Terms & Policies
Global Online GDPR Centre
Last updated: 8 June 2022
Welcome to the Airwallex Global Online GDPR Centre
Airwallex is committed to protecting the privacy of everyone who engages with our platform. We also value the importance of transparency with respect to our privacy practices.
We created this Airwallex Privacy Center to help you find answers to frequently asked questions about how we collect and use personal data, the rights that individuals have in relation to personal data held by Airwallex, and how Airwallex complies with international data protection laws, such as the General Data Protection Regulation (GDPR) of the UK and EU.
This content is not legal advice, has been published for your general information purposes only, may not be exhaustive or current and may be amended from time to time without notice to you.
What is the GDPR?
The GDPR is the data protection regulation that gives individuals more control over their personal data. The European Union (EU) and United Kingdom (UK) have separate but similar versions of the GDPR.
Under the GDPR, organisations must take great care when processing personal data. Organisations must ensure there is a legal basis for every data processing activity and they must tell people how and why data is used. Individuals also have greater rights under the GDPR, and organisations must be accountable for all processing.
In addition, certain requirements must be satisfied before EU / UK individuals’ personal data may be transferred outside the EU or the UK, unless the organisation receiving the personal data is located in a permitted jurisdiction white listed by the European Commission or UK government. The list of white listed permitted jurisdictions may be found on the European Commission’s website here or the UK government website here.
What is personal data?
Personal data is any information that is related to an identified or identifiable natural person (e.g. you), such as your name, email address, username, ID, bank account number, card details, telephone number, personnel number, number plate, appearance, customer number or address. The definition under the GDPR is broad, and can include information that could be used indirectly and/or with other information to identify a natural person – such as device identifiers or IP address.
What does ‘processing’ mean in this context?
Processing means any operation that is performed on personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Who does the GDPR apply to?
The GDPR applies to any data processor or data controller in the EU or UK that processes personal data, as well as any data processor or data controller outside the EU or UK that processes the personal data of individuals in the EU or UK residents where the processing activities are related to:
- offering goods or services to data subjects in the EU or UK (even if those goods or services are provided free of charge); or
- monitoring the behaviour of individuals taking place in the EU or the UK.
Is Airwallex acting as a data controller or a data processor?
We can be either or both, depending on the exact context of the data processing.
A “data controller” is the entity that determines the purposes and means of the data processing taking place, i.e. the main decision maker that exercises overall control over the data processing. For example, a data controller would make decisions on what types of personal data to collect and for what purpose(s).
A “data processor” is an entity that acts on behalf of and at the direction of a data controller in processing personal data. As the data processor is acting on the instructions of the data controller, it does not exercise control or decision making over the processing of personal data.
Data controllers and data processors have different responsibilities under the GDPR – for example, controllers are in charge of identifying a lawful purpose or legal basis, and must facilitate individual rights requests.
Airwallex is a data controller where we decide the purposes and means of the data processing taking place. Such data processing activities include (among other things):
- providing the Airwallex products and services;
- developing new, or enhancing existing, products;
- providing customer support;
- monitoring, detecting and preventing fraudulent activities on our platform; and
- complying with the legal and regulatory obligations that apply to Airwallex.
Under the above, Airwallex decides what personal data needs to be collected in order to pursue these actions, hence it is acting as a data controller in respect of these activities.
Airwallex is a data processor where we are given personal data by a third party (e.g. a business partner or service provider) and where we follow another party’s instructions on how to process personal data. In this case, Airwallex would not exercise control over how the personal data is to be processed.
What ‘lawful purpose’ or ‘legal basis’ does Airwallex rely on to process personal data?
Airwallex relies upon a number of legal grounds to process personal data.
What rights do I have over my data?
Who are Airwallex’s processors and sub-processors and how are they evaluated?
In circumstances where we are acting as a data controller, it may be necessary for us to provide personal data to our affiliates or third parties, in which case that affiliate or third party will usually be acting as an independent data controller (this means personal data is shared with another controller entity who processes the data for their own independent purposes). Airwallex also uses data processors or (where we ourselves act as a data processor) subprocessors to provide services to Airwallex such as technology and payment processing services. We make sure we have appropriate safeguards in place to protect any personal data that is processed, including through contractual obligations.
Before a particular data processor or sub-processor is engaged, Airwallex vets and evaluates that data processor or sub-processor through our vendor management program. As required under the GDPR, we enter into a contract with each data processor or sub-processor before sharing data with the data processor or sub-processor. All potential vendors are also vetted and approved through Airwallex’s information security review process before we use their services. This means we investigate their security standards, check their certifications, etc., before we consider sharing any data.
