Privacy at Nayax

NAYAX DATA PROTECTION ADDENDUM

This Data Protection Addendum (“DPA”), as well as the provisions of the agreement between Nayax and Customer (“Agreement”), govern the transfer and Processing of Personal Data between NAYAX and the Customer. Any capitalized terms that are used herein and not defined herein shall have the meaning ascribed to such terms in the Agreement.

Please, review our Privacy Policy in order to learn more regarding the precautions we take in order to ensure the protection of personal data as well as to comply with applicable privacy and data protection legislation.

  1. DEFINITIONS

    1. The terms “Personal Data,” “Processor,” “Controller,” and “Processing,” “Special Categories of Personal Data,” shall have the meaning ascribed to such terms in the GDPR. The terms “Business,” “Business Purpose,” “Consumer,” “California Consumer,” “Service Provider” and “Sell” or “Sale” shall have the meaning ascribed to them in the CCPA. The term “Personal Data” as used herein shall also mean and refer to “Personal Information” as such term is defined in the CCPA.
    2. Authorized User” means an individual who is authorized by Customer to use the Payment Services, to whom Customer has provided a sub-account, and/or to whom Customer has provided user credentials – identification and password enabling access to the Customer Account. Authorized Users may include, for example, employees, consultants, contractors and agents of Customer.
    3. CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et. Seq.
    4. Customer Account” shall have the meaning ascribed to such term in Section 3.
    5. Customer’s End-Users” means Customer’s end-users and consumers.
    6. Data Protection Law” means any and all applicable privacy and data protection laws and regulations (including, where applicable, the GDPR and the CCPA) as may be amended or superseded from time to time.
    7. Data Subject” means a natural person regarding whom Personal Data or Personal Information is Processed and shall also mean and refer to a “Consumer” under the CCPA.
    8. End-User Data” means any and all Personal Data that is provided to the Customer by the Customer’s End-Users.
    9. GDPR” means EU General Data Protection Regulation (Regulation 2016/679).
    10. Payment Services” means the provision of NAYAX Unit and/or services associated with vending machines’ operation, and/or cashless payment services, including services provided by NAYAX via its designated system.
    11. Platform” shall have the meaning ascribed to such term in Section 3.
    12. Standard Contractual Clauses” mean the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR and were adopted by the European Commission Decision 2021/914 on June 4, 2021, which are attached herein by linked reference: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN
  2. DATA PROCESSING

    1. The parties acknowledge that in relation to all End-User Data, Customer shall be regarded as the Controller of End-User Data, and NAYAX shall be regarded and is acting as a Processor of the End-User Data on behalf of the Customer. For the purposes of the CCPA (and to the extent applicable), Customer is the Business and Nayax is the Service Provider. Without derogating from the above, it is hereby clarified that in addition to Nayax’s capacity as a Processor of the End-User Data, Nayax is also a Controller of certain Personal Data related to the Customer, such as (without limitation) Personal Data related to Customer’s Authorized Users or other employees and personnel of the Customer, to the extent provided. Any Personal Data Processed by Nayax as a Controller shall be used and processed in accordance with Nayax’s Privacy Policy available below and is not governed by this DPA which governs solely the Processing of Personal Data by Nayax as a Processor.
    2. NAYAX will Process Personal Data on behalf of Customer as specified in Appendix A attached hereto.
    3. NAYAX will Process Personal Data on behalf of Customer for the purposes included in its Privacy Policy.
  3. CUSTOMER ACCOUNT MANAGEMENT

