Data Processing Addendum
Last updated: 5 December 2025
This Data Processing Addendum (“DPA”) is incorporated into and forms part of the Master Services Agreement (as amended or modified from time to time, the “Agreement”) and is entered into by and between each of the Airwallex Affiliates (“Airwallex”) and each of the Customer Affiliates (“Customer”) that are Parties to the Agreement. Solely with respect to the subject matter of Personal Data handling and processing, this DPA applies to and takes precedence over any written agreement between the Parties, such as the Agreement, Product Terms, Regional Supplements, or additional Terms thereunder (including any documents incorporated by reference in the foregoing), to the extent of any conflict or inconsistency. Capitalized terms used and not defined herein shall have the meaning given such terms in the Agreement.
Customer and Airwallex agree as follows:
PART A: DETAILS OF PROCESSING
PART A(1): List of Parties
| Term | Description |
| --- | --- |
| Airwallex Affiliate(s) (Data Importer/Exporter, as the case may be) (“Airwallex”) | For each Region, this means the Airwallex Affiliate specified for that Region in the Agreement Details. |
| Contact Details | For each Airwallex Affiliate the contact details are specified in the Agreement Details. |
| Customer Affiliate(s) (Data Exporter/Importer, as the case may be) (“Customer”) | For each Region, this means the Customer Affiliate specified for that Region in the Agreement Details. |
| Contact Details | For each Customer Affiliate the contact details are specified in the Agreement Details. |
PART A(2): Description of Processing
MODULE ONE: Transfer controller to controller
Data Exporter / Data Controller: relevant Customer Affiliate
Data Importer/ Data Controller: relevant Airwallex Affiliate
| Item | Description |
| --- | --- |
| Categories of data subjects | Representatives (including Authorised Users and Ultimate Beneficial Owners); End Users (including individuals or businesses whose Transaction Data is Processed ancillary to the provision of Services) |
| Categories of personal data | Services Data; Transaction Data |
| Sensitive data (if any) | None |
| Frequency of the transfer | Continuous |
| Nature of processing | The subject matter of the Processing is the Personal Data described above. The nature of the Processing is to enable Airwallex to provide Services, administer the Airwallex Platform, and to otherwise facilitate Airwallex’s compliance with its obligations under Applicable Law. Specifically, when acting as an Independent Controller, Airwallex may Process Personal Data to: determine and utilize third parties (e.g., banks and payment method providers); monitor, prevent and detect fraudulent transactions and other fraudulent activity on the platform; monitor, prevent and mitigate financial loss, security risks, and other harm; implement, maintain and perform internal processes that enable Airwallex to provide its Services (including relationship management, billing and invoicing) and administer the Airwallex Platform; comply with Law, including applicable anti‑money laundering screening and know‑your‑customer obligations, and Financial Partner and Governmental Authority requirements and requests; and analyze and develop products and services. |
| Purposes of processing | To provide the Services as set forth in the Agreement. |
| Retention period (or, if not possible to determine, the criteria used to determine that period) | Until the later of the expiration of the Agreement, Airwallex’s obligations under Applicable Law, or Airwallex ceasing to have a lawful basis for Processing such Personal Data. |
MODULE TWO: Transfer controller to processor
Data Exporter / Data Controller: relevant Customer Affiliate
Data Importer/ Data Processor: relevant Airwallex Affiliate
| Item | Description |
| --- | --- |
| Categories of data subjects | Representatives (including Authorised Users and Ultimate Beneficial Owners); End Users (including individuals or businesses whose Transaction Data is Processed ancillary to the provision of Services) |
| Categories of personal data | Instructions Data |
| Sensitive data (if any) | None |
| Frequency of the transfer | Continuous |
| Nature of processing | The subject matter of the Processing is the Personal Data described above. The nature of the Processing is to execute Instructions provided by the Controller for the purpose of the provision of the applicable Services. |
