Legal

Data Processing Agreement

Standard DPA for merchants whose customers are EU, UK, or Jamaican residents — i.e., almost every merchant.

Last updated: May 6, 2026

v0.1 — pending review by Jamaica-qualified counsel. A signable PDF version of this DPA is available on request from legal@fyber.one. This page is the summary; the PDF is the binding instrument.

1. Who this is for

Merchants whose customers include EU, UK, or Jamaica residents. In practice, this is almost every Fyber merchant.

2. Roles

  • Merchant — data controller (you decide what to collect and why).
  • Fyber — data processor for payment processing, joint controller for fraud network data shared across merchants.

3. Categories of data processed

  • Tokenised card data — full PAN never stored, only BIN, last 4, brand, fingerprint
  • Cardholder name, email, billing/shipping address (where the merchant collects them)
  • IP address, device fingerprint (FraudGate)
  • Transaction amount and currency, timestamps, status

4. Purposes of processing

  • Payment authorisation, capture, settlement, refunds, chargebacks
  • Fraud prevention and FraudGate AI scoring
  • Compliance — AML, sanctions screening, tax reporting
  • Platform operation, debugging, security
  • Audit logging

5. Data subject rights

Where the Merchant is the controller, end customers exercise their rights against the Merchant. The Merchant routes deletion / access / rectification requests to Fyber via privacy@fyber.one. SLA: we respond within 30 days, sooner where regulator-mandated.

6. International transfers

Some processing occurs in the US (Anthropic, Google, Fingerprint Pro) and the EU (Sentry, IP geolocation provider). Lawful bases:

  • EU residents: Standard Contractual Clauses (SCCs) under GDPR Art. 46(2)(c).
  • Jamaican residents: cross-border transfer permitted under JDPA 2020 §27 with adequate-protection assurances.

7. Sub-processors

Listed publicly at Sub-processors. We provide 30 days' notice before adding or replacing any sub-processor.

8. Security measures

  • TLS 1.2+ in transit, AES-256 at rest
  • HMAC-SHA256 card fingerprinting — a keyed cryptographic hash of the entire PAN, as PCI DSS 4.0 §3.5.1.1 requires for hashes used to render PAN unreadable
  • Role-based access control on all dashboards
  • Immutable audit logging with 7-year retention
  • Annual penetration testing
  • Documented incident response runbook
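The fingerprinting measure above, worked through as an added illustration that is not Fyber's own code. It assumes a 16-digit PAN, an 8-digit BIN retained alongside the last four digits, a constructed Luhn-valid test card number and a placeholder key (a real key would live in an HSM or KMS under the key-management process PCI DSS §3.5.1.1 requires). The second half shows why the hash must be keyed: once BIN and last 4 are retained, an unkeyed SHA-256 of the PAN leaves only the middle digits for an attacker to enumerate.

```python
"""Keyed card fingerprinting vs. an unkeyed PAN hash (illustrative example)."""
import hashlib
import hmac
import itertools

# Constructed inputs: a well-known test card number (never a live account)
# and a placeholder key. Both are assumptions for this example only.
TEST_PAN = "4242424242424242"
FINGERPRINT_KEY = b"example-fingerprint-key-do-not-use-in-production"
BIN_LEN = 8  # assumed: 8-digit BIN retained, as permitted for 16-digit PANs


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: filters out strings that cannot be a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_of(pan: str) -> str:
    """Coarse issuer lookup from leading digits (enough for an example)."""
    if pan.startswith("4"):
        return "visa"
    if pan[:2] in {"34", "37"}:
        return "amex"
    if 51 <= int(pan[:2]) <= 55 or 2221 <= int(pan[:4]) <= 2720:
        return "mastercard"
    return "unknown"


def tokenise(pan: str, key: bytes) -> dict:
    """Return only what the DPA says is retained: BIN, last 4, brand, fingerprint.

    The fingerprint is HMAC-SHA256 over the entire PAN. With one network-wide
    key, the same card yields the same fingerprint at every merchant, which is
    what lets fraud signals be linked across merchants without storing the PAN.
    """
    if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("not a plausible PAN")
    fingerprint = hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()
    return {
        "bin": pan[:BIN_LEN],
        "last4": pan[-4:],
        "brand": brand_of(pan),
        "fingerprint": fingerprint,
    }


def unkeyed_fingerprint(pan: str) -> str:
    """The weak alternative: a plain SHA-256 of the PAN, no secret involved."""
    return hashlib.sha256(pan.encode()).hexdigest()


def recover_pan(bin_prefix: str, last4: str, digest: str, pan_len: int = 16):
    """Attacker view: given BIN, last 4 and an unkeyed digest, brute-force the
    middle digits. For an 8-digit BIN that is at most 10**4 candidates, fewer
    after the Luhn filter. Against the keyed fingerprint this search is useless
    without the key, so nothing comparable is attempted for it here."""
    middle_len = pan_len - len(bin_prefix) - len(last4)
    for digits in itertools.product("0123456789", repeat=middle_len):
        candidate = bin_prefix + "".join(digits) + last4
        if luhn_ok(candidate) and unkeyed_fingerprint(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    token = tokenise(TEST_PAN, FINGERPRINT_KEY)
    print("stored record:", token)
    weak = unkeyed_fingerprint(TEST_PAN)
    print("unkeyed hash recovers PAN:", recover_pan(token["bin"], token["last4"], weak))
```

Two properties matter here: the same PAN under the same key always maps to the same fingerprint (so cross-merchant linkage works), and a different key gives an unrelated fingerprint (so a leaked table of fingerprints cannot be joined to another party's data without the key). The brute-force function makes the contrast concrete: BIN plus last 4 plus an unkeyed hash is, in practice, the full card number.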

9. Audit rights

Merchants may request our latest SOC 2 report (when available), PCI Attestation of Compliance, and penetration test summaries under NDA. Email trust@fyber.one.

10. Data retention

  • Payments: 7 years (regulatory minimum).
  • Audit logs: 90 days hot storage, 7 years cold.
  • Cardholder identifiers: until token revoked or 13 months after last use, whichever is sooner.
  • KYC documents: 7 years after account closure.

11. Breach notification

Fyber notifies the Merchant within 72 hours of confirming a personal data breach affecting their data, with: nature of the breach, categories and approximate number of records, likely consequences, and remediation steps.

12. Termination

On termination of the Merchant's account, we provide a 30-day data export window, then perform secure deletion of merchant-controlled personal data — except records we are required to retain for regulatory or audit reasons (typically 7 years for transaction data).