Global Online GDPR Centre


Last updated: 8 June 2022

Download PDF

Welcome to the Airwallex Global Online GDPR Centre

Airwallex is committed to protecting the privacy of everyone who engages with our platform. We also value the importance of transparency with respect to our privacy practices.

We created this Airwallex Privacy Center to help you find answers to frequently asked questions about how we collect and use personal data, the rights that individuals have in relation to personal data held by Airwallex, and how Airwallex complies with international data protection laws, such as the General Data Protection Regulation (GDPR) of the UK and EU.

This content is not legal advice, has been published for your general information purposes only, may not be exhaustive or current and may be amended from time to time without notice to you.

What is the GDPR?

The GDPR is the data protection regulation that gives individuals more control over their personal data. The European Union (EU) and United Kingdom (UK) have separate but similar versions of the GDPR.

Under the GDPR, organisations must take great care when processing personal data. Organisations must ensure there is a legal basis for every data processing activity and they must tell people how and why data is used. Individuals also have greater rights under the GDPR, and organisations must be accountable for all processing.

In addition, certain requirements must be satisfied before EU / UK individuals’ personal data may be transferred outside the EU or the UK, unless the organisation receiving the personal data is located in a permitted jurisdiction white listed by the European Commission or UK government. The list of white listed permitted jurisdictions may be found on the European Commission’s website here or the UK government website here.

What is personal data?

Personal data is any information that is related to an identified or identifiable natural person (e.g. you), such as your name, email address, username, ID, bank account number, card details, telephone number, personnel number, number plate, appearance, customer number or address. The definition under the GDPR is broad, and can include information that could be used indirectly and/or with other information to identify a natural person – such as device identifiers or IP address.

What does ‘processing’ mean in this context?

Processing means any operation that is performed on personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Who does the GDPR apply to?

The GDPR applies to any data processor or data controller in the EU or UK that processes personal data, as well as any data processor or data controller outside the EU or UK that processes the personal data of individuals in the EU or UK residents where the processing activities are related to:

  1. offering goods or services to data subjects in the EU or UK (even if those goods or services are provided free of charge); or
  2. monitoring the behaviour of individuals taking place in the EU or the UK.

Global Privacy Policy

You can learn about how we collect, use and share information in our Global Privacy Policy. Our Global Privacy Policy can be found at this link.

Is Airwallex acting as a data controller or a data processor?

We can be either or both, depending on the exact context of the data processing.

A “data controller” is the entity that determines the purposes and means of the data processing taking place, i.e. the main decision maker that exercises overall control over the data processing. For example, a data controller would make decisions on what types of personal data to collect and for what purpose(s).

A “data processor” is an entity that acts on behalf of and at the direction of a data controller in processing personal data. As the data processor is acting on the instructions of the data controller, it does not exercise control or decision making over the processing of personal data.

Data controllers and data processors have different responsibilities under the GDPR – for example, controllers are in charge of identifying a lawful purpose or legal basis, and must facilitate individual rights requests.

Airwallex is a data controller where we decide the purposes and means of the data processing taking place. Such data processing activities include (among other things):

  1. providing the Airwallex products and services;
  2. developing new, or enhancing existing, products;
  3. providing customer support;
  4. monitoring, detecting and preventing fraudulent activities on our platform; and
  5. complying with the legal and regulatory obligations that apply to Airwallex.

Under the above, Airwallex decides what personal data needs to be collected in order to pursue these actions, hence it is acting as a data controller in respect of these activities.

Airwallex is a data processor where we are given personal data by a third party (e.g. a business partner or service provider) and where we follow another party’s instructions on how to process personal data. In this case, Airwallex would not exercise control over how the personal data is to be processed.

What ‘lawful purpose’ or ‘legal basis’ does Airwallex rely on to process personal data?

Airwallex relies upon a number of legal grounds to process personal data.

Please refer to section 4 of our Global Privacy Policy for an overview of the types of personal data we collect from you, and the applicable ‘legal basis’ for each.

