Wyllo Global Data Processing Addendum (Global DPA)


This Wyllo Global Data Processing Addendum (Global DPA) is incorporated by reference into, and forms part of, the Merchant Terms of Service and/or other written or electronic agreement(s) entered into by and between Wyllo LLC (Wyllo) and the client identified in the Agreement (Client) for the provision and use of Wyllo services (the Services) (collectively, Agreement). Wyllo and Client are referred to herein individually as a Party and collectively as the Parties. This Global DPA is effective as of the effective date of the Agreement.

I. DEFINITIONS. All terms capitalized but not defined in this Global DPA have the meanings ascribed to such terms in the Agreement.

  1. Affiliate means any entity controlled by or under common control with a Party, directly or indirectly.
  2. Data Controller means the entity which determines the purposes and means of the Processing of Personal Data.
  3. Data Incident means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in the possession, custody, or control of Wyllo.
  4. Data Processor means an entity which Processes Personal Data pursuant to the instructions of a Data Controller and does not control the purposes and means of the Processing of Personal Data.
  5. Data Protection Laws means European Data Protection Laws and U.S. Data Protection Laws.
  6. Data Subject means the natural person to whom Personal Data relates.
  7. Data Subject Request means a valid request from or on behalf of a Data Subject to exercise rights granted under Data Protection Laws with respect to Personal Data.
  8. European Data Protection Laws means applicable European Union (EU), European Economic Area (EEA), United Kingdom (UK) and Swiss laws to the extent applicable to a Party’s Processing of Personal Data, including without limitation (i) the EU General Data Protection Regulation 2016/679 (GDPR); (ii) the GDPR as incorporated into UK law by the Data Protection Act 2018 (UK GDPR); (iii) the Swiss Federal Act on Data Protection (FADP); and (iv) other applicable EU, UK, and Swiss laws and regulations regulating the Processing of Personal Data as become applicable during the term of the Agreement, each as may be amended or replaced from time to time.
  9. Personal Data means to the extent such information is made available by or on behalf of Client to Wyllo through the Services: (i) any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular natural person or household; and (ii) “personal data,” “personal information,” and analogous terms, as such terms are defined under applicable Data Protection Laws.
  10. Processing and conjugations thereof means any operation or set of operations which is performed on Personal Data, whether or not by automatic means.
  11. Restricted Transfer means (i) where the GDPR applies, a transfer of Personal Data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Data from the UK to any other country which is not based on adequacy regulations promulgated pursuant to Section 17A of the UK Data Protection Act 2018; and (iii) where the FADP applies, a transfer of Personal Data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner.
  12. Standard Contractual Clauses and SCCs means, collectively: (i) the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as may be updated, amended, or replaced from time to time, and (ii) the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” issued by the UK Information Commissioner under S119A(1) Data Protection Act 2018, as may be updated, amended or replaced from time to time (“UK Addendum”).
  13. Subprocessor means any third-party Data Processor (including without limitation any Wyllo Affiliates) engaged by Wyllo to process Personal Data under the Agreement.
  14. U.S. Data Protection Laws means U.S. federal and state data protection or privacy laws and regulations to the extent applicable to a Party’s Processing of Personal Data including without limitation: California Consumer Privacy Act (CCPA), Virginia Consumer Data Protection Act, Colorado Privacy Act, Connecticut Data Privacy Act, Utah Consumer Privacy Act, Texas Data Privacy and Security Act, Oregon Consumer Privacy Act, and Montana Consumer Data Privacy Act, and other such applicable U.S. laws and regulations regulating the Processing of Personal Data as become applicable during the term of the Agreement, each as may be amended or replaced from time to time.

II. CLIENT OBLIGATIONS

  1. Lawfulness of Data. Client acknowledges and agrees that, as between the Parties, Client is responsible for the collection, accuracy, quality, and lawfulness of Personal Data provided to Wyllo in connection with the Services. Client represents and warrants that: (i) Client will use the Services in compliance with Data Protection Laws, the Agreement, and this Global DPA; and (ii) Client has and shall maintain all rights, licenses, and permissions, has provided all notices, has obtained all consents and authorizations, and has otherwise met all obligations under Data Protection Laws necessary for Wyllo’s Processing of Personal Data in accordance with the Agreement and this Global DPA to comply with Data Protection Laws.
  2. Collection of Personal Data from Client Properties. Without limiting the foregoing, where Client (or Wyllo, with Client’s authorization) implements pixels, cookies, code, or other technical measures on a digital property that cause Personal Data about Data Subjects visiting such property to be transmitted to Wyllo for Processing in connection with the Services (“Collection Mechanisms”), Client shall provide all notices, obtain all consents, and comply with all obligations under Data Protection Laws necessary for the lawful operation of such Collection Mechanisms and Processing of Personal Data by Wyllo in connection therewith.
  3. Client Affiliates. All Affiliates of Client who use the Services or make available Personal Data to Wyllo will comply with the obligations of Client set out in this Global DPA, and Client shall be responsible for ensuring such compliance.

