Data Processing Agreement

Governs how ePayments Network processes personal information on behalf of merchants as a service provider under U.S. privacy law.

Effective Date: May 6, 2025
United States Only

Data Controller: Merchant
Determines the purpose and means of processing end-user personal information.

Data Processor: ePayments Network
Processes personal information solely on the documented instructions of the Merchant.

1. Purpose & Incorporation

This Data Processing Agreement ("DPA") forms part of the Terms & Conditions between ePayments Network ("EPN", "Processor", "we") operated by EverExpanse LLC, and each merchant who has accepted EPN's Terms & Conditions ("Merchant", "Controller", "you"). It governs EPN's processing of personal information submitted by or collected on behalf of the Merchant through EPN's payment processing platform and related services (the "Services").

This DPA is effective as of the date the Merchant accepted EPN's Terms & Conditions and supersedes any prior data processing terms between the parties. In the event of a conflict between this DPA and the Terms & Conditions, this DPA governs with respect to data processing matters.

EPN's Services are offered exclusively in the United States. This DPA is governed by U.S. federal and state privacy law, including the Gramm-Leach-Bliley Act (GLBA), the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), and applicable state data protection statutes.

2. Definitions

"Personal Information" — Any information that identifies, relates to, describes, or is reasonably capable of being associated with a particular individual, including cardholder data, contact information, and transaction records, as defined under applicable U.S. privacy law.

"Controller" — The Merchant, who determines the purposes and means of processing personal information of end users (cardholders and customers) in connection with the Services.

"Processor" — EPN, which processes personal information on behalf of and under the documented instructions of the Merchant.

"Sub-Processor" — Any third party engaged by EPN to process personal information in connection with delivering the Services (e.g., acquiring banks, cloud infrastructure providers, identity verification vendors).

"Processing" — Any operation performed on personal information, including collection, storage, use, disclosure, transfer, deletion, or destruction.

"Security Incident" — Any confirmed unauthorized access to, acquisition of, disclosure of, or destruction of personal information that triggers notification obligations under applicable U.S. state breach notification laws.

"Cardholder Data" — Payment card information as defined by the PCI DSS, including primary account numbers (PAN), cardholder names, expiration dates, and service codes.

"CCPA Service Provider" — EPN's role under the CCPA/CPRA as a business that receives personal information from a merchant for a business purpose pursuant to a written contract that prohibits selling or retaining, using, or disclosing personal information outside the direct business relationship.

3. Roles of the Parties

Merchant as Controller — The Merchant acts as the Controller with respect to personal information of its end users (cardholders and customers) that is submitted to or collected through EPN's payment platform. The Merchant is responsible for ensuring it has a lawful basis for collecting personal information and for providing adequate notice to end users about how their data will be shared with EPN for payment processing.

EPN as Processor — EPN acts as a Processor with respect to personal information it processes solely on behalf of and under the instructions of the Merchant for payment processing, settlement, reporting, and related Services.

EPN as Independent Controller — EPN acts as an independent Controller (not a Processor on your behalf) with respect to personal information it processes for its own business purposes, including:

- Fraud prevention and AML/BSA compliance obligations
- Financial recordkeeping required by FinCEN, IRS, and card network rules
- Aggregate analytics and platform security monitoring
- Regulatory reporting (SARs, 1099-K, etc.)

For these independent controller purposes, EPN's Merchant & Site Privacy Policy and End User Privacy Policy govern the processing, not this DPA.

4. Processing Instructions

Documented Instructions — EPN will process personal information only on documented instructions from the Merchant as set out in this DPA, the Terms & Conditions, and the Merchant's configuration of the Services. The Merchant instructs EPN to process personal information for the following purposes:

- Authorizing, capturing, settling, and reconciling payment transactions
- Issuing transaction confirmations and receipts
- Processing refunds and resolving chargebacks as directed by the Merchant
- Generating transaction reports accessible in the Merchant's dashboard
- Enabling recurring billing and subscription management as configured

Scope Limitations — EPN will not process personal information for purposes other than those described above and in Section 3 (Independent Controller Processing) without prior written authorization from the Merchant, except where required by applicable U.S. law.

