Data processing
A summary of our data processing terms (GDPR Art. 28). The full DPA is available for countersignature — ask and it arrives the same day.
Last updated: 2 July 2026
Roles
For order metadata and end-customer data flowing through your store's agent channel, you are the controller and NeuralPay acts as your processor. For your own account data, we are the controller (see the privacy policy).
What we process as your processor
- Order metadata: items, quantities, amounts, currency, shipping country/postcode.
- Agent verification records: operator identity, signature validity, timestamps.
- No cardholder data — payment credentials never reach NeuralPay.
Where
Production data is hosted in the European Union. Sub-processors are bound by Art. 28 contracts; where any processing occurs outside the EEA, standard contractual clauses apply.
Current sub-processors
- Cloud infrastructure & database hosting (EU regions)
- Transactional email delivery
- Error monitoring (EU data residency)
The named, current list ships with the DPA and account holders are notified 30 days before any addition.
Security measures
Encryption in transit (TLS 1.2+) and at rest, role-based access with hardware-key MFA for production systems, audit logging, and documented incident response with notification without undue delay (and within 72 hours where Art. 33 applies). Details in the security overview.
Deletion & return
On termination, service data is deleted within 30 days, excepting records we must retain by law (e.g. invoices). Deletion is confirmed in writing on request.
Request the full DPA: contact@neural-pay.com.