III. DATA SECURITY

  1. Security Measures. Each Party will implement and maintain appropriate technical, administrative, and organizational measures designed to protect against Data Incidents, taking into account the nature and sensitivity of the Personal Data and the risks of Data Incidents with respect thereto. Without limiting the foregoing, Wyllo will (i) implement and maintain safeguards, policies, and procedures designed to detect, prevent, and respond to attacks, intrusions, or other system failures and regularly test or otherwise monitor the effectiveness of the safeguards, policies, and procedures; (ii) designate an employee or employees to coordinate implementation and maintenance of its safeguards, policies, and procedures; and (iii) periodically identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of Personal Data, assess the reasonableness of any safeguards in place to control these risks, and where it deems necessary or appropriate, implement additional or compensating safeguards in its discretion to address such risks.
  2. Personnel and Subprocessors. Wyllo will take reasonable measures to inform its personnel who Process Personal Data of the confidential nature of the Personal Data and ensure they are subject to enforceable obligations of confidentiality with respect to the Personal Data. Wyllo may engage Subprocessors in connection with the provision of the Services and shall enter into a written agreement with each Subprocessor containing data protection obligations with respect to the protection and Processing of Personal Data consistent with the requirements of Data Protection Law and not less protective than this Global DPA.
  3. Data Incidents. Each Party will notify the other without undue delay when it becomes aware of a Data Incident and will take reasonable steps designed to investigate and mitigate the impact of such Data Incident. At Client’s request, Wyllo will provide Client with commercially reasonable assistance necessary to enable Client to notify governmental authorities and/or affected Data Subjects as required by Data Protection Laws. Client shall be solely responsible for complying with data breach notification requirements applicable to Client and fulfilling any third-party notification obligations under Data Protection Laws related to any Data Incident.

