
Data Processing Addendum

Last Updated: May 28, 2026

This Data Processing Addendum (“DPA”) is incorporated into and forms part of the Terms of Service or other written or electronic agreement between you (“Customer”) and Ceylon Cash (operated by Ceylabs (Pvt) Ltd) (“Ceylon Cash”, “we”, “us”) governing your use of the Ceylon Cash platform and services (the “Agreement”). This DPA applies where and to the extent Ceylon Cash processes Personal Data on behalf of the Customer in connection with the Services.

In the event of any conflict between this DPA and the Agreement, this DPA shall control with respect to data processing matters. The order of precedence is: (1) Standard Contractual Clauses (if applicable); (2) this DPA; (3) the Agreement; (4) the Privacy Policy.


1. Definitions

For the purposes of this DPA, the following terms have the meanings set out below. Capitalised terms not defined here have the meanings given in the Agreement.

1.1 “Applicable Privacy Law” means all laws and regulations applicable to the processing of Personal Data under this DPA, including but not limited to:

  • the EU General Data Protection Regulation 2016/679 (“GDPR”);
  • the UK General Data Protection Regulation and Data Protection Act 2018 (“UK GDPR”);
  • the California Consumer Privacy Act (as amended by the California Privacy Rights Act) (“CCPA/CPRA”);
  • the Personal Data Protection Act (Sri Lanka) and any successor legislation;
  • any other national, federal, state, or provincial data protection laws applicable to the parties.

1.2 “Controller” means the entity that determines the purposes and means of processing Personal Data.

1.3 “Customer Account Data” means Personal Data relating to the Customer’s account and business relationship with Ceylon Cash, including contact names, email addresses, phone numbers, billing information, and account credentials.

1.4 “Customer Usage Data” means data generated by or derived from the Customer’s use of the Services, including transaction logs, API call records, usage metrics, session data, and service activity records.

1.5 “Data Breach” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

1.6 “Data Subject” means an identified or identifiable natural person to whom Personal Data relates.

1.7 “EEA” means the European Economic Area.

1.8 “Personal Data” means any information relating to an identified or identifiable natural person, as defined under Applicable Privacy Law, that Ceylon Cash processes on behalf of the Customer in connection with the Services.

1.9 “Processing” (and “Process”, “Processed”, “Processes”) means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.

1.10 “Processor” means the entity that processes Personal Data on behalf of the Controller.

1.11 “Services” means the Ceylon Cash platform, APIs, payment processing infrastructure, and any related products or features made available to the Customer under the Agreement.

1.12 “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries as approved by the European Commission, the UK Information Commissioner’s Office (“ICO”), or other relevant supervisory authority.

1.13 “Sub-processor” means any Processor engaged by Ceylon Cash to process Personal Data on behalf of the Customer.

1.14 “Supervisory Authority” means the competent regulatory or data protection authority with jurisdiction over the processing of Personal Data under this DPA.


2. Roles and Relationship of the Parties

2.1 Controller and Processor. As between the parties:

  • The Customer is the Controller of Personal Data processed in connection with the Services.
  • Ceylon Cash is the Processor processing Personal Data on behalf of and under the instructions of the Customer.

2.2 Independent Processing. Where Ceylon Cash processes Personal Data for its own purposes (for example, Customer Account Data for billing, security, fraud prevention, or service improvement), Ceylon Cash acts as an independent Controller for such processing, which is governed by Ceylon Cash’s Privacy Policy rather than this DPA.

2.3 Compliance. Each party shall comply with its respective obligations under Applicable Privacy Law. Nothing in this DPA relieves either party of its own direct obligations under Applicable Privacy Law.


3. Customer Obligations

3.1 The Customer represents and warrants that:

(a) it has all necessary rights, consents, and lawful bases to provide Personal Data to Ceylon Cash for processing under this DPA;

(b) it has provided all required notices to, and obtained all required consents from, Data Subjects as required by Applicable Privacy Law;

(c) the instructions it gives Ceylon Cash in respect of Personal Data shall at all times comply with Applicable Privacy Law;

(d) it is responsible for the accuracy, quality, and legality of Personal Data and the means by which it acquired such data.

3.2 The Customer acknowledges that Ceylon Cash is not responsible for determining whether Applicable Privacy Law applies to the Customer’s business or whether the Customer’s instructions satisfy the requirements of Applicable Privacy Law.


4. Ceylon Cash Processing Obligations

4.1 Instructions. Ceylon Cash shall process Personal Data only:

(a) on documented instructions from the Customer, including those set out in this DPA and the Agreement;

(b) as required by Applicable Privacy Law, in which case Ceylon Cash shall inform the Customer of that legal requirement before processing, unless prohibited from doing so by law on grounds of public interest.