| Purposes of processing | To provide the Services as set forth in the Agreement. |
| Retention period (or, if not possible to determine, the criteria used to determine that period) | Until the later of the expiration of the Agreement, Airwallex’s obligations under Applicable Law, or Airwallex ceasing to have a lawful basis for Processing such Personal Data. |
PART A(3): Competent Supervisory Authorities
| Item | Description |
| --- | --- |
| Competent Supervisory Authority (for the purposes of EU SCCs / UK IDTA) | Where Customer is the Data Exporter, the competent supervisory authority for the purposes of the EU SCCs shall be [ ⬤ ] and for the purposes of the UK IDTA shall be the ICO. Where Airwallex is the Data Exporter, the competent supervisory authority shall for the purposes of the EU SCCs be the Autoriteit Persoonsgegevens (Dutch DPA) and for the purposes of the UK IDTA be the ICO. |
| Governing Law (for the purposes of the EU SCCs / UK IDTA) | Where Customer is the Data Exporter, the governing law of the EU SCCs shall be [ ⬤ ] and for the purposes of the UK IDTA shall be the law of England and Wales. Where Airwallex is the Data Exporter, the governing law of the EU SCCs shall be Dutch law and for the purposes of the UK IDTA the law of England and Wales. |
| Choice of forum and jurisdiction (for the purposes of EU SCCs / UK IDTA) | Where Customer is the Data Exporter, the choice of forum and jurisdiction for the purposes of the EU SCCs shall be [ ⬤ ] and for the purposes of the UK IDTA the courts of England and Wales. Where Airwallex is the Data Exporter, the choice of forum and jurisdiction for the purposes of the EU SCCs shall be the courts of Amsterdam and for the purposes of the UK IDTA the courts of England and Wales. |
| Approved Transferees | Airwallex: As set out at https://www.airwallex.com/terms/global-online-gdpr-centre and all Airwallex Affiliates. |
PART B: DATA PROTECTION TERMS
1. Definitions. For purposes of this DPA:
A. “Applicable Data Protection Laws” means all applicable laws, regulations and other legal requirements of any jurisdiction relating to privacy, data security, communications secrecy, Personal Data Breach notification and the Processing of Personal Data, including but not limited to the following: the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”); the UK GDPR (as defined in the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019/419) and the UK Data Protection Act 2018 (together being “UK Data Protection Law”); the Swiss Federal Act on Data Protection (“FADP”); the U.S. Gramm-Leach-Bliley Act (“GLBA”); the California Consumer Privacy Act (as amended by the California Privacy Rights Act, and together with related regulations when effective, the “CCPA”); other applicable U.S. state comprehensive privacy laws; and any other federal or state privacy laws governing personal information or personal data (collectively, the “U.S. Privacy Laws”).
B. “Authorized User” means an individual whom Customer designates and authorizes to access and use the Services on Customer’s behalf (e.g., employees, contractors, professional advisors), for whom Customer has created a user profile and granted permissions within the Airwallex Platform, and whose acts and omissions in connection with the Services are deemed those of Customer.
C. “Controller”, “Independent Controller”, “Processor”, “Data Subject”, and “Supervisory Authority” shall have the meanings ascribed to them in Data Protection Laws. “Controller” is deemed to include a “business” as defined in the CCPA, “processor” is deemed to include a “service provider” as defined in the CCPA, and “data subject” is deemed to include a “consumer” as defined in U.S. Privacy Laws.
D. “Data Breach” means an unauthorized or unlawful processing, use, access, loss, disclosure, destruction or alteration of Personal Data in a Party’s or its Affiliate’s, or a Party’s or its Affiliate’s agent’s or representative’s, possession or control.
E. “Data Subject” means an identified or identifiable natural person to which Personal Data relates. Data Subject includes Representatives and End Users.
F. “EEA” means the European Economic Area, which constitutes the member states of the European Union and Norway, Iceland, and Liechtenstein.
