Data Processing Agreement

Last updated: 11 Mar, 2026

1. Definitions and Interpretation

In this Data Processing Agreement (“DPA”), unless the context requires otherwise:

“Adequate Jurisdiction” means a country or territory recognised as providing an adequate level of protection for Personal Data by (i) the European Commission under the EU GDPR, and/or (ii) the Information Commissioner’s Office under the UK GDPR, as applicable.

“Applicable Data Protection Law” means all data protection and privacy legislation applicable to the processing of Personal Data under this DPA, including but not limited to: (a) the EU GDPR (Regulation (EU) 2016/679); (b) the UK GDPR (as defined in the Data Protection Act 2018); (c) the California Consumer Privacy Act (Cal. Civ. Code §1798.100 et seq.), as amended by the California Privacy Rights Act (“CCPA”); (d) any other applicable US state comprehensive privacy law; and (e) any laws implementing or supplementing the foregoing. Reference to ‘law’ in this agreement shall have this meaning.

“Controller” has the meaning given in the EU GDPR (or equivalent term under Applicable Data Protection Law), being the entity that determines the purposes and means of Processing of Personal Data.

“Data Protection Authority” means an independent public authority legally tasked with overseeing compliance with Applicable Data Protection Law.

“Data Subject” means an identified or identifiable natural person whose Personal Data is Processed.

“Dodo Payments” means Dodo Payments Inc. (a Delaware corporation), together with its group entities Dodope Payments Limited (UK) and any other entities that operate under the trade name ‘Dodo Payments,’ as applicable. References to “we,” “us,” or “our” are to Dodo Payments.

“Personal Data” means any information relating to a Data Subject who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that Data Subject.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

“Process” / “Processing” has the meaning given in the EU GDPR (or equivalent term under Applicable Data Protection Law), and “Processed” shall be construed accordingly.

“Processor” has the meaning given in the EU GDPR (or equivalent term under Applicable Data Protection Law), being the entity that Processes Personal Data on behalf of the Controller.

“SCC” or “Standard Contractual Clauses” means the standard contractual clauses annexed to European Commission Implementing Decision (EU) 2021/914, as amended, supplemented, or replaced from time to time.

“Supplier” or “Merchant” means the entity identified as “Supplier” or “Seller” in the MSA that has entered into the Agreement with Dodo Payments, and references to “you” or “your” are to the Supplier.

“Sub-Processor” means any third party (excluding Dodo Payments group entities listed in Annex 3) engaged by Dodo Payments to Process Personal Data on behalf of the Supplier under this DPA.

“Master Service Agreement” or “MSA” means the agreement between Dodo Payments and the Supplier governing the provision of services, as available at dodopayments.com/terms-of-use.

“Agreement” means the MSA, this DPA, the Privacy Policy, and any other terms incorporated by reference, collectively.

“UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (VERSION B1.0) issued by the ICO under Section 119A of the Data Protection Act 2018.

2. Scope and Application

  1. This DPA forms part of the Agreement and supplements the data protection provisions in the MSA. To the extent of any conflict between this DPA and the MSA, solely regarding the Processing and protection of Personal Data, this DPA shall prevail.

  2. By entering into the MSA, the Supplier agrees to this DPA as a legally binding component of the Agreement.

  3. This DPA shall remain in effect for as long as Dodo Payments Processes Personal Data in connection with the Services provided under the Agreement.

  4. This DPA may be amended by Dodo Payments from time to time to reflect changes in Applicable Data Protection Law or Processing activities. Material amendments shall be notified to the Supplier at least thirty (30) days in advance via the email address associated with the Supplier’s account. Continued use of the Services after such period constitutes acceptance of the amended DPA.

3. Roles of the Parties

(1) Dodo Payments as Independent Controller

As the Merchant of Record, Dodo Payments acts as an independent data Controller, to perform the services described in the MSA, in respect of Personal Data collected directly from end customers (buyers) in connection with: transaction processing and payment facilitation; fraud detection and prevention; risk analysis; sanctions screening and regulatory compliance; tax calculation and remittance; chargeback and dispute management; and any other processing necessary for Dodo Payments to fulfil its obligations as the legal seller.

(2) Supplier as Controller

The Supplier acts as Controller for Personal Data relating to its end users in connection with its own products and services, including decisions about what products to offer, marketing, and the Supplier’s own customer relationship management.

