Παράρτημα Επεξεργασίας Δεδομένων

Last updated: January 9, 2026

This Data Processing Addendum (the “DPA”) forms part of the agreement between M.M. VIRTUAL INFORMATION COMMUNICATION TECHNOLOGY LIMITED, trading under the brand name Virtual EPS (“Virtual EPS”, “Company”, “we”, “us”, or “our”) and Merchants using the Virtual EPS platform and related services (the “Services”).

This DPA governs the processing of Personal Data on behalf of Merchants in connection with the provision of the Services, and supplements the Virtual EPS Services Agreement and the Virtual EPS Website Terms and Conditions.

The purpose of this DPA is to:

(a) set out the respective roles and responsibilities of Virtual EPS and the Merchant regarding the processing of Personal Data;

(b) ensure that Personal Data is processed in compliance with applicable data protection laws, including, where applicable, the General Data Protection Regulation (EU) 2016/679 (“GDPR”); and

(c) provide assurances regarding the security, confidentiality, and proper handling of Personal Data processed through the Virtual EPS platform.

By entering into this DPA, the parties acknowledge that it applies to all Personal Data processed by Virtual EPS on behalf of the Merchant in connection with the Services.

Scope and Applicability

This DPA applies to the processing of Personal Data by Virtual EPS as a data processor on behalf of the Merchant (the data controller) in connection with the Services provided under the Services Agreement.

(a) The DPA applies to all Personal Data that the Merchant submits to or collects through the Virtual EPS platform, including Personal Data of end customers, employees, or other individuals whose data is processed in connection with the Merchant’s use of the Services.

(b) This DPA governs only Personal Data processed by Virtual EPS as a result of providing the Services and does not apply to Personal Data processed by the Merchant independently or by third parties engaged directly by the Merchant outside of the Services.

(c) To the extent of any conflict between the terms of this DPA and the Services Agreement, this DPA shall prevail solely with respect to the obligations related to the processing of Personal Data.

(d) The parties acknowledge and agree that the Merchant is responsible for ensuring that its instructions for processing Personal Data comply with applicable data protection laws.

Roles of the Parties

(a) Merchant as Data Controller

(i) The Merchant determines the purposes and means of the processing of Personal Data and is responsible for ensuring that such processing complies with applicable data protection laws.

(ii) The Merchant is responsible for obtaining any necessary consents, notices, or authorizations from individuals whose Personal Data is submitted to Virtual EPS for processing.

(iii) The Merchant shall provide clear and lawful instructions to Virtual EPS regarding the processing of Personal Data in connection with the Services.

(b) Virtual EPS as Data Processor

(i) Virtual EPS processes Personal Data solely on behalf of and in accordance with the documented instructions of the Merchant, including as set forth in the Services Agreement and this DPA.

(ii) Virtual EPS implements appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage, in accordance with applicable data protection laws.

(iii) Virtual EPS shall assist the Merchant in fulfilling obligations related to data subjects’ rights, security, breach notification, and compliance with applicable law, as set out in this DPA.

(c) Limits on Processing

(i) Virtual EPS shall not process Personal Data for purposes other than those expressly instructed by the Merchant or required by law.

(ii) Virtual EPS shall immediately inform the Merchant if it believes any instruction from the Merchant would violate applicable data protection laws.

1. Data Processing Instructions and Purpose

This Section describes the scope of Virtual EPS’s processing of Personal Data on behalf of Merchants and the purposes for which such processing is carried out. Virtual EPS acts as a data processor and processes Personal Data only in accordance with the Merchant’s instructions and applicable law.

1.1 Instructions from the Controller

(a) Virtual EPS processes Personal Data solely on behalf of and under the documented instructions of the Merchant, including the terms of the Services Agreement, this Data Processing Addendum (“DPA”), and any other written instructions provided by the Merchant.

(b) Merchants are responsible for ensuring that all instructions provided to Virtual EPS comply with applicable data protection laws and regulations.