G. “End User” means an end user (individual) who uses Airwallex’s Service, regardless of whether the end user uses our Services for personal use or otherwise, as described in the Airwallex Global Privacy Policy.
H. “Instructions” means any communication, including those provided through the Webapp, API, or otherwise through the Airwallex Platform, or via an agreement between Customer and Airwallex, through which a Controller instructs a Processor to perform specific Processing of Personal Data on behalf of that Controller.
I. “Personal Data” means any information relating to an identified or identifiable individual or that is defined as “personally identifiable information,” “personal information,” or “personal data,” or any analogous term under Data Protection Laws that is Processed in connection with the Agreement. With respect to this DPA, Personal Data includes:
Instructions Data: Personal Data Processed in connection with executing on Instructions, as defined above, where Airwallex acts as a Processor. For clarity, Airwallex acts as a Processor solely with respect to Instructions Data and acts as an Independent Controller with respect to Services Data and Transaction Data, defined below.
Services Data: Personal Data Processed in connection with the provision of Airwallex Services, as defined in the Agreement, where Airwallex acts as an Independent Controller.
Transaction Data: Personal Data Processed in connection with a Transaction, as defined below, where Airwallex acts as an Independent Controller.
J. “Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
K. “Information Security Addendum” means the addendum attached to the DPA in Annex B covering mutual security and privacy requirements.
L. “Standard Contractual Clauses” means one or both of the following, as the context requires:
i. the “EU SCCs,” defined as the clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj and completed as described in the “Data Transfers” section below.
ii. the “UK Addendum,” defined as the United Kingdom Information Commissioner’s International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B1.0 of which is available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf), and completed as described in the “Data Transfers” section below.
M. “Representatives” means an individual who is the owner (including the Ultimate Beneficial Owner) of, or who acts on behalf of, Customer, including an Authorized User.
N. “Sub-processor” means any third party processor engaged by the Parties for the Processing of Personal Data.
O. “Transaction” means a particular transaction or activity that Customer or its End User, as applicable, requests Airwallex to complete as a result of interacting with the Services and confirming its election to engage in such transaction or activity, which, depending on the Service utilized, may comprise a payment transaction, currency conversion, card issuance or transaction, collection, billing, payout, fee splitting, investment transaction, or data orchestration, analysis, or management activity.
P. “Ultimate Beneficial Owner” (“UBO”) means the natural person who ultimately owns or controls an entity (including through direct or indirect ownership of 25% or more of ownership or voting rights) or otherwise exercises ultimate effective control, or on whose behalf a Transaction is conducted.
In the event of any conflict between definitions in this DPA and those in the Airwallex Global Privacy Policy, the definitions in this DPA shall control.
2. Roles of the Parties.
a. Airwallex as a Processor. Airwallex shall Process Personal Data as a Processor to Customer solely with respect to Instructions Data, in order to execute Customer’s Instructions as part of the provision of the applicable Services.
b. Airwallex as an Independent Controller. Airwallex shall Process Personal Data as an Independent Controller with respect to Services Data and Transaction Data to provide Services and administer the Airwallex Platform; fulfill regulatory and compliance obligations; provide technical support; and for any purpose for which Customer provides Airwallex with Personal Data other than as specified in Section 2(a).
3. Compliance; Party Obligations. Each Party shall be individually and separately responsible for complying with its obligations that apply to it (whether as a Controller or Processor) pursuant to any applicable Data Protection Law.
a. Where a Party acts as an Independent Controller of Personal Data Processed under the Agreement, it shall:
i. Limit the collection, transfer, and Processing of Personal Data to what is reasonably necessary to provide or receive the Services, as applicable, comply with Applicable Law, or as otherwise agreed to, in writing, by the Parties;
ii. Ensure that it has an appropriate legal basis for the collection, transfer, and Processing of Personal Data; and
iii. Where required by Applicable Data Protection Laws, ensure an appropriate legal basis (which may include consent where necessary) for collection, transfer, and Processing.