(3) Dodo Payments as Processor

To the extent Dodo Payments Processes Personal Data solely on the documented instructions of the Supplier and where Applicable Data Protection Law requires a processor arrangement (for example, providing platform onboarding support, merchant-specific analytics, or transmitting data at the Supplier’s direction), Dodo Payments acts as Processor. The details of such Processing are set out in Annex 1.

(4) No Joint Controller Relationship

Nothing in this DPA creates a joint controller relationship between the parties. Each party shall be independently responsible for its own compliance with Applicable Data Protection Law in respect of the Personal Data for which it is Controller.

(5) Data Subjects and Categories of Personal Data

Data Subjects include customers, end-users, and buyers who interact with the Supplier’s products or services through Dodo Payments. The categories of Personal Data Processed, the nature and purpose of Processing, and the categories of Data Subjects are set out in Annex 1.

4. Obligations of Dodo Payments as Processor

When acting as a Processor on behalf of the Supplier, Dodo Payments shall:

  1. Process Personal Data only on documented instructions from the Supplier, including with regard to transfers of Personal Data outside the EEA or UK, unless required to do so by Applicable Data Protection Law, in which case Dodo Payments shall inform the Supplier of that legal requirement before Processing (unless prohibited by law from doing so);

  2. comply with the conditions for engaging Sub-Processors set out in Section 6;

  3. ensure that engaged Sub-Processors who Process Personal Data are subject to binding confidentiality obligations as set out herein;

  4. implement and maintain appropriate technical and organisational security measures as described in Annex 2;

  5. taking into account the nature of the Processing, assist the Supplier by appropriate technical and organisational measures, to the extent required by law, for the fulfilment of the Supplier’s obligation to respond to Data Subject requests under Applicable Data Protection Law, in accordance with Section 5;

  6. taking into account the nature of the Processing and the information available, assist the Supplier, to the extent required under Applicable Data Protection Law, in carrying out data protection impact assessments pursuant to Article 35 of the EU GDPR (and equivalent provisions under Applicable Data Protection Law), including by: (i) providing relevant information regarding the Processing, security measures, and Sub-Processors; (ii) making available documentation reasonably necessary to assess the risks to Data Subjects; and (iii) providing reasonable cooperation in connection with any prior consultation with a competent supervisory authority pursuant to Article 36 of the EU GDPR;

  7. at the choice of the Supplier, delete or return all Personal Data to the Supplier after the end of the provision of Services, in accordance with Section 10;

  8. to the extent required by applicable law, make available to the Supplier information necessary to demonstrate compliance with this Section 4 and allow for and contribute to audits and inspections, in accordance with Section 11;

  9. without undue delay, inform the Supplier if, in Dodo Payments’ opinion, an instruction given by the Supplier infringes Applicable Data Protection Law. Dodo Payments may suspend performance of the relevant instruction until the Supplier confirms or modifies it.

5. Data Subject Requests

  1. Where Dodo Payments receives a request from a Data Subject in respect of Personal Data Processed on behalf of the Supplier, Dodo Payments shall notify the Supplier within five (5) business days and shall not respond directly to the Data Subject unless: (i) directed to do so by the Supplier; or (ii) required by Applicable Data Protection Law.

  2. Where Dodo Payments acts as an independent Controller (Section 3.1), Dodo Payments shall handle Data Subject requests directly in accordance with its Privacy Policy and Applicable Data Protection Law.

6. Sub-Processing

The Supplier provides general written authorisation for Dodo Payments to engage Sub-Processors to carry out Processing activities on behalf of the Supplier.

  1. Dodo Payments shall inform the Supplier of any intended addition or replacement of Sub-Processors. The Supplier may raise objections on reasonable grounds relating to data protection by written notice to compliance@dodopayments.com within fourteen (14) days of such notification.

  2. Dodo Payments shall impose on each Sub-Processor, by way of a written agreement, data protection obligations no less protective than those set out in this DPA.

  3. Dodo Payments shall remain liable to the Supplier for the acts and omissions of its Sub-Processors to the extent required by Applicable Data Protection Law.

  4. The Supplier acknowledges that Dodo Payments group entities may Process Personal Data in connection with the Services and are deemed approved Sub-Processors under this DPA.

  5. Dodo Payments shall maintain an up-to-date list of Sub-Processors, which shall be made available to the Supplier upon written request.