Legal Obligations — If EPN is required by U.S. federal or state law, FinCEN regulations, or a valid legal process to process personal information in a manner inconsistent with the Merchant's instructions, EPN will notify the Merchant before such processing to the extent permitted by law.

5. Confidentiality of Processing

EPN will ensure that all personnel authorized to process personal information under this DPA are subject to binding obligations of confidentiality, whether through employment agreements or standalone confidentiality agreements. Access to personal information is limited to personnel who require such access to perform their duties in connection with the Services.

EPN will not disclose Merchant's personal information to any third party except as permitted under this DPA, the Terms & Conditions, or as required by applicable U.S. law. Where EPN is required to disclose personal information pursuant to a subpoena, government investigation, or legal process, EPN will provide the Merchant with reasonable prior notice to the extent permitted by law so that the Merchant may seek a protective order or other appropriate relief.

6. Security Measures

EPN implements and maintains technical and organizational security measures to protect personal information within its systems against unauthorized access, acquisition, disclosure, alteration, or destruction. These measures include, but are not limited to:

Gateway-Based Card Data Protection — EPN does not store, process, or transmit raw cardholder data (card numbers, CVV/CVC, track data) on its own servers. All payment card data is handled exclusively within the PCI DSS certified environments of EPN's gateway and processing partners. EPN receives only secure payment tokens, masked card references, and transaction metadata from those partners.

Encryption — Merchant account data, payout banking details, API credentials, and transaction metadata stored in EPN's systems are encrypted in transit using TLS 1.2+ and at rest using AES-256.

FTC Safeguards Rule Compliance — EPN maintains a written information security program meeting the requirements of the FTC Safeguards Rule (16 C.F.R. Part 314), including a designated security officer, annual risk assessments, access controls, and a formal incident response plan.

Access Controls — Role-based access controls (RBAC), multi-factor authentication (MFA), and least-privilege principles govern all internal access to systems that process personal information.

Penetration Testing — EPN conducts annual third-party penetration tests and quarterly vulnerability scans of its own platform systems. Summary findings are available to Merchants upon written request under NDA.

Physical Security — EPN's infrastructure is hosted in SOC 2 Type II certified data centers operated by AWS in U.S. regions, with physical access controls, 24/7 security monitoring, and environmental controls.

7. Sub-Processors

Authorization — The Merchant grants EPN general authorization to engage Sub-Processors to assist in delivering the Services, subject to the requirements of this Section.

Sub-Processor Obligations — EPN imposes on each Sub-Processor, by written contract, data protection obligations substantially equivalent to those in this DPA, including appropriate security measures, confidentiality obligations, and restrictions on processing.

Current Sub-Processors — EPN's current list of Sub-Processor categories includes:

- Acquiring banks and payment network partners (for transaction authorization and settlement)
- Cloud infrastructure providers (AWS — hosting, storage, and compute)
- Identity verification and KYB/KYC providers (for merchant onboarding and AML compliance)
- Fraud detection and risk scoring vendors
- Customer support platform providers
- Tax and financial reporting services

A current list of named Sub-Processors is available upon written request to legal@epayments.network.

Changes to Sub-Processors — EPN will provide at least thirty (30) days' prior notice of any material changes to its Sub-Processor list (additions or replacements) by email or in-platform notification. If the Merchant objects to a new Sub-Processor on reasonable data protection grounds, the parties will work in good faith to resolve the objection. If no resolution is reached within thirty (30) days, either party may terminate the affected Services with notice.

EPN's Liability — EPN remains liable to the Merchant for the acts and omissions of its Sub-Processors to the same extent EPN would be liable if performing the Sub-Processing directly.

8. EPN's Assistance Obligations

EPN will assist the Merchant in meeting its obligations to end users under applicable U.S. privacy law as follows:

Security Assistance — EPN implements the technical and organizational security measures described in Section 6, enabling the Merchant to demonstrate appropriate security for transactions processed through EPN.

Data Subject Rights — If EPN receives a privacy rights request (access, deletion, correction, opt-out) directly from one of the Merchant's end users, EPN will:

- Notify the Merchant within five (5) business days
- Refrain from responding directly to the end user except to redirect them to the Merchant (as the Controller)
- Provide the Merchant with reasonable cooperation to assist in responding, including retrieving transaction records associated with the end user upon verified Merchant request

Breach Notification — EPN will provide the Merchant with notification and assistance as described in Section 9.

