Global DPA
Instant Checkout Pty Ltd
|
Last Updated
18 March 2026
1. Purpose and scope
This Global Data Processing Addendum (DPA) forms part of the Agreement between Instant and the Merchant
This DPA applies where Instant processes Personal Data on behalf of the Merchant in connection with the Services
This DPA is intended to satisfy the requirements of the GDPR, UK GDPR, Swiss FADP, CCPA/CPRA, and other Applicable Data Protection Laws (as defined below).
2. Definitions
Applicable Data Protection Laws means all laws relating to privacy, data protection, and cross-border data transfers applicable to the processing of Personal Data under the Agreement.
Controller, Processor, Business, Service Provider, Personal Data, Process/Processing, and similar terms have the meanings given to them in Applicable Data Protection Laws.
Security Incident means unauthorised access, disclosure, loss, alteration, or destruction of Personal Data.
Sub-processor meansany third party engaged by Instant to Process Personal Data.
Roles of the parties
Merchant is the Controller (or Business, as applicable) and Instant is the Processor (or Service Provider, as applicable).
Instant processes Personal Data on the Merchant’s documented instructions, as necessary to provide the Services, and as required by Applicable Data Protection Laws. Instant will inform the Merchant if an instruction, in its opinion, violates Applicable Data Protection Laws.
Details of processing
Nature and purpose: providing retention marketing, analytics, identity resolution, communications and related SaaS services.
Categories of data subjects: Customers, End Users, employees, and contractors.
Categories of personal data: contact data, device identifiers, online identifiers, behavioural data, transaction data, and related marketing data.
Duration: for the duration of the Agreement unless otherwise instructed.
Confidentiality
Instant ensures personnel authorised to process Personal Data are bound by confidentiality obligations.
Security of processing
Instant implements appropriate technical and organisational measures, including: encryption in transit and at rest, access controls and authentication, logging and monitoring, vulnerability management, incident response procedures, regular security testing and independent audits.
Instant will make available information reasonably necessary to demonstrate compliance with this DPA, including relevant security documentation and third-party audit reports, upon reasonable request.
7. Sub-processors
Merchant provides general authorisation for Instant to engage Sub-processors to process Personal Data.
A current list of Sub-processors is available upon written request.
Instant will provide at least 30 days’ prior notice of any intended addition or replacement of a Sub-processor. Merchant may object to a new Sub-processor on reasonable data protection grounds within the notice period. If the parties cannot resolve the objection in good faith, Merchant may terminate the affected Services in accordance with the Agreement.
Instant will ensure each Sub-processor is bound by written obligations that are no less protective than those set out in this DPA.
Assistance to Merchant
Taking into account the nature of processing, Instant will provide reasonable assistance to the Merchant to support data subject requests, DPIAs, and consultations with regulators.
Security Incident notification
Instant will notify the Merchant without undue delay after becoming aware of a Security Incident and provide reasonable cooperation.
Deletion or return of data
Upon termination or expiry of the Services, and at the Merchant’s written request, Instant will delete or return Personal Data processed on behalf of the Merchant, unless retention is required by applicable law or necessary for the continued operation of the Services or the Agreement. Deletion will be performed in accordance with Instant’s standard data retention and backup policies and may take place over a reasonable period.
11. International data transfers
Where Personal Data is transferred outside the EEA, United Kingdom, or Switzerland, the parties agree that the following transfer mechanisms are incorporated into this DPA and apply to such transfers as required by Applicable Data Protection Laws:
the European Commission’s Standard Contractual Clauses for the transfer of personal data to third countries (Commission Implementing Decision (EU) 2021/914), Module 2 (Controller to Processor);
the UK International Data Transfer Addendum to the EU Standard Contractual Clauses; and
the Swiss Federal Data Protection and Information Commissioner adaptations to the EU Standard Contractual Clauses, where applicable.
For the purposes of these transfer mechanisms, Merchant is the data exporter and Instant is the data importer.
Where applicable, transfers may also rely on the EU-U.S. Data Privacy Framework or other lawful transfer mechanisms recognised under Applicable Data Protection Laws.
12. CCPA/CPRA Terms
To the extent the California Consumer Privacy Act, as amended by the California Privacy Rights Act, or other applicable U.S. state privacy laws apply, Instant acts as a Service Provider and will process Personal Data solely for the purposes of providing the Services and in accordance with the Agreement.
Instant will not sell or share Personal Data and will not retain, use, or disclose Personal Data outside of the direct business relationship between the parties except as permitted by applicable law.
13. Order of precedence
In the event of any conflict between this DPA and the Agreement, this DPA will prevail to the extent of such conflict with respect to the processing of Personal Data.