Asima Data Processing Agreement (UK GDPR)
Version 1.00 22/10/2025
Parties
- Customer: the organisation identified in an executed Order Form or Service Agreement (the Controller).
- Wonderful Payments Limited trading as Asima, company registration number 12601267, 41 Luke Street, London, EC2A 4DP, FCA-authorised Payment Institution (FRN 964289) (Asima, the Processor).
This Data Processing Agreement (DPA) forms part of, and is incorporated by reference into, the Asima master services agreement (MSA) and any Order Form entered into between the parties. Capitalised terms not defined here have the meaning given in the MSA or under UK data protection law.
1. Purpose and duration
1.1 This DPA sets out the terms on which Asima processes personal data on behalf of the Customer in connection with the services described in the MSA and the applicable Order Form.
1.2 Processing will begin on the effective date of the relevant Order Form and continue for the term of the services, plus any limited period required to return or delete personal data under clause 11.
2. Roles and status of the parties
2.1 For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, the Customer is the Controller and Asima is the Processor.
2.2 Each party will comply with the obligations applicable to it under data protection law.
3. Documented instructions
3.1 Asima will process personal data only on the Customer’s documented instructions, including as set out in the MSA, this DPA, the Order Form, and the Customer’s lawful API and configuration choices.
3.2 If Asima is required by applicable law to process personal data contrary to the Customer’s instructions, Asima will (unless prohibited) notify the Customer before such processing.
3.3 Asima will promptly inform the Customer if, in Asima’s opinion, an instruction infringes data protection law.
4. Confidentiality and personnel
4.1 Asima ensures that persons authorised to process personal data are subject to duties of confidentiality and receive appropriate data protection and security training.
4.2 Access to personal data is limited to personnel who have a need to know for the purpose of performing the services.
5. Security of processing
5.1 Taking into account the state of the art, implementation costs, and the nature, scope, context and purposes of processing as well as the risks to data subjects, Asima will implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to risk.
5.2 Such measures include, as appropriate:
- encryption in transit and at rest;
- resilient architecture, redundancy and backup procedures;
- access controls, least-privilege principles, multi-factor authentication for privileged access, credential rotation and logging;
- vulnerability management, patching and hardened baselines;
- segregation of environments and customer data;
- secure development practices and change management;
- incident response procedures, including breach identification, containment and remediation;
- periodic testing and assessment of the effectiveness of security measures.
5.3 The Customer is responsible for appropriate security of its own systems, networks, applications, API keys and user account permissions, and for configuring the services in accordance with the documentation.
6. Use of sub-processors
6.1 The Customer provides general authorisation for Asima to appoint third parties as sub-processors to support provision of the services.
6.2 Asima will impose data protection terms on sub-processors that are no less protective than those set out in this DPA and remains responsible to the Customer for each sub-processor’s performance.
6.3 On request, Asima will provide an up-to-date list of current sub-processors used for the services.
6.4 Asima will give the Customer prior notice of any intended addition or replacement of sub-processors. If the Customer reasonably objects on data protection grounds within 10 days of notice, the parties will discuss in good faith to resolve the objection. If no resolution is reached, the Customer may terminate the affected services (without penalty) to the extent termination is necessary to avoid the use of the objected sub-processor.
7. International transfers
7.1 Asima will not transfer personal data outside the UK (or permit such transfer by a sub-processor) unless appropriate safeguards are in place in accordance with Chapter V of the UK GDPR.
7.2 Where Asima or its sub-processors transfer personal data to a country without an adequacy regulation, Asima will ensure such transfers are subject to the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, as applicable, or another recognised transfer mechanism.
7.3 On request, Asima will provide details of the relevant transfer mechanism applied to specific transfers.
8. Assistance to the controller
8.1 Data subject requests: Taking into account the nature of processing, Asima will assist the Customer by appropriate technical and organisational measures, insofar as possible, to fulfil the Customer’s obligations to respond to data subject requests under data protection law. If Asima receives a request directly from a data subject relating to the personal data, Asima will (unless prohibited by law) notify the Customer without undue delay and will not respond except on the Customer’s documented instructions.
8.2 Security and DPIAs: Asima will provide reasonable assistance to the Customer with obligations under Articles 32 to 36 UK GDPR, including security, personal data breach notifications, data protection impact assessments and prior consultation with supervisory authorities, in each case taking into account the nature of processing and information available to Asima.
8.3 Regulatory enquiries: Asima will provide reasonable cooperation and assistance to lawful enquiries or investigations by competent supervisory authorities that relate to the services.
9. Personal data breach
9.1 Asima will notify the Customer without undue delay after becoming aware of a personal data breach affecting personal data processed on behalf of the Customer.
9.2 Such notice will include, to the extent known at the time: a description of the nature of the breach, the categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed to address and mitigate the breach.
9.3 Asima will take appropriate remedial actions to mitigate the effects and prevent recurrence and will cooperate with the Customer as reasonably required to meet the Customer’s breach notification obligations.