What rights do I have over my data?

You may have certain rights to your personal data. If Airwallex is a data controller of your personal data then we are responsible for managing and responding to your request. You can read more about your rights and how you can exercise your rights in our Global Privacy Policy.

Who are Airwallex’s processors and sub-processors and how are they evaluated?

In circumstances where we are acting as a data controller, it may be necessary for us to provide personal data to our affiliates or third parties, in which case that affiliate or third party will usually be acting as an independent data controller (this means personal data is shared with another controller entity who processes the data for their own independent purposes). Airwallex also uses data processors or (where we ourselves act as a data processor) subprocessors to provide services to Airwallex such as technology and payment processing services. We make sure we have appropriate safeguards in place to protect any personal data that is processed, including through contractual obligations.

Before a particular data processor or sub-processor is engaged, Airwallex vets and evaluates that data processor or sub-processor through our vendor management program. As required under the GDPR, we enter into a contract with each data processor or sub-processor before sharing data with the data processor or sub-processor. All potential vendors are also vetted and approved through Airwallex’s information security review process before we use their services. This means we investigate their security standards, check their certifications, etc., before we consider sharing any data.

We have set out in the below table examples of where the above will occur:

Third PartyPurpose
Third party service providersWe engage a variety of service providers to enable us to provide our Services to you. For example, service providers may be used to: facilitate payment processing, support technology or infrastructure, cloud storage, conduct market research, marketing analytics, detect fraud, verify identity and perform audits or other functions. We will share your personal information with such service providers only to the extent necessary to allow the performance of their intended engagement. All service providers and business partners that receive your personal information are contractually bound to protect and use your information only in accordance with this Policy.
Our corporate affiliatesTo facilitate or support us in providing our Services to you, we may share your personal information within our worldwide corporate family of companies among entities that are related by common control or ownership. All related group companies may only use your personal information in accordance with this Policy.
Enterprise PartnersOur Services may be offered to you in conjunction with or facilitated by other financial institutions or other enterprise (an “Enterprise”). Such Enterprises may have access to your personal information but only to the extent required to enable use by you of such products.
Regulatory Authorities: regulators, judicial authorities and law enforcement agencies, and other third parties for safety, security, or compliance with the law.There are circumstances in which we are legally required to disclose information about you to authorities, such as to comply with a legal obligation or processes, address issues relating to security or fraud, or protect our users. These disclosures may be made with or without your consent, and with or without notice, in compliance with the terms of valid legal process such as a subpoena, court order, or search warrant. We are usually prohibited from notifying you of any such disclosures by the terms of the legal process. We may seek your consent to disclose information in response to a governmental entity’s request when that governmental entity has not provided the required subpoena, court order, or search warrant. We may also disclose your information to: enforce our User Agreement or other applicable agreements or policies, including investigation of any potential violation thereof; detect, prevent or otherwise address security, fraud or technical issues; protect our rights, property, privacy, or security, or that of others, as permitted by law; or comply with applicable law, legal process or governmental orders.
Social Media PlatformsSocial media networks such as Facebook, Twitter, Pinterest, and Instagram that offer functionalities, plugins, widgets, or tools in connection with our website or mobile application (e.g., to log into an account, or to share content with your friends and followers on social media). If you choose to use these functionalities, plugins, widgets, or tools, certain information may be shared with or collected by those social media companies—for more information about what information is shared or collected, and how it is used, see the applicable social media company's privacy policy.
Potential Acquirers of our businessIf we are the subject or are involved in any corporate merger, acquisition, consolidation, reorganisation, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock (including in connection with bankruptcy or similar proceedings), we may share data with third parties during negotiations. In the event your personal information becomes subject to a different privacy policy, we will make reasonable efforts to notify you beforehand. We also may need to disclose information to a third party in connection with a commercial transaction where we or any of our affiliates are seeking financing, investment or funding.
Other Authorised PartiesIf you provide your consent, we may share your information including your personal information with a third party not defined in this Policy. Such disclosure will only be carried out in the manner described to you at the time you agreed to the sharing. Authorising a third-party application or website to access your Airwallex account or participating in certain promotional activities constitutes such consent to share your information.

