Data Processing Addendum
Last Updated: 7/14/2026 | Version 1.0
This Data Processing Addendum ("DPA") forms part of the agreement between Kashu, Inc. ("Kashu," "Processor") and a business customer ("Customer," "Controller") where and to the extent Kashu processes personal data on the Customer's behalf in providing its services. Where this DPA conflicts with the underlying agreement as to the processing of personal data, this DPA controls.
1. Definitions
"Personal Data," "Controller," "Processor," "Processing," "Data Subject," and "Personal Data Breach" have the meanings given under applicable data-protection law. "Applicable Data Protection Law" means the privacy and data-protection laws applicable to the processing of Personal Data under the agreement.
2. Roles and Scope of Processing
The Customer is the Controller and Kashu is the Processor with respect to Personal Data that Kashu processes on the Customer's behalf. The subject matter, duration, nature and purpose of the processing, the types of Personal Data, and the categories of Data Subjects are described in Annex A.
3. Customer Instructions
Kashu will process Personal Data only on the documented instructions of the Customer, including as set out in the agreement and this DPA, unless required to process by law, in which case Kashu will inform the Customer of that legal requirement unless prohibited from doing so.
4. Confidentiality
Kashu will ensure that persons authorized to process Personal Data are bound by appropriate confidentiality obligations.
5. Security Measures
Kashu will implement and maintain appropriate technical and organizational measures designed to protect Personal Data against a Personal Data Breach, taking into account the state of the art, the costs of implementation, and the nature, scope, and purposes of processing.
6. Sub-processors
The Customer authorizes Kashu to engage sub-processors to process Personal Data, and to engage additional sub-processors, provided that Kashu imposes data-protection obligations on each sub-processor substantially similar to those in this DPA and remains responsible for its sub-processors' performance. Kashu maintains a current list of its sub-processors, which is available to the Customer on request. Kashu will provide a mechanism to notify the Customer of intended changes to its sub-processors so that the Customer may object on reasonable data-protection grounds.
7. Data Subject Requests
Taking into account the nature of the processing, Kashu will provide reasonable assistance to the Customer, by appropriate technical and organizational measures, in responding to requests from Data Subjects to exercise their rights under Applicable Data Protection Law.
8. Personal Data Breach
Kashu will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting the Customer's Personal Data, and will provide information reasonably available to it to assist the Customer in meeting its own notification obligations.
9. International Transfers
Where processing involves the transfer of Personal Data across borders, the parties will put in place an appropriate transfer mechanism required by Applicable Data Protection Law.
10. Deletion or Return
Upon termination of the services, Kashu will, at the Customer's choice, delete or return the Personal Data, and delete existing copies, unless retention is required by law.
11. Audits
Kashu will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to reasonable audits, subject to appropriate confidentiality and security conditions and reasonable notice.
12. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the underlying agreement.
Annex A: Details of Processing
Subject matter and duration: processing of Personal Data for the term of the agreement to provide the Kashu services. Nature and purpose: account provisioning, transaction processing and administration, identity verification, support, and related purposes. Types of Personal Data: identifiers and contact details, business and ownership information, transaction and account data, and verification data. Categories of Data Subjects: the Customer's authorized users, representatives, and, where applicable, the Customer's own customers.
Annex B: Sub-processors
Kashu engages a limited number of sub-processors to help provide the services, in categories such as money-movement and custody, card processing and settlement, identity verification, hosting, analytics, and customer communications. Kashu maintains a current list identifying each sub-processor and its processing purpose. This list is available to the Customer on request by contacting Kashu at the address below, and is provided subject to the confidentiality terms of the agreement. Kashu will notify the Customer of intended changes to its sub-processors as described in Section 6.
13. Contact Information
For questions or legal notices, you may contact us as follows:
Kashu, Inc.
Attn: Legal Department
1603 Capitol Ave, Ste 415 #674380
Cheyenne, WY 82001
Email: legal@kashupay.com