Get In Touch

Data Processing Addendum

Instarails Data Processing Addendum

Last Updated: December 2025 | Version 1.0

Table of Contents

  1. Definitions
  2. Compliance with Laws
  3. Confidentiality
  4. Instarails’ Processing of Personal Data
  5. Information Security
  6. Personal Data Breach
  7. Data Subject Requests
  8. Subcontractors
  9. Verification of Compliance
  10. Return or Deletion of Data
  11. Additional Provisions for California Personal Information
  12. Additional Provisions for European Data
  13. General Provisions
  14. Contact

Introduction

This Data Processing Addendum (the “DPA” or “Addendum“) amends and forms part of Instarails Inc.’s Terms of Service and/or other agreement(s) (collectively, the “Agreement“) between you (“Customer“) and Instarails Inc., together with its affiliates, subsidiaries, successors, and assigns (“Instarails“).

This DPA governs your use of Instarails’ standard offering for invoice payment and payment processing, invoicing, and other cash flow management services that Instarails makes generally available at www.instarails.net, as such is updated from time to time (the “Instarails Services“).

This DPA shall apply to the extent Instarails processes any “Personal Data,” as defined below, on behalf of Customer. This DPA shall be effective as of the date set forth above.

1. Definitions

1.1 Affiliate

Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

1.2 California Personal Information

California Personal Information” means Personal Data that is subject to the protection of the CCPA.

1.3 CCPA

CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (Cal. Civ. Code §§ 1798.100 et seq.), and any related regulations or guidance issued by the California Attorney General or the California Privacy Protection Agency.

1.4 Controller

Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

1.5 Data Protection Laws

Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy which applies to the respective party in the role of Processing Personal Data in question under the Agreement, including without limitation European Data Protection Laws and the CCPA, in each case as amended, repealed, consolidated, or replaced from time to time.

1.6 Data Subject

Data Subject” means the identified or identifiable individual to whom Personal Data relates.

1.7 End Customer

End Customer” means any individual or entity that Customer pays or is paid by through the Instarails Services.

1.8 End Customer Data

End Customer Data” means Personal Data relating to an End Customer. “California End Customer Data” means California Personal Information consisting of End Customer Data. “European End Customer Data” means European Data consisting of End Customer Data.

1.9 Europe

Europe” means the European Union, the European Economic Area and/or their member states, Switzerland, and the United Kingdom.

1.10 European Data

European Data” means Personal Data that is subject to the protection of European Data Protection Laws.

1.11 European Data Protection Laws

European Data Protection Laws” means data protection laws applicable in Europe, including:

  • Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“EU General Data Protection Regulation” or “GDPR“)
  • GDPR as it forms part of the United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR“)
  • Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance

In each case, as may be amended, superseded, or replaced.

1.12 Personal Data

Personal Data” means information relating to an identified or identifiable individual that Instarails Processes under the Agreement.

1.13 Personal Data Breach

Personal Data Breach” means any confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed.

1.14 Processing

Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction or erasure of Personal Data.

1.15 Processor

Processor” means a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller.

1.16 Standard Contractual Clauses

Standard Contractual Clauses” means:

  • Where the GDPR applies, the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 (“EU SCCs“)
  • Where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR (“UK SCCs“)

1.17 Subcontractor / Subprocessor

Subcontractor” or “Subprocessor” means an entity engaged by a party to provide Processing services to assist in fulfilling the party’s obligations outlined in the Agreement or this DPA where such entity processes Personal Data. Subcontractors or subprocessors may include Instarails affiliates or third parties.

2. Compliance with Laws

Within the scope of the Agreement and in the use or provision of the Instarails Services, the parties agree to comply with all requirements that apply under applicable Data Protection Laws with respect to the Processing of Personal Data.

3. Confidentiality

Instarails will ensure that any personnel authorized to Process Personal Data are subject to appropriate (contractual and/or statutory) confidentiality obligations with respect to that data. Instarails will ensure that such confidentiality obligations survive the termination of the authorized personnel engagement.

4. Instarails’ Processing of Personal Data

4.1 Privacy Notice

Instarails will collect, use, and share Personal Data as set forth in its Privacy Notice.

4.2 Purpose Limitation

Instarails will process End Customer Data and Personal Data only for the purposes of providing the Instarails Services in accordance with Customer’s written instructions as specified in the Terms of Service, this DPA, and in accordance with applicable Data Protection Laws.

5. Information Security

Instarails will maintain commercially reasonable technical and organizational security measures and procedures designed to provide an industry-level of safeguards to protect the security, confidentiality, and integrity of Personal Data. Such measures are designed to protect Personal Data from loss, alteration, unauthorized access, acquisition, use, disclosure, or accidental or unlawful destruction.

6. Personal Data Breach

In accordance with applicable Data Protection Laws, Instarails will notify Customer without undue delay after becoming aware of any Personal Data Breach and will provide timely information relating to the Personal Data Breach as it becomes known or reasonably requested by Customer.

