Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the agreement between Malum Limited ("Processor", "Malum") and the Merchant identified in the Malum dashboard ("Controller") and governs the processing of personal data by Malum on the Controller's behalf under the UK GDPR, the EU GDPR, the UK Data Protection Act 2018, and equivalent laws.

Last modified 05/12/2026 Malum Legal Team

Table of Contents

  1. Definitions
  2. Scope and roles
  3. Processing on documented instructions
  4. Confidentiality
  5. Security measures
  6. Sub-processors
  7. Data subject rights
  8. Personal data breach
  9. International transfers
  10. Audits and inspections
  11. Return and deletion
  12. Liability and indemnity
  13. Annex A – Processing details
  14. Annex B – Security measures
  15. Execution

Definitions

Capitalised terms not defined here have the meaning given in the UK GDPR or in the Malum Terms of Service. "Data Protection Laws" means the UK GDPR, the EU GDPR, the Data Protection Act 2018, the ePrivacy Directive, and any successor or equivalent law applicable to processing under this DPA.

Scope and roles

The Controller determines the purposes and means of processing of personal data relating to its customers, end-users, and prospects. Malum processes that personal data solely as a Processor for the purpose of providing the Services. Where Malum processes personal data for its own purposes (fraud prevention, regulatory compliance, network operations), Malum acts as an independent Controller and the Privacy Policy applies.

Processing on documented instructions

Malum will process personal data only on the Controller's documented instructions, which are given by (i) the Controller's use of the Services, including configuration of webhooks, custom domains, payouts and notifications, and (ii) any written instruction subsequently agreed in writing. Malum will inform the Controller if, in its opinion, an instruction infringes Data Protection Laws.

Confidentiality

Malum ensures that persons authorised to process the personal data are bound by appropriate confidentiality undertakings or are under a statutory obligation of confidentiality.

Security measures

Malum implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art and the nature of the data. Current measures are described in Annex B and are reviewed at least annually.

Sub-processors

The Controller authorises Malum to engage the sub-processors listed at malum.co/legal/sub-processors. Malum will provide at least fourteen (14) days' notice of the addition or replacement of a sub-processor through that page. The Controller may object on reasonable data-protection grounds, in which case the parties will work in good faith to resolve the objection or the Controller may terminate the affected Services.

Malum will impose data-protection obligations on each sub-processor that are no less onerous than those in this DPA and remains liable for the acts and omissions of its sub-processors.

Data subject rights

Malum will, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, in responding to requests from data subjects to exercise their rights under Data Protection Laws. Where Malum receives a request directly from a data subject relating to data processed for the Controller, Malum will refer the data subject to the Controller.

Personal data breach

Malum will notify the Controller without undue delay, and in any event within seventy-two (72) hours of becoming aware of a personal data breach affecting the Controller's data, providing the information reasonably required for the Controller to meet its own notification obligations.

International transfers

Where Malum transfers personal data outside the UK or the EEA to a country that is not the subject of an adequacy decision, the transfer will be made under the UK Addendum to the EU Standard Contractual Clauses (or successor mechanism) executed between the parties, or under another valid Article 46 transfer mechanism.

Audits and inspections

Malum will make available to the Controller the information necessary to demonstrate compliance with this DPA. On reasonable prior written notice and no more than once every twelve (12) months (unless required by a competent supervisory authority or following a personal data breach), the Controller may audit Malum's compliance, or appoint an independent auditor to do so under appropriate confidentiality. Malum may satisfy audit obligations by providing the most recent SOC 2 Type II, ISO 27001, or PCI-DSS attestations.

Return and deletion

On termination of the Services, the Controller may export its data through the dashboard or the API for up to thirty (30) days. Malum will then delete or anonymise the Controller's personal data unless retention is required for compliance with a legal obligation (for example anti-money-laundering record keeping for five years).

Liability and indemnity

Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. Nothing in this DPA limits a data subject's rights against either party under Data Protection Laws.

Annex A – Processing details

Subject matter

Provision of card-to-crypto payment processing and ancillary services.

Duration

For as long as Malum provides the Services to the Controller.

Nature and purpose

Collection, storage, transmission and analysis of personal data to authenticate users, process payments, detect fraud, meet anti-money-laundering and Travel Rule obligations, generate receipts and tax invoices, and provide customer support.

Categories of data subjects

  • End-customers paying the Controller through Malum.
  • Authorised users of the Controller's Malum workspace.
  • Beneficial owners and directors of the Controller (KYB).

Categories of personal data

  • Identification: name, date of birth, government-issued ID details.
  • Contact: email, postal address, phone number.
  • Transaction: payment instrument metadata (BIN, last four), amount, currency, timestamp, country, IP and device fingerprints, geolocation derived from MaxMind GeoLite2.
  • Financial: bank account or wallet address used for payouts or refunds.
  • Risk: sanctions/PEP screening hits, fraud signals, chargeback history.

Special categories

None processed as part of normal operations. Selfies and document images supplied for KYC may incorporate biometric data; these are processed under Article 9(2)(g) UK GDPR and retained per the Privacy Policy.

Annex B – Security measures

  • Network segmentation and least-privilege IAM with mandatory MFA for production access.
  • Encryption in transit (TLS 1.2+) and at rest (AES-256) for all personal data stores.
  • Card data scoped to PCI-DSS-validated service providers; Malum operates as a SAQ-A or SAQ-A-EP merchant depending on integration.
  • Application-layer rate limiting, bot mitigation, Cloudflare WAF and Turnstile for human verification.
  • Centralised logging with tamper-evident retention and 24x7 alerting.
  • Quarterly internal vulnerability scans; annual penetration test by a CREST-accredited provider.
  • Documented incident response runbook with tabletop exercises every six (6) months.
  • Background checks on all engineering hires and annual security awareness training.
  • Daily encrypted backups with documented recovery time and point objectives.

Execution

This DPA is incorporated by reference into the Terms of Service and takes effect when the Controller accepts those Terms. Each party warrants that the individual accepting on its behalf is duly authorised to bind it. Where a Controller requires a counter-signed copy or an updated SCC module, contact [email protected].