Data Processing Agreement
Last updated: April 1, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Bolrach Technologies Limited, trading as Crezaro ("Processor," "we," or "us"), and you, the merchant ("Controller," "you," or "your"). This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (GDPR), the UK GDPR, and other applicable data protection laws.
1. Definitions
"Data Protection Laws" means the GDPR, UK GDPR, Nigeria Data Protection Regulation (NDPR), PIPEDA, CCPA, and any other applicable data protection legislation.
"Personal Data" means any information relating to an identified or identifiable natural person that is processed by us on your behalf in connection with the Services.
"Processing" means any operation performed on Personal Data, including collection, recording, storage, adaptation, retrieval, consultation, use, disclosure, alignment, restriction, erasure, or destruction.
"Sub-processor" means any third party engaged by us to process Personal Data on your behalf.
"Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
2. Scope and Role of the Parties
You are the Controller of the Personal Data of your customers and end-users. We act as the Processor of such data when processing it on your behalf to provide the Services (payment processing, settlement, reporting). To the extent we process Personal Data for our own purposes (fraud detection, platform improvement, regulatory compliance), we act as an independent Controller as described in our Privacy Policy.
3. Processing Instructions
3.1 Scope of Processing
We will process Personal Data only in accordance with your documented instructions, which are deemed to include: (a) the Terms of Service; (b) this DPA; (c) your configuration of the Services; and (d) any other written instructions mutually agreed upon.
3.2 Categories of Data
The Personal Data processed under this DPA includes:
- Customer identification data: Names, email addresses, phone numbers, IP addresses
- Financial data: Payment card details (encrypted), bank account information, transaction amounts
- Transaction metadata: Order references, product descriptions, custom metadata fields
- Device and technical data: Browser fingerprints, device identifiers, geolocation
3.3 Data Subjects
The data subjects are your customers, end-users, and payers who interact with the Services.
3.4 Duration
Processing will continue for the duration of the Services agreement and for such additional period as required by applicable law or regulation (see data retention periods in our Privacy Policy).
4. Obligations of the Processor
4.1 Confidentiality
We ensure that all personnel authorised to process Personal Data are subject to binding confidentiality obligations. Access to Personal Data is restricted to personnel who require it for the performance of their duties, in accordance with the principle of least privilege.
4.2 Security Measures
We implement and maintain appropriate technical and organisational security measures, including but not limited to:
- Encryption: AES-256 encryption at rest; TLS 1.3 for data in transit
- Access control: Role-based access control (RBAC), multi-factor authentication, principle of least privilege
- Network security: Firewalls, intrusion detection/prevention systems, DDoS mitigation
- Monitoring: 24/7 security monitoring, real-time alerting, immutable audit logs
- Physical security: Data centres with ISO 27001 certification, biometric access controls, 24/7 surveillance
- Business continuity: Automated backups, disaster recovery with RTO < 4 hours, geo-redundant infrastructure
- Vulnerability management: Regular penetration testing, automated vulnerability scanning, responsible disclosure programme
- PCI-DSS: Level 1 compliance for all card data handling
4.3 Assistance with Data Subject Rights
We will assist you in fulfilling your obligations to respond to data subject requests (access, rectification, erasure, portability, restriction, objection) by providing the technical mechanisms and cooperation necessary. We will notify you promptly if we receive a data subject request directly, unless prohibited by law.
4.4 Data Protection Impact Assessments
We will provide reasonable assistance with Data Protection Impact Assessments (DPIAs) and prior consultations with supervisory authorities where required, taking into account the nature of the processing and the information available to us.
5. Sub-processors
5.1 Authorisation
You provide general authorisation for us to engage Sub-processors to assist in providing the Services. We maintain an up-to-date list of Sub-processors, and you may subscribe to receive notifications of changes.
5.2 Current Sub-processors
Our current Sub-processors include:
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloud Infrastructure Provider | Hosting and data storage | EU / US |
| Card Network Processors | Card payment processing | Global |
| Identity Verification Provider | KYC/KYB document verification | Nigeria / UK |
| Email Service Provider | Transactional email delivery | EU |
| Fraud Detection Provider | Transaction risk scoring | UK / US |
| Sanctions Screening Provider | AML/CFT sanctions checks | UK |
5.3 Objection to Sub-processors
We will notify you at least thirty (30) days before engaging a new Sub-processor. If you have a reasonable objection based on data protection grounds, you may notify us in writing within fifteen (15) days. We will work in good faith to address your concerns. If we cannot resolve the objection, you may terminate the affected Services without penalty.
5.4 Sub-processor Obligations
We impose data protection obligations on all Sub-processors that are no less protective than those set out in this DPA, through written contracts in accordance with Article 28(4) GDPR. We remain fully liable for the acts and omissions of our Sub-processors.
6. Data Breach Notification
6.1 Notification Timeline
In the event of a Data Breach affecting Personal Data processed on your behalf, we will notify you without undue delay and in any event within 48 hours of becoming aware of the breach. This enables you to meet your obligation to notify supervisory authorities within 72 hours under GDPR Article 33.
6.2 Notification Contents
Our breach notification will include, to the extent available:
- Description of the nature of the breach, including categories and approximate number of data subjects and records affected
- Name and contact details of our Data Protection Officer
- Description of the likely consequences of the breach
- Description of measures taken or proposed to address the breach and mitigate its effects
6.3 Cooperation
We will cooperate fully with you in investigating and remediating the breach, and will provide all reasonable assistance in complying with your notification obligations to supervisory authorities and affected data subjects.
7. International Transfers
Where Personal Data is transferred outside the EEA, UK, or other jurisdiction with data transfer restrictions, we ensure appropriate safeguards are in place, including EU Standard Contractual Clauses (Module 2: Controller to Processor, or Module 3: Processor to Processor) as approved by European Commission Implementing Decision (EU) 2021/914, supplemented by a Transfer Impact Assessment where required.
8. Audit Rights
You have the right to audit our compliance with this DPA. We will make available all information necessary to demonstrate compliance and allow for audits, including inspections, by you or an independent auditor. Audits are subject to reasonable notice (at least 30 days), conducted during normal business hours, and limited to once per twelve-month period unless a Data Breach or supervisory authority investigation requires an additional audit.
9. Return and Deletion of Data
Upon termination of the Services, we will, at your election, return or delete all Personal Data processed on your behalf, unless applicable law requires us to retain it. We will certify deletion in writing upon request. Data retained for legal compliance purposes will continue to be protected under this DPA.
10. Liability
The liability provisions in the Terms of Service apply to this DPA. Each party shall be liable for damages caused by processing that infringes Data Protection Laws, in accordance with Article 82 GDPR.
11. Contact
For questions about this DPA, contact:
Data Protection Officer
Bolrach Technologies Limited
Email: [email protected]