iv. As an Independent Controller, Airwallex may retain Services Data and Transaction Data as permitted by Applicable Law and its legitimate interests, consistent with disclosed retention criteria.
b. Where Airwallex acts as a Processor of Personal Data, it shall:
i. Process Personal Data solely: (1) to fulfill its obligations to Customer under the Agreement, including this DPA; (2) on Customer’s behalf; and (3) in compliance with Data Protection Law.
ii. To the extent that US Privacy Laws apply to such data, Airwallex:
Shall not “sell” Personal Data or “share” or “process” Personal Data for “targeted advertising purposes”, as such terms are defined in the applicable US Privacy Laws;
Shall comply with any applicable restrictions under applicable US Privacy Laws on combining the Personal Data with personal data that Airwallex receives from, or on behalf of, another person or persons, or that Airwallex collects from any other interaction between it and a data subject;
Shall not retain, use, or disclose Personal Data for any purpose other than for the business purposes necessary to perform the Instructions provided by the Customer when acting as a Processor;
Shall permit Customer to take reasonable and appropriate steps to ensure that Airwallex uses the Personal Data in a manner consistent with Customer’s obligations under the US Privacy Laws and, upon notice from Customer, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data; and
Certifies that it understands the restrictions and obligations set forth in this DPA, including in this Section 3.b., and that it will comply with them.
iii. Ensure that the persons it authorizes to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
iv. Taking into account the nature of the Processing, Airwallex will implement appropriate measures to assist Customer in responding to data subject requests as required by Data Protection Law. Airwallex will promptly refer to Customer any data subject request, third-party complaint, or government request relating to Personal Data Processed on Customer’s behalf (unless prohibited by law), and will provide reasonable cooperation and assistance. If prohibited from disclosing details of a government request, Airwallex shall inform Customer that it can no longer comply with Customer’s instructions without further detail and await Customer’s further instructions.
v. Provide reasonable assistance to and cooperation with Customer for Customer’s performance of a data protection impact assessment of Processing or proposed processing of Personal Data when required by applicable Data Protection Law, and at Customer’s reasonable expense.
vi. Promptly notify Customer if it determines that (i) it can no longer meet its obligations under this DPA or applicable Data Protection Law; or (ii) in its opinion, an instruction from Customer infringes applicable Data Protection Law.
vii. At Customer’s direction, and in any event upon termination or expiration of the Agreement, except to the extent required by Data Protection Laws, promptly return to Customer or, if so directed by Customer, destroy and, upon request, certify the destruction of any and all Personal Data and direct its representatives and Sub-processors to do the same, except to the extent storage is (i) required for Airwallex to exercise its rights or perform its obligations under the Agreement; or (ii) required or authorized by applicable Data Protection Law or applicable law for a longer period.
c. Customer acknowledges and agrees that where Airwallex acts as a Processor of Personal Data, Airwallex may engage third-party sub-processors in connection with the processing of Personal Data. The permitted sub-processors as of the date of the Agreement or this DPA are listed in Annex A-III. Customer acknowledges and expressly agrees that Airwallex may engage new sub-processors, and subject to the provisions herein, each sub-processor will become a permitted sub-processor. Airwallex shall notify Customer of a new sub-processor and Customer may reasonably object on legitimate grounds to Airwallex’s use of a new sub-processor by notifying Airwallex promptly in writing within thirty (30) days after receipt of Airwallex’s notice. If Customer objects, the parties will work in good faith to resolve the concern. If resolution is not possible, and the affected Sub‑processor is essential to the relevant Service, Airwallex will not be obligated to provide that Service requiring the Sub‑processor, and the parties will cooperate on an alternative or a partial termination and pro‑rata refund for prepaid, unused fees for the affected Service.
d. Notwithstanding anything to the contrary in the Agreement or this DPA, to the extent Airwallex (or its Affiliates) acts in accordance with Customer’s lawful Instructions, Airwallex and its Affiliates will not be liable for any claim made by a Data Subject arising from or related to such acts or omissions.