    1. In order to use the Services, including the DCS (“Platform”), a designated Customer account will be created by Nayax for the use of the Customer and its Authorized Users ( “Customer Account”). Customer will be required to select a username and password and use a 2 factor authentication application in order to use the Platform. Customer may create sub-accounts and grant access authorizations to the Customer Account solely to its Authorized Users. Each of the Authorized Users will be required to select a username and password in order to access and use their sub-account in the Customer Account. Customer is solely responsible for setting-up applicable permissions and sub-accounts on the Platform for each of its Authorized Users.
    2. Customer acknowledges that under applicable laws access authorizations to systems containing Personal Data, including the Platform, should only be granted on a need-to-know basis, may require ongoing monitoring of access authorizations and should be used by Authorized Users only. Customer may need to remove Authorized Users who no longer have a “need to know” with respect to the Platform as a part of such monitoring, such as any of Customer’s former employees. Customer hereby undertakes to comply with applicable laws in this context.
    3. In order to create and use the User Account, Customer and any Authorized Users on its behalf, must be at least 18 years old, and will be required to provide certain Personal Data, such as their name and contact information. All such information provided must be truthful, and accurate and up-to-date. Customer undertakes that it and its Authorized Users will not, and will not enable others, to use any access authorizations in deviation of the specific authorization granted or by anyone who is not the Authorized User, and not to share their authorizations with any other person or third party. If Customer’s or its Authorized Users’ information provided during the Platform registration process changes at any time, Customer undertakes to update such information on the Customer Account or as otherwise instructed to do so by NAYAX.
    4. Customer hereby represents and warrants that it: (i) is solely responsible for Authorized Users’ compliance with this DPA, any applicable agreement with NAYAX, the Terms and Conditions, and any applicable laws and regulations; (ii) is solely responsible for the accuracy, quality and legality of any information provided by it or its Authorized Users; (iii) is solely responsible for its use and the Authorized Users’ use of the Payment Services and the Platform; (iv) will use appropriate efforts to prevent and detect unauthorized access to or use of the Payment Services and the Platform and notify Nayax of any such unauthorized access or use immediately upon discovery; and (v) will use the Payment Services and the Platform only in accordance with this DPA, the Terms and Conditions and applicable laws.
    5. For the avoidance of doubt, Nayax does not and cannot control or monitor the management of the Customer Account and use of the Platform by Customer and its Authorized Users, and Customer is solely and fully responsible for such management and use.
    6. In the event Customer or its Authorized Users violate any of the terms of this DPA, NAYAX may suspend or terminate the Customer Account or suspend or terminate Customer or its Authorized Users’ access to the Platform.
  4. REPRESENTATIONS AND UNDERTAKINGS OF THE PARTIES

    1. The Parties shall each implement appropriate technical and organizational measures to ensure a level of security appropriate for the risks to Personal Data.
    2. The security measures implemented by Nayax are further detailed in ANNEX II. Customer confirms that it has reviewed and approves such measures.
    3. NAYAX represents and warrants that NAYAX’s employees, authorized by NAYAX to Process Personal Data on behalf of Customer, are committed to customary confidentiality undertakings and privacy and data protection obligations, or are otherwise under appropriate statutory obligations of confidentiality.
    4. NAYAX shall only Process Personal Data on behalf of Customer, pursuant to the instructions as set forth herein and in accordance with the Agreement.
    5. Customer undertakes that Customer shall Process Personal Data only as lawful and compliant with applicable law and that it will comply with applicable Data Protection Law, specifically with regards to the lawful basis principal for Processing Personal Data under the GDPR and the CCPA (if applicable).
    6. Customer acknowledges that NAYAX may not have any direct interaction with Customer’s End-Users, and therefore, Customer agrees that it is solely responsible to inform Customer’s End-Users of the Processing of End-User Data, including by NAYAX. To that end, Customer undertakes to notify its End-Users that Nayax’ acts as a Processor of Personal Data on behalf of Customer, and include in such disclosure a link to Nayax’ Privacy Policy.
    7. Customer further represents that Customer has all required authorizations to disclose Personal Data to NAYAX, including, procuring an affirmative act of consent from End-Users in the event Customer is required to do so in accordance with applicable Data Protection Law. Furthermore the Customer shall maintain all necessary notices and uphold any and all privacy requirements under applicable Data Protection Law that it will need in order to Process Personal Data in accordance with the terms of this DPA.
    8. Customer shall not disclose to NAYAX any Data that is considered Special Categories of Personal Data.
    9. NAYAX will delete or return to the Customer, any of Customer’s Personal Data and the End-User Data after the termination or expiration of the Agreement, unless permitted or required to retain it under applicable law.
  5. INSTRUCTIONS