IV. U.S. PERSONAL DATA PROCESSING

  1. General. This Section applies with respect to Wyllo’s Processing of Personal Data under U.S. Data Protection Laws.
  2. Wyllo as a Data Processor. Wyllo acts as a Data Processor under U.S. Data Protection Laws (which includes the term “service provider” as defined under the CCPA).
  3. Wyllo Processing of Personal Data.
    • Permitted Processing. Wyllo will Process Personal Data in compliance with the Agreement, this Global DPA, and applicable U.S. Data Protection Laws. Wyllo will Process Personal Data for the limited and specified purposes of providing the Services as instructed by Client through the terms of the Agreement and this Global DPA, performing and exercising its rights under and in compliance with the Agreement and this Global DPA, and as otherwise required to comply with applicable law and/or legal obligation. As part of providing the Services, Wyllo may (i) deidentify or aggregate Personal Data; (ii) obtain Personal Data directly from Client digital properties via Collection Mechanisms; (iii) Process Personal Data for purposes of providing Client support; verifying credentials; extracting usage and service performance information; detecting or protecting against potential fraud, security incidents or other illegal activity; and establishing, exercising or defending legal claims; and (iv) Process Personal Data for developing, building, maintaining and improving Wyllo’s Services, including developing, deriving or compiling data sets, insights, trends, benchmarks, algorithms, models and other analytics used in connection with the provision and improvement of the Services. Client acknowledges and agrees that, in connection with the provision of Services, Personal Data may be combined with data received from other Wyllo clients for purposes of providing the Services to Client and to other Wyllo clients, provided that the Personal Data will not be made available to other Wyllo clients and neither Client nor its Data Subjects will be identified to the extent the Personal Data contributes to the analytical results provided to other Wyllo clients.
    • Prohibited Processing. Wyllo will not, except to the extent expressly instructed by Client or permitted of a Processor by U.S. Data Protection Laws: (i) “sell” Personal Data nor disclose Personal Data to a third party for “cross-context behavioral advertising” or targeted online advertising, as such terms in quotation marks are defined by U.S. Data Protection Laws; (ii) Process Personal Data outside of the direct business relationship between Client and Wyllo; nor (iii) combine Personal Data with other personal data Wyllo obtains from other sources except as necessary to provide the Services and as permitted under U.S. Data Protection Laws.
    • Compliance. Wyllo will comply with U.S. Data Protection Laws, including without limitation by providing the same level of privacy protection for Personal Data as is required of Client under U.S. Data Protection Laws, and shall advise Client if Wyllo determines it can no longer meet its obligations under U.S. Data Protection Laws.
  4. Wyllo Obligations.
    • Client CCPA Rights. To the extent required by the CCPA, Client has the right to take reasonable and appropriate steps, upon prior notice to and in coordination with Wyllo as to such steps, to: (i) ensure that Wyllo Processes Personal Data transferred in a manner consistent with the Client’s obligations under the CCPA through the Audit and Assistance terms below; and (ii) stop and remediate unauthorized use of Personal Data.
    • Subprocessors. Upon request, Wyllo will provide Client with a list of the Subprocessors used in the provision of Services (“Subprocessor List”) and will update the Subprocessor List from time to time. Wyllo will provide notice to Client of a new or replacement Subprocessor by making updates to the Subprocessor List, and Client may object to Wyllo’s use of a new or replacement Subprocessor on reasonable grounds relating to data protection by notifying Wyllo in writing within 10 business days after Wyllo updates the Subprocessor List. If Client objects to a new Subprocessor as permitted in the preceding sentence, Wyllo will use commercially reasonable efforts in its sole discretion to address Client’s objection, make available to Client a change in Services, and/or recommend a change to Client’s configuration or use of Services to avoid processing of Personal Data by the objected-to Subprocessor.
  5. Assistance
    • Data Subject Requests. If Wyllo receives a Data Subject Request or complaint concerning the Processing of Personal Data that specifically identifies or references Client, Wyllo will, to the extent legally permitted, notify Client, and Client shall be responsible for responding to such Data Subject Request or complaint. Wyllo shall not respond to the requestor of any Data Subject Request under U.S. Data Protection Laws except as required of a Processor under such laws. Wyllo will reasonably cooperate with Client to the extent necessary for Client to respond to or comply with a Data Subject Request, and without limiting the foregoing, Wyllo will stop Processing of Personal Data upon Client’s instructions made in response to a valid Data Subject Request. Client shall be responsible for any reasonable costs arising from Wyllo’s provision of any assistance to Client in responding to Data Subject Requests or complaints.
    • Information Requests. Wyllo agrees that it will provide reasonable information and assistance as may be reasonably requested by Client to enable Client to comply with its legal obligations in relation to the Personal Data Processed by Wyllo hereunder. Wyllo will provide information pursuant to this Section only to the extent that the information concerns Wyllo’s Processing of Personal Data and will not violate applicable law, Wyllo’s confidentiality obligations or legal protections, or otherwise undermine the security or integrity of its systems or data. Subject to the foregoing obligations and the Audit provisions below, upon Client’s reasonable request, Wyllo will make available to Client all information in its possession necessary to demonstrate Wyllo’s compliance with U.S. Data Protection Laws.
  6. Audit
    • Independent Audit. To address Client’s audit obligations under U.S. Data Protection Laws, Wyllo may, at its own expense and no less often than annually, arrange for a qualified and independent assessor to assess Wyllo’s policies and technical and organizational measures in support of Wyllo’s Personal Data Processing and protection obligations under U.S. Data Protection Laws using an appropriate and accepted control standard or framework and assessment procedure for such assessments (e.g., SOC 2 Type II) (“Independent Audit”) and provide a summary or report of the most recent Independent Audit in response to Client’s written request.
    • Client Audit. If the Independent Audit is not sufficient to meet Client’s obligations under U.S. Data Protection Laws, Wyllo will allow for and cooperate with reasonable assessments by Client or Client’s designated assessor (“Client Audit”). Any Client Audit conducted under this Global DPA will be conducted: (i) at Client’s sole expense; (ii) no more than once in a given twelve (12) month period; (iii) pursuant to a scope agreed upon by the Parties in advance that, at minimum, is limited to matters specific to Client; (iv) during Wyllo’s ordinary business hours and upon reasonable advance written notice which must be not less than 4 weeks; (v) pursuant to confidentiality and non-disclosure terms reasonably acceptable to Wyllo; and (vi) in a manner which does not interfere with Wyllo’s day-to-day business and operations or involve access to or disclosure of information about other Wyllo clients. Any such Client Audit must be conducted remotely, except Client or its regulatory agency, or both, may conduct an on-site audit at Wyllo’s premises if expressly required by the U.S. Data Protection Laws. In no event will any Client Audit of a Subprocessor, beyond a review of reports, certifications, and documentation made available to Wyllo by the Subprocessor for such use, be permitted without the Subprocessor’s consent.