4. Information Security
a. Each Party shall implement and maintain appropriate technical, physical, and administrative security controls to protect and safeguard the Personal Data under its control against accidental, unauthorized or unlawful access, use, disclosure, loss, destruction, or damage. Airwallex shall maintain the controls specified in Appendix B.
b. With respect to Personal Data for which the Parties act as independent Controllers, each Party shall be independently responsible for notifying data subjects and regulatory authorities of a data breach affecting the confidentiality, integrity, or availability of Personal Data within its custody and control, or within the custody and control of that Party’s processor or sub-processor, provided that each Party shall provide commercially reasonable assistance to the other in order to facilitate the data breach notifications described in this paragraph.
c. With respect to Personal Data for which Airwallex acts as a Processor, Airwallex shall notify Customer without undue delay and no later than seventy-two (72) hours after confirmation of any Data Breach of such Personal Data in its custody or control (or within the custody and control of a subprocessor) and will assist Customer with its Personal Data Breach-related obligations, including without limitation, by:
i. Taking commercially reasonable steps to mitigate the effects of the Personal Data Breach and reduce the risk to individuals whose Personal Data was involved; and
ii. Providing Customer with the following information, to the extent known:
The nature of the Personal Data Breach, including, where possible, how the Personal Data Breach occurred, the categories and approximate number of data subjects concerned, and the categories and approximate number of Personal Data records concerned.
The likely consequences of the Personal Data Breach; and
Measures taken or proposed to be taken by Airwallex to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
iii. Providing timely updates of material developments in connection with the Personal Data Breach;
iv. Not making announcements or filings that identify Customer (including to Regulators and/or affected Data Subjects) in relation to the Personal Data Breach without first consulting with Customer and obtaining its prior written approval (provided that such approval shall not be unreasonably withheld or delayed).
d. Audit. Where Airwallex acts as a Processor, it will make available reasonable information, attestations, and independent assurance reports necessary to demonstrate compliance with this DPA and Data Protection Laws. Customer may submit targeted information requests. Solely where required by a competent regulator or where such assurance is unavailable or insufficient to satisfy a regulator’s specific request, Airwallex will allow and contribute to audits conducted by a mutually agreed third party, subject to reasonable limits on frequency, scope, confidentiality, and at least thirty (30) days’ prior notice.
e. Data Transfers. Each Party shall protect all Personal Data it receives from a third country in a manner no less stringent than required by applicable law of the country in which the Personal Data originated. To the extent Personal Data shared or transferred by one Party to the other Party in connection with this Agreement originates in the EEA, Switzerland, Singapore, or the UK via a Restricted Transfer, or is otherwise subject to the GDPR or UK GDPR, the Parties shall comply with the following:
i. European Transfers. In the event a Party exports any Personal Data from the EEA or that is otherwise subject to the GDPR to a Third Country, the Parties shall comply with the EU SCCs which are hereby incorporated into, and form an integral part of, this DPA, subject to the following: (i) the EU Standard Contractual Clauses shall be governed by the Module One clauses (Transfer controller to controller) for all Personal Data Processed by Airwallex as a Data Controller, and Module Two (Transfer controller to processor) for all Personal Data that a Party Processes as a Processor; (ii) Clause 7 (Optional – Docking Clause) of the EU SCCs shall be deemed incorporated herein and applicable to the Parties and third parties; (iii) for purposes of Clause 11 (Redress) of the EU SCCs, the Parties agree that the optional wording shall not be incorporated therein; (iv) for purposes of Clause 13 of the EU SCCs (Supervision), the competent supervisory authority shall be the Dutch Data Protection Authority; (v) for purposes of Clause 17 (Governing law) of the EU SCCs, the Parties agree that the EU SCCs shall be governed by the law of the Netherlands and Clause 17, “Option 1” shall apply accordingly; (vi) for purposes of Clause 18 (Choice of forum and jurisdiction) of the EU SCCs, the Parties agree that any dispute arising from the EU SCCs shall be resolved by the Courts of the Netherlands and Clause 18(b) shall apply accordingly; (vii) Annex A-I of this DPA shall be incorporated into Annex I of the EU SCCs; and (viii) Annex A-II of this DPA shall be incorporated into Annex II of the EU SCCs.