For your reference, we have listed below Airwallex’s typical third party processors and sub-processors:

VendorDataPurpose of processingCountry of primary contracting entity
i2cUser data and user's customers' dataTransaction processing, card issuing and maintenanceUnited States
Google Cloud PlatformUser data and user's customers' dataCloud service providerUnited States
Alibaba Cloud PlatformUser data and user's customers' dataCloud service providerHong Kong
ZendeskUser data and information provided to Airwallex support by usersCustomer support servicesUnited States
Trulioo Information ServicesUser data and User's customers' dataUser identity verification and fraud detectionCanada
RefinitivUser data and User's customers' dataUser identity verification and fraud detectionUnited Kingdom
VisaUser data and User's customers' dataTransaction processing, card issuing, and maintenanceUnited States
MastercardUser data and User's customers' dataCard payment acquiringUnited States
MegaportEncrypted data shared between cloud providersNetwork connectivity between cloud providersUnited States
CloudflareUser data and User's customers dataNetwork security and anti-DDoSUnited States
ValitorUser data and User's customers dataCard payment acquiringIceland
SplunkAirwallex platform analytics and User dataPlatform analytics, outage detection, and security monitoringUnited States
GoogleLimited User data and internal dataDocument creation and processing, mail providerUnited States
Zoom Video CommunicationsUser data, insofar as that is shared in spoken word between the conversing parties, or recorded on the systemVideo conferencing systemUnited States
IdemiaCardholder name, PAN, CVV, expiration date, shipping addressPrinting the cards for issuingUnited States / Australia
ConcentrixCustomer dataCustomer service support functionPhilippines
SalesforceUser dataCustomer relationship management platform which stores User contact information as well as supporting information about the business relationshipUnited States
New RelicAirwallex platform analyticsPlatform analytics and outage detectionUnited States
SumologicAirwallex platform analyticsPlatform analytics and outage detectionUnited States
EquinixUser dataHardware data centre servicesUnited States
HubspotUser dataCustomer relationship managementUnited States

Our Affiliates

In addition to the above, any affiliate of our global corporate group that does not contract directly with customers may be a data processor or sub-processor of one or more of the Airwallex data controller(s) that are listed for your reference in Section 2 of our Global Privacy Policy.

What is a Data Processing Agreement and how can I get one with Airwallex?

A Data Processing Agreement (DPA) is a contract between a data controller and a data processor, which sets out the roles and responsibilities of the parties when personal data is processed. The GDPR sets out requirements that a DPA must satisfy in order to be compliant, including guarantees around security and that the processor will only act on our instructions. We have made our template DPAs available to our users. You may access our Data Processing Agreement here and our Data Sharing Agreement here, or you can request one using the contact details set out under the relevant heading below.

International data transfers

The information presented below is for general information purposes only and is not legal advice. As rules surrounding international data transfers may vary across jurisdictions, please consult with your own legal counsel to familiarise yourselves with the requirements that govern your specific situations.

How does Airwallex deal with international data transfers?

Airwallex uses a set of Standard Contractual Clauses (SCCs) published by the European Commission for cross-border data transfers (in the form of a legal contract) to provide a legal mechanism to transfer EU or UK personal data outside of the EEA/UK/Switzerland. These are required under European and UK data protection laws and are incorporated into our agreements.

Airwallex continues to adopt appropriate measures to ensure an adequate level of protection of personal data transferred outside the UK, EEA and Switzerland. Our measures include the SCCs to accommodate international data transfers, as well as a range of technical and organisational measures (described in more detail under the relevant heading below).

Airwallex’s technical and organisational measures

We apply technical and organisational measures to protect the security of personal data. These include an information security management system aligned with ISO27001 and SOC2 Type II as described below:

A.5: Information security policies

Airwallex has implemented security policies and standards that are constantly reviewed in line with the overall direction of the organisation’s information security practices. Risk assessments are performed on a regular basis and agreed mitigating controls are included in the policies, standards and procedures to address security globally.