7. International Data Transfers

  1. Dodo Payments may transfer Personal Data to countries outside the EEA and the UK in connection with the purposes set out in this DPA, including to Dodo Payments group entities and Sub-Processors.

  2. Where Personal Data originating from the EEA is transferred to a recipient outside the EEA that is not in an Adequate Jurisdiction, Dodo Payments shall ensure that one of the following transfer mechanisms applies: (i) the Standard Contractual Clauses (as incorporated below); (ii) the EU-US Data Privacy Framework, to the extent Dodo Payments Inc. maintains a valid self-certification; or (iii) another valid transfer mechanism under Article 46 or a derogation under Article 49 of the EU GDPR.

  3. Where the Standard Contractual Clauses apply, the following modules are incorporated by reference:

    Module 1 (Controller to Controller): applies where both Dodo Payments and the Supplier act as independent Controllers.

    Module 2 (Controller to Processor): applies where the Supplier acts as Controller and Dodo Payments acts as Processor.

    The parties’ details, processing descriptions, and technical measures required to complete the SCC Annexes are set out in Annexes 1 and 2 of this DPA respectively. The competent supervisory authority shall be determined in accordance with Clause 13 of the SCCs.

  4. For transfers subject to UK data protection law, the UK Addendum is incorporated by reference and shall apply to the extent required. The information required to complete Part 1 of the UK Addendum is set out in Annexes 1 and 2 of this DPA. For the purposes of Table 4 of the UK Addendum, neither party may end the UK Addendum in accordance with Section 19 of the UK Addendum.

  5. Notwithstanding Section 13 of this DPA, the SCCs and the UK Addendum shall be governed by the law specified therein.

  6. Where Personal Data originating from the EEA or the UK is transferred to a country that is not an Adequate Jurisdiction and such transfer relies on SCCs or other safeguards as included in Section 7(2), Dodo Payments shall:

    i. conduct and document a transfer impact assessment prior to such transfer;

    ii. implement supplementary technical, organisational, or contractual measures where necessary to ensure an essentially equivalent level of protection; and

    iii. make available to the Supplier, upon reasonable request, a summary of the assessment sufficient to demonstrate compliance with Applicable Data Protection Law.

8. Security and Personal Data Breach

(1) Security Measures

Dodo Payments shall implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or unauthorised access, as required under Article 32 of the EU GDPR (or equivalent provisions under Applicable Data Protection Law). These measures are described in Annex 2 and shall be reviewed and updated as necessary to ensure an appropriate level of security.

(2) Breach Notification

i. In the event of a confirmed Personal Data Breach affecting Personal Data Processed on behalf of the Supplier, Dodo Payments shall notify the Supplier without undue delay and in any event within forty-eight (48) hours of becoming aware of the breach.

ii. The notification shall include, to the extent reasonably available: (1) the nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects and records concerned; (2) the likely consequences of the breach; (3) the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects; and (4) the contact point from whom more information can be obtained.

iii. Where it is not possible to provide all information at the same time, information may be provided in phases without further undue delay.

iv. Dodo Payments shall cooperate with and assist the Supplier in relation to any investigation, mitigation, or remediation of any Personal Data Breach and in meeting the Supplier’s obligations to notify supervisory authorities and Data Subjects under Applicable Data Protection Law.

9. US State Privacy Law Provisions

To the extent that the CCPA or any other US state comprehensive privacy law applies to Dodo Payments’ Processing of Personal Data on behalf of the Supplier:

  1. Dodo Payments shall Process Personal Data only for the specific business purposes set out in this DPA and the Agreement, and shall not Process Personal Data for any purpose other than the performance of the Services or as otherwise permitted by Applicable Data Protection Law.

  2. Dodo Payments shall not Sell or Share (as those terms are defined under the CCPA) any Personal Data received from or on behalf of the Supplier.

  3. Dodo Payments shall not combine Personal Data received from or on behalf of the Supplier with Personal Data that Dodo Payments receives from or on behalf of another person or persons, or collects from its own interaction with a consumer, except to the extent permitted by the CCPA.

  4. Dodo Payments shall provide the same level of privacy protection as required by Applicable Data Protection Law, including the CCPA.

  5. Dodo Payments shall notify the Supplier if it determines that it can no longer meet its obligations under Applicable Data Protection Law, including the CCPA.

