Data Processing Agreement

Effective date: April 1, 2026  ·  Last updated: April 1, 2026

This DPA is automatically incorporated into your agreement with Crezaro when you accept our Terms of Service. No separate signature is required. The DPA applies to all merchants processing transactions through the Crezaro platform where personal data of data subjects in the EEA, UK, Nigeria, or other regulated jurisdictions is involved.

This Data Processing Agreement ("DPA") is entered into between Bolrach Technologies Limited, a company incorporated in Nigeria (trading as Crezaro) ("Processor"), and you, the merchant ("Controller"), and forms an integral part of the Terms of Service. This DPA is executed pursuant to Article 28 of the EU General Data Protection Regulation (GDPR), Article 28 of the UK General Data Protection Regulation (UK GDPR), the Nigeria Data Protection Act 2023, and equivalent provisions of applicable data protection laws.

1. Definitions

Terms used in this DPA have the following meanings, and terms not defined here have the meanings assigned in the Terms of Service or applicable Data Protection Laws:

"Controller" means you, the merchant, who determines the purposes and means of the processing of Personal Data.

"Data Protection Laws" means, collectively: the EU GDPR (Regulation (EU) 2016/679); the UK GDPR and Data Protection Act 2018; the Nigeria Data Protection Act (NDPA) 2023; the Nigeria Data Protection Regulation (NDPR) 2019; the Canadian PIPEDA and applicable provincial privacy legislation; the CCPA/CPRA; and any subordinate legislation, guidance, or codes of practice issued thereunder, in each case as amended or replaced from time to time.

"Data Subject" means the identified or identifiable natural person to whom Personal Data relates — in this context, primarily your end-users and payers.

"Personal Data" means any information relating to an identified or identifiable natural person that Crezaro processes on your behalf in connection with the Services.

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored, or otherwise processed by or on behalf of Crezaro.

"Processing" means any operation or set of operations performed on Personal Data, whether by automated means or otherwise, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

"Processor" means Crezaro, who processes Personal Data on behalf of the Controller in accordance with the Controller's instructions.

"Special Category Data" has the meaning given in Article 9 GDPR, including biometric data where processed for the purpose of uniquely identifying a natural person.

"Sub-processor" means any third party engaged by Crezaro to carry out specific processing activities on Personal Data on behalf of the Controller.

2. Scope, Roles, and Subject Matter

2.1 Roles of the Parties

The Controller determines the purposes for collecting personal data from its Customers (for example, to process a payment). Crezaro, as Processor, processes that personal data on the Controller's behalf solely to provide the payment processing, settlement, refund, and reporting Services described in the Terms of Service.

To the extent Crezaro processes personal data for its own independent purposes (fraud prevention, platform security, regulatory compliance, or sanctions screening applicable to Crezaro directly), Crezaro acts as an independent Controller. Such processing is governed by Crezaro's Privacy Policy and is outside the scope of this DPA.

2.2 Crezaro's Processing Under This DPA

Crezaro processes Personal Data under this DPA to perform the following Services on the Controller's behalf:

  • Authorisation and processing of payment transactions initiated by Data Subjects on the Controller's platform
  • Tokenisation and secure storage of payment instrument data for recurring billing
  • Settlement calculations and disbursement of net proceeds to the Controller's bank account
  • Refund and chargeback processing
  • Generation of transaction reports and statements accessible through the Controller's dashboard
  • Webhook delivery of transaction events to the Controller's systems
  • Storage of transaction records for the Controller's access during the retention period

3. Details of Processing

3.1 Categories of Personal Data

The following categories of Personal Data are processed under this DPA:

  • Identification data: Data Subject's full name, email address, and phone number as submitted at checkout
  • Payment instrument data: Card BIN (first 6 digits), card last four digits, card brand, and card expiry month/year (stored in encrypted, tokenised form — full card numbers and CVV are never stored after authorisation)
  • Bank account data: for bank transfer collections, the account name and account number of the paying account (as provided by the bank during the transfer)
  • Transaction data: Transaction amount, currency, timestamp, payment method, transaction status, authorisation codes, and failure reason codes
  • Transaction metadata: Customer references, order IDs, product descriptions, and custom metadata fields submitted by the Controller through the API
  • Device and network data: The Data Subject's IP address at the time of transaction

3.2 Special Category Data

This DPA does not authorise the processing of Special Category Data. The Controller must not submit Special Category Data (including health data, racial or ethnic origin, political opinions, religious beliefs, or biometric data) through the Services' metadata fields or any other API parameter. Where the Controller requires processing of Special Category Data, it must notify Crezaro and obtain Crezaro's written consent prior to such submission.

