GDPR Data Processing Agreement
GDPR Article 28 Data Processing Agreement for SatsRail merchants
This Data Processing Agreement ("DPA") forms part of the SatsRail Terms of Service and governs the processing of personal data by SatsRail on behalf of merchants who are subject to the European Union General Data Protection Regulation (GDPR) or the UK GDPR.
1. Definitions
- "Controller" means the Merchant, who determines the purposes and means of processing personal data.
- "Processor" means SatsRail LLC, which processes personal data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
- "Processing" means any operation performed on Personal Data, as defined in GDPR Article 4(2).
- "Sub-processor" means a third party engaged by SatsRail to process Personal Data on behalf of the Controller.
2. Scope of Processing
2.1 Data Processed
SatsRail processes the following categories of personal data on behalf of merchants:
| Data Category | Examples | Purpose |
|---|---|---|
| Merchant account data | Email address, business name, phone number | Account management, service delivery |
| Transaction data | Lightning invoices, payment amounts, payment status, order records | Payment processing, reporting |
| Technical data | IP addresses, API usage logs, device information | Security, service operation |
2.2 Data NOT Processed
SatsRail does not process:
- End-customer personal data (buyer names, emails, or identity information)
- Content data (what is being sold)
- Wallet private keys or seed phrases
3. Obligations of the Processor
SatsRail shall:
- Process Personal Data only on documented instructions from the Controller, unless required by law
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational measures to ensure security of processing, including encryption in transit (TLS) and at rest, access controls, and regular security reviews
- Not engage a Sub-processor without prior written authorization from the Controller
- Assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection)
- Assist the Controller with data protection impact assessments and prior consultations with supervisory authorities where required
- Delete or return all Personal Data upon termination of the Agreement, at the Controller's choice, subject to legal retention requirements
- Make available to the Controller all information necessary to demonstrate compliance with GDPR Article 28 obligations
4. Sub-processors
SatsRail currently uses the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Subscription billing | United States |
| Amazon Web Services | Infrastructure hosting | United States |
| Google LLC (Analytics) | Website analytics | United States |
SatsRail will notify the Controller before adding or replacing a sub-processor. The Controller may object within 15 days. If an objection cannot be resolved, the Controller may terminate the Agreement.
5. International Transfers
Personal Data is stored and processed in the United States. For transfers of Personal Data from the EEA to the United States, SatsRail relies on the EU-U.S. Data Privacy Framework, Standard Contractual Clauses (SCCs), or other appropriate safeguards as required by GDPR Chapter V.
6. Data Breach Notification
In the event of a Personal Data breach, SatsRail shall notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach. The notification shall include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
7. Data Retention
SatsRail retains Personal Data as described in the Privacy Policy. Transaction data is retained for a minimum of 7 years for legal and tax compliance. Upon termination, Personal Data is deleted or returned within 90 days, except where legal retention obligations apply.
8. Audit Rights
The Controller may audit SatsRail's compliance with this DPA once per year, with at least 30 days' written notice, during normal business hours, and at the Controller's expense. SatsRail may satisfy audit requests by providing relevant certifications, audit reports, or other documentation.
9. Contact
For questions about this DPA or to exercise rights under it, contact:
- Compliance: compliance@satsrail.com
Version: 1.0 | Effective Date: March 27, 2026