Data Processing Agreement

Last updated: April 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Ripple Holdings Limited ("Ripple Pay", the Data Processor) and you, the Client (the Data Controller), in connection with your use of the Ripple Pay platform.

1. Definitions

Data Controller: The Client — the business that determines the purposes and means of processing personal data.
Data Processor: Ripple Holdings Limited, which processes personal data on behalf of the Controller.
Personal Data: Any information relating to an identified or identifiable natural person (your customers).
Processing: Any operation performed on personal data, including collection, storage, retrieval, and deletion.

2. Scope of Processing

Ripple Pay processes the following categories of personal data on your behalf:

Category	Purpose
Name, email, phone number	Customer identification and communication
Bank account details (sort code, account number)	Direct Debit mandate creation and payment collection
Card payment details (via Cashflows hosted page)	Card subscription billing and recurring payments
Address	Identity verification and mandate requirements
Payment history	Reporting, reconciliation, and fraud prevention

      Note: Ripple Pay does not store full card numbers. Card details are captured via Cashflows' PCI DSS-compliant hosted payment page and tokenised by Cashflows. Ripple Pay only stores masked card references and transaction identifiers.
    

3. Processor Obligations

Ripple Pay agrees to:

Process personal data only on documented instructions from the Controller
Ensure persons authorised to process data are bound by confidentiality
Implement appropriate technical and organisational security measures
Not engage sub-processors without prior written consent, except for London & Zurich (L&Z) who are required to process Direct Debit mandates, and Cashflows Europe Limited who are required to process card transactions
Assist the Controller in responding to data subject requests (access, erasure, portability)
Delete or return all personal data upon termination of the agreement
Notify the Controller without undue delay of any personal data breach

4. Sub-Processors

The following sub-processors are engaged by Ripple Pay:

Sub-Processor	Purpose	Location
London & Zurich (L&Z)	BACS-approved Direct Debit bureau — processes mandate registrations and payment collections	United Kingdom
Cashflows Europe Limited	FCA-authorised payment institution — processes card transactions, tokenisation, and settlements	United Kingdom
SendGrid (Twilio Inc.)	Transactional email delivery (receipts, notifications, failed payment alerts)	United States (EU SCCs in place)
Railway Inc.	Cloud infrastructure hosting (application and database)	United States (EU SCCs in place)
Cloudflare Inc.	DNS, CDN, and security services	Global (EU SCCs in place)

The Controller is deemed to have consented to the use of these sub-processors by agreeing to these terms. Ripple Pay will notify you of any changes to sub-processors with at least 30 days' notice.

5. Security Measures

Ripple Pay implements the following security measures:

All data transmitted over HTTPS with TLS 1.2 or higher
Database encryption at rest (PostgreSQL with AES-256)
API authentication via secure keys and session tokens
Cloudflare Turnstile for bot protection on public forms
Role-based access controls for admin and client portals
Regular security reviews and dependency updates
PCI DSS SAQ A compliance pathway (card details handled entirely by Cashflows)

6. Data Subject Rights

Where a data subject (your customer) exercises their rights under data protection law (access, rectification, erasure, restriction, portability, or objection), Ripple Pay will:

Assist you in responding to such requests within the required timeframe
Provide you with the tools to export or delete customer data via the portal
Not respond directly to data subjects unless instructed by you

7. Data Breach Notification

In the event of a personal data breach, Ripple Pay will:

Notify you without undue delay and in any event within 72 hours of becoming aware of the breach
Provide details of the nature of the breach, categories of data affected, and likely consequences
Take immediate steps to contain and remediate the breach
Cooperate with you and any supervisory authority in investigating the breach

8. International Transfers

Where personal data is transferred outside the Isle of Man, the UK, or the EEA (e.g. to sub-processors in the United States), Ripple Pay ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or equivalent mechanisms approved by the relevant supervisory authority.

9. Duration & Termination

This DPA remains in effect for the duration of your use of Ripple Pay. Upon termination of the service agreement, Ripple Pay will delete or return all personal data within 30 days, unless retention is required by law.

10. Governing Law

This DPA is governed by the laws of the Isle of Man and is subject to the Isle of Man Data Protection Act 2018 and the UK GDPR as applied by the Data Protection (Application of GDPR) Order 2018.

11. Contact

For questions about this DPA or to exercise data protection rights, contact:

      Ripple Holdings Limited

      Data Protection Contact: Mark Terris

      Email: info@startyourripple.co.uk

      Website: portal.startyourripple.co.uk