1.2 Purposes of Processing

Virtual EPS may process Personal Data for the purposes necessary to provide the Services to the Merchant, including but not limited to:

(i) operating, maintaining, and improving the Virtual EPS platform, Website, and related services;

(ii) facilitating payment interactions between Customers and Merchants;

(iii) managing and administering Merchant Accounts, transactions, reports, and statements;

(iv) communicating with Merchants regarding operational matters, updates, notices, or security alerts;

(v) preventing, detecting, and investigating fraud, abuse, or unauthorized activity;

(vi) complying with applicable laws, regulations, or contractual obligations; and

(vii) enforcing the Services Agreement, Website Terms and Conditions, and any Additional Policies.

1.3 Limitation of Processing

(a) Virtual EPS will not process Personal Data for any purpose other than those expressly authorized by the Merchant or required by law.

(b) Any additional processing activities requested by the Merchant must be documented in writing and agreed upon prior to the commencement of such processing.

2. Data Categories and Subject Data

This Section describes the types of Personal Data that Virtual EPS may process on behalf of Merchants under the Services, as well as the categories of data subjects to which this Personal Data relates.

2.1 Categories of Personal Data

Virtual EPS may process the following categories of Personal Data on behalf of Merchants, depending on the features and Services used:

(a) Identification and Contact Data

(i) Names, email addresses, telephone numbers, billing or shipping addresses, and other identifiers provided by Customers or Representatives.

(b) Transaction and Payment Data

(i) Payment amounts, currencies, payment identifiers, payment method types (e.g., card, bank account), transaction dates, and related metadata.

(c) Account and Login Data

(i) Merchant account identifiers, API keys, login credentials, and configuration settings.

(d) Technical and Usage Data

(i) IP addresses, device identifiers, browser type, operating system, access logs, and usage patterns relating to the Website or Services.

(e) Communications Data

(i) Emails, support tickets, feedback, and any other correspondence between Users and Merchants or Virtual EPS.

(f) Other Merchant-Provided Data

(i) Any additional Personal Data provided by the Merchant to Virtual EPS to enable the Services, including optional integrations or custom fields.

2.2 Categories of Data Subjects

The Personal Data processed by Virtual EPS under these Services may relate to the following categories of individuals:

(a) Customers / End Users – individuals making payments to or interacting with Merchants through the Website.

(b) Representatives – authorized personnel, business owners, administrators, or other users acting on behalf of a Merchant.

(c) Visitors – individuals who interact with the Website or Services but do not maintain a Merchant Account or complete a payment.

(d) Other Individuals – any other individuals whose Personal Data is provided to Virtual EPS by Merchants for the purpose of using the Services, including for analytics, communications, or compliance purposes.

3. Processing Activities and Purposes

This Section outlines the types of processing Virtual EPS may perform on Personal Data on behalf of Merchants and the purposes for which such processing is conducted.

3.1 Provision and Operation of Services

(a) Virtual EPS processes Personal Data to provide, operate, maintain, and improve the Website and Services, including:

(i) account creation, management, and authentication;

(ii) configuration, management, and administration of Merchant accounts and transactional tools;

(iii) facilitating payment interactions between Merchants and Customers; and

(iv) providing access to reporting, analytics, and operational dashboards.

3.2 Security and Fraud Prevention

(a) Personal Data is processed to maintain the security and integrity of the Website and Services, including:

(i) detecting, preventing, and mitigating fraud, abuse, or unauthorized activity;

(ii) monitoring access and usage patterns for security threats; and

(iii) investigating potential security incidents or breaches.

3.3 Compliance and Legal Obligations

(a) Virtual EPS processes Personal Data to comply with legal, regulatory, and contractual obligations, including:

(i) anti-money laundering (AML), counter-terrorist financing (CTF), and know-your-customer (KYC) obligations where applicable;

(ii) tax reporting and regulatory filings;

(iii) responding to lawful requests from courts, regulators, or law enforcement authorities; and

(iv) enforcing the Website Terms and Conditions, Services Agreement, and other contractual or legal obligations.

3.4 Communications and Support

(a) Virtual EPS processes Personal Data to facilitate communications with Merchants and their end users, including:

(i) responding to inquiries, requests, or support tickets;

(ii) sending service-related updates, notices, or operational information; and

(iii) maintaining records of communications for quality assurance, security, and compliance purposes.