We have set out in the below table examples of where the above will occur:
|Third party service providers||We engage a variety of service providers to enable us to provide our Services to you. For example, service providers may be used to: facilitate payment processing, support technology or infrastructure, cloud storage, conduct market research, marketing analytics, detect fraud, verify identity and perform audits or other functions. We will share your personal information with such service providers only to the extent necessary to allow the performance of their intended engagement. All service providers and business partners that receive your personal information are contractually bound to protect and use your information only in accordance with this Policy.|
|Our corporate affiliates||To facilitate or support us in providing our Services to you, we may share your personal information within our worldwide corporate family of companies among entities that are related by common control or ownership. All related group companies may only use your personal information in accordance with this Policy.|
|Enterprise Partners||Our Services may be offered to you in conjunction with or facilitated by other financial institutions or other enterprise (an “Enterprise”). Such Enterprises may have access to your personal information but only to the extent required to enable use by you of such products.|
|Regulatory Authorities: regulators, judicial authorities and law enforcement agencies, and other third parties for safety, security, or compliance with the law.||There are circumstances in which we are legally required to disclose information about you to authorities, such as to comply with a legal obligation or processes, address issues relating to security or fraud, or protect our users. These disclosures may be made with or without your consent, and with or without notice, in compliance with the terms of valid legal process such as a subpoena, court order, or search warrant. We are usually prohibited from notifying you of any such disclosures by the terms of the legal process. We may seek your consent to disclose information in response to a governmental entity’s request when that governmental entity has not provided the required subpoena, court order, or search warrant. We may also disclose your information to: enforce our User Agreement or other applicable agreements or policies, including investigation of any potential violation thereof; detect, prevent or otherwise address security, fraud or technical issues; protect our rights, property, privacy, or security, or that of others, as permitted by law; or comply with applicable law, legal process or governmental orders.|
|Other Authorised Parties||If you provide your consent, we may share your information including your personal information with a third party not defined in this Policy. Such disclosure will only be carried out in the manner described to you at the time you agreed to the sharing. Authorising a third-party application or website to access your Airwallex account or participating in certain promotional activities constitutes such consent to share your information.|
For your reference, we have listed below Airwallex’s typical third party processors and sub-processors:
|Vendor||Data||Purpose of processing||Country of primary contracting entity|
|i2c||User data and user's customers' data||Transaction processing, card issuing and maintenance||United States|
|Google Cloud Platform||User data and user's customers' data||Cloud service provider||United States|
|Alibaba Cloud Platform||User data and user's customers' data||Cloud service provider||Hong Kong|
|Zendesk||User data and information provided to Airwallex support by users||Customer support services||United States|
|Trulioo Information Services||User data and User's customers' data||User identity verification and fraud detection||Canada|
|Refinitiv||User data and User's customers' data||User identity verification and fraud detection||United Kingdom|
|Visa||User data and User's customers' data||Transaction processing, card issuing, and maintenance||United States|
|Mastercard||User data and User's customers' data||Card payment acquiring||United States|
|Megaport||Encrypted data shared between cloud providers||Network connectivity between cloud providers||United States|
|Cloudflare||User data and User's customers data||Network security and anti-DDoS||United States|
|Valitor||User data and User's customers data||Card payment acquiring||Iceland|
|Splunk||Airwallex platform analytics and User data||Platform analytics, outage detection, and security monitoring||United States|
|Limited User data and internal data||Document creation and processing, mail provider||United States|
|Zoom Video Communications||User data, insofar as that is shared in spoken word between the conversing parties, or recorded on the system||Video conferencing system||United States|
|Idemia||Cardholder name, PAN, CVV, expiration date, shipping address||Printing the cards for issuing||United States / Australia|
|Concentrix||Customer data||Customer service support function||Philippines|
|Salesforce||User data||Customer relationship management platform which stores User contact information as well as supporting information about the business relationship||United States|
|New Relic||Airwallex platform analytics||Platform analytics and outage detection||United States|
|Sumologic||Airwallex platform analytics||Platform analytics and outage detection||United States|
|Equinix||User data||Hardware data centre services||United States|
|Hubspot||User data||Customer relationship management||United States|
What is a Data Processing Agreement and how can I get one with Airwallex?
A Data Processing Agreement (DPA) is a contract between a data controller and a data processor, which sets out the roles and responsibilities of the parties when personal data is processed. The GDPR sets out requirements that a DPA must satisfy in order to be compliant, including guarantees around security and that the processor will only act on our instructions. We have made our template DPAs available to our users. You may access our Data Processing Agreement here and our Data Sharing Agreement here, or you can request one using the contact details set out under the relevant heading below.