    1. Customer hereby instructs NAYAX to Process, on behalf of Customer, Personal Data, in connection with the Payment Services to Customer, and as set forth under Article 28(3) of the GDPR solely for the purposes and in accordance with the terms specified herein and in the Agreement and for the pursuit of a Business Purpose as set forth under the CCPA. Notwithstanding the above, in the event NAYAX is required under applicable laws to Process End-User Data, other than as instructed by the Customer, NAYAX shall make reasonable efforts to inform the Customer of such requirement prior to Processing such End-User Data, unless prohibited under applicable law from doing so.
    2. Notwithstanding the above, NAYAX will not be obligated to perform any instruction which in NAYAX’s determination, is in violation of applicable law.
  6. AUDITS

Upon Customer’s reasonable request, NAYAX will provide Customer with relevant documentation or records (which may be redacted to remove confidential commercial information) which will enable it to verify NAYAX’s compliance with its data protection and security obligations under the terms of this DPA. NAYAX shall supply such documentation to Customer within thirty (30) days from its receipt of such request in writing.

  1. DATA SUBJECTS’ RIGHTS AND AUTHORITY REQUESTS

    1. Customer shall have the sole liability to comply with its obligations in connection with the rights and freedoms of Data Subjects pursuant to applicable laws. It is therefore hereby agreed, that in the event NAYAX receives a request from a Data Subject or an applicable authority in respect of the Personal Data Processed by NAYAX on behalf of the Customer, where relevant and unless otherwise required under applicable law, NAYAX will direct the Data Subject or the applicable authority to the Customer in order to enable the Customer to respond directly to the Data Subject’s or the applicable authority’s request, unless otherwise required under applicable laws.
    2. NAYAX shall make reasonable commercial efforts to assist the Customer, in the fulfilment of the Customer’s obligations to respond to Data Subjects’ request to exercise their rights, to the extent permitted under Data Protection Law.
  2. NO SALE OF PERSONAL DATA

It is hereby agreed that any sharing of Personal Data between the parties is done solely in order to fulfill a Business Purpose and NAYAX does not receive or process any Personal Data in consideration for the Payment Services. As such, the Processing of such Personal Data shall not be considered a Sale under the CCPA.

  1. CUSTOMER’S PERSONNEL DATA RIGHTS

Nayax will Process certain Personal Data regarding Customer’s personnel interacting with Nayax in relation to the Payment Services. Such Processing will be done in accordance with NAYAX’s Privacy Policy and User Rights Policy. undertakes to inform its personnel of such Processing and refer them to the above mentioned policies.

  • Customer’s personnel have certain rights with respect to their Personal Data as further explained in Nayax’s Privacy Policy. Customer undertakes to inform its personnel regarding any Processing activities conducted by Nayax, including referring them to Nayax’s Privacy Policy for further information.
  1. SUBPROCESSING AND TRANSFER OF PERSONAL DATA TO THIRD PARTIES

    1. Customer hereby grants NAYAX express authorization to engage with third party data Processor’s (“Sub-Processors”) for the provision of the Payment Services, as determined by NAYAX in NAYAX’s reasonable determination. A list of NAYAX’s Sub-Processors can be found here, as may be updated from time to time by Nayax (“Authorised Sub-processors”).
    2. Customer represents that it has reviewed and approves the transfer of its Personal Data to the third parties listed in the list of Authorised Sub-processors. Customer confirms that Nayax will update the list of Authorised Sub-processors from time to time, and Customer agrees to review the list periodically to review any updates and modifications. In the event that Customer has an objection to the transfer of its Personal Data to any third party listed in the list of Authorised Sub-processors, Customer will provide written notification to Nayax, specifying the relevant third party and the grounds for the objection. Following the receipt of such notification, Nayax may either: (i) replace the relevant third party in relation to sub-processing of Customer’s Personal Data; or, if such replacement is not practical (ii) terminate the Agreement by written notification to Customer.
    3. Customer acknowledges that certain third parties with which Nayax shares Personal Data in the framework of providing the Customer with the Payment Services, may be considered as a Controller under the GDPR or under the applicable credit card scheme, or a Business under the CCPA. In relation to such third parties, Customer confirms that they have separate and independent responsibility to Process Personal Data in compliance with applicable Data Protection Laws, and that Nayax will not be liable for such entities’ Processing activities and their compliance with applicable Data Protection Laws.
    4. NAYAX may also share Personal Data with its affiliated companies in the Nayax group, as reasonably required to conduct its business and provide Customer with the Payment Services.
  2. INTERNATIONAL TRANSFERS OF DATA

