Data Processing Agreement (DPA)

Introduction

This document serves as the Data Processing Agreement (DPA) — Third-Party Service Providers Integration Addendum for the Selfwork Platform. It governs how third-party service providers process user data on behalf of Selfwork GmbH.

1. Definitions

1.1. Controller

"Controller" means Selfwork GmbH, a company incorporated under the laws of Switzerland, with its registered office at Schützengasse 4, 8001 Zürich, Switzerland which determines the purposes and means of processing Personal Data in connection with the Platform.

1.2. Third-Party Service Providers

"Third-Party Service Providers" means the third-party service providers engaged by the Controller to process data on its behalf in connection with the services provided through the Platform, including:

• Payment processing providers ("Payment Processors"), such as Stripe Connect and Unlimit;
• Identity verification providers ("Verification Providers"), such as SumSub.

1.3. Payment Data

"Payment Data" means any Personal Data related to payment transactions, including but not limited to credit/debit card numbers, bank account details, billing addresses, and transaction histories.

1.4. Verification Data

"Verification Data" means any Personal Data related to identity verification, including but not limited to government-issued identification documents, biometric data, proof of address, and verification results.

1.5. Platform

"Platform" means the Selfwork Platform website and associated services that facilitate connections between Users.

2. Relationship of Parties

2.1. Agreement Scope

The Controller and the Third-Party Service Providers enter into this Addendum to govern the processing of Payment Data and Verification Data by the Third-Party Service Providers in connection with the Platform's integration with their respective services.

2.2. Independent Controllers

The Controller acknowledges that Third-Party Service Providers operate as independent service providers and data controllers and/or processors (as applicable) with respect to Payment Data and Verification Data, and that the Controller does not access, process, or control such data at any time.

2.3. Technical Intermediary

The Controller acts solely as a technical intermediary between Users and the Third-Party Service Providers and does not have access to or control over Payment Data or Verification Data processed by the Third-Party Service Providers.

3. Scope of Processing

3.1. Payment Processors

Payment Processors shall process Payment Data solely for the purpose of:

• Facilitating payment transactions between Users;
• Holding funds in escrow during the payment hold period;
• Distributing funds to the Controller (as Platform Fee) and to Users (as service payments) as per the Controller's instructions;
• Complying with applicable legal and regulatory requirements.

3.2. Verification Providers

Verification Providers shall process Verification Data solely for the purpose of:

• Conducting identity verification (KYC) procedures;
• Performing Anti-Money Laundering (AML) checks;
• Fraud prevention and detection;
• Complying with applicable legal and regulatory requirements.

3.3. Controller's Role

The Controller shall not process any Payment Data or Verification Data directly and shall rely solely on the Third-Party Service Providers' systems, data processing policies, and applicable regulatory frameworks.

3.4. User Notice

The Controller shall provide Users with clear notice that:

• Payment processing is conducted through Third-Party Payment Services;
• Identity verification is conducted through Third-Party Verification Services;
• The relevant Third-Party Service Provider acts as the data controller and/or processor (as applicable) for Payment Data and Verification Data;
• Users' data is subject to the relevant Third-Party Service Provider's privacy policy and data protection terms.

4. Processing Instructions

4.1. Payment Processing Metadata

The Controller shall provide Payment Processors with only the minimum transaction details required for payment processing, including:

• Amount of transaction;
• Service/works cost and amount;
• Service/works deadlines;
• Description of services;
• Parties involved in the transaction;
• Payment terms.

4.2. Verification Initiation

The Controller shall provide Verification Providers with only the minimum information required to initiate verification, including:

• User identifier;
• Verification level required;
• Callback/webhook endpoints for verification results.

4.3. Data Entry

The Controller shall not transmit any sensitive Payment Data (including payment card numbers or authentication data) or Verification Data (including identity documents or biometric data) via the Platform. All such data shall be entered directly by Users into the respective Third-Party Service Provider's secure interface.

4.4. No Data Storage

The Controller shall not store, access, or retain any Payment Data or Verification Data. All such data is processed exclusively through the Third-Party Service Providers' systems.

5. Security Measures

5.1. Third-Party Responsibilities

Third-Party Service Providers shall implement and maintain appropriate technical and organizational security measures to protect Payment Data and Verification Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

5.2. Controller's Security

The Controller acknowledges that it does not process Payment Data or Verification Data and therefore is not required to implement security measures for such data. The Controller shall maintain the security of its systems to prevent unauthorized access to transaction metadata and verification status information that does not contain Payment Data or Verification Data.

6. Data Subject Rights

6.1. User Information

The Controller shall inform Users that:

• All Payment Data and Verification Data is processed by Third-Party Service Providers;
• Requests related to Payment Data or Verification Data should be directed to the relevant Third-Party Service Provider;
• The relevant Third-Party Service Provider is responsible for fulfilling data subject rights requests related to Payment Data and Verification Data.

6.2. Request Forwarding

In the event a User submits a data subject rights request related to Payment Data or Verification Data to the Controller, the Controller shall promptly forward such request to the relevant Third-Party Service Provider and shall not attempt to fulfil such request directly.

7. Sub-Processing

7.1. Third-Party Sub-Processors

Third-Party Service Providers may engage sub-processors for the provision of their respective services, provided that such sub-processors provide appropriate data protection safeguards as required by applicable data protection laws.

7.2. Affiliates and Service Providers

The Controller acknowledges that Third-Party Service Providers may use their affiliates and third-party service providers to provide their respective services.

8. Data Transfers

8.1. Cross-Border Transfers

Third-Party Service Providers may transfer Payment Data and Verification Data to their affiliates and service providers located outside the User's jurisdiction, provided such transfers are subject to appropriate safeguards as required by applicable data protection laws.

8.2. Controller's Responsibility

The Controller acknowledges that as it does not process Payment Data or Verification Data, it bears no responsibility for cross-border data transfers of such data.

9. Audit and Compliance

9.1. Documentation Availability

The Controller shall provide Users with copies of the Third-Party Service Providers' privacy policies and, where reasonably available, links or references to their security certifications and compliance documentation upon request.

9.2. Audit Limitations

The Controller shall not conduct audits of Third-Party Service Providers' processing environments, as they operate their own independent infrastructure and act as independent data controllers and/or processors for Payment Data and Verification Data.

9.3. Privacy Policy References

For details on how Third-Party Service Providers handle data, please refer to their respective privacy policies:

• Stripe: https://stripe.com/privacy
• Unlimit: https://www.unlimit.com/privacy-policy
• SumSub: https://sumsub.com/privacy-notice

10. Term and Termination

10.1. Duration

This Addendum shall remain in effect for the duration of the Controller's relationship with the Third-Party Service Providers in connection with their respective services.

10.2. Data Deletion

Upon termination of the relationship with any Third-Party Service Provider, such provider shall delete or anonymise data processed on behalf of the Controller in accordance with its data retention policies and applicable law, except where further retention is required by law.