V. EU/UK/SWISS PERSONAL DATA PROCESSING

  1. General. This Section applies with respect to Wyllo’s Processing of Personal Data under European Data Protection Laws.
  2. Independent Data Controllers. Each Party acts as a separate Data Controller regarding their respective Processing of Personal Data under European Data Protection Laws.
  3. Permitted Processing. Wyllo will Process Personal Data in compliance with the Agreement, this Global DPA, and applicable European Data Protection Laws. Wyllo will Process Personal Data to provide the Services, perform and exercise its rights under and in compliance with the Agreement and this Global DPA, and as otherwise required to comply with applicable law and/or legal obligation. As part of providing the Services, Wyllo may (i) deidentify or aggregate Personal Data; (ii) obtain Personal Data directly from Client digital properties via Collection Mechanisms; (iii) Process Personal Data for purposes of providing Client support; verifying credentials; extracting usage and service performance information; detecting or protecting against potential fraud, security incidents or other illegal activity; and establishing, exercising or defending legal claims; and (iv) Process Personal Data for developing, building, maintaining and improving Wyllo’s Services, including developing, deriving or compiling data sets, insights, trends, benchmarks, algorithms, models and other analytics used in connection with the provision and improvement of the Services. Client acknowledges and agrees that, in connection with the provision of Services, Personal Data may be combined with data received from other Wyllo clients for purposes of providing the Services to Client and to other Wyllo clients, provided that the Personal Data will not be made available to other Wyllo clients and neither Client nor its Data Subjects will be identified to the extent the Personal Data contributes to the analytical results provided to other Wyllo clients.
  4. Assistance
    • Data Subject Requests. Each Party agrees that it will reasonably cooperate with the other Party if it receives a Data Subject Request or complaint concerning the other Party’s Personal Data Processing. Wyllo will, to the extent legally permitted, notify Client if Wyllo receives a Data Subject Request or complaint that specifically references Client. Each Party shall be responsible for any reasonable costs arising from the other Party’s provision of any assistance to such Party in responding to Data Subject Requests or complaints.
    • Information Requests. Each Party agrees that it will provide necessary information as may be reasonably requested by the other Party to enable the other Party to comply with its obligations under applicable European Data Protection Laws in relation to the Personal Data shared between the Parties. Wyllo will provide information pursuant to this Section only to the extent that the information concerns Wyllo’s Processing of Personal Data within Wyllo’s control and will not violate applicable law, Wyllo’s confidentiality obligations, or otherwise undermine the security or integrity of its systems or data.
  5. Restricted Transfers. In connection with the Services, Wyllo and its Subprocessors Process Personal Data in the U.S. and other jurisdictions in which Wyllo or its Subprocessors maintain facilities or systems. To the extent the transfer of Personal Data from Client to Wyllo is a Restricted Transfer and European Data Protection Laws require that appropriate safeguards be put in place with respect to such transfer, such transfer shall be subject to the SCCs, which shall be incorporated by reference into this Global DPA as follows:
    • EEA: For Restricted Transfers of Personal Data that are subject to the GDPR, the SCCs will apply as follows: (i) Module One (controller to controller) will apply; (ii) in Clause 7, the optional docking clause will apply; (iii) in Clause 11, the optional language will not apply; (iv) with respect to Clauses 17 and 18, the SCCs will be governed by the law, and disputes arising from the SCCs shall be brought in the venue, of the competent supervisory authority with jurisdiction over Client as provided in Clause 12; and (v) Annexes I and II of the SCCs will be deemed completed with the information in Appendix A to this Addendum, respectively.
    • UK: For Restricted Transfers of Personal Data that are subject to the UK GDPR, the SCCs: (i) shall apply as completed in accordance with the first bullet point in Section V.5 above; and (ii) shall be deemed amended as specified by the UK Addendum, which shall be deemed executed by the parties and incorporated into and form an integral part of this Addendum. In addition, Tables 1 to 3 in Part 1 of the UK Addendum shall be completed respectively with the information set out in Annexes I and II of this DPA, and Table 4 in Part 1 shall be deemed completed by selecting “Data Importer.”
    • Switzerland: For Restricted Transfers of Personal Information that are subject to the FADP, the SCCs shall apply as completed in accordance with the first bullet point in Section V.5 above, with the following modifications: (i) references to “Regulation (EU) 2016/679” shall be interpreted as references to the FADP and references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the FADP; (ii) references to “EU”, “Union”, “Member State” and “Member State law” shall be replaced with references to “Switzerland”, or “Swiss law”; (iii) the term “member state” shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland); (iv) references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Swiss Federal Data Protection Information Commissioner” and “applicable courts of Switzerland”; and (v) with respect to transfers to which the FADP applies, with respect to Clauses 17 and 18, the SCCs will be governed by the law, and disputes arising from the SCCs shall be brought in the venue, of Switzerland.
    • Replacement Transfer Mechanism. If necessary to lawfully conduct Restricted Transfers, the Parties will work together in good faith to revise or replace the SCCs with a valid and effective mechanism for lawfully conducting Restricted Transfers under European Data Protection Laws.