  6. The Supplier shall have the right to take reasonable and appropriate steps to help ensure that Dodo Payments uses Personal Data in a manner consistent with the Supplier’s obligations under the CCPA.

  7. Dodo Payments shall assist the Supplier, to the extent required by law, in responding to verifiable consumer requests under the CCPA, including requests to know, delete, and correct Personal Data, and requests to opt-out of sale or sharing.

10. Termination and Data Deletion

  1. Upon termination or expiry of the Agreement, and upon written request from the Supplier, Dodo Payments shall delete or return all Personal Data Processed on behalf of the Supplier within thirty (30) business days, unless retention is required by Applicable Data Protection Law. The Supplier shall provide instructions regarding the return or deletion of data in writing prior to or upon termination.

  2. Dodo Payments may retain Personal Data to the extent necessary to: (i) comply with legal or regulatory obligations; (ii) establish, exercise, or defend legal claims; or (iii) prevent fraud. Any retained data shall be subject to the protections of this DPA and shall be Processed only for the purpose(s) for which retention is required. Dodo Payments shall delete such retained data as soon as the applicable retention ground ceases to apply.

  3. Upon request, Dodo Payments shall provide the Supplier with written certification of deletion.

11. Audit Rights

  1. Upon reasonable written request, and to the extent required by Applicable Data Protection Law, Dodo Payments shall make available to the Supplier information necessary to demonstrate compliance with this DPA.

  2. Dodo Payments shall allow for and contribute to audits and inspections conducted by the Supplier or an independent third-party auditor mandated by the Supplier, subject to the following conditions:

    1. audits shall be limited to once per twelve (12) month period, unless a Personal Data Breach has occurred or a supervisory authority requires additional audits;

    2. audits shall be conducted during normal business hours with at least thirty (30) days’ written notice;

    3. auditors shall be subject to confidentiality obligations no less protective than those in the Agreement;

    4. on-site audits shall be conducted only where a remote or documentary audit is insufficient to demonstrate compliance, or where required by a competent supervisory authority;

    5. the Supplier shall bear its own audit costs, unless the audit reveals material non-compliance by Dodo Payments, in which case Dodo Payments shall bear reasonable audit costs.

  3. Where Dodo Payments holds a valid, current certification (such as SOC 2 Type II or ISO 27001) or has completed an audit by a qualified third party within the preceding twelve (12) months, Dodo Payments may provide such report or certification to the Supplier in satisfaction of an audit request, provided that the scope adequately addresses the Supplier’s concerns.

12. Liability

  1. Each party shall be responsible for its own acts and omissions and those of its personnel in connection with this DPA.

  2. Subject to Section 12(3), liability under this DPA shall be governed by the liability provisions of the MSA.

  3. Nothing in this DPA or the MSA shall limit either party’s liability: (i) for breaches of Applicable Data Protection Law to the extent that such limitation is prohibited by law; (ii) for fraud or fraudulent misrepresentation; or (iii) for any liability that cannot be limited by law.

13. Governing Law and Jurisdiction

  1. This DPA shall be governed by and construed in accordance with the law specified in the MSA (the laws of the State of Delaware, USA), and subject to the same jurisdiction and dispute resolution provisions.

  2. Notwithstanding the foregoing, the SCCs shall be governed by the law of the EU Member State specified therein, and the UK Addendum shall be governed by the laws of England and Wales, in each case to the extent required for their validity.

14. Contact

For data protection matters arising under this DPA, the Supplier may contact Dodo Payments at: support@dodopayments.com. For Sub-Processor objections: compliance@dodopayments.com.

15. Survival

Sections 1 (Definitions), 8 (Security and Personal Data Breach), 9 (US State Privacy Law Provisions), 10 (Termination and Data Deletion), 11 (Audit Rights), 12 (Liability), 13 (Governing Law), and this Section 15 shall survive the termination or expiry of the Agreement.

Annex 1: Details of Processing

(This Annex also serves as Annex I to the Standard Contractual Clauses and Part 1, Table 2 of the UK Addendum.)

