1. Parties & Scope
This DPA forms part of the agreement between Customer (acting as “Controller” or “Business”) and SMRT Payments LLC (acting as “Processor,” “Service Provider,” or “Contractor”) for the provision of services that involve the processing of personal data.
2. Roles & Instructions
Customer instructs SMRT Payments to process personal data solely to provide the services, as described in the agreement and Customer’s use of the services. SMRT Payments will follow Customer’s lawful instructions and notify Customer if an instruction infringes applicable law.
3. Nature & Purpose; Categories
- Purpose: payment services, communications (e.g., SMS timekeeping), support, security, and service improvement.
- Data Subjects: Customer’s employees, end users, contacts, or other individuals whose data Customer submits.
- Personal Data: identifiers (name, email, phone), timekeeping metadata, device/network data, and other data provided by Customer.
4. Confidentiality & Personnel
SMRT Payments ensures personnel are bound by confidentiality obligations and trained on data protection and security.
5. Security Measures
SMRT Payments implements appropriate technical and organizational measures, including access controls, encryption in transit, vulnerability management, logging/monitoring, and secure development practices. See our Data Security Policy for details.
6. Sub‑processors
Customer authorizes SMRT Payments to appoint affiliates and third parties as sub‑processors. SMRT Payments will require sub‑processors to meet materially equivalent obligations. Upon request, SMRT Payments will provide a current list of sub‑processors and notify Customer of material changes.
7. International Transfers
Where SMRT Payments transfers personal data outside the EEA/UK, the parties agree the EU Standard Contractual Clauses (Controller‑to‑Processor, Module 2; and UK addendum, where applicable) are incorporated by reference, with Customer as “data exporter” and SMRT Payments as “data importer.”
8. Assistance & Cooperation
Taking into account the nature of processing, SMRT Payments will assist Customer with data subject requests, security notices, DPIAs, and consultations with authorities, as required by law.
9. Incident Management
SMRT Payments will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer data and will provide information to assist Customer’s obligations.
10. Audit & Reports
Upon reasonable advance notice and subject to confidentiality, SMRT Payments will make available information necessary to demonstrate compliance and allow audits once per 12‑month period or following a material incident, using mutually agreeable scope and methods.
11. Return & Deletion
Upon termination, SMRT Payments will delete or return personal data within a reasonable period, except where retention is required by law or for legitimate archiving (e.g., fraud prevention, audit).
12. Service Provider (CPRA)
For California personal information, SMRT Payments acts as a “Service Provider/Contractor” and will not sell or share personal information, combine personal information across businesses except as permitted, or use it outside the business purpose.
13. Liability & Order of Precedence
Liability is governed by the underlying agreement. In the event of conflict, this DPA prevails over the agreement to the extent of the conflict on data protection matters.
Effective: January 1, 2025 · Last Updated: September 29, 2025