DPA — Swan
Data Processing Agreement — Swan
[DISCONTINUED — 2026-03-04] Swan SAS has been dropped as BaaS partner for Drop. CEO decision of 2026-03-04. This document is an unfinished draft and was never signed. Retained for historical reference. An alternative partner is being sought.
Between:
- Data Controller: ALAI Holding AS, Org. No. 932 516 136 ("Controller")
- Data Processor: Swan SAS ("Processor")
Effective Date: [DATE — NOT IN EFFECT]
Product: Drop payment services — Banking-as-a-Service (BaaS)
This DPA supplements the generic DPA template (dpa-template.md) with Swan-specific processing details. All general terms from the template apply unless overridden below.
Appendix 1 — Processing Details
| Field | Description |
|---|---|
| Purpose | Banking infrastructure for Drop: account management, payment initiation (PISP), account information (AISP), transaction processing, and regulatory reporting via Swan's BaaS platform |
| Nature | Collection, storage, processing, and transmission of financial and identity data for payment services |
| Duration | Duration of BaaS service agreement between Controller and Swan |
| Data subjects | Drop end users (account holders), payment recipients, merchants accepting QR payments |
| Data types | Full name, IBAN/account number, bank name, transaction data (amount, currency, timestamp, reference), exchange rates, payment status, balance information, payment initiation requests, beneficiary details for remittance |
| Special categories | None |
Appendix 2 — Security Measures (Swan)
- Encryption: TLS 1.3 in transit; AES-256 at rest; HSM for cryptographic key management
- Access Control: RBAC with MFA, segregation of duties, principle of least privilege
- Data Residency: EU data centers (France) — all data processed within EEA
- Logging: Complete audit trail for all financial transactions and API access
- Data Retention: Transaction data retained per Controller instructions (aligned with the 5-year requirement of bokføringsloven, the Norwegian Bookkeeping Act); account data retained for the duration of the relationship plus the regulatory retention period
- Incident Response: 24/7 security operations, breach notification within 24 hours
- Certifications: PCI DSS Level 1, licensed by ACPR (French banking regulator), PSD2 compliant
- Financial Regulations: Compliant with PSD2, EMD2, and applicable French/EU banking regulations
Additional Swan-Specific Terms
Regulatory Compliance
- Swan operates as a licensed payment institution under French law, supervised by ACPR
- Processing of payment data complies with PSD2 requirements for strong customer authentication (SCA)
- Transaction data available for regulatory reporting to Norwegian authorities (Finanstilsynet) upon Controller's request
Payment Data
- All payment initiation and account information services comply with PSD2 PISP/AISP requirements
- Transaction data includes full audit trail with timestamps, amounts, currencies, and counterparty information
- Idempotency controls prevent duplicate transactions
Data Subject Rights
- Swan shall assist Controller in responding to data subject requests within 10 business days
- Account data and transaction history exportable in machine-readable format (JSON/CSV)
- Data erasure subject to regulatory retention requirements (minimum 5 years for financial records)
Business Continuity
- Redundant infrastructure with 99.9% uptime SLA
- Regular disaster recovery testing
- Data backup with point-in-time recovery capability
Signatures
Data Controller — ALAI Holding AS
Name: ___________________________ Title: ___________________________ Date: ___________________________
Data Processor — Swan SAS
Name: ___________________________ Title: ___________________________ Date: ___________________________