3.5 Analytics and Service Improvement

(a) Personal Data is processed to improve and optimize the Website and Services, including:

(i) analyzing usage patterns, performance metrics, and interaction trends;

(ii) testing, monitoring, and enhancing Website functionality; and

(iii) generating anonymized or aggregated analytics reports for internal or operational purposes.

3.6 Optional Marketing Activities

(a) With explicit consent where legally required, Personal Data may be processed for marketing or promotional purposes, including:

(i) sending product, service, or feature announcements; and

(ii) providing information about relevant updates, offers, or educational content to Merchants.

4. Sub-Processors and Third-Party Transfers

This Section describes the engagement of sub-processors by Virtual EPS, as well as the circumstances under which Personal Data may be transferred to third parties, including across borders.

4.1 Engagement of Sub-Processors

(a) Virtual EPS may engage third-party service providers, contractors, or sub-processors to assist in providing the Website and Services.

(b) Sub-processors are engaged only where necessary to perform specific processing activities on behalf of Virtual EPS, including:

(i) hosting and infrastructure services;

(ii) data storage, backup, and recovery;

(iii) analytics, monitoring, and performance management;

(iv) customer support and communication tools; and

(v) security, fraud detection, and risk mitigation services.

(c) All sub-processors are contractually required to process Personal Data in accordance with applicable data protection laws and the obligations set forth in this Data Processing Addendum (DPA).

4.2 Third-Party Transfers

(a) Personal Data may be transferred to third-party service providers or partners to support the provision of the Website and Services, including payment facilitation, analytics, or operational support.

(b) Transfers are conducted under legally recognized safeguards to ensure adequate protection of Personal Data, including:

(i) standard contractual clauses approved by relevant authorities;

(ii) binding corporate rules; or

(iii) other mechanisms recognized by law to maintain a level of protection equivalent to applicable data protection requirements.

(c) Virtual EPS remains responsible for ensuring that all third-party transfers comply with applicable law and that the rights and protections of data subjects are maintained.

(d) Merchants will be notified of any changes to the list of sub-processors or third-party processors, and a current list of sub-processors will be made available on the Website or upon request.

5. Security Measures

This Section outlines the technical, administrative, and organizational measures Virtual EPS implements to protect Personal Data against unauthorized access, disclosure, alteration, or destruction.

5.1 Organizational Measures

(a) Virtual EPS maintains policies, procedures, and governance structures designed to ensure secure processing of Personal Data.

(b) Access to Personal Data is restricted to authorized personnel on a need-to-know basis.

(c) All personnel handling Personal Data are trained on data protection obligations and confidentiality requirements.

5.2 Technical Measures

(a) Virtual EPS implements industry-standard security technologies, including but not limited to:

(i) encryption of data in transit and at rest where applicable;

(ii) access controls and authentication mechanisms for authorized users;

(iii) network and application monitoring to detect anomalies, intrusions, or breaches; and

(iv) regular testing and assessment of security systems and processes.

(b) Virtual EPS maintains procedures to promptly detect, respond to, and mitigate security incidents or vulnerabilities affecting Personal Data.

5.3 Physical Measures

(a) Physical access to data centers and other facilities processing Personal Data is controlled and restricted to authorized personnel.

(b) Security measures include monitoring, access logs, and environmental safeguards to prevent unauthorized access, damage, or interference.

5.4 Limitations

(a) Despite these measures, Virtual EPS cannot guarantee absolute security of Personal Data. Users acknowledge and accept the inherent risks associated with processing and transmission of data over the Internet.

6. Retention of Personal Data

This Section describes how long Virtual EPS retains Personal Data and the principles guiding the deletion or anonymization of such data.

6.1 Retention Periods

(a) Virtual EPS retains Personal Data only for as long as necessary to:

(i) provide and maintain the Website and Services;

(ii) fulfill contractual obligations with Merchants, Customers, or Visitors;

(iii) comply with applicable laws, regulations, or legal obligations;

(iv) resolve disputes, enforce agreements, or protect Virtual EPS’s legal rights; and

(v) detect, prevent, or investigate fraud, security incidents, or unauthorized activity.