International data transfers
The information presented below is for general information purposes only and is not legal advice. As rules surrounding international data transfers may vary across jurisdictions, please consult with your own legal counsel to familiarise yourselves with the requirements that govern your specific situations.
How does Airwallex deal with international data transfers?
Airwallex uses a set of Standard Contractual Clauses (SCCs) published by the European Commission for cross-border data transfers (in the form of a legal contract) to provide a legal mechanism to transfer EU or UK personal data outside of the EEA/UK/Switzerland. These are required under European and UK data protection laws and are incorporated into our agreements.
Airwallex continues to adopt appropriate measures to ensure an adequate level of protection of personal data transferred outside the UK, EEA and Switzerland. Our measures include the SCCs to accommodate international data transfers, as well as a range of technical and organisational measures (described in more detail under the relevant heading below).
Airwallex’s technical and organisational measures
We apply technical and organisational measures to protect the security of personal data. These include an information security management system aligned with ISO27001 and SOC2 Type II as described below:
● A.5: Information security policies
Airwallex has implemented security policies and standards that are constantly reviewed in line with the overall direction of the organisation’s information security practices. Risk assessments are performed on a regular basis and agreed mitigating controls are included in the policies, standards and procedures to address security globally.
● A.6: Organization of information security
Airwallex’s information security policies and standard assign responsibilities for information security related tasks. It ensures that the organisation has established a framework that can adequately implement and maintain information security practices within the organisation supported by senior leadership.
● A.7: Human resource security
Airwallex ensures individuals are screened before employment, makes sure that employees and contractors understand their responsibilities and addresses their responsibilities when they no longer hold that role – either because they’ve left the organisation or changed positions.
● A.8: Asset management
Airwallex identifies, classifies information assets to define the appropriate level of defence required and defines appropriate protection responsibilities for them. Endpoints are hardened, protected and monitored to help prevent the unauthorised disclosure, modification, removal or destruction of sensitive data.
● A.9: Access control
Policies and procedures for logical security are formally established and documented. User accounts belonging to Airwallex’s employees and contractors are approved, added, modified, or disabled in a timely manner and are reviewed on a periodic basis.
● A.10: Cryptography
Airwallex deploys industry standard encryption technologies to protect business data and confidential information at rest and in transit and applies proper key management to the protection of its cryptographic keys.
● A.11: Physical and environmental security
Airwallex offices have implemented rigorous physical and environmental controls for its security. Airwallex uses security certified GCP and Aliyun data centers and follows its Supplier relationship management process and controls.
● A.12: Operations security
Airwallex applies management controls, operation controls and technological controls to protect business data and confidential information to provide for sustainable operation of business and application systems. Endpoints are protected against malware to mitigate the risk of infections, critical systems are logged and monitored, systems are hardening following CIS Benckmarks, periodically tested via automatic and manual means.
● A.13: Communications security
Airwallex networks are managed and controlled in order to protect information within systems and applications. Airwallex uses technology to perform endpoint verification, has implemented firewalls to segregate environments, has clear segregation between production and non-production environments, access control lists, 2 factor authentication (i.e. software and hard token). Airwallex has also implemented strict endpoint controls for employees connecting to public networks (e.g. WFH arrangements) to consider the increased risk levels and to manage these risks. Airwallex also monitors its platforms to detect any anomalies that may present a threat to the company.
● A.14: System acquisition, development and maintenance (13 controls)
Airwallex has implemented a DevSecOps model and embedded security into the SDLC. It has integrated the security, availability and confidentiality into product design, and provides related functions to meet the user entities’ requirements on security, availability and confidentiality. It has applied a secured change management process which encapsulates secure coding, configuration, scanning, patching monitoring and frequent testing.
● A.15: Supplier relationships (5 controls)
Before onboarding Subprocessors, Airwallex conducts an audit of the security and privacy practices of Subprocessors to ensure Subprocessors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. Once Airwallex has assessed the risks presented by the Subprocessor, then subject to the engagement requirements the Subprocessor is required to enter into appropriate security, confidentiality and privacy contract terms.
● A.16: Information security incident management
Security incidents and unauthorized disclosures of customer data are communicated to customers, relevant legal and regulatory authorities, and others as required by law, contract, or at the advice of legal counsel, as per defined in the information security management and data breach standards.”
● A.17: Information security aspects of business continuity management
Airwallex has established corresponding service cycles and service availability commitments to provide high availability of user entities’ business and systems.
● A.18: Compliance
Airwallex has implemented compliance processes to guarantee it addresses internal requirements, such as policies and standards, and with external requirements, such as laws and regulations and contractual requirements to mitigate the risks of non-compliance and the penalties that come with that.
Your rights and choices
● Airwallex information security team: [email protected]
● Airwallex privacy team: [email protected]