DPA — Swan
Data Processing Agreement — Swan
Between:
- Data Controller: ALAI Holding AS, Org. No. 932 516 136 ("Controller")
- Data Processor: Swan SAS ("Processor")
Effective Date: [DATE] Product: Drop payment services — Banking-as-a-Service (BaaS)
This DPA supplements the generic DPA template (dpa-template.md) with Swan-specific processing details. All general terms from the template apply unless overridden below.
Appendix 1 — Processing Details
| Field | Description |
|---|---|
| Purpose | Banking infrastructure for Drop: account management, payment initiation (PISP), account information (AISP), transaction processing, and regulatory reporting via Swan's BaaS platform |
| Nature | Collection, storage, processing, and transmission of financial and identity data for payment services |
| Duration | Duration of BaaS service agreement between Controller and Swan |
| Data subjects | Drop end users (account holders), payment recipients, merchants accepting QR payments |
| Data types | Full name, IBAN/account number, bank name, transaction data (amount, currency, timestamp, reference), exchange rates, payment status, balance information, payment initiation requests, beneficiary details for remittance |
| Special categories | None |
Appendix 2 — Security Measures (Swan)
- Encryption: TLS 1.3 in transit; AES-256 at rest; HSM for cryptographic key management
- Access Control: RBAC with MFA, segregation of duties, principle of least privilege
- Data Residency: EU data centers (France) — all data processed within EEA
- Logging: Complete audit trail for all financial transactions and API access
- Data Retention: Transaction data retained per Controller instructions (aligned with bokfoeringsloven 5-year requirement); account data retained during relationship + regulatory period
- Incident Response: 24/7 security operations, breach notification within 24 hours
- Certifications: PCI DSS Level 1, licensed by ACPR (French banking regulator), PSD2 compliant
- Financial Regulations: Compliant with PSD2, EMD2, and applicable French/EU banking regulations
Additional Swan-Specific Terms
Regulatory Compliance
- Swan operates as a licensed payment institution under French law, supervised by ACPR
- Processing of payment data complies with PSD2 requirements for strong customer authentication (SCA)
- Transaction data available for regulatory reporting to Norwegian authorities (Finanstilsynet) upon Controller's request
Payment Data
- All payment initiation and account information services comply with PSD2 PISP/AISP requirements
- Transaction data includes full audit trail with timestamps, amounts, currencies, and counterparty information
- Idempotency controls prevent duplicate transactions
Data Subject Rights
- Swan shall assist Controller in responding to data subject requests within 10 business days
- Account data and transaction history exportable in machine-readable format (JSON/CSV)
- Data erasure subject to regulatory retention requirements (minimum 5 years for financial records)
Business Continuity
- Redundant infrastructure with 99.9% uptime SLA
- Regular disaster recovery testing
- Data backup with point-in-time recovery capability
Signatures
Data Controller — ALAI Holding AS
Name: ___________________________ Title: ___________________________ Date: ___________________________
Data Processor — Swan SAS
Name: ___________________________ Title: ___________________________ Date: ___________________________