    1. Customer acknowledges and agrees that in order to be provided with the Payment Services the parties shall transfer and Nayax may access and Process Personal Data form territories different than those where the data was collected. In the event the Processing includes transferring of Personal Data which is subject to GDPR to a country outside the EEA, that has not received an adequacy decision from the European Commission, and where no exemptions under Article 49 of the GDPR apply (“Restricted Transfer”), the following shall apply:
      1. In order to maintain the integrity, security and confidentiality of Personal Data, a Restricted Transfer shall be subject, in addition to the terms of this DPA, to the terms and obligations of the Module II of the Standard Contractual Clauses in which event Nayax shall be deemed as the Data Importer and the Customer shall be deemed as the Data Exporter.
      2. The purpose and description of the transfer are detailed in ANNEX I.
      3. The Customer further agrees that where Nayax engages a Sub-Processor, in accordance with Section 10 above for carrying out specific processing activities (on behalf of the Customer) and those processing activities involve a transfer of Personal Data within the meaning of Chapter V of the GDPR, Nayax and the Sub-Processor can ensure compliance with Chapter V of GDPR by using Standard Contractual Clauses in which event Nayax shall be deemed as the Data Exporter and the respective Sub-Processor shall be deemed as the Data Importer. For the purposes of such engagement, Nayax and the Sub-Processor will enter into Module III of the Standard Contractual Clauses.
      4. For the sake of clarity and without derogating from Section 2.1 above, to the extent that Nayax acts as a Controller of Personal Data, any Restricted Transfer shall be governed by the terms and obligations of Module II of the Standard Contractual Clauses in which event Nayax shall be deemed as the Data Exporter and its respective Processors shall be deemed as the Data Importers.
      5. Customer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Standard Contractual Clauses, all Subject to Clause 13 of the Standard Contractual Clauses.
      6. The parties agree that subject to Clause 17 and 18 of the Standard Contractual Clauses, the Standard Contractual Clauses shall be governed by the laws of the Lithuania dispute arising from Standard Contractual Clauses shall be resolved by the courts of Lithuania, without giving rise to any conflict of laws principles included therein. Notwithstanding the above, subject to Clause 18 the Standard Contractual Clauses, a Data Subject may also bring legal proceedings against the parties before the courts of the Member State in which he/she has his/her habitual residence.. Notwithstanding the above, subject to Clause 18 the Standard Contractual Clauses, a Data Subject may also bring legal proceedings against the parties before the courts of the Member State in which he/she has his/her habitual residence.
      7. Specifically for EU-US Transfers: Following Schrems II, Case No. C-311/18, and related guidance from Supervisory Authorities, including the European Data Protection Board, the parties acknowledge that supplemental measures may be needed with respect to EU-U.S. data transfers where Personal Data of the Customer may be transferred and Processed in the US. The Customer acknowledges and warrants that Customer’s EU operations involve merely ordinary commercial services, and any EU-U.S. transfers of Personal Data contemplated by this DPA involve ordinary commercial information, which is not the type of data that is of interest to, or generally subject to, surveillance by U.S. intelligence agencies. Accordingly, Nayax acknowledges that it will not provide access to Customer’s Personal Data to any US government or intelligence agency, except where under Nayax’s sole discretion and legal counsels advice it is necessary under the US law or a valid and binding order of a government authority (such as pursuant to a court order). In any such case, Nayax will attempt to redirect the law enforcement agency to request the data directly from the Customer. Unless Nayax is legally prohibited from doing so, in any such case Nayax will: (1) give the Customer a notice of the demand no later than 7 days after such demand is received to allow the Customer to seek recourse or other appropriate remedy to adequately protect the privacy of Data Subjects who are EEA residents; and (2) in any event, provide access only to such Customer’s Personal Data as is strictly required by the relevant law or binding order (having used reasonable efforts to minimize and limit the scope of any such access), as determined solely by Nayax’s legal advisors.
    2. Customer shall bear the sole responsibility of obtaining and documenting all necessary consents from Data Subjects for the transferring of such Personal Data, if required to do so under applicable law.
  3. NOTIFICATIONS

