Data Processing Addendum

This DPA forms part of the agreement between PayLoad (“Processor”) and the customer (“Controller”) for Services where PayLoad processes Personal Data on the Controller’s behalf. PayLoad is operated by Nugent Brothers Enterprises LTD (company number NI719078) trading as “PayLoad.” Capitalized terms have the meaning given in applicable data protection laws (e.g., GDPR, UK GDPR).

Roles and scope

  • Controller determines the purposes and means of processing Customer Personal Data uploaded or generated through the Service.
  • Processor processes Customer Personal Data only on documented instructions from Controller, including via configuration of the Service and API calls, except where required by law.
  • Processor is a separate controller for account data, billing records, fraud prevention, and security telemetry needed to operate the Service.

Nature, purpose, types, and subjects

  • Nature/Purpose — Storage, transmission, transformation, delivery (shares, email jobs), access control, audit logging, billing, and support.
  • Data types — Files and associated metadata, share tokens, invite data, email job data, user identifiers, usage logs, IP/user agent, and billing identifiers (non-card data).
  • Data subjects — Controller’s users, invitees, end recipients of shares or emails, and authorized admins.
  • Duration — For the term of the Agreement plus any retention required to meet legal obligations or facilitate orderly deletion/return.

Instructions

Processor will process Customer Personal Data only per Controller’s instructions documented in the Agreement, this DPA, and Controller’s configured use of the Service. Processor will inform Controller if instructions infringe applicable law.

Subprocessors

  • Controller authorizes Processor to use subprocessors for infrastructure, storage, email delivery, monitoring, analytics, and payments (e.g., hosting provider, email provider, Stripe). Current subprocessors and regions are available on request.
  • Processor will impose data protection terms on subprocessors consistent with this DPA and remains responsible for their acts/omissions.
  • Processor will provide notice of material subprocessor changes and allow Controller to object on reasonable grounds. If unresolved, Controller may terminate affected services.

Security

  • Administrative, technical, and physical measures including TLS in transit, encryption at rest, access controls, least privilege, audit logging, key management, and secure software practices.
  • Customer controls include retention settings, invite permissions, caps, API key scope/rotation, and TOTP. Controller is responsible for configuring these controls.
  • Processor will maintain policies for vulnerability management, logging/monitoring, and staff confidentiality.

Data subject rights

Taking into account the nature of processing, Processor will assist Controller by appropriate technical and organizational measures to respond to requests to exercise rights (access, rectification, erasure, restriction, portability, objection). Controller is responsible for validating and directing such requests.

Incident notification

Processor will notify Controller without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, providing information to help Controller meet its obligations to notify authorities or individuals.

Audits

Processor will provide information necessary to demonstrate compliance with this DPA and applicable law. Upon reasonable notice, Controller may perform audits (including by independent auditor) limited to Processor’s relevant controls, subject to confidentiality, frequency limits, and safeguarding of other customers’ data and Processor IP.

International transfers

For transfers from the EEA/UK/Switzerland to countries without adequacy, the EU SCCs/UK Addendum (as applicable) apply, with Processor as “data importer” and Controller as “data exporter.” Controller authorizes Processor to sign SCCs with subprocessors on Controller’s behalf where required.

Deletion and return

Upon termination or Controller’s request, Processor will delete or return Customer Personal Data in accordance with Controller’s instructions and Service capabilities, unless retention is required by law. Backups will expire on their normal schedule.

Government and law enforcement requests

Processor will, to the extent legally permitted, notify Controller of any government or law enforcement request for Customer Personal Data and will challenge unlawful requests. Processor will disclose only what is legally required.

Liability

Liability under this DPA is subject to the limitations and exclusions set out in the Agreement, except to the extent prohibited by law.

Miscellaneous

If any provision of this DPA is held invalid, the remainder remains in effect. In case of conflict between this DPA and the Agreement, this DPA controls with respect to data protection. Parties will cooperate in good faith to update this DPA to address changes in applicable law.

Contact

All privacy, security, and DPO correspondence: NBE@nugentweb.online.