Last updated: 21 May 2026
Background
In accordance with clause 10 of the Agreement, this Data Processing Addendum ("DPA") sets out the basis on which Astrada uses the Customer Personal Data (as defined below) for the purposes of providing the Astrada Service.
For the purposes of this DPA and the Data Protection Laws, the Customer is the controller and Astrada is the processor of Customer Personal Data.
In the event of a conflict between any of the provisions of this DPA and the remaining provisions of the Agreement, the provisions of this DPA shall prevail.
Both parties will comply with all applicable requirements of the Data Protection Laws (as defined below). This DPA is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Laws.
Definitions
Unless otherwise set out below, each capitalized term in this DPA shall have the meaning set out in clause 2 of the Agreement, and the following capitalized terms used in this DPA shall be defined as follows:
- "Customer Personal Data" means the "personal data" or "personal information" (as defined in the Data Protection Laws) of Users supplied by the Customer for the purposes of Astrada providing the Astrada Service as set out in Annex 2;
- "Data Protection Laws" means all laws relating to the use, protection and privacy of Customer Personal Data (including, without limitation, the privacy of electronic communications) which are from time to time applicable to the Customer, Astrada or the Astrada Service;
- "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any Customer Personal Data; and
- "Sub-processor" means any processor engaged by Astrada that receives from Astrada any Customer Personal Data.
Data Processing
Instructions for Data Processing
- Astrada will only process Customer Personal Data in accordance with Annex 2, unless processing is required by applicable laws to which Astrada is subject, in which case Astrada shall, to the extent permitted by such law, inform the Customer of that legal requirement before processing that Customer Personal Data.
- The Agreement (subject to any changes to the Astrada Service agreed between the parties), including this DPA, shall be the Customer's complete and final instructions to Astrada in relation to the processing of Customer Personal Data.
- Processing outside the scope of this DPA or the Agreement will require prior written agreement between the Customer and Astrada on additional instructions for processing.
- Where Astrada considers that an instruction from the Customer infringes applicable Data Protection Laws, Astrada shall immediately inform the Customer and shall be entitled to suspend performance of the instruction until the Customer appropriately amends or withdraws the instruction.
Required Consents and Disclosures
Where required by applicable Data Protection Laws, the Customer will ensure that it has obtained or will obtain all necessary consents, and has provided appropriate disclosures and notices, for the processing of Customer Personal Data by Astrada and the Card Networks in accordance with the Agreement (including the Permitted Use), including consent from Users to enable the Card Networks to collect, process and share Customer Personal Data relating to the Users for the purposes set out in the Agreement (including this DPA).
Transfer of Personal Data
Authorized Sub-processors
- The Customer agrees that Astrada may use subcontractors on Astrada's approved sub-processor list (shared upon request) ("Sub-processor List") to fulfill its contractual obligations under the Agreement, and Astrada shall ensure that it only appoints Sub-processors on the Sub-processor List. Astrada shall provide the Customer with at least 30 days' prior written notice of any changes to the Sub-processor List. The Customer may object to such new Sub-processor or change on reasonable data protection grounds by providing written notice to Astrada within 14 days of receiving notice. If the Customer objects, the parties shall discuss the objection in good faith. Astrada shall use reasonable efforts to address Customer's documented concerns, including by considering additional safeguards or alternative arrangements where reasonably feasible. If the parties cannot reach agreement within 14 days of the Customer's objection, the Customer or Astrada may terminate the Agreement upon 30 days' written notice.
- Astrada shall enter into a written agreement with Sub-processors which imposes materially the same obligations on the Sub-processor with regards to their processing of Customer Personal Data as are imposed on Astrada under this DPA.
Liability of Sub-processors
Astrada shall at all times remain responsible for compliance with its obligations under the DPA and will be liable to the Customer for the acts and omissions of any Sub-processor appointed by Astrada as if they were the acts and omissions of Astrada.
International Transfers
- EU/EEA/Swiss Transfers. Where Customer Personal Data originates from the (a) EU/EEA; or (b) Switzerland, the transfer from the EU/EEA or Switzerland to Astrada is covered by the European Commission's adequacy decision for the UK or Switzerland's adequacy recognition of the UK under Annex 1 of the Swiss Data Protection Ordinance, respectively, and does not require additional safeguards, and any onward transfer from Astrada (UK) to third countries is governed as set out below.
- UK Onward Transfers. Where Customer Personal Data:
  - (i) originating in the EU/EEA is transferred from the UK to countries without an adequacy decision, the EU SCCs set out in European Commission Implementing Decision (EU) 2021/914 shall apply as amended by the UK IDTA. For such transfers: (A) Module 2 (Controller to Processor) or Module 3 (Processor to Processor) applies, with Customer as data exporter and Astrada as data importer; (B) Clause 9(a): Option 2 applies; (C) Clause 11(a): The optional language does not apply; (D) Clause 17: Governing law shall be England & Wales; (E) Clause 18: Disputes before courts of England & Wales; (F) Astrada shall complete and maintain a Transfer Risk Assessment for all such transfers.