    1. NAYAX shall notify Customer in writing in the event that it becomes aware of a data breach that affected Customer’s Personal Data or End-User Data, and/or as otherwise required under applicable law. NAYAX’s notification regarding or response to a data breach shall not be construed as an acknowledgment by NAYAX of any fault or liability with respect to such data breach. NAYAX will take any necessary steps to contain, remediate and minimize the effects of the data breach and co-operate with the Customer with respect to the handling of such data breach (as applicable and necessary).
    2. NAYAX may disclose Data to law enforcement, regulatory or other government agencies, or third parties, if NAYAX reasonably believes that such disclosure is necessary to comply with a judicial proceeding, court order, or a legal process.
  4. LIABILITY AND INDEMNIFICATION

Customer will indemnify, and hold harmless NAYAX, and its officers, directors, employees, successors, and agents, from all damages and liabilities (including, without limitation, reasonable attorneys’ fees and legal expenses), resulting from any claim by a third party (including supervisory authorities) that arises out of a violation of the Customer’s representations and/or obligations under this DPA or applicable laws.

  1. TERM

The term of this DPA shall continue until the termination or expiration of the engagement between NAYAX and Customer.

  1. GENERAL TERMS.

    1. Some of the above Sections shall be in force only in the event the GDPR or the CCPA (as applicable) applies to the Processing of Personal Data pursuant to this DPA.
    2. In the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail. For the avoidance of doubt, in the event Standard Contractual Clauses apply, the terms of the Standard Contractual Clauses shall prevail over those of this DPA. Except as set forth herein, all of the terms and conditions of the Agreement shall remain in full force and effect.
    3. NAYAX may amend this DPA from time to time, and make the amended DPA available to Customer.
    4. In the event this DPA is translated into a different language other than English and in the event there are any discrepancies between the English version of this Agreement and the translated versions, the English version of this DPA shall prevail.

ANNEX I: DETAILS OF PROCESSING AND TRANSFERRING OF PERSONAL DATA

This ANNEX I includes certain details of the Processing of Personal Data as required by Article 28(3) GDPR and the transferring Personal Data subject to the Standard Contractual Clauses.

  1. LIST OF PARTIES:
  • Data Exporter details (i.e., Customer):

The identity and contact details of the Customer shall be the same as indicated in the Agreement.

Activities relevant to the data transferred under these Clauses: Data Processing for the performance of the Agreement.

Signature and date: Signature of the Agreement and the DPA incorporated therein, shall be deemed to constitute signature and acceptance of the Standard Contractual Clauses incorporated herein, including their Appendices.

Role (Controller/processor): Controller.

Data Exporter details (i.e., Nayax):

Nayax’s contact details shall be the same as indicated in the Agreement.

Activities relevant to the data transferred under these Clauses: Personal Data Processing for the performance of the Agreement.

Signature and date: Signature of the Agreement and the DPA incorporated therein, shall be deemed to constitute signature and acceptance of the Standard Contractual Clauses incorporated herein, including their Appendices.

Role (Controller/processor): Processor.

    1. DESCRIPTION OF TRANSFER
      1. Subject matter and duration of the Processing of Personal Data

The subject matter and duration of the Processing of the Personal Data are set out in Section 2 of this DPA.

      1. The nature and purpose of the Processing of Personal Data

NAYAX will be providing Customer with Payment Services which involve the processing of Personal Data. The scope of the Payment Services is set out in the Agreement, and the Personal Data will be processed by NAYAX in order to provide the Payment Services to Customer and to comply with the terms of the Agreement and this DPA.