(b) Personal Data that is no longer required for the purposes stated above will be securely deleted or anonymized in accordance with internal policies and applicable data protection laws.

6.2 Data Minimization

(a) Virtual EPS applies data minimization principles, collecting and retaining only the Personal Data necessary for the specified purposes.

(b) Retention schedules are regularly reviewed and updated to ensure compliance with legal and operational requirements.

7. Data Subject Rights

This Section describes the rights of individuals whose Personal Data is processed by Virtual EPS and the mechanisms available to exercise those rights.

7.1 Access and Correction

(a) Data Subjects have the right to request access to the Personal Data that Virtual EPS holds about them.

(b) Data Subjects may request correction, updating, or completion of Personal Data that is inaccurate, incomplete, or outdated.

(c) Virtual EPS may require verification of identity before fulfilling any access or correction request.

7.2 Deletion and Restriction

(a) Data Subjects may request that Virtual EPS delete their Personal Data, subject to Virtual EPS’s obligations to retain data for contractual, legal, or regulatory purposes.

(b) Data Subjects may request restriction of processing in certain circumstances, including where the accuracy of data is contested, the processing is unlawful, or the Data Subject objects to processing pending verification of overriding legitimate grounds.

7.3 Objection and Opt-Out

(a) Data Subjects may object to the processing of their Personal Data where processing is based on Virtual EPS’s legitimate interests, including for marketing purposes.

(b) Upon receipt of a valid objection, Virtual EPS will cease processing unless required to continue by law or compelling legitimate grounds.

(c) Data Subjects may opt out of marketing communications at any time by following the unsubscribe instructions or by contacting Virtual EPS directly.

7.4 Withdrawing Consent

(a) Where Personal Data processing is based on consent, Data Subjects may withdraw that consent at any time.

(b) Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

7.5 Exercising Rights (How to Contact Virtual EPS)

(a) Data Subjects may exercise any of the rights described in this Section by contacting Virtual EPS.

(b) Virtual EPS will respond to requests in accordance with applicable law and within required statutory timeframes.

(c) Virtual EPS may request additional information to verify the identity of the Data Subject before processing any request.

8. Updates and Notifications

This section describes how Virtual EPS may update this Data Processing Addendum and how such changes will be communicated to Merchants.

(a) Virtual EPS may update or amend this DPA from time to time to reflect changes in:

(i) legal or regulatory requirements;

(ii) operational practices or technical measures;

(iii) the scope of the Services or processing activities; or

(iv) other circumstances affecting the processing of Personal Data.

(b) When updates are made, Virtual EPS will revise the “Last Updated” date at the top of this DPA to indicate the most recent changes.

(c) Significant updates that materially affect the obligations of Virtual EPS or the processing of Personal Data will be communicated to Merchants via email, the Website, or other reasonable means.

(d) Continued use of the Services after posting or notification of any updated DPA constitutes acceptance of those changes. Merchants who do not agree with the changes should terminate their use of the Services in accordance with the Services Agreement and notify Virtual EPS.

9. Contact Us

This section provides the contact details for Virtual EPS and information about the legal entity responsible for processing Personal Data under this DPA.

9.1 Privacy Contact

(a) Merchants may direct all inquiries regarding this DPA, data processing practices, or the exercise of data subject rights to Virtual EPS’s designated contact point:

Email: info@virtualeps.com

(b) The designated contact will respond to inquiries, assist with data protection requests, and provide guidance regarding the DPA.

9.2 Legal Entity Details

(a) Virtual EPS is operated by:

Company Name: M.M. VIRTUAL INFORMATION COMMUNICATION TECHNOLOGY LIMITED (HE 133357)
Registered Address: 81 Omonia Avenue, 5th floor, Office 52 3048 Limassol, Cyprus
Mailing Address: P.O. Box 55675, Limassol 3782, Cyprus

(b) These details are provided to ensure transparency, enable communication regarding data processing, and allow Merchants to exercise their rights under applicable data protection laws.

(c) Merchants may reference this information in any formal communication or legal correspondence relating to data protection or privacy matters.