  - (ii) originating in Switzerland is transferred from the UK to countries without an adequacy decision, the EU SCCs shall apply adapted to comply with the Swiss Federal Act on Data Protection ("FADP"), with the FDPIC as supervisory authority, Swiss law as governing law, and Swiss law third-party beneficiary rights for data subjects.
Data Security, Audits and Security Notifications
Astrada Security Obligations
Astrada shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the measures set out in Annex 1.
Security Audits
Astrada shall make available to the Customer, and the Customer may audit (using independent third party auditors at Customer's cost, upon at least 30 days' notice, and at reasonable intervals but no more than once annually unless there are reasonable grounds for additional audits, including suspected breaches or regulatory requirements), all information reasonably necessary to demonstrate compliance with this DPA (including the technical and organizational measures as set out in Annex 1). The Customer's right to audit in this paragraph 5.2 is subject always to the confidentiality provisions of the Agreement. Customer acknowledges and agrees that Astrada may, at its discretion, provide a current audit report (such as PCI-DSS compliance audit) in lieu of granting audit access provided that such audit report adequately addresses the scope of processing under this DPA including Article 28 GDPR. Where such a report does not reasonably demonstrate compliance, Astrada shall provide additional information reasonably requested by the Customer and, if necessary, permit the Customer to exercise its audit rights in accordance with this Section 5.2.
Data Protection Impact Assessments
Astrada shall provide reasonable assistance to the Customer (at Customer's cost) with the Customer's obligations to conduct Data Protection Impact Assessments under applicable Data Protection Laws, taking into account the nature of processing and information available to Astrada.
Security Incident Notification
If Astrada or any Sub-processor becomes aware of a Security Incident, Astrada will (a) notify the Customer of the Security Incident within seventy-two (72) hours, (b) investigate the Security Incident and provide such reasonable assistance to the Customer (and any law enforcement or regulatory official) as required to investigate the Security Incident, and (c) take steps to remedy any non-compliance with this DPA.
Astrada Employees and Personnel
Astrada shall treat the Customer Personal Data as the Confidential Information of the Customer, and shall ensure that:
- access to Customer Personal Data is limited to those employees or other personnel who have a business need to have access to such Customer Personal Data; and
- any employees or other personnel have agreed in writing to protect the confidentiality and security of Customer Personal Data.
Individuals' Rights
Requests from Individuals
- Save as required (or where prohibited) under applicable law, Astrada shall notify the Customer of any request received by Astrada or any Sub-processor from an individual to exercise their rights in respect of their personal data included in the Customer Personal Data under Data Protection Laws ("Individual Requests"), and shall not respond to any such request.
- Astrada shall provide reasonable assistance to the Customer, by appropriate technical and organizational measures insofar as this is possible and at Customer's cost, to respond to Individual Requests as required under applicable Data Protection Laws, including by providing data exports, facilitating deletion, and providing relevant information about processing activities.
Government Disclosure
Astrada shall notify the Customer of any request for the disclosure of Customer Personal Data by a governmental or regulatory body or law enforcement authority (including any data protection supervisory authority), unless otherwise prohibited by law or a legally binding order of such body or agency.
Deletion of Data
Subject to paragraph 7.2 below, the Customer may in its absolute discretion notify Astrada in writing within thirty (30) days of the date of expiry or termination of the Agreement to require Astrada to delete and procure the deletion of all copies of Customer Personal Data processed by Astrada and Astrada shall, within 60 days:
- comply with any such written request;
- delete and procure the deletion of all copies of Customer Personal Data processed by Astrada, or at the Customer's election (notified in writing), return such Customer Personal Data to the Customer in a commonly used electronic format;
- procure that its Sub-processors delete all Customer Personal Data processed by such Sub-processors; and
- issue a written confirmation of deletion.
Astrada and its Sub-processors may retain Customer Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that Astrada shall ensure the confidentiality of all such Customer Personal Data and shall ensure that such Customer Personal Data is only processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose. In such cases, Astrada and its Sub-processors will be considered controllers of that data, as it will only be processed to comply with legal obligations.
Annex 1 — Security Measures
Pursuant to Article 32 of Regulation (EU) 2016/679 ("GDPR"), Astrada has implemented and maintains appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks to the rights and freedoms of natural persons.
Information Security Governance and Program Oversight
Astrada maintains a formal, documented information security program approved by management and supported by written policies, standards, and procedures. The program is designed to:
- protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access;
- identify and assess reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of Customer Personal Data; and
- implement safeguards proportionate to identified risks and verify their effectiveness through periodic testing and review.
Astrada contractually requires its Sub-processors to implement technical and organizational measures that provide a level of protection no less protective than those described in this Annex.
Risk Assessment and Continuous Improvement
- Astrada performs periodic risk assessments to evaluate threats, vulnerabilities, and potential impacts to information systems and Customer Personal Data.
- The adequacy of Astrada's security controls is reviewed on a regular basis and following material changes to systems, infrastructure, or processing activities.
- Identified risks and control gaps are documented, tracked, and remediated in accordance with defined risk treatment procedures.