At Customer’s request, Instarails will promptly provide such reasonable assistance as necessary to enable Customer to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, if Customer is required to do so under applicable Data Protection Laws.

7. Data Subject Requests

Instarails agrees to promptly cooperate and provide commercially reasonable assistance to Customer to enable Customer to respond to requests from a Data Subject seeking to exercise their rights under applicable Data Protection Law.

Instarails shall not respond to the Data Subject request itself, except to inform the Data Subjects that they should direct their request to the Customer for appropriate handling.

8. Subcontractors

Where Instarails engages any Subcontractors to Process Personal Data on its behalf, it will enter into a written contract with the Subcontractor that contains security terms substantially similar to those set out in this DPA and requires the Subcontractor to maintain the security and confidentiality of any Personal Data it Processes on Instarails’ behalf.

9. Verification of Compliance

Upon Customer’s written request, at reasonable intervals and subject to Customer agreeing to confidentiality terms, Instarails will make available copies of the most recent audit report for Service Organization Controls (SOC) Type 2 (or similar report), so that Customer can verify Instarails’ compliance with the audit standards against which it has been assessed and this Data Processing Addendum.

10. Return or Deletion of Data

On termination of the Agreement for any reason or expiry of its term, Customer will have thirty (30) calendar days to request a download of Customer’s transaction history by contacting Instarails Customer Support.

In the event Customer does not contact Instarails Customer Support for this purpose within 30 calendar days after the end of the provision of the Instarails Services, Instarails will delete or de-identify Personal Data except for:

  • Back-ups deleted in ordinary course
  • Retention as required for legal, regulatory, and compliance purposes

In the event of either exception, Instarails will continue to comply with the relevant provisions of this DPA until such data has been deleted.

11. Additional Provisions for California Personal Information

11.1 Scope

This Section will apply only with respect to California Personal Information, if applicable to the Instarails Services.

11.2 Roles of the Parties

With respect to California End Customer Data, Instarails is a “Service Provider” as that term is defined in the CCPA. With respect to all other California Personal Information, the parties acknowledge and agree that they are each a “Business” as that term is defined in the CCPA.

11.3 Responsibilities

The parties agree that their respective Processing of California Personal Information under the Agreement will be consistent with the requirements of the CCPA. Instarails will collect, use, and share California Personal Information as set forth in its Privacy Notice.

If Instarails determines that it cannot comply with this DPA or the CCPA, it will notify the Customer and allow Customer to take reasonable and appropriate steps to stop and remediate any unauthorized processing of Personal Data.

12. Additional Provisions for European Data

12.1 Scope

This Section will apply only with respect to European Data, if applicable to the Instarails Services.

12.2 Definitions

For the purposes of this Section, the following terms are defined as follows:

  • EU SCCs” means Standard Contractual Clauses approved by the European Commission in decision 2021/914
  • UK SCCs” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the Information Commissioner’s Office (ICO) in accordance with S119A(1) of the Data Protection Act 2018 as effective on 21 March 2022

12.3 Roles of the Parties

With respect to European End Customer Data, Instarails is a Processor for purposes of European Data Protection Law.

With respect to all other European Data, the parties acknowledge and agree that they are each a Controller for purposes of European Data Protection Law and that they act as independent Controllers with respect to Personal Data Processed as part of the services.

12.4 Cooperation

The parties agree to provide each other with commercially reasonable assistance with any data protection impact assessments or prior consultations with supervisory authorities or other competent data privacy authorities to the extent required by European Data Protection Laws.

12.5 Cross-Border Transfer Mechanisms

If provision of the Instarails Services will require transfer of European Data outside of Europe to countries which are not recognized by the European Commission as providing an adequate level of protection of Personal Data, the parties acknowledge and agree that such transfers will be made pursuant to the transfer mechanisms set forth below:

  • EU SCC-Module One (Controller to Controller) — Applies where Instarails is processing European Data as a Controller
  • EU SCC-Module Two (Controller to Processor) — Applies where Customer is a Controller of European Customer Data and Instarails is a Processor of European Data
  • EU SCC-Module Three (Processor to Processor) — Applies where Customer is a Processor of European Customer Personal Data and Instarails is a Sub-Processor of European Data

For each module, where applicable:

  • In Clause 7, the optional docking clause will not apply
  • In Clause 9, Option 2 will apply, and the process for providing notice and the time period for objections of sub-processor changes will be as set forth in Section 8 (Subcontractors) of this DPA
  • In Clause 11, the optional language will not apply
  • In Clause 17, the EU SCCs will be governed by the laws of Ireland
  • In Clause 18(b), disputes will be resolved before the courts of Ireland

12.6 Annex I, Part A — List of Parties

Data Exporter:

  • Identity: Customer and their authorized Affiliates
  • Contact Details: Customer’s account owner email address, or the email address(es) for which Customer elects to receive privacy communications
  • Role: As outlined in Section 12.3 of this DPA
  • Signature & Date: By entering into the DPA, Data exporter is deemed to have signed these SCCs incorporated herein, including their Annexes, as of the Effective Date

Data Importer:

  • Identity: Instarails Inc.
  • Contact Details: Instarails Privacy — support@instarails.io
  • Role: As outlined in Section 12.3 of this DPA
  • Signature & Date: By entering into the DPA, Data importer is deemed to have signed these SCCs incorporated herein, including their Annexes, as of the Effective Date

12.7 Annex I, Part B — Description of Transfer

Categories of Data Subjects: Categories of data subjects may include exporter’s customers, employees, and other business contacts.