VI. DATA RETENTION. Wyllo will retain Personal Data only as long as necessary to provide, improve, and develop the Services, and/or to the extent required to establish, exercise or defend against legal claims or comply with legal obligations under applicable law. Any such retained Personal Data shall remain subject to the terms of this Global DPA, which shall survive for so long as such Personal Data is retained, and shall only be Processed for the purpose(s) for which it is retained. Subject to the foregoing, Wyllo will delete or deidentify Personal Data when it is no longer necessary to retain the Personal Data consistent with this Section VI and, where Wyllo acts as a Processor, as required of a Processor under Data Protection Laws upon termination of the Agreement.

VII. MISCELLANEOUS. The term of this Global DPA continues for the duration of the Agreement, and this Global DPA will automatically terminate upon the termination or expiration of the Agreement. If there is a conflict between any or all of the SCCs, this Global DPA, and/or the Agreement, the Global DPA governs, except that (i) the SCCs shall govern with respect to any Restricted Transfers governed thereby; and (ii) in all instances the limitations of liability and waivers and disclaimers of damages in the Agreement apply to this Global DPA. This Global DPA constitutes the entire agreement between the parties with respect to the subject matter hereof, and supersedes all prior or contemporaneous negotiations, agreements, and representations, whether oral or written, related to this subject matter. No modification or waiver of any term of this Global DPA is effective unless both parties sign it.

Appendix A:

Standard Contractual Clauses (Module 1: Controller-to-Controller) Annexes

ANNEX I

A. LIST OF PARTIES

Data exporter(s):

  • Name: As set forth in the Agreement
  • Address: As set forth in the Agreement
  • Contact person’s name, position and contact details: As set forth in the Agreement
  • Activities relevant to the data transferred under these Clauses: Provision of Personal Data to the data importer for Processing to provide, improve, and develop fraud detection and anti-fraud services.
  • Role: Controller

Data importer(s):

  • Name: Wyllo LLC
  • Address: 228 Park Ave S, PMB 17422, New York, New York 10003-1502 US
  • Contact person’s name, position and contact details: Wyllo Chief Financial Officer, privacy@wyllo.ai
  • Activities relevant to the data transferred under these Clauses: Processing of Personal Data from and on behalf of the data exporter to provide, improve, and develop fraud detection and anti-fraud Services.
  • Role: Controller

B. DESCRIPTION OF TRANSFER

Data subjects

Categories of data subjects whose personal data is transferred:

  • Visitors to and customers of the data exporter’s digital properties (e.g., websites, digital applications, and ecommerce platforms).

Categories of personal data

Categories of personal data transferred, to the extent permitted by applicable law:

  • Name; contact information (such as email, shipping and billing address); payment card information; purchase information and history (products or services purchased); activity on data exporter’s digital properties; device information, including device identifiers, device specifications, and device activity and sensor readings; and Internet connection information, including IP addresses.

Sensitive data (if applicable)

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved:

  • Not applicable.

The frequency of the transfer

For example, whether the data is transferred on a one-off or continuous basis:

  • The transfer takes place on a continuous basis under the terms of the Global DPA.

Nature of the processing

  • Collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, access, disclosure by transmission, dissemination, transfer or otherwise making available, alignment or combination, restriction, erasure or destruction.

Purpose(s) of the transfer and further processing

The transfer is made for the following purposes:

  • For the provision, improvement, and development of Wyllo’s Services performed under the Agreement, which include Services that detect, prevent, and address fraud.