10. Audits and information
10.1 Asima will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA and Article 28 UK GDPR.
10.2 Upon reasonable written notice, and no more than once in any 12-month period (save where required by a regulator, following a personal data breach, or where there are reasonable grounds to suspect material non-compliance), the Customer may conduct an audit of Asima’s processing activities relevant to the services.
10.3 Audits shall be conducted during normal business hours, without undue disruption, and subject to reasonable confidentiality, security and scheduling requirements. The scope may include review of relevant policies, summaries of third-party audit reports or certifications and, where strictly necessary, on-site inspection of facilities involved in the processing.
10.4 To protect the security and confidentiality of other customers’ data and Asima’s systems, Asima may require the audit to be performed by an independent third-party auditor under appropriate confidentiality terms.
11. Return and deletion
11.1 At the end of the provision of the services relating to processing, and at the Customer’s election, Asima will either (a) return all personal data to the Customer in a commonly used, machine-readable format made available by the services, or (b) delete such personal data.
11.2 Asima may retain copies to the extent required by law and only for the period and purposes mandated by law, in which case Asima will ensure the confidentiality of all such retained personal data and will not actively process it except for such retention purposes.
12. Records of processing
Asima will maintain records of processing activities carried out on behalf of the Customer as required by Article 30(2) UK GDPR and will make such records available to the Customer or the Information Commissioner’s Office on request, subject to confidentiality protections.
13. Liability and indemnity
13.1 Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the MSA, except that nothing in this DPA limits liability that cannot lawfully be limited.
13.2 The Customer will indemnify Asima against claims, losses or regulatory penalties arising from the Customer’s failure to comply with data protection law in respect of data that the Customer provides or instructs Asima to process.
14. Order of precedence and changes
14.1 In the event of a conflict between this DPA and the MSA, this DPA prevails to the extent of the conflict in relation to the processing of personal data.
14.2 Asima may update this DPA to reflect changes in law or good practice. Material changes will be notified to Customers in accordance with the MSA, and will take effect after the notice period specified there.
15. Contact points for data protection
15.1 Customer data protection contact: as specified in the Order Form.
15.2 Asima data protection contact: hello@asima.co.uk (addressed to “Data protection”).
Annex 1 – details of processing
A. Subject matter of processing
Provision of enterprise Open Banking services, including account information services (AIS) and payment initiation services (PIS), and related support.
B. Duration of processing
For the term of the services under the applicable Order Form and any limited post-termination period necessary for secure return or deletion in accordance with clause 11.
C. Nature and purpose of processing
Collection, retrieval, transmission, storage and other processing necessary to:
- access account information from participating institutions under the Customer’s instructions (AIS);
- initiate and manage payments under the Customer’s instructions (PIS);
- provide customer support, incident response, fraud monitoring and operational reporting;
- maintain security, availability and performance of the services.
D. Categories of data subjects
- End users of the Customer (payers, account holders and authorised users);
- Personnel and representatives of the Customer (contact details only).
E. Categories of personal data
Depending on the services used and Customer configuration:
- identification data and account identifiers necessary for Open Banking connectivity;
- account balances and transaction data retrieved via AIS;
- payment amounts, references, payer details and status information for PIS;
- technical logs and metadata associated with access, authorisation and fraud-prevention controls;
- Customer personnel contact data for administration and support.
F. Special categories of data
Asima does not intentionally process special categories of personal data. The Customer must not cause special category data to be submitted to the services unless explicitly agreed in writing and subject to additional safeguards.
G. Processing instructions
As documented in the MSA, this DPA, the Order Form, and the Customer’s use of the services and APIs, including configuration, permissions and calls made by the Customer’s applications.
Annex 2 – technical and organisational security measures (summary)
Without limiting clause 5, Asima maintains the following controls appropriate to risk:
- Organisation of information security – governance framework, roles and responsibilities, security policies reviewed at least annually.
- Human resources security – background checks (where lawful and appropriate), confidentiality undertakings, periodic training.
- Asset and data management – data classification, minimisation, retention and secure disposal; encrypted backups with periodic restore testing.
- Access control – unique user IDs, role-based access, multi-factor authentication for privileged accounts, regular access reviews.
- Cryptography – industry-standard encryption for data in transit and at rest; key management procedures and separation of duties.
- Physical and environmental security – use of reputable cloud infrastructure providers with appropriate physical safeguards; restricted access to facilities.
- Operations security – vulnerability management, secure configuration baselines, change management, protective monitoring and alerting.
- Communications and network security – network segmentation, firewalling, DDoS resilience, secure API gateways and TLS enforcement.
- Secure development – secure SDLC practices, code review, dependency management and pre-deployment testing.
- Incident management – documented incident response plan, defined escalation paths, post-incident review and corrective actions.
- Supplier management – initial and periodic due diligence of critical suppliers, contractual security obligations and performance monitoring.
- Business continuity – high-availability architecture, redundancy and tested recovery procedures proportionate to service criticality.
Execution
This DPA is effective for the Customer upon execution of an Order Form or Service Agreement that incorporates the MSA by reference. For existing customers, updates to this DPA take effect in accordance with the MSA’s change-notification provisions.