytronix from Client.


Exhibit H

Connecticut Data Exhibit

1. Preamble. This Connecticut Data Exhibit (this “Exhibit”), forms part of the DPA. Capitalized terms used and not otherwise defined herein shall have the meanings ascribed to them in the DPA or the Agreement (as applicable). This Exhibit shall apply only from and after the Trigger Date (and not before).

2. Instructions. Client hereby instructs Paytronix to Process Connecticut Personal Data to the extent necessary to provide the Offering.

3. Nature of the Processing; Purpose of the Processing. The Connecticut Personal Data will be subject to basic Processing hereunder, including but not limited to collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Offering by Paytronix to Client in accordance with the terms of the Agreement. The purpose of the Processing of Connecticut Personal Data hereunder is the provision of the Offering by Paytronix to Client.

4. Types of Connecticut Personal Data. The following types of Connecticut Personal Data will be subject to Processing hereunder: Connecticut Personal Data including details of customers of Client, including without limitation name, address, email address, mobile number, date of birth, and transactional information, such as items purchased, amount spent, location and time where purchase took place and marketing, product or other preference information.

5. Duration of Processing. The duration of the Connecticut Personal Data Processing under this Exhibit shall continue, as long as Paytronix carries out Connecticut Personal Data Processing operations on behalf of Client or until the termination of the Agreement (and all Connecticut Personal Data has been returned or deleted in accordance with this Exhibit).

6. Obligations. Except as otherwise required or permitted by applicable law, Paytronix shall:

a. Ensure that each person Processing Connecticut Personal Data on behalf of Paytronix is subject to a duty of confidentiality with respect to such Connecticut Personal Data;

b. At Client’s direction, delete or return all Connecticut Personal Data to Client as requested at the end of the provision of the Offering, unless retention of such Connecticut Personal Data is required by applicable law;

c. Upon the reasonable request of Client, make available to Client all information in its possession reasonably necessary to demonstrate Paytronix’s compliance with the obligations in Sections 1 to 11, inclusive, of the CTDPA;

d. Engage a subcontractor to Process Connecticut Personal Data on behalf of Paytronix only after providing Client with an opportunity to object and pursuant to a written contract in accordance with Section 6-1-1305(5) of the CPA that requires the subcontractor to comply with obligations of processors (as defined in the CTDPA) under the CTDPA and to meet equivalent obligations to those of this Exhibit with respect to such Connecticut Personal Data; and

e. Allow, and cooperate with, reasonable assessments by Client or Client’s designated assessor, or, as an alternative, Paytronix may arrange for a qualified and independent assessor to conduct an assessment of Paytronix’s policies and technical and organizational measures in support of Paytronix’s obligations under Sections 1 to 11, inclusive, of the CTDPA, using a reasonably appropriate and accepted control standard or framework and assessment procedure for such assessments and Paytronix shall provide a report of such assessment to Client upon request. No third-party assessor appointed by Client shall be a competitor of Paytronix, nor shall any such assessor be compensated on a contingency basis. In no event shall Client have access to the information of any other client of Paytronix and the disclosures made pursuant to this Section 6(e) (“Connecticut Assessment Information”) shall be held in confidence as Paytronix’s confidential information and subject to any confidentiality obligations in the Agreement, and provided further that no assessment under this Section 6(e) shall be undertaken unless or until Client has requested, and Paytronix has provided, information about Paytronix’s data protection practices and Client reasonably determines that such an assessment remains necessary to demonstrate material compliance with the obligations laid down in the CTDPA. Without limiting the generality of any provision in the Agreement, Client shall employ the same degree of care to safeguard Connecticut Assessment Information that it uses to protect its own confidential and proprietary information and in any event, not less than a reasonable degree of care under the circumstances, and Client shall be liable for any improper disclosure or use of Connecticut Assessment Information by Client or its agents.

7. De-identified Data. With respect to de-identified data (as defined in the CTDPA) received by Paytronix from Client, Paytronix shall: (A) take reasonable measures to ensure that such data cannot be associated with an individual; and (B) publicly commit to process such data only in a de-identified fashion and not attempt to re-identify such data.