ii. Swiss Transfers. In the event a Party exports any Personal Data from Switzerland, the Parties shall comply with the EU SCCs, subject to the following: (i) references to “Regulation (EU) 2016/679” or “that Regulation” in the EU SCCs are to be understood as references to the Swiss Federal Act on Data Protection (FADP); (ii) references to specific Article(s) of “Regulation (EU) 2016/679” are to be understood as references to the equivalent Article or provision of the Swiss FADP; (iii) the term “member state” in the EU SCCs shall not be interpreted in such a manner as to exclude data subjects in Switzerland from enforcing their rights in Switzerland, in accordance with Clause 18(c), provided Switzerland is their habitual residence; (iv) the “competent supervisory authority” under Part C of Annex II of the EU SCCs is the Swiss Federal Data Protection and Information Commissioner; (v) the applicable law for contractual claims under Clause 17 in the EU SCCs is Swiss law; and (vi) in relation to Clause 18(a), any disputes arising from the EU SCCs shall be resolved by the courts of Switzerland.
iii. UK Transfers. In the event a Party exports any Personal Data from the United Kingdom or that is otherwise subject to the UK GDPR to a Third Country, the Parties shall comply with the EU SCCs, as updated and amended by the UK Addendum, provided that the UK Addendum shall be supplemented and completed, as appropriate, with the data processing descriptions and Party responsibilities, clause options, and similar criteria set forth in this DPA and the annexes attached hereto. For the purposes of supplementing and completing the UK Addendum, the Parties agree that any dispensation with the adopted format shall not adversely affect the appropriateness of the safeguards provided therein. For the avoidance of doubt, with respect to Personal Data transfers subject to the UK GDPR, in the event of a conflict between the EU SCCs and the UK Addendum, the terms and hierarchy set forth in the UK Addendum shall supersede and control with respect to such Personal Data transfers subject to the UK GDPR only. In the event that the version of the UK Addendum incorporated by this Agreement is subsequently varied, revoked or otherwise replaced in circumstances where Airwallex expects to incur consequential increases in costs or risk and provided that Airwallex has undertaken reasonable efforts to mitigate any such increases, then Airwallex may terminate its agreement with Customer, upon providing reasonable notice of the same to Customer in writing.
iv. Onward Transfers. A Party shall not transfer such Personal Data from the EEA, Switzerland, or the United Kingdom to any Third Country, except to the extent such transfer is in accordance with an applicable Data Protection Law.
f. GLBA. Notwithstanding anything to the contrary in the Agreement or this DPA, to the extent Personal Data is subject to the GLBA, each Party shall comply with the reuse and redisclosure obligations under GLBA, if and when applicable.
Annex A
Annexes A-I and A-II to the EU SCCs
ANNEX I
See the Agreement Details.
ANNEX A-III – LIST OF AIRWALLEX SUB-PROCESSORS
Airwallex’s subprocessors are listed in its Global Privacy Centre, accessible here: https://www.airwallex.com/us/terms/global-privacy-centre.
ANNEX B – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
This Information Security Addendum (this “Addendum”) forms part of the Agreement and applies to each party (each, a “Party”) to the extent it Processes Personal Data for the other Party under the Agreement. Capitalized terms not defined herein have the meanings given in the Agreement or the DPA.
SECURITY PROGRAM
Each Party shall implement and maintain an information security program appropriate to the nature, scope, context, and purposes of Processing and the risks to individuals, aligned with recognized industry standards (e.g., ISO/IEC 27001, SOC 2, NIST CSF). The program may be updated from time to time provided the overall level of protection is not materially diminished.