3.3 Categories of Data Subjects

The Data Subjects whose Personal Data is processed under this DPA are:

  • The Controller's end-users, consumers, and customers who initiate payment transactions on the Controller's platform or in response to the Controller's payment requests

3.4 Nature and Purpose of Processing

Processing is carried out for the purpose of providing payment processing, settlement, and related financial services as described in the Terms of Service. The nature of processing includes: storage, retrieval, use, disclosure to sub-processors (Card Networks, banking partners, fraud screening), and deletion upon expiry of the retention period.

3.5 Duration of Processing

Processing continues for the duration of the Services agreement between the Controller and Crezaro, and thereafter for such period as is required by applicable law or regulation (see retention periods in Crezaro's Privacy Policy). Upon expiry of the legal retention period, data is securely deleted.

4. Obligations of Crezaro as Processor

4.1 Instructions

Crezaro will process Personal Data only on documented instructions from the Controller, unless required by applicable law to process Personal Data for other purposes. The Controller's instructions are deemed to include: (a) the Terms of Service; (b) this DPA; (c) the Controller's API configuration; and (d) any other written instructions agreed in writing. If Crezaro determines that an instruction infringes Data Protection Laws, it will notify the Controller promptly. In that case, Crezaro is entitled to refuse to carry out the instruction until it is lawfully modified or withdrawn.

4.2 Confidentiality of Processing

Crezaro ensures that all personnel authorised to process Personal Data are bound by contractual or statutory confidentiality obligations. Access to Personal Data is strictly limited to personnel who require it to perform their duties in connection with the Services, in accordance with the principle of least privilege.

4.3 Security of Processing

Crezaro implements and maintains the technical and organisational security measures described in Section 7 of this DPA.

4.4 Sub-processors

Crezaro will not engage Sub-processors without prior authorisation from the Controller, which is deemed to have been granted for the Sub-processors listed in Section 6 of this DPA and any additions notified in accordance with Section 6.3.

4.5 Assistance with Controller Obligations

Crezaro will assist the Controller in fulfilling its obligations under Data Protection Laws, including by:

  • Providing technical mechanisms for responding to Data Subject rights requests (access, deletion, portability) for data held by Crezaro on the Controller's behalf
  • Notifying the Controller within 48 hours if Crezaro receives a Data Subject rights request directly, and directing the Data Subject to the Controller without responding on the Controller's behalf (unless instructed otherwise)
  • Cooperating with the Controller in the event of a supervisory authority inquiry or investigation relating to the Controller's processing activities
  • Providing reasonable assistance with Data Protection Impact Assessments (DPIAs) and prior consultations with supervisory authorities where required

5. Obligations of the Merchant as Controller

By accepting these Terms and this DPA, the Controller represents, warrants, and agrees that:

  • It has a valid legal basis under applicable Data Protection Laws for each instance of personal data it submits to Crezaro for processing, including for cross-border transfers of personal data to Crezaro
  • It has provided Data Subjects with a privacy notice that accurately describes the collection and processing of their payment data through the Crezaro platform, and includes disclosure of international transfers where applicable
  • It will not submit Special Category Data to the Services without prior written agreement from Crezaro
  • It will not submit personal data relating to Data Subjects who are minors (under 18) without appropriate parental consent or legal authorisation
  • It will maintain records of processing activities required under GDPR Article 30 to the extent applicable to its business
  • It will promptly notify Crezaro if it becomes aware of any matter that may adversely affect Crezaro's ability to comply with its obligations under this DPA or applicable Data Protection Laws
  • It is and will remain compliant with applicable Data Protection Laws in its own right as Controller, independent of Crezaro's obligations as Processor

6. Sub-processors

6.1 General Authorisation

The Controller provides general written authorisation for Crezaro to engage the Sub-processors listed in Section 6.2. For future Sub-processors, Crezaro will provide notice as described in Section 6.3 and the Controller's continued use of the Services constitutes acceptance.