      1. The types of Personal Data to be processed and transferred [Review and update in accordance with the specific transaction]
      • Customer’s contact person’s full name and contact details;
      • The following information will be collected regarding Customers in connection with KYC and AML checks: if the Customer is an individual or if Customer is a legal entity then regarding its shareholders: personal identification number, date of birth, country of residence, citizenship, confirmation of whether the Customer or a shareholder is a politically engaged person, email address, phone and mobile number, snapshot of the Customer’s or the relevant signatory’s face, 5 second video of his/her face, copy of identification document;
      • Customer’s and/or Customers’ Authorized Users IP addresses, device identifiers.
      • Customer’s Authorized Users’ contact information, such as name, email, phone number, etc.
      • Customer’s End-Users’ personal data related to the processing of payments and the provision of the Payment Services to Customer, including name and contact details, billing information, purchase history, approximate and precise location.
      1. The categories of Data Subjects to whom the Personal Data relates
      • Customer (to the extent the Customer is an individual)
      • Customers’ shareholders;
      • Customers’ Authorized Users;
      • Customers’ End-Users
      1. Sensitive data processed or transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measure:
      • N/A
      1. The obligations and rights of Customer

The obligations and rights of Customer are set out in the Agreement and this DPA.

      1. The processing operations carried out in relation to the Personal Data

Collection, recording, hosting, organizing, adapting, analyzing, retrieving, sharing with Sub-Processors, structuring, storing, deleting, in each case for the purposes of providing the Services to Customer, the scope of which are set out in the Agreement and this DPA.

      1. The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis).
      • Continuous
      1. For transfers to sub- processors, also specify subject matter, nature and duration of the processing
      • [fill in]
      1. Competent Authority in accordance with Clause 13 of the Standard Contractual Clauses
      • The Competent Authority of the shall be in accordance with Clause 13 alternatives.

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES

Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons:

      • Measures of pseudonymisation and encryption of personal data

Data in transit is transferred by a secured protocol (HTTPS encryption),

Data in transit from device to server and vice versa  is encrypted AES 128.

Data at reset is encrypted AES 256.

      • Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

Nayax is implementing strong authentication, multiple replicated sites for full redundancy, all security tools that are implemented are reviewed\updated regularly and the Information security is continuously improving\updating the security settings\policy.

      • Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

Nayax has 3 on-premise data centers over the world that are fully replicated, in addition Nayax has an off line DR data center.

      • Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

Nayax’s production environment is undergoing an external penetration testing once a year and all vulnerabilities that are found are fixed urgently, in addition Nayax is performing regular quarter internal vulnerability scans and all vulnerabilities that are found fixed according to the severity of the findings.

      • Measures for user identification and authorization

Access to DB is limited to small group of employees, that are identified by strong authentication (Complex password, certificate on the laptop and 2FA).

Every access to the DB is logged and alert is sent to the DBA manager.

Access to DB in non-working hours is verified by phone call to the employee.

Access to DCS is authenticated by MFA and strong complex password.

      • Measures for the protection of data during transmission

Data is transferred by encrypted range (HTTPS encryption)

      • Measures for the protection of data during storage

Data in storage is encrypted (AES 256) and the encryption keys are kept separately.

Access to the DB is limited to small group of employees.

Every entry and action on the DB is logged and monitored.

      • Measures for ensuring physical security of locations at which personal data are processed

All Nayax data centers are located in secured facilities that are PCI DSS certified.

The office is located in a secure building (watchman 24/7), access to the building is limited only for employees from the building, access to the office is only by personal RFID of the employee (every access is logged) there are CCTV 24/7 and an alarm system.

      • Measures for ensuring events logging

All security logs are monitored by SIEM/SOC service 24/7.

Security logs are stored for 2 years.

      • Measures for ensuring system configuration, including default configuration

Nayax is performing a review of all system’s configuration every quarter and updating the settings if needed.

      • Measures for internal IT and IT security governance and management

There is a formal information security policy that is updated and approved by the board annually.

The policy is implemented and all security stuff are reporting to the company CISO.

      • Measures for certification/assurance of processes and products

Nayax has 2 certifications:

      1. ISO 27001
      2. PCI-DSS Level 1
      • Measures for ensuring limited data retention

All data and information is stored and kept according to the regional law.

      • Measures for allowing data portability and ensuring erasure

The organization is aligned with the privacy laws (GDPR and Israeli privacy Law) every request of data erasure is reviewed DPO and taken care according to the relevant privacy law.

action / 9 - action, cancel, close, delete, exit, remove, x icon