A. List of Parties

Data Exporter (Supplier/Merchant)
  Name: The entity identified as the “Supplier” or “Merchant” in the applicable Master Services Agreement with Dodo Payments Inc.
  Address: The address provided by the Supplier in the applicable Master Services Agreement or account registration process.
  Contact: The contact details provided by the Supplier in the applicable Master Services Agreement or account registration process.
  Role: Controller

Data Importer (Dodo Payments)
  Name: Dodo Payments Inc.
  Address: 8, The Green, STE A Dover, County of Kent, Delaware 19901, United States
  Contact: compliance@dodopayments.com
  Role: Processor (for processing described below) / Independent Controller (as set out in Section 3.1)

B. Description of Processing

Subject matter: Provision of platform services, onboarding support, merchant analytics, and related services under the Agreement.

Duration: The term of the Agreement, plus any period during which Dodo Payments retains Personal Data in accordance with Section 10.

Nature of Processing: Collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment or combination, restriction, erasure, and destruction.

Purpose of Processing: Provision of Services under Supplier instructions; platform administration; analytics and reporting to the Supplier; customer support at Supplier’s direction.

Categories of Data Subjects: End customers (buyers); Supplier personnel and authorised users.

Categories of Personal Data: Identification data (name, email address, user ID); contact data (billing address, phone number); transaction metadata (order IDs, amounts, timestamps, currency, payment method type); online identifiers (IP address, device identifiers, browser type); commercial information (purchase history, subscription status); support communications (tickets, chat transcripts); and any other Personal Data necessary to perform the Services.

Sensitive data (if any): None anticipated. If Sensitive Personal Data is Processed, the parties shall agree to additional safeguards in writing.

C. Competent Supervisory Authority

For EEA transfers: the Autoriteit Persoonsgegevens (Netherlands). For UK transfers: the Information Commissioner’s Office (ICO). The competent supervisory authority shall be determined in accordance with Clause 13 of the Standard Contractual Clauses.

Annex 2: Technical and Organisational Measures

(This Annex also serves as Annex II to the Standard Contractual Clauses.)

Dodo Payments implements the following technical and organisational security measures, which are informed by and consistent with the controls validated during its PCI DSS v4.0.1 assessment. These measures are reviewed and updated periodically to maintain an appropriate level of security in accordance with Article 32 of the EU GDPR.

Encryption and Cryptographic Controls: Personal Data is encrypted in transit using TLS 1.2 and TLS 1.3 protocols for all communications with connectors, processors, and end-user applications. Personal Data at rest, including stored cardholder data within the Dodo Payments secure vault, is encrypted using strong cryptographic algorithms (e.g., AES-256) in encrypted and hashed formats. Encryption keys are managed through a dedicated key management system with defined key lifecycle procedures including generation, distribution, storage, rotation, and destruction. Manual cleartext cryptographic key-management operations are not performed by personnel. Disk-level or partition-level encryption is not used to render Primary Account Numbers (PAN) unreadable; instead, field-level encryption and tokenisation are applied.

Access Control: Role-based access control (RBAC) is enforced with least-privilege principles across all systems processing Personal Data. Unique identification is assigned to all personnel with access to system components. Multi-factor authentication (MFA) is required for access to the cardholder data environment and all administrative access. A compensating control is in place for Requirement 8 as noted in the AOC. Access privileges are reviewed on a regular basis to ensure appropriateness. Third parties are not provided direct access to the scoped environment, and no service providers have remote access into the cardholder data environment. There are no system or application accounts with interactive login capabilities within the scoped environment.

Network Security: Network security controls, including firewalls (AWS WAF), intrusion detection and prevention systems (Suricata), and network segmentation, are implemented to isolate and protect systems processing Personal Data. The cardholder data environment is hosted on Amazon Web Services (AWS) in the Mumbai ap-south-1 region, utilising AWS infrastructure including EC2 instances (Amazon Linux 2), RDS, CloudFront, Internet Gateway, NAT Gateway, AWS S3, AWS Elasticache, and AWS Load Balancer (ELB). No segmentation is employed to reduce the scope of the assessment; the entire environment is in scope (as confirmed in the AOC Part 2c). Wireless networks are not present in the environment. Regular vulnerability scanning and penetration testing are conducted. External penetration testing identified no exploitable vulnerabilities or security weaknesses.

Secure System Configuration: Secure configurations are applied to all system components in accordance with industry-accepted hardening standards. Vendor-supplied defaults for system passwords and security parameters are changed before deployment into the production environment. System components are maintained with current security patches and updates.