Categories of Personal Data: Categories of personal data may include name, amount to be charged, date/time, bank account details, payment card details, CVC code, post code, country code, address, email address, fax, phone, website, card expiry data, shipping details, tax status, unique customer identifier, IP Address, location, and any other data received by Instarails under the Agreement.

Sensitive Data: Collection and processing of Sensitive Data is not required in connection with the provision of the Instarails Services and Instarails does not intentionally collect or process Sensitive Data. Customers will not provide or cause to be provided any Sensitive Data to Instarails for processing under the Agreement, and Instarails will have no liability whatsoever for Sensitive Data, whether in connection with a Personal Data Breach or otherwise.

Sensitive Data” means Personal Data:

  • Revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership
  • Genetic data, biometric data processed for uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation
  • Relating to criminal convictions and offenses
  • Any other information that falls within the definition of “special categories of data” under GDPR or any other applicable law

Frequency of Transfer: Transfers may be continuous for the duration of the Agreement.

Nature of Processing: As set forth in the Agreement to provide the Instarails Services.

Purposes of the Data Transfer and Further Processing: Performance of Instarails Services, fraud detection, compliance with applicable laws, and any other purpose set forth in this DPA.

Subcontractors: Notwithstanding the provisions of Section 8, Customer provides Instarails with general authorization to engage Subcontractors to process European End Customer Data on Customer’s behalf. Upon Customer’s request, Instarails will provide a list of Subcontractors processing European Data consisting of End Customer Data. If Customer objects to the appointment of a Subcontractor, it must notify Instarails within thirty (30) days of such notice and work in good faith with Instarails to find an alternative solution.

Data Retention Period: The data importer will retain the data as described in Section 10 of this DPA.

12.8 Annex I, Part C — Supervisory Authority

In accordance with Clause 13(a) of the EU SCCs, the supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority:

  • Where the data exporter is not established in an EU Member State but falls within the territorial scope of the GDPR pursuant to Article 3(2) and has appointed a representative pursuant to Article 27 of the GDPR, the supervisory authority of the member state where the representative is established shall act as the competent supervisory authority
  • Where the data exporter is not established in an EU Member State but falls within the territorial scope of the GDPR pursuant to Article 3(2) and has not appointed a representative pursuant to Article 27 of the GDPR, the Irish Data Protection Commission shall act as the competent supervisory authority
  • Where the data exporter is established in the UK, the Information Commissioner’s Office shall act as the competent supervisory authority

12.9 Annex II — Technical and Organizational Measures

Instarails will maintain administrative, physical, and technical safeguards to protect the confidentiality, integrity, and security of Personal Data as set forth in Sections 3 and 5 of this DPA.

13. General Provisions

13.1 Amendments

Subject to Section 17 of the Terms of Service, Instarails may, in its sole discretion, modify, change, or terminate this DPA, as reasonably determined by Instarails is necessary to address the requirements of applicable Data Protection Laws.

13.2 Severability

If any individual provision of this Addendum is determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this Addendum will not be affected.

13.3 Indemnity

The indemnities arising out of or related to this Addendum are limited to those indemnities stated in the Agreement.

13.4 Limitation of Liability

Instarails’ liability arising out of or related to this Addendum is subject to the provisions on limitation of liability stated in the Agreement.

13.5 Order of Precedence

With regard to the subject matter of this Addendum, in the event of inconsistencies or conflicts between this Addendum and the Agreement, the provisions of this Addendum will control. All other provisions of the Agreement apply to this Addendum.

14. Contact

If you have questions about this Data Processing Addendum, please contact us at support@instarails.io.

Instarails Inc.
131 Continental Drive, Suite 305
Newark, DE 19713

Award-Winning Excellence

Global TiE50 2024 Winner

Read More

2024 Atlanta Web3 Pitchfest Winner

Read More

AnitaB.org 2024 PitcHER™ Audience Favorite Winner

Read More

Available Payout Options

What Our Clients Say

"Instarails has transformed how we handle international payments. Their platform saves us at least 3% in costs, directly improving our bottom line. The batch upload feature streamlines our processes, but what’s most impressive is the impact on our overseas team—they now receive their full salaries directly in their bank accounts in under 1 minute, with zero deductions. The smooth onboarding was just the beginning of an excellent service that has genuinely improved our global operations."

Baldev Krishan Ph.D., President & CEO
iVALT