6.2 Current Sub-processors

The following Sub-processors are currently authorised to process Personal Data on behalf of the Controller:

Visa Inc. / Mastercard International / Verve International
  Purpose: Card payment authorisation and settlement
  Data processed: Card BIN, last four digits, transaction data
  Location: Global (US / UK / Nigeria)

Acquiring banking partner(s)
  Purpose: Transaction clearing and settlement disbursement
  Data processed: Transaction records, merchant bank account details
  Location: Nigeria / UK / Canada / US

Identity verification provider (KYC/KYB)
  Purpose: Merchant identity and business verification; BVN/NIN validation
  Data processed: Merchant identity documents, BVN/NIN, selfie data
  Location: Nigeria / UK

Sanctions and AML screening provider
  Purpose: Real-time screening of transaction parties against OFAC SDN, UN, HM Treasury, and CBN watchlists
  Data processed: Payer name and transaction details
  Location: UK

Fraud detection and risk scoring (ML engine)
  Purpose: Real-time transaction fraud risk assessment
  Data processed: Transaction data, IP address, device fingerprint
  Location: Nigeria (primary); EU (DR)

Primary database (PostgreSQL 18)
  Purpose: Persistent storage of transaction records, merchant data, and audit logs
  Data processed: All Personal Data under this DPA
  Location: Nigeria (Lagos data centre)

In-memory data store (Redis 7)
  Purpose: Session management, queue processing, rate limiting, transient transaction state
  Data processed: Session tokens, temporary transaction state (no persistent personal data)
  Location: Nigeria (Lagos data centre)

Analytics datastore (ClickHouse)
  Purpose: Transaction analytics, reporting, and aggregated business intelligence
  Data processed: Pseudonymised transaction event data
  Location: Nigeria (Lagos data centre)

Cloudflare, Inc.
  Purpose: CDN, DDoS mitigation, WAF, and TLS termination
  Data processed: IP addresses and HTTP request metadata (ephemeral)
  Location: Global (US-headquartered; EU and global edge nodes)

Transactional email provider
  Purpose: Delivery of transaction receipts, notifications, and system alerts
  Data processed: Recipient email address and notification content
  Location: EU

SMS provider
  Purpose: Delivery of OTP and transaction alerts via SMS
  Data processed: Mobile phone number and OTP/alert message
  Location: Nigeria

6.3 New Sub-processors

Crezaro will notify the Controller at least thirty (30) calendar days before engaging a new Sub-processor or making a material change to an existing Sub-processor's role, by publishing an update to this DPA page and sending an email notification to the Controller's registered address. Subscribers to DPA change notifications receive email alerts automatically — enable this in your dashboard under Settings > Legal > DPA notifications.

6.4 Objections

If the Controller has a reasonable, specific, and documented objection to a new Sub-processor on data protection grounds, it may notify Crezaro in writing at [email protected] within fifteen (15) calendar days of the notification. Crezaro will work in good faith to address the objection. If the objection cannot be resolved, the Controller may terminate the Services upon written notice, without penalty, provided termination occurs before the new Sub-processor begins processing. If no objection is raised within 15 days, the new Sub-processor is deemed approved.

6.5 Sub-processor Agreements

Crezaro imposes data protection obligations on all Sub-processors that are no less protective than those set out in this DPA, through written contracts compliant with GDPR Article 28(4), UK GDPR, and applicable Data Protection Laws. Crezaro remains fully liable to the Controller for the acts and omissions of its Sub-processors.

7. Security Measures

Taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the varying likelihood and severity of risks to the rights and freedoms of natural persons, Crezaro implements and maintains the following technical and organisational security measures:

7.1 Encryption

  • At rest: AES-256 encryption for all stored Personal Data; database-level encryption applied to primary and replica instances; encrypted backups with keys stored separately from data
  • In transit: TLS 1.3 for all data in transit between clients and Crezaro systems; TLS 1.2 minimum for all inter-service communications; HSTS enforced with minimum 12-month max-age; deprecated cipher suites (RC4, DES, 3DES, export-grade) disabled
  • Payment data: Full card numbers are never stored post-authorisation; CVV/CVC values are never stored at any point; payment instruments are tokenised using an industry-standard vaulting approach compliant with PCI-DSS

7.2 Access Controls

  • Role-based access control (RBAC) with the principle of least privilege applied to all personnel
  • Multi-factor authentication (MFA) required for all access to systems containing Personal Data
  • Privileged access management (PAM) system for administrative and database access; all privileged sessions are logged and recorded
  • Time-limited access tokens with automatic expiry; no standing privileged access to production systems
  • Dual approval required for sensitive administrative operations (bulk data access, schema changes, export)
  • Quarterly access reviews with automatic de-provisioning for leavers and role changes