CCPA Compliance Cooperation — EPN will cooperate with the Merchant in responding to verifiable consumer requests under the CCPA/CPRA to the extent the data is within EPN's control, and will certify compliance with CCPA Service Provider restrictions upon request.

9. Security Incidents & Breach Notification

Detection & Notification — Upon confirming a Security Incident affecting personal information processed under this DPA, EPN will notify the Merchant without undue delay and in no event later than seventy-two (72) hours after confirmation, to the extent feasible. Initial notice may be provided before all details are known.

Notice Contents — EPN's breach notification will include, to the extent available at the time:

- The nature of the Security Incident and categories of personal information involved
- Approximate number of individuals and records affected
- Likely consequences of the Security Incident
- Measures taken or proposed to address the incident and mitigate its effects
- EPN's designated incident response contact

Merchant Notification Obligations — The Merchant, as Controller, is responsible for determining whether and how to notify affected end users and relevant state authorities in accordance with applicable U.S. state breach notification laws (including California Civil Code § 1798.82, New York SHIELD Act, Texas Business & Commerce Code § 521, Florida Statute § 501.171, and equivalent statutes).

Cooperation — EPN will cooperate fully with the Merchant's breach investigation and remediation efforts, including providing forensic assistance, system logs, and relevant records as needed and as permitted by law.

Security Incident Reporting — To report a suspected Security Incident involving EPN systems, contact security@epayments.network immediately.

10. Data Retention & Deletion

Retention During Services — EPN retains personal information for as long as necessary to provide the Services and fulfill the purposes described in this DPA.

Post-Termination Retention — Upon termination of the Merchant's EPN account, EPN will retain personal information for the minimum periods required by applicable U.S. law:

- Transaction & cardholder records — Five (5) years minimum under the Bank Secrecy Act (BSA) and GLBA
- KYB / identity documents — Five (5) years from account closure under FinCEN CDD rules
- Tax records (1099-K) — Seven (7) years under IRS guidance
- Fraud and AML investigation records — As required by FinCEN and applicable law

Deletion & Return — Following expiration of all applicable retention periods, EPN will securely delete or destroy personal information in accordance with NIST SP 800-88 guidelines for media sanitization. Merchants may request confirmation of deletion by contacting privacy@epayments.network.

Merchant Data Export — Merchants may export their transaction history and account data from the Merchant Dashboard at any time during the active account period. EPN will make transaction data available for export for ninety (90) days following account termination.

11. Audit & Compliance Verification

Documentation — EPN will make available to the Merchant, upon written request and no more than once per calendar year, the following compliance documentation:

- Gateway partner PCI DSS Attestation of Compliance (AoC) — facilitated on request
- SOC 2 Type II report summary for EPN's infrastructure (under NDA)
- FTC Safeguards Rule compliance attestation for EPN's platform
- Sub-Processor list (current)

Third-Party Audits — EPN's annual third-party security assessment and the SOC 2 Type II certification of EPN's infrastructure provider (AWS) constitute EPN's primary compliance verification mechanism for platform security. For cardholder data handling, gateway partner PCI DSS assessments are the relevant documentation.

Merchant Audit Rights — Where third-party audit reports are insufficient to demonstrate compliance with this DPA, the Merchant may request a compliance review by providing at least sixty (60) days' prior written notice. Any such review will be: (i) conducted at the Merchant's expense; (ii) limited in scope to data processing activities covered by this DPA; (iii) subject to confidentiality protections; and (iv) conducted in a manner that does not disrupt EPN's operations or compromise the security of other customers' data.

12. CCPA / CPRA Service Provider Provisions

To the extent EPN processes personal information of California residents on behalf of the Merchant, the following CCPA/CPRA-specific terms apply:

Service Provider Designation — EPN is a "Service Provider" as defined under California Civil Code § 1798.140(ag). EPN receives personal information from the Merchant for the business purpose of providing payment processing services and is prohibited from:

- Selling or sharing personal information received from the Merchant
- Retaining, using, or disclosing personal information outside the direct business relationship with the Merchant
- Combining personal information received from the Merchant with personal information from other sources, except as permitted under the CCPA/CPRA

Merchant Obligations — The Merchant represents that it complies with the CCPA/CPRA with respect to any personal information it provides to EPN, including providing required disclosures to California residents about sharing with Service Providers.