Access Control and Identity Management
Astrada implements administrative, technical, and logical access controls to ensure that access to Customer Personal Data and related systems is limited to authorized personnel with a legitimate business need, including:
- role-based access controls aligned with the principle of least privilege;
- unique user identification and authentication mechanisms;
- strong password and authentication policies;
- periodic access reviews and prompt removal or modification of access upon role change or termination; and
- logical segregation of environments and duties where appropriate.
Personnel Security and Training
- Astrada maintains a mandatory information security and data protection awareness training program for all employees.
- Training is provided upon onboarding and refreshed periodically thereafter.
- Employees are required to acknowledge applicable security and data protection policies.
- Personnel with access to Customer Personal Data are subject to confidentiality obligations.
Data Retention and Secure Deletion
- Astrada retains Customer Personal Data only for the duration necessary to fulfill its contractual obligations and to comply with applicable legal, regulatory, or contractual retention requirements.
- Astrada maintains documented data retention and deletion policies that define retention periods based on the nature of the data and the purposes of processing. Upon expiration of the applicable retention period, or upon termination of the applicable agreement (subject to legally required retention), Customer Personal Data is securely deleted in accordance with Astrada's internal data disposal standards and industry-accepted secure deletion practices.
- Secure deletion processes are designed to prevent the reconstruction, recovery, or further processing of Customer Personal Data.
Security Incident and Breach Management
Astrada maintains documented security incident response and breach management procedures designed to:
- Detect, assess, contain, and remediate security incidents in a timely manner;
- Escalate incidents to appropriate internal stakeholders;
- Assess the impact on the confidentiality, integrity, and availability of Customer Personal Data;
- Support Customer compliance with applicable data breach notification obligations under the GDPR.
Monitoring, Logging, and Vulnerability Management
- Astrada maintains monitoring controls to identify anomalous activity, security events, and potential vulnerabilities across its systems.
- Logs relevant to security events are collected and reviewed in accordance with internal procedures.
- Vulnerabilities are assessed, prioritized, and remediated based on risk.
Security Testing, Audits, and Certifications
Astrada regularly evaluates the effectiveness of its information security controls, including through:
- Periodic testing of key technical and organizational controls;
- Independent audits and certifications, including:
  - PCI-DSS Level 1 Service Provider certification;
  - Penetration testing conducted:
    - at least annually; and
    - following significant changes to systems, infrastructure, or application architecture.
Findings from testing and audits are reviewed and remediation activities are tracked to completion where appropriate.
Endpoint and Device Security
Astrada implements security controls for endpoint devices used to access Customer Personal Data, including:
- Endpoint Detection and Response (EDR) solutions providing malware and virus detection and prevention on all employee laptops;
- centralized device management, including configuration and patch management, to ensure devices remain on supported software versions;
- full disk encryption enabled on all employee devices using industry-standard encryption (AES with a minimum key length of 128 bits); and
- secure configuration baselines applied to endpoints.
Sub-processor Security Management
Astrada conducts due diligence on Sub-processors prior to engagement and contractually requires them to implement appropriate technical and organizational security measures. Astrada periodically reviews Sub-processor security assurances as part of its vendor management process.
Review and Updates
Astrada reviews and updates these Technical and Organizational Security Measures periodically and in response to material changes in applicable laws, processing activities, or the threat landscape.
Annex 2 — Details of Processing
Subject Matter and Duration of Processing
- Subject Matter. The processing of personal data necessary for the provision of the Astrada Services (including the Permitted Use), including but not limited to fraud detection, data analytics, and platform maintenance and development (such development to cover those activities strictly necessary to provide and maintain the Astrada Services to Customer).
- Duration. During the Term, personal data relating to enrolled and valid Payment Cards will be deleted within 13 months of the date of receipt of such personal data, unless the Payment Card expires (and is not renewed or replaced), in which case such personal data will be deleted within 60 days of expiry, provided that, in all cases, the personal data in question will not be deleted if retention is required by applicable law.
Nature and Purpose of Processing
- Nature. Collecting Payment Card details from Customer. Transmission of Payment Card details to the relevant Card Network for authentication and enrollment. Tokenization of some Payment Card details (PAN and expiry date) for secure storage.
- Purpose. Enrollment of Payment Cards with Card Network for use in relation to the Astrada Services by Customer in support of Customer client's spend management services.
Location of Processing
- Processor. United Kingdom.
- Sub-processor Locations. Processing may occur in the locations where Sub-processors operate, as specified in the Sub-processor List.
- International Transfers. Customer Personal Data may be transferred to the United States where Sub-processors (as set out in the Sub-processor List) operate; and
  - such transfers from the UK/EEA/Switzerland to the US are governed by the EU SCCs and UK IDTA or Swiss FADP as incorporated in Section 4 of this DPA; and
  - Astrada shall ensure all Sub-processors located in third countries are bound by equivalent transfer mechanisms.
Categories of Data Subjects
Users of the Customer platform who attempt to enroll Payment Cards.
Types of Personal Data
- Payment Card details. Cardholder name, PAN, expiry date, CSV.
- In addition, other personal data elements (such as employee ID, email address, or similar identifiers) to the extent requested by the Customer and strictly necessary for Astrada to provide customer-requested customizations to the Services.