4.2 Confidentiality. Ceylon Cash shall ensure that personnel authorised to process Personal Data are subject to appropriate confidentiality obligations (whether contractual or statutory).

4.3 Assistance. Ceylon Cash shall provide reasonable assistance to the Customer in fulfilling its obligations under Applicable Privacy Law, including in relation to:

(a) data protection impact assessments;

(b) prior consultation with Supervisory Authorities;

(c) security of processing;

(d) Data Subject rights requests (as further described in Section 7).

4.4 Notification of Unlawful Instructions. Ceylon Cash shall promptly notify the Customer if, in its reasonable opinion, any processing instruction from the Customer infringes Applicable Privacy Law. Ceylon Cash may suspend performance of the relevant instruction pending resolution.


5. Security

5.1 Security Measures. Ceylon Cash shall implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, taking into account:

(a) the state of the art and cost of implementation;

(b) the nature, scope, context, and purposes of processing;

(c) the risks to the rights and freedoms of Data Subjects.

5.2 Such measures include, without limitation, those described in Exhibit C (Security Measures) to this DPA.

5.3 Personnel. Ceylon Cash shall take reasonable steps to ensure that only authorised personnel have access to Personal Data and that such personnel are subject to appropriate training and confidentiality obligations.

5.4 Customer Responsibility. The Customer is responsible for implementing appropriate security controls within its own systems and for the secure configuration of any access credentials used to connect to the Services.


6. Sub-processors

6.1 Authorisation. The Customer provides general authorisation for Ceylon Cash to engage Sub-processors, subject to the requirements of this Section 6.

6.2 Current Sub-processors. Ceylon Cash maintains a list of authorised Sub-processors at ceyloncash.com/legal/subprocessors (the “Sub-processor List”). The Customer acknowledges the Sub-processors listed there as of the date the Customer enters into this DPA.

6.3 New Sub-processors. Ceylon Cash shall give the Customer at least 10 days’ prior written notice (by email or update to the Sub-processor List) before engaging a new Sub-processor or materially changing the role of an existing Sub-processor.

6.4 Objection. The Customer may object to the engagement of a new Sub-processor on reasonable data protection grounds by notifying Ceylon Cash in writing within 10 days of receiving notice. If the parties cannot resolve the objection within 30 days, either party may terminate the affected Services on written notice without liability (other than for amounts already due). If the Customer does not object within the notice period, the new Sub-processor is deemed approved.

6.5 Sub-processor Obligations. Ceylon Cash shall impose on each Sub-processor data protection obligations that are no less protective than those in this DPA and shall remain liable to the Customer for the Sub-processor’s performance of those obligations.


7. Data Subject Rights

7.1 Taking into account the nature of the processing, Ceylon Cash shall provide the Customer with reasonable technical and organisational assistance to enable the Customer to fulfil its obligations to respond to Data Subject requests under Applicable Privacy Law (including requests to access, rectify, erase, restrict, port, or object to processing of Personal Data).

7.2 If Ceylon Cash receives a request directly from a Data Subject, Ceylon Cash shall, to the extent it identifies the request as relating to Personal Data processed on the Customer’s behalf, promptly notify the Customer and not respond to the Data Subject except to acknowledge receipt (unless instructed otherwise by the Customer or required by law).

7.3 The Customer is responsible for responding to Data Subject requests relating to Personal Data processed under this DPA.


8. Data Breach Notification

8.1 Ceylon Cash shall notify the Customer without undue delay — and in any event within 72 hours of becoming aware — of a confirmed Data Breach affecting Personal Data processed on behalf of the Customer.

8.2 Such notification shall include, to the extent then known:

(a) the nature of the Data Breach, including categories and approximate number of Data Subjects and Personal Data records affected;

(b) the name and contact details of Ceylon Cash’s data protection point of contact;

(c) the likely consequences of the Data Breach;

(d) the measures taken or proposed to address the Data Breach and mitigate its effects.

8.3 Ceylon Cash shall provide further information as it becomes available and shall cooperate with the Customer’s reasonable requests in relation to the Data Breach, including in relation to notifying Supervisory Authorities and affected Data Subjects.

8.4 A notification under this Section 8 shall not constitute an acknowledgement of fault or liability.


9. International Data Transfers

9.1 Personal Data may be transferred to and processed in countries outside the EEA, the UK, or Switzerland (“Third Countries”) — including Sri Lanka and other countries where Ceylon Cash or its Sub-processors operate — as necessary to provide the Services.

9.2 Transfer Mechanisms. To the extent such transfers require a lawful transfer mechanism under Applicable Privacy Law, Ceylon Cash shall ensure an appropriate mechanism is in place, which may include:

(a) the European Commission’s Standard Contractual Clauses (Module Two: Controller to Processor), incorporated by reference into this DPA;

(b) the UK International Data Transfer Addendum issued by the ICO;

(c) adequacy decisions issued by a competent authority;

(d) other mechanisms permitted under Applicable Privacy Law.