Consumer Requests — If EPN receives a verifiable consumer request from a California resident that relates to data the Merchant controls, EPN will direct the consumer to the Merchant and notify the Merchant within five (5) business days.

CPRA Contractor Certification — EPN certifies its understanding of and compliance with the restrictions in this Section and grants the Merchant the right to take reasonable and appropriate steps to ensure EPN's use of personal information complies with this DPA.

13. Compliance with U.S. State Privacy Laws

EPN will assist the Merchant in meeting its obligations under applicable U.S. state privacy laws. To the extent EPN processes personal information of residents of the following states on behalf of the Merchant, EPN operates as a "Processor" or equivalent service provider role under applicable state law:

- California (CCPA/CPRA) — Service Provider as described in Section 12
- Virginia (CDPA) — Processor under Va. Code § 59.1-577 et seq.
- Colorado (CPA) — Processor under C.R.S. § 6-1-1301 et seq.
- Connecticut (CTDPA) — Processor under Conn. Gen. Stat. § 42-515 et seq.
- Texas (TDPSA) — Service Provider under Tex. Bus. & Com. Code § 541 et seq.
- Oregon (OCPA), Montana (MCDPA), and other enacted state statutes as applicable

In each case, EPN will process personal information only as instructed by the Merchant (as the Controller / Business) and in accordance with the requirements of the applicable state law and this DPA.

14. Liability

Merchant Liability — The Merchant is solely responsible for the accuracy, quality, and legality of personal information submitted to EPN, and for ensuring it has a lawful basis for sharing that personal information with EPN under applicable law.

EPN Liability — EPN's liability arising out of or related to this DPA is subject to the limitations and caps set out in the Limitation of Liability section of EPN's Terms & Conditions. EPN is not liable for any data processing that occurs outside of EPN's systems or as a result of unauthorized access caused by the Merchant's security failures.

Indemnification — Each party agrees to indemnify the other for losses arising from that party's failure to comply with its obligations under this DPA, subject to the limitations in the Terms & Conditions.

15. Term & Termination

Term — This DPA is effective from the date the Merchant accepted EPN's Terms & Conditions and continues until the termination of those Terms & Conditions.

Survival — Sections 5 (Confidentiality), 9 (Breach Notification), 10 (Data Retention & Deletion), 11 (Audit), and 14 (Liability) survive termination of this DPA for so long as EPN retains any personal information processed under it.

Termination — This DPA terminates automatically upon termination of the Terms & Conditions. EPN will continue to process personal information after termination solely to the extent required by applicable U.S. law and for the minimum retention periods specified in Section 10.

16. Governing Law & Order of Precedence

Governing Law — This DPA is governed by the laws of the State of Delaware, United States, without regard to conflict-of-law principles, consistent with EPN's Terms & Conditions.

Order of Precedence — In the event of a conflict: (1) this DPA governs over the Terms & Conditions with respect to data processing matters; (2) the Terms & Conditions govern all other matters; (3) EPN's Privacy Policies (Merchant & Site Privacy Policy and End User Privacy Policy) apply to their respective audiences.

Entire Agreement — This DPA, together with the Terms & Conditions and any executed merchant order form, constitutes the entire agreement between the parties with respect to the processing of personal information and supersedes all prior data processing agreements.

17. Contact & DPA Execution

Merchants wishing to obtain a countersigned DPA, request compliance documentation, or raise a data processing concern should contact:

Legal & Compliance: legal@epayments.network
Privacy Team: privacy@epayments.network
Security Incidents: security@epayments.network
Mailing Address: ePayments Network — Legal, EverExpanse LLC, 2201 Double Creek Dr Suite 3001, Round Rock, Austin, Texas, USA - 78664

This DPA is incorporated by reference into EPN's Terms & Conditions and is binding upon acceptance of those Terms. No separate signature is required unless the Merchant requests a countersigned copy for its own records.

This DPA was last updated on May 6, 2025. For legal enquiries, email legal@epayments.network.