7.3 Network and Infrastructure Security

  • Web application firewall (WAF) and DDoS mitigation via Cloudflare
  • Network segmentation between public-facing services, application tiers, and database tiers
  • Intrusion detection and prevention systems (IDS/IPS)
  • Regular vulnerability scanning and quarterly penetration testing by independent security consultants
  • Patch management programme with critical security patches applied within 48 hours of release

7.4 Monitoring and Audit Logging

  • 24/7 security monitoring with automated alerting for anomalous access patterns
  • Immutable audit logs for all data access, modifications, exports, and administrative actions — retained for 7 years and cannot be altered or deleted
  • Centralised log management with integrity verification

7.5 Physical Security

  • Primary data centres hold ISO 27001 certification
  • Biometric and multi-factor physical access controls for server rooms
  • 24/7 on-site security personnel and CCTV surveillance
  • Environmental controls including fire suppression, climate control, and uninterruptible power supply

7.6 Business Continuity and Disaster Recovery

  • Automated encrypted backups with daily full backup and continuous incremental backups
  • Point-in-time recovery available for up to 35 days
  • Geo-redundant disaster recovery node in the European Union
  • Recovery Time Objective (RTO): less than 4 hours for a full infrastructure failure
  • Recovery Point Objective (RPO): less than 15 minutes
  • Annual business continuity testing with documented results

7.7 PCI-DSS Compliance

Crezaro's card data handling environment is independently audited and certified annually as a PCI-DSS Level 1 Service Provider. A copy of Crezaro's current Attestation of Compliance (AOC) is available to merchants upon written request to [email protected] under a mutual non-disclosure agreement.

7.8 Personnel and Training

  • Background checks (where legally permissible) for all employees with access to Personal Data before employment commences
  • Mandatory data protection and security training at onboarding and annually thereafter
  • Binding confidentiality obligations for all employees and contractors
  • Clear desk and clear screen policy for all office environments
  • Defined procedures for secure disposal of physical documents containing Personal Data

8. Data Breach Notification

8.1 Processor Notification to Controller

In the event Crezaro becomes aware of a Personal Data Breach affecting Personal Data processed under this DPA, Crezaro will notify the Controller without undue delay and in any event within 48 hours of becoming aware of the breach. This timeline enables the Controller to comply with its obligation under GDPR Article 33 to notify the competent supervisory authority within 72 hours of becoming aware.

The initial notification may be delivered before all information is available; in that case, Crezaro will provide updates as further information becomes known.

8.2 Content of Notification

Crezaro's breach notification to the Controller will include, to the extent information is available at the time of notification:

  • Description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects affected, and the categories and approximate volume of Personal Data records affected
  • Name and contact details of Crezaro's Data Protection Officer
  • A description of the likely consequences of the Personal Data Breach
  • A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
  • Reference number and timeline of discovery

8.3 Cooperation

Crezaro will cooperate fully with the Controller in investigating, remediating, and managing the Personal Data Breach, and will provide all reasonable assistance required to enable the Controller to comply with its notification obligations to supervisory authorities (GDPR Art. 33) and affected Data Subjects (GDPR Art. 34) within applicable time limits.

8.4 Controller Obligations

The Controller is responsible for determining whether a breach requires notification to a supervisory authority or Data Subjects under applicable Data Protection Laws, and for making any required notifications. Crezaro's notification to the Controller does not constitute an acknowledgement of fault or liability.

9. International Data Transfers

9.1 Transfer Mechanisms

Where Personal Data is transferred from the EEA or UK to countries or organisations not subject to an adequacy decision, Crezaro relies on the following transfer mechanisms:

  • EU Standard Contractual Clauses (SCCs): Commission Implementing Decision (EU) 2021/914, Module 2 (Controller to Processor) and Module 3 (Processor to Processor), as applicable, supplemented by a Transfer Impact Assessment (TIA) where required
  • UK International Data Transfer Agreements (IDTAs): For transfers from the UK, pursuant to the Data Protection Act 2018 and the Secretary of State's approval under GDPR Article 46

This DPA, together with the Terms of Service, constitutes the execution of the applicable SCCs and IDTAs for transfers of Personal Data processed under this DPA. Where required, the Annexes to the SCCs are completed by reference to the details set out in Section 3 (Details of Processing) of this DPA.

9.2 Transfer Impact Assessments

Crezaro has conducted Transfer Impact Assessments for transfers to Nigeria from the EEA and UK. A summary of TIA findings is available to the Controller upon written request to [email protected].

