Trust Center

Trust Center

Data Processing Addendum

Last updated: May 1, 2026

1. Scope and Applicability

This Data Processing Addendum ("DPA") applies where eWay Corp ("eWay," "Processor") processes personal data on behalf of a client ("Controller") in connection with:

  • Website hosting
  • Cloud infrastructure services (AWS, Azure)
  • Managed services and support

This DPA supplements any applicable services agreement (e.g., MSA, SOW). In case of conflict, the services agreement prevails.

2. Roles and Responsibilities

  • Controller (Client): Determines the purpose and means of processing personal data
  • Processor (eWay Corp): Processes personal data only on documented instructions from the Controller

eWay does not use client data for its own independent purposes.

3. Nature and Purpose of Processing

Processing activities may include:

  • Hosting and storage of website and application data
  • Transmission of data across cloud infrastructure
  • Monitoring, logging, and performance optimization
  • Troubleshooting and support services

Processing is limited to what is necessary to deliver contracted services.

4. Categories of Data

Depending on the client implementation, data processed may include:

4.1 Standard Website Data

  • Names, email addresses, and contact details
  • Form submissions
  • Analytics and usage data

4.2 Technical and Operational Data

  • IP addresses and device information
  • Logs and diagnostic data
  • System configurations

4.3 Support Data

  • Information submitted through support channels
  • Infrastructure and application details
  • Access credentials (where provided by the Controller)

5. Special Note on Credentials and Access Data

Where clients provide access credentials or system-level permissions:

  • eWay processes such data solely for authorized support and service delivery
  • Access is restricted to authorized personnel
  • Credentials are not retained longer than necessary

Clients are responsible for:

  • Providing secure, temporary, and least-privilege access wherever possible
  • Rotating credentials after use

6. Subprocessors

eWay engages third-party subprocessors to support service delivery.

eWay ensures that:

  • Subprocessors are bound by appropriate confidentiality and data protection obligations
  • Processing is limited to what is necessary for service delivery
  • eWay remains responsible for subprocessor performance as required by applicable agreements

Subprocessor Updates

eWay may update its list of subprocessors from time to time. Where required by applicable agreements, eWay will:

  • Notify clients of material changes at least 30 days in advance
  • Provide an opportunity to raise reasonable objections

7. Data Transfers

Data may be processed in:

  • The United States
  • Other regions where eWay or its subprocessors operate

Where applicable, eWay implements reasonable safeguards for cross-border data transfers.

8. Security Measures

eWay implements appropriate technical and organizational measures, including:

  • Encryption in transit (TLS)
  • Access controls and authentication mechanisms
  • Role-based access and least privilege
  • Logging and monitoring
  • Secure cloud architecture practices

Security measures are aligned with industry standards and cloud provider best practices.

9. Confidentiality

eWay ensures that:

  • Personnel with access to personal data are bound by confidentiality obligations
  • Access is limited to individuals with a legitimate business need

10. Data Retention and Deletion

  • Data is retained only as necessary to provide services and meet legal obligations
  • Upon termination of services, data handling (return or deletion) is governed by the applicable agreement

Support-related data is retained only for operational necessity unless otherwise required.

11. Assistance to Controller

eWay will, where applicable and reasonable:

  • Assist with responding to data subject requests
  • Support security and compliance obligations
  • Provide relevant information for audits or assessments

Such assistance may be subject to agreed commercial terms.

12. Incident Management

In the event of a confirmed security incident affecting personal data:

  • eWay will notify the Controller within a reasonable timeframe
  • Provide relevant information to support investigation and response

Detailed obligations are defined in service agreements where applicable.

13. Audit and Compliance

eWay may provide:

  • Reasonable information regarding security practices
  • Responses to security questionnaires

Formal audits, if required, are subject to:

  • Prior agreement
  • Scope limitations
  • Confidentiality obligations

14. Liability

Liability related to data processing is governed by the applicable services agreement (e.g., MSA).

This DPA does not independently expand or modify liability terms.

15. Term and Termination

This DPA remains in effect for the duration of:

  • The underlying services agreement
  • Any period during which eWay processes personal data on behalf of the Controller

16. Governing Law

This DPA is governed by the same law and jurisdiction as the underlying services agreement.

Annex A – Subprocessors

Below is the current list of key subprocessors used by eWay Corp in delivering services.

SubprocessorPurposeTypical Data ProcessedPrimary Region
Amazon Web Services (AWS)Cloud infrastructure, hosting, storageWebsite data, application data, logsUnited States
Microsoft AzureCloud infrastructure (where applicable)Website data, application data, logsUnited States
Amazon CloudFrontCDN, edge security, traffic routingIP addresses, request metadataUnited States
CloudflareCDN, edge security, traffic routing (where used)IP addresses, request metadataUnited States
Cloudflare ZarazConsent management and edge tag orchestration (cookie/CMP, server-side tag loading)Consent records, IP addresses (for geolocation-based consent), browser metadata, tagged event payloadsUnited States
Customer-preferred CDN (e.g., Akamai)CDN, edge security, traffic routing (where the customer specifies a particular CDN)IP addresses, request metadataPer customer / vendor
Monitoring & Logging Tools (e.g., CloudWatch, Azure Monitor)Performance monitoring and loggingLogs, system metricsUnited States
Zoho DeskSupport request and ticket managementContact info, support data, credentials (if submitted)United States
Zoho CRM (crm.zohopublic.com)Sales pipeline + lead capture from contact formContact info submitted in the form, originating session metadataUnited States
Google (Analytics, reCAPTCHA)Analytics, form bot protectionIP addresses, page interaction data, form-protection tokensUnited States
Google Ads (incl. DoubleClick / Google Signals)Advertising delivery, conversion measurement, remarketing audiencesIP addresses, ad-click attribution, conversion event metadataUnited States
LinkedIn (LinkedIn Insight Tag, LinkedIn Ads)B2B advertising delivery, conversion measurement, demographic profiling of logged-in LinkedIn users who visit our siteIP addresses, LinkedIn-account-linked browser identifier, page interaction dataUnited States, Ireland
Retention.com (RB2B)B2B visitor identification — surfaces visiting business names and public business signals to our sales teamCompany-level metadata (IP-to-company resolution, browser metadata)United States