Malware Protection: Anti-malware solutions (ClamAV) are deployed on all system components within scope to protect against malicious software. Anti-malware mechanisms are kept current, actively running, and generating audit logs. All system components within scope are considered at risk for malware, and protections are applied accordingly. Removable electronic media is not used in the scoped environment.

Secure Software Development: A secure software development lifecycle (SDLC) is maintained, incorporating security considerations at each phase of development. Public-facing web applications are protected against common attacks. Automated technical solutions (e.g., web application firewalls via AWS WAF) are deployed to detect and prevent web-based attacks. Custom application code is reviewed through automated static and dynamic analysis tools and security testing before deployment. Manual code review is not used in the scoped environment. Changes to system components are managed through a formal change management process.

Logging and Monitoring: Centralised logging of access to and actions on systems containing Personal Data is implemented using Wazuh for security information and event management (SIEM), along with AWS monitoring services. Audit logs are retained for a sufficient period to support forensic investigations and are monitored for anomalous or suspicious activity. Automated mechanisms are used to perform audit log reviews as required under PCI DSS Requirement 10.7.2.

Incident Response: A documented incident response plan is in place with defined roles, responsibilities, escalation procedures, and post-incident review processes. The incident response team is trained, and response drills are conducted periodically. In the context of this DPA, Personal Data Breach notification is provided to the Supplier within forty-eight (48) hours of becoming aware of a confirmed breach, as set out in Section 8(2).

Physical Security: All data processing infrastructure is hosted at AWS data centres, which are certified to SOC 2 and ISO 27001 standards, with physical access controls, surveillance, and environmental safeguards. Point-of-interaction (POI) devices are not used in the environment; all transactions are card-not-present. Physical media is not used to store cardholder data or Personal Data.

Data Backup and Recovery: Regular automated backups are performed with tested restoration procedures. Backups are encrypted and stored in geographically separate locations within the AWS infrastructure. Business continuity and disaster recovery plans are maintained and tested regularly.

Vendor and Sub-Processor Management: Third-party service providers that manage system components or could impact the security of the cardholder data environment are identified, assessed for security posture, and monitored on an ongoing basis. Current third-party service providers include: Amazon Web Services, Inc. (cloud hosting), Airwallex (payment processor), Stripe (payment processor), and Cashfree (payment processor). Written agreements are maintained with each Sub-Processor imposing data protection obligations no less protective than those in this DPA, consistent with Section 6.

Employee Security and Awareness: Background checks are conducted for personnel with access to Personal Data and cardholder data. Mandatory data protection and security awareness training is provided upon hire and annually thereafter. Confidentiality obligations are included in employment contracts. Personnel with access to the cardholder data environment are limited, and unique identification is enforced for all access.

Data Minimisation and Retention: Processing is limited to Personal Data strictly necessary for the specified purposes. Sensitive authentication data (e.g., CVV) is not stored electronically after completion of transaction authorisation. Automated data lifecycle management policies are applied to ensure timely deletion of Personal Data in accordance with Section 10 of this DPA. When card data is stored at the customer’s request for future use, only card numbers and expiry data are retained in encrypted and hashed formats within the secure vault. Tokenisation is used to replace card details with non-sensitive tokens for subsequent transactions.

Tokenisation: Dodo Payments implements tokenisation to protect stored cardholder data. When a customer opts to save card details for future use, the card data is encrypted and stored in a secure vault, and a unique token is generated linking the stored card to the customer and merchant. For subsequent transactions, temporary tokens are generated from the stored token, and masked card details are presented for customer selection. Card details are decrypted only at the point of transaction processing and transmitted securely via HTTPS with TLS 1.2/1.3.

Security Certifications and Assessments: Dodo Payments Inc. has been assessed as compliant with PCI DSS v4.0.1 as a Service Provider (Level 1 Report on Compliance), with the assessment completed on October 31, 2025. The assessment was conducted by ControlCase (QSA Certificate No. 204-435), led by Alok Kumar Keshri. The assessment scope covered Payment Orchestrator and Merchant of Record services, classified under Payment Gateway/Switch. A full assessment was completed with all applicable requirements assessed. All twelve PCI DSS principal requirements and their applicable sub-requirements were found to be “In Place” or “Not Applicable,” resulting in an overall Compliant rating. Copies of the Attestation of Compliance (AOC) may be provided to the Supplier upon reasonable written request, in satisfaction of audit rights under Section 11 of this DPA.