10. Data Subject Rights Assistance

Crezaro provides the following technical capabilities to assist the Controller in responding to Data Subject rights requests for Personal Data held by Crezaro under this DPA:

  • Access: Controllers can export transaction data for a specific Customer (identified by email or customer ID) via the dashboard API
  • Deletion: Controllers can request deletion of Personal Data (excluding data subject to mandatory legal retention) via a dashboard request or by contacting [email protected]
  • Portability: Transaction data is exportable in JSON or CSV format via the API
  • Rectification: Incorrect metadata can be corrected through the dashboard; note that financial transaction records are immutable once settled

The Controller remains responsible for verifying the identity of the Data Subject before instructing Crezaro to action a rights request.

11. Data Protection Impact Assessments

Where the Controller is required to conduct a Data Protection Impact Assessment (DPIA) under GDPR Article 35 in relation to processing activities involving Crezaro's Services, Crezaro will provide reasonable assistance, including:

  • Providing information about the technical and organisational measures described in this DPA
  • Completing DPIA questionnaires or information requests within a reasonable timeframe (not exceeding 20 business days for standard requests)
  • Reviewing the Controller's draft DPIA and providing feedback where requested
  • Participating in prior consultation with supervisory authorities if required

Crezaro may charge a reasonable fee for assistance with DPIA requests that are unusually extensive or time-consuming.

12. Audit Rights

12.1 Information and Cooperation

Crezaro will make available to the Controller all information reasonably necessary to demonstrate compliance with Article 28 GDPR and this DPA, and will allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to the conditions in Section 12.2.

12.2 Conditions for Audit

Audit requests are subject to the following conditions:

  • At least thirty (30) calendar days' prior written notice to [email protected]
  • Audits are conducted during normal business hours (08:00–18:00 WAT, Monday to Friday, excluding public holidays)
  • Audits are limited to once per twelve-month period unless a Personal Data Breach or supervisory authority investigation necessitates an additional audit
  • The auditor must sign a non-disclosure agreement acceptable to Crezaro before accessing any Crezaro systems or confidential information
  • Audits must not interfere with the operation of the Services or the rights and freedoms of other Crezaro customers
  • The Controller bears the reasonable costs of audit, including Crezaro staff time at a rate of USD 250/hour

12.3 Third-Party Certifications

The Controller acknowledges that independent third-party certifications (including PCI-DSS AOC, ISO 27001 certificate, and SOC 2 Type II report — where applicable) may be provided as an alternative or complement to a direct audit, and agrees to accept such certifications as evidence of compliance for the scope they cover.

13. Return and Deletion of Data

Upon termination or expiry of the Services agreement, Crezaro will, at the Controller's election (to be notified within sixty (60) days of termination):

  • Return: Provide the Controller with a complete export of Personal Data processed under this DPA in JSON or CSV format, delivered securely; or
  • Delete: Securely delete all Personal Data processed under this DPA that is not subject to mandatory legal retention obligations, and provide written certification of deletion within thirty (30) days of deletion

Personal Data retained after termination pursuant to legal obligations (including the 7-year financial records retention period) will continue to be protected by the security measures and confidentiality obligations in this DPA throughout the retention period. Crezaro will notify the Controller when legally-retained data is deleted.

14. Liability

The liability provisions in the Terms of Service apply to this DPA and are incorporated herein by reference. Each party is liable for damages caused by processing that infringes Data Protection Laws in accordance with the applicable provisions of those laws, including GDPR Article 82. Where both parties are responsible for the same damage, they are jointly and severally liable to the Data Subject. As between the parties, liability is apportioned according to each party's degree of responsibility for the damage caused.

15. Term and Termination

This DPA enters into force upon the Controller's acceptance of the Terms of Service and remains in effect for the duration of the Services agreement. This DPA automatically terminates upon termination of the Services agreement, subject to the survival of provisions relating to the security of retained data (Section 13), liability (Section 14), and audit rights with respect to the period during which Crezaro processed Personal Data under this DPA.

In the event of any conflict between this DPA and the Terms of Service with respect to data protection matters, this DPA shall prevail.

16. Contact

For questions, requests, or concerns regarding this DPA or Crezaro's data processing activities, contact:

Data Protection Officer
Bolrach Technologies Limited
1 Amore Street, Wuse 2
Abuja, FCT 900271
Nigeria

Email: [email protected]
Compliance inquiries: [email protected]