A.6: Organization of information security

Airwallex’s information security policies and standard assign responsibilities for information security related tasks. It ensures that the organisation has established a framework that can adequately implement and maintain information security practices within the organisation supported by senior leadership.

A.7: Human resource security

Airwallex ensures individuals are screened before employment, makes sure that employees and contractors understand their responsibilities and addresses their responsibilities when they no longer hold that role – either because they’ve left the organisation or changed positions.

A.8: Asset management

Airwallex identifies, classifies information assets to define the appropriate level of defence required and defines appropriate protection responsibilities for them. Endpoints are hardened, protected and monitored to help prevent the unauthorised disclosure, modification, removal or destruction of sensitive data.

A.9: Access control

Policies and procedures for logical security are formally established and documented. User accounts belonging to Airwallex’s employees and contractors are approved, added, modified, or disabled in a timely manner and are reviewed on a periodic basis.

A.10: Cryptography

Airwallex deploys industry standard encryption technologies to protect business data and confidential information at rest and in transit and applies proper key management to the protection of its cryptographic keys.

A.11: Physical and environmental security

Airwallex offices have implemented rigorous physical and environmental controls for its security. Airwallex uses security certified GCP and Aliyun data centers and follows its Supplier relationship management process and controls.

A.12: Operations security

Airwallex applies management controls, operation controls and technological controls to protect business data and confidential information to provide for sustainable operation of business and application systems. Endpoints are protected against malware to mitigate the risk of infections, critical systems are logged and monitored, systems are hardening following CIS Benckmarks, periodically tested via automatic and manual means.

A.13: Communications security

Airwallex networks are managed and controlled in order to protect information within systems and applications. Airwallex uses technology to perform endpoint verification, has implemented firewalls to segregate environments, has clear segregation between production and non-production environments, access control lists, 2 factor authentication (i.e. software and hard token). Airwallex has also implemented strict endpoint controls for employees connecting to public networks (e.g. WFH arrangements) to consider the increased risk levels and to manage these risks. Airwallex also monitors its platforms to detect any anomalies that may present a threat to the company.

A.14: System acquisition, development and maintenance (13 controls)

Airwallex has implemented a DevSecOps model and embedded security into the SDLC. It has integrated the security, availability and confidentiality into product design, and provides related functions to meet the user entities’ requirements on security, availability and confidentiality. It has applied a secured change management process which encapsulates secure coding, configuration, scanning, patching monitoring and frequent testing.

A.15: Supplier relationships (5 controls)

Before onboarding Subprocessors, Airwallex conducts an audit of the security and privacy practices of Subprocessors to ensure Subprocessors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. Once Airwallex has assessed the risks presented by the Subprocessor, then subject to the engagement requirements the Subprocessor is required to enter into appropriate security, confidentiality and privacy contract terms.

A.16: Information security incident management

Security incidents and unauthorized disclosures of customer data are communicated to customers, relevant legal and regulatory authorities, and others as required by law, contract, or at the advice of legal counsel, as per defined in the information security management and data breach standards.”

A.17: Information security aspects of business continuity management

Airwallex has established corresponding service cycles and service availability commitments to provide high availability of user entities’ business and systems.

A.18: Compliance

Airwallex has implemented compliance processes to guarantee it addresses internal requirements, such as policies and standards, and with external requirements, such as laws and regulations and contractual requirements to mitigate the risks of non-compliance and the penalties that come with that.

Your rights and choices

Please refer to section 7 of our Global Privacy Policy.

Contact Us

If you would like to make any inquiries about our privacy policy, please contact us at:

● Airwallex information security team: [email protected]

● Airwallex privacy team: [email protected]

Cookies on the Airwallex website

We use cookies to give you a better experience on our website. If you continue without changing your settings, we’ll assume that you are happy to receive cookies. However, if you would like to, you can change your cookie settings at any time here