9.3 By entering into this DPA, the parties are deemed to have executed the applicable Standard Contractual Clauses to the extent required for the relevant transfer. In the event of a conflict between the SCCs and this DPA, the SCCs shall prevail to the extent of the conflict.


10. Audits and Records

10.1 Records. Ceylon Cash shall maintain appropriate records of its processing activities on behalf of the Customer as required by Applicable Privacy Law.

10.2 Audit Rights. Upon the Customer’s written request, and no more than once per calendar year (unless required more frequently by Applicable Privacy Law or following a Data Breach), Ceylon Cash shall:

(a) make available information reasonably necessary to demonstrate compliance with this DPA; and

(b) allow for and contribute to audits and inspections conducted by the Customer or a mutually agreed independent auditor.

10.3 Audit Conditions. Any audit shall be:

(a) conducted on reasonable prior written notice of at least 30 days;

(b) carried out during business hours with minimal disruption to Ceylon Cash’s operations;

(c) subject to the auditor executing a confidentiality agreement acceptable to Ceylon Cash;

(d) conducted at the Customer’s expense, including any reasonable costs incurred by Ceylon Cash.

10.4 Certifications. Ceylon Cash may satisfy audit requests by providing relevant certifications, third-party audit reports, or security documentation in lieu of a direct audit, where appropriate.


11. Retention and Return of Personal Data

11.1 Upon expiry or termination of the Agreement, or upon the Customer’s written request, Ceylon Cash shall (at the Customer’s election):

(a) return Personal Data to the Customer in a commonly used machine-readable format; or

(b) securely delete or destroy Personal Data;

in each case within 90 days of the relevant request or termination date, except to the extent that Ceylon Cash is required by Applicable Privacy Law to retain certain data.

11.2 Ceylon Cash shall confirm to the Customer in writing once deletion or return is complete.

11.3 Backup copies of Personal Data retained solely for business continuity purposes shall be deleted in accordance with Ceylon Cash’s standard backup rotation schedules, which shall not exceed 180 days from the date of the relevant backup.


12. CCPA / US State Privacy Laws

12.1 To the extent the CCPA or other US state privacy laws apply to processing of Personal Data under this DPA:

(a) Ceylon Cash processes Personal Data solely for the business purposes specified in this DPA and the Agreement, and not for any other commercial purpose;

(b) Ceylon Cash shall not sell or share (as defined under the CCPA) Personal Data;

(c) Ceylon Cash shall not retain, use, or disclose Personal Data outside the scope of the business relationship with the Customer;

(d) Ceylon Cash shall assist the Customer in fulfilling its obligations to respond to consumer rights requests under applicable US state privacy laws.

12.2 The parties agree that the Customer discloses Personal Data to Ceylon Cash for the limited and specified business purposes described in this DPA, and such disclosure does not constitute a “sale” under applicable US state privacy laws.


13. Liability

13.1 Each party’s liability under this DPA (including in relation to the Standard Contractual Clauses) shall be subject to the limitations and exclusions set out in the Agreement, to the maximum extent permitted by Applicable Privacy Law.

13.2 Notwithstanding Section 13.1, limitations of liability shall not apply to:

(a) obligations under the Standard Contractual Clauses where such limitations are not permitted by the applicable SCCs;

(b) either party’s indemnification obligations to Data Subjects under Applicable Privacy Law.


14. Term and Termination

14.1 This DPA shall remain in effect for as long as Ceylon Cash processes Personal Data on behalf of the Customer under the Agreement.

14.2 Termination of the Agreement automatically terminates this DPA, subject to the survival of obligations under Sections 5, 10, 11, and 13 and any obligations required to survive under Applicable Privacy Law.


15. General

15.1 Governing Law. This DPA shall be governed by the laws of Sri Lanka, except where the Standard Contractual Clauses impose a different governing law, in which case those clauses shall govern with respect to transfers subject to them.

15.2 Entire Agreement. This DPA, together with the Agreement and any executed Standard Contractual Clauses, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior agreements relating to data processing.

15.3 Amendments. Ceylon Cash may update this DPA from time to time. If changes are material, Ceylon Cash shall provide at least 30 days’ notice prior to the changes taking effect. Continued use of the Services after the effective date constitutes acceptance of the updated DPA.

15.4 Severability. If any provision of this DPA is held invalid or unenforceable, the remaining provisions shall continue in full force and effect.