The program shall include documented policies and standards, which are reviewed at least annually; assigned security responsibilities, including a CISO or equivalent position; periodic risk assessments; and third‑party risk management commensurate with risk.
1. BASELINE TECHNICAL AND ORGANIZATIONAL MEASURES. Without limitation, each Party shall implement and maintain the following controls:
1.1. Access Control. Unique user IDs for all personnel, with mandatory multi‑factor authentication for remote and administrative access. Role‑based access grants according to principles of least privilege. Timely provisioning and de‑provisioning of access, with periodic user access reviews. Any system account credentials appropriately protected with credential management tools.
1.2. Network and System Security. Secure configurations are implemented for all endpoints, including endpoint protection. All networks are appropriately partitioned and protected using firewalls/ACLs.
1.3. Vulnerability Management. All infrastructure is routinely scanned for vulnerabilities, and patches are applied without undue delay. Independent penetration testing is conducted at least annually, with prompt remediation of findings.
1.4. Encryption. Strong modern encryption is used for Sensitive and Personal Data, both in transit and at rest. Appropriate key management is implemented for all cryptographic materials, with separation of duties in encryption management where possible.
1.5. Logging and Monitoring. Security event logging is collected from production endpoints. Alerting and regular reviews are in place to detect and respond to anomalous activity. Log retention is defined and is appropriate to function and risk.
1.6. Change Management and Secure Development. Appropriate change control processes and secure development practices are documented and enforced. Separation is consistently enforced between development, test, and production environments.
1.7. Business Continuity and Disaster Recovery. BC/DR plans including regular backups are documented and in place. All plans are tested, including backup restoration testing at appropriate intervals.
1.8. Personnel Security and Training. A Code of Conduct exists, outlining ethical standards and Acceptable Use. All personnel acknowledge documented confidentiality obligations, and complete security and privacy awareness training at least annually. Documented onboarding/offboarding procedures exist, including background checks.
1.9. Physical and Environmental Security. Facilities hosting systems that store or Process Personal Data have controlled access and appropriate environmental safeguards. Facilities are appropriately monitored, and access records retained.
2. INCIDENT MANAGEMENT AND NOTIFICATION. Each Party shall maintain an incident response process which includes the following provisions:
2.1. Upon confirming a Data Breach affecting the other Party’s Sensitive or Personal Data, the impacted Party shall notify the other Party without undue delay and no later than seventy‑two (72) hours.
2.2. The notification shall include known details of the breach, likely consequences, and mitigation steps. Each Party shall reasonably cooperate with the other Party regarding investigation, mitigation, and remediation.
2.3. No Party shall notify regulators or affected individuals in the other Party’s name without prior written approval unless required by law.
2.4. Each Party shall keep a clear record of all security incidents, including a post-incident review for follow-up actions.
3. DATA MANAGEMENT
3.1. Collection of Sensitive and Personal Data is limited to only that which is necessary for the provision of the Services. All sensitive data will be logically or technically segregated from that belonging to other parties. Data is protected via role-based access controls, and pseudonymization of data is performed where appropriate.
3.2. Upon termination or expiry of the Agreement (or upon written request where feasible), each Party shall delete or return the other Party’s Sensitive and Personal Data, unless retention is required (i) for Airwallex to exercise its rights or perform its obligations under the Agreement; or (ii) required or authorized by applicable Data Protection Law or other applicable law for a longer period.
3.3. Data will be disposed of securely in all cases, including the sanitization or destruction of media and systems used to store Personal Data, in accordance with industry standards and applicable law. Backup media shall be overwritten in accordance with standard retention cycles.
4. GOVERNANCE AND UPDATES
4.1. Each Party shall review its security program at least annually and after material changes or incidents to ensure continued effectiveness, and shall remediate identified material gaps without undue delay.
4.2. Each Party may independently update its security measures from time to time to reflect evolving risks and technologies, provided the overall level of protection is not materially diminished.