# Data Processing Agreement — Swan

**Between:**
- **Data Controller:** ALAI Holding AS, Org. No. 932 516 136 ("Controller")
- **Data Processor:** Swan SAS ("Processor")

**Effective Date:** [DATE]
**Product:** Drop payment services — Banking-as-a-Service (BaaS)

---

This DPA supplements the generic DPA template (`dpa-template.md`) with Swan-specific processing details. All general terms from the template apply unless overridden below.

---

## Appendix 1 — Processing Details

| Field | Description |
|-------|-------------|
| **Purpose** | Banking infrastructure for Drop: account management, payment initiation (PISP), account information (AISP), transaction processing, and regulatory reporting via Swan's BaaS platform |
| **Nature** | Collection, storage, processing, and transmission of financial and identity data for payment services |
| **Duration** | Duration of BaaS service agreement between Controller and Swan |
| **Data subjects** | Drop end users (account holders), payment recipients, merchants accepting QR payments |
| **Data types** | Full name, IBAN/account number, bank name, transaction data (amount, currency, timestamp, reference), exchange rates, payment status, balance information, payment initiation requests, beneficiary details for remittance |
| **Special categories** | None |

---

## Appendix 2 — Security Measures (Swan)

1. **Encryption:** TLS 1.3 in transit; AES-256 at rest; HSM for cryptographic key management
2. **Access Control:** RBAC with MFA, segregation of duties, principle of least privilege
3. **Data Residency:** EU data centers (France) — all data processed within EEA
4. **Logging:** Complete audit trail for all financial transactions and API access
5. **Data Retention:** Transaction data retained per Controller instructions (aligned with the 5-year retention requirement of the Norwegian Bookkeeping Act, bokføringsloven); account data retained for the duration of the customer relationship plus the applicable regulatory retention period
6. **Incident Response:** 24/7 security operations, breach notification within 24 hours
7. **Certifications and Licensing:** PCI DSS Level 1; licensed and supervised by the ACPR (Autorité de contrôle prudentiel et de résolution, the French banking regulator); PSD2 compliant
8. **Financial Regulations:** Compliant with PSD2, EMD2, and applicable French/EU banking regulations

---

## Additional Swan-Specific Terms

### Regulatory Compliance
- Swan operates as a licensed payment institution under French law, supervised by ACPR
- Processing of payment data complies with PSD2 requirements for strong customer authentication (SCA)
- Transaction data available for regulatory reporting to Norwegian authorities (Finanstilsynet) upon Controller's request

### Payment Data
- All payment initiation and account information services comply with PSD2 PISP/AISP requirements
- Transaction data includes full audit trail with timestamps, amounts, currencies, and counterparty information
- Idempotency controls on payment initiation ensure that a retried or replayed request does not create a duplicate transaction

### Data Subject Rights
- Swan shall provide the assistance Controller needs to respond to data subject requests within 10 business days of Controller's request
- Account data and transaction history exportable in machine-readable format (JSON/CSV)
- Data erasure subject to regulatory retention requirements (minimum 5 years for financial records)

### Business Continuity
- Redundant infrastructure with 99.9% uptime SLA
- Regular disaster recovery testing
- Data backup with point-in-time recovery capability

---

## Signatures

**Data Controller — ALAI Holding AS**

Name: ___________________________
Title: ___________________________
Date: ___________________________

**Data Processor — Swan SAS**

Name: ___________________________
Title: ___________________________
Date: ___________________________