Data retention

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

  • As specified in the Global DPA.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 12:

  • The supervisory authority responsible for the supervision of the data processing activities of the data exporter as set forth in the SCCs.

ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

The following lists each category of data security measures together with the Data Importer’s data security measures for that category.

Measures of pseudonymisation and encryption of personal data:

  • Pseudonymization, where possible;
  • Encryption at rest and encryption in transit.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services:

  • Confidentiality arrangements;
  • Information security policies and procedures;
  • Backup procedures;
  • Remote storage;
  • Uninterruptible power supply;
  • Anti-virus/firewall protection, security patch management;
  • Intrusion prevention, monitoring and detection;
  • Availability controls to protect personal data against accidental destruction or loss.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident:

  • Business continuity processes;
  • Disaster recovery processes;
  • Incident response processes.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing:

  • Audit program, reports and documentation;
  • Testing of backup and business continuity processes;
  • Risk evaluation and system monitoring;
  • Vulnerability and penetration testing.

Measures for user identification and authorisation:

  • Internal policies and procedures;
  • User authentication controls, including secure methods of assigning, selecting and storing access credentials and blocking access after a reasonable number of failed authentication attempts;
  • Restricting access to certain users;
  • Access granted based on a need-to-know, supported by protocols for access authorization, establishment, modification and termination of access rights;
  • Logging and reporting systems;
  • Differentiated access rights (profiles, roles, transactions and objects);
  • Monitoring and logging of accesses;
  • Disciplinary action against employees who access personal data without authorization;
  • Reports of access;
  • Access procedure;
  • Change procedure.

Measures for the protection of data during transmission:

  • Encryption in transit;
  • Pseudonymization, where possible;
  • Transport security;
  • Network segregation;
  • Logging;
  • Electronic signatures.

Measures for the protection of data during storage:

  • Encryption at rest;
  • Access controls;
  • Segregation of functions (production/testing);
  • Processes for storage, amendment, deletion, transmission of data for different purposes.

Measures for ensuring physical security of locations at which personal data are processed:

  • Establishing security areas, restriction of access paths;
  • Establishing access authorizations for employees and third parties with a need-to-know;
  • Access control system;
  • Key management, card-key procedures;
  • Door locking;
  • Security staff;
  • Surveillance facilities, video/CCTV monitor, alarm system;
  • Securing decentralized processing equipment and personal computers.

Measures for ensuring events logging:

  • User identification and authentication procedures;
  • ID/password security procedures (special characters, minimum length, change of password);
  • Automatic blocking (e.g., password or timeout);
  • Monitoring of break-in attempts and automatic turn-off of the user ID upon several erroneous password attempts;
  • Encryption and pseudonymization.

Measures for ensuring system configuration, including default configuration:

  • Baseline configuration settings.

Measures for internal IT and IT security governance and management:

  • Information security policies and procedures;
  • Incident response processes;
  • Regular audit: review and supervision of information security program.

Measures for certification/assurance of processes and products:

  • N/A

Measures for ensuring data minimisation:

  • Documentation regarding which data categories need to be processed;
  • Ensure that the minimum amount of data is processed to fulfill the purpose of the processing.

Measures for ensuring data quality:

  • Processes to keep personal data accurate and up to date;
  • Data is corrected upon request or where necessary.

Measures for ensuring limited data retention:

  • Records retention schedule;
  • Data retention policy;
  • Personal data is deleted or irreversibly anonymized after expiration of the retention period.

Measures for ensuring accountability:

  • Internal policies and procedures;
  • Records of data processing activities;
  • Adequate agreements with third parties;
  • Criteria for selecting the processors or sub-processors;
  • Vendor onboarding process and questionnaire;
  • Monitoring of contract performance;
  • GDPR and InfoSec training program.

Measures for allowing data portability and ensuring erasure:

  • Personal data is made available upon request in an electronically portable format using industry standards;
  • Data redaction methods are used, where necessary;
  • Secure disposal of information stored on magnetic and non-magnetic media that prevents potential recovery of the information.

Processors

For transfers to processors, also describe the specific technical and organisational measures to be taken by the processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter:

  • The data importer requires processors to enter into appropriate data processing agreements that include terms required by applicable privacy laws, including security and confidentiality safeguards, assistance obligations, and processing restrictions.

Sensitive data

  • For transfers of sensitive data, the data importer implements additional safeguards such as purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, and restrictions for onward transfers or additional security measures.
  • N/A
