EpochPay DPA — GDPR Art. 28 + CCPA service-provider.
Last updated 2026-05-16 · Version 1.0 · Forms part of the terms of service
1. Definitions.
"Controller", "Processor", "Personal Data", "Process / Processing", "Data Subject" have the meanings given in GDPR. "Personal Information", "Service Provider", "Sale" have the meanings given in the CCPA / CPRA. "Customer Data" means any personal data the merchant submits to EpochPay through the API or merchant dashboard.
2. Roles.
- The merchant is the Controller (or Business under CCPA) for Customer Data.
- EpochCore LLC is the Processor (or Service Provider under CCPA) — we process Customer Data only on documented instructions from the merchant, except where required by law.
- For receipts that the merchant elects to publish to the public chain (the default for EpochPay's value proposition), the merchant authorizes the chain anchor as a documented instruction.
3. Subject-matter, duration, nature, purpose, types of data.
- Subject-matter: Processing payment intents and receipts on the EpochPay payment rail.
- Duration: For the duration of the merchant's subscription and the applicable regulatory retention period thereafter.
- Nature & purpose: Signing, routing, sealing, and verifying payment intents and receipts; producing aggregate operational telemetry.
- Types of Personal Data: Identifiers (payer ID, payee ID), amounts, currency, rail metadata, request metadata (IP, user-agent), OFAC screen results. No special categories of data (Art. 9) are collected by default.
- Categories of Data Subjects: The merchant's staff (account holders) and the merchant's end-customers if the merchant transmits identifiers.
4. Sub-processors.
The current sub-processor list is published at /trust/regulatory. By accepting this DPA the merchant authorizes the listed sub-processors. We provide 30 days' notice of material changes via the changelog (forthcoming); the merchant may terminate the affected service if it reasonably objects to a new sub-processor.
5. Security measures.
Detail at /security. Summary:
- ML-DSA-65 (FIPS 204) signing on every intent and receipt.
- TLS 1.3 in transit; encryption at rest via Cloudflare-managed keys on D1, R2, KV.
- Triple-hash WORM chain (SHA-256 + SHA3-512 + BLAKE3) with public verifiability.
- Rate limiting per merchant + OFAC screening on enroll.
- Sealed visual snapshots of every public page (anti-tamper).
- SOC 2 Type II in progress (target Q4 2026); bridge letter on request.
- Vulnerability disclosure policy at /security + RFC 9116 /.well-known/security.txt.
6. Data subject rights.
EpochPay provides API endpoints and admin tooling to assist the merchant in responding to data-subject access, rectification, deletion, portability, and objection requests. For records under regulatory retention, deletion is fulfilled via cryptographic blinding (we keep the hash, redact the cleartext, and sever the link from hash to identity). See /privacy.
7. Breach notification.
- EpochPay notifies the merchant of any Personal Data Breach affecting the merchant's Customer Data within 72 hours of becoming aware.
- Notice includes: nature of the breach, categories and approximate volume of records affected, likely consequences, mitigation actions taken, point of contact.
- If 72-hour notice is not possible, we provide the information in phases and explain the delay.
8. International transfers.
For transfers of Customer Data from the EEA / UK / Switzerland to the US, the parties incorporate the EU Standard Contractual Clauses (Module 2: Controller-to-Processor) by reference, as amended by the UK IDTA / UK addendum where applicable. Annexes I (parties & transfers), II (security measures), and III (sub-processors) are populated by the data at /trust/regulatory and at /security; counter-signed copies issued on request.
9. Audits.
The merchant may audit EpochPay's compliance once per 12 months on 30 days' notice, during US business hours, at the merchant's expense. We satisfy this obligation by providing the SOC 2 Type II report (when available; until then, the bridge letter), the public security posture, and a written response to a reasonable security questionnaire.
10. Return / deletion.
On termination, EpochPay makes a complete export of Customer Data available for 30 days. After 30 days, hot-storage mirrors are deleted; WORM chain anchors persist per /terms §8.
11. CCPA service-provider clauses.
- EpochPay receives Customer Data solely to provide the service to the merchant.
- EpochPay does not sell or share Customer Data.
- EpochPay does not retain, use, or disclose Customer Data outside the direct business relationship.
- EpochPay does not combine Customer Data with data from other sources for cross-context behavioral advertising.
12. Contact.
DPA inquiries: trust@epochpay.today · Privacy inquiries: privacy@epochpay.today · Postal: EpochCore LLC, Huntersville NC USA.