15.5 Contact. For data protection enquiries, the Customer may contact Ceylon Cash at: privacy@ceyloncash.com.


Exhibit A — Details of Processing

  
Subject matter: Processing of Personal Data in connection with the provision of the Ceylon Cash payment and financial services platform

Duration: For the term of the Agreement, plus any retention period required by law or this DPA

Nature and purpose: Processing necessary to provide the Services, including payment processing, transaction management, fraud prevention, identity verification, customer support, and regulatory compliance

Types of Personal Data: Name, email address, phone number, postal address, government-issued ID details, financial account information, transaction history, IP address, device identifiers, usage data, and any other Personal Data submitted by the Customer through the Services

Categories of Data Subjects: The Customer’s end-users, customers, and employees whose Personal Data is submitted to or generated through the Services

Special categories: Not ordinarily processed. Customer must not submit special category data (e.g. health, biometric, political) without prior written agreement with Ceylon Cash

Frequency: Continuous / ongoing

Retention: For the term of the Agreement, plus applicable legal retention periods (e.g. AML/CFT record-keeping obligations)

Exhibit B — Authorised Sub-processors

Ceylon Cash’s current list of authorised Sub-processors is maintained at:

ceyloncash.com/legal/subprocessors

This list includes the Sub-processor name, country of processing, and the service they provide. Ceylon Cash updates this list in accordance with Section 6 of this DPA.


Exhibit C — Technical and Organisational Security Measures

Ceylon Cash implements and maintains the following technical and organisational security measures to protect Personal Data:

C.1 Access Control

  • Role-based access control (RBAC) with least-privilege principles
  • Multi-factor authentication (MFA) required for all personnel accessing production systems
  • Regular access reviews and prompt revocation of access upon personnel changes
  • Audit logging of all access to systems containing Personal Data

C.2 Data Encryption

  • Encryption of Personal Data in transit using TLS 1.2 or higher
  • Encryption of Personal Data at rest using AES-256 or equivalent
  • Secure key management practices, including regular key rotation

C.3 Network and Infrastructure Security

  • Network segmentation and firewall rules limiting access to production environments
  • Intrusion detection and prevention systems
  • Regular vulnerability scanning and penetration testing (at least annually)
  • Patching and hardening of systems in accordance with industry best practices

C.4 Availability and Resilience

  • Regular automated backups with defined recovery time and recovery point objectives
  • Disaster recovery and business continuity plans, tested at least annually
  • Redundant infrastructure to minimise service interruptions

C.5 Incident Response

  • Documented incident response procedures, including roles and escalation paths
  • Monitoring and alerting for security events
  • Post-incident review and remediation processes

C.6 Organisational Measures

  • Information security policies reviewed and updated at least annually
  • Security awareness training for all personnel with access to Personal Data
  • Background checks on personnel in accordance with applicable law and risk level
  • Data protection impact assessment (DPIA) processes for high-risk processing activities
  • Designated data protection point of contact (hello@ceyloncash.com)

C.7 Vendor Management

  • Security due diligence on Sub-processors before engagement
  • Contractual data protection obligations on all Sub-processors

Exhibit D — Standard Contractual Clauses

Where the transfer of Personal Data from the EEA, the UK, or Switzerland to a Third Country requires a lawful transfer mechanism, the parties agree that the relevant Standard Contractual Clauses are incorporated into this DPA by reference as follows:

Module Two (Controller to Processor): applies where the Customer (as Controller) transfers Personal Data to Ceylon Cash (as Processor) in a Third Country.

Clause 7 (Docking Clause): The optional docking clause is not incorporated.

Clause 9 (Use of Sub-processors): Option 2 (General Written Authorisation) applies, as described in Section 6 of this DPA.

Clause 11 (Redress): The optional language is not incorporated.

Clause 17 (Governing Law): The SCCs shall be governed by the law of the Republic of Ireland (for EEA transfers).

Clause 18 (Choice of Forum): Disputes under the SCCs shall be resolved by the courts of the Republic of Ireland (for EEA transfers).

UK Transfers: The UK International Data Transfer Addendum (IDTA) issued by the ICO applies to transfers from the UK, with the relevant information completed as set out in this DPA and its Exhibits.

The Annexes to the SCCs are completed as follows:

  • Annex I.A (List of Parties): as identified in the Agreement and this DPA
  • Annex I.B (Description of Transfer): as set out in Exhibit A of this DPA
  • Annex I.C (Competent Supervisory Authority): the supervisory authority of the Customer’s EU/UK establishment
  • Annex II (Technical and Organisational Measures): as set out in Exhibit C of this DPA
  • Annex III (List of Sub-processors): as set out in Exhibit B of this DPA

For questions about this DPA, please contact us at:

Ceylon Cash / Ceylabs (Pvt) Ltd
Email: hello@ceyloncash.com
Website: ceyloncash.com