Last updated on March 9, 2026
This Data Processing Agreement (“DPA”) supplements the Merchant Services Agreement and governs Pandabase’s processing of personal data on behalf of the Merchant (“Controller”) in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR).
By using Pandabase, you agree to this DPA.
1. Definitions
- “Personal Data” — Any information relating to an identified or identifiable natural person.
- “Processing” — Any operation performed on Personal Data (collection, storage, use, disclosure, deletion).
- “Controller” — The Merchant, who determines the purposes and means of processing.
- “Processor” — Pandabase, which processes Personal Data on behalf of the Controller.
- “Sub-processor” — A third party engaged by Pandabase to process Personal Data.
2. Scope and Purpose
Pandabase processes Personal Data solely to provide the services described in the Merchant Services Agreement, including:
- Processing transactions and payments.
- Fraud detection and prevention.
- Tax calculation and remittance.
- Customer support and dispute resolution.
- Platform analytics and improvement.
3. Data Categories
| Category | Data Types |
|---|---|
| Buyer Data | Name, email, billing address, IP address, payment method details, purchase history |
| Merchant Data | Name, email, business details, bank account information, tax identifiers |
| Usage Data | Device info, browser type, pages visited, timestamps |
4. Pandabase’s Obligations
Pandabase will:
- Process Personal Data only on documented instructions from the Controller.
- Ensure personnel authorized to process Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organizational security measures.
- Assist the Controller in responding to data subject rights requests.
- Delete or return Personal Data upon termination of services, unless retention is required by law.
- Make available information necessary to demonstrate compliance and allow for audits.
- Notify the Controller without undue delay (within 72 hours) upon becoming aware of a Personal Data breach.
5. Sub-processors
Pandabase uses the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure and hosting | United States |
| Cloudflare | CDN, DDoS protection, DNS | United States |
| Akamai (Linode) | Cloud infrastructure | United States |
| Sumsub | Identity verification and KYC | United Kingdom |
| Sentry | Error monitoring and debugging | United States |
| Axiom | Logging and observability | United States |
| Mailgun | Transactional email delivery | United States |
| Twilio | SMS and communications | United States |
| Sinch | SMS and voice communications | Sweden |
| PostHog | Product analytics | United States |
| Stripe | Payment processing | United States |
| Adyen | Payment processing | Netherlands |
| PayPal | Payment processing | United States |
| Checkout.com | Payment processing | United Kingdom |
Pandabase will notify the Controller at least 30 days before engaging a new sub-processor. The Controller may object within 14 days by contacting legal@pandabase.io. If the objection cannot be reasonably resolved, the Controller may terminate the Agreement.
All sub-processors are bound by data processing obligations no less protective than those in this DPA.
6. International Transfers
Where Personal Data is transferred outside the EU/EEA, Pandabase relies on:
- EU Standard Contractual Clauses (SCCs).
- Adequacy decisions by the European Commission.
- Other approved transfer mechanisms under applicable law.
7. Data Subject Rights
Pandabase will assist the Controller in fulfilling data subject requests, including access, rectification, erasure, portability, restriction, and objection, within the timelines required by applicable law.
8. Security Measures
All data is stored in secure data centers located in Ashburn, Virginia. Pandabase implements the following measures:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
- Role-based access controls and multi-factor authentication for internal systems.
- Regular security assessments and penetration testing.
- Incident response procedures and breach notification protocols.
- Automated backups with geographic redundancy.
9. Data Breach Notification
In the event of a Personal Data breach, Pandabase will:
- Notify the Controller within 72 hours of becoming aware of the breach.
- Provide details of the breach, including the nature, categories of data affected, approximate number of data subjects, and measures taken or proposed.
- Cooperate with the Controller in investigating and mitigating the breach.
10. Term and Termination
This DPA remains in effect for the duration of the Merchant Services Agreement. Obligations regarding data deletion and confidentiality survive termination.
11. Contact
For questions about this DPA or data processing, contact legal@pandabase.io.
