Data Sharing Agreement

Last updated March 11, 2025

This Data Sharing Agreement (this “DSA”) is incorporated into, and is subject to the terms and conditions of, the Agreement between the Merchant that is a party to the Agreement (“Merchant”) and Paymongo Philippines, Inc. and/or Paymongo Payments, Inc. (“PayMongo”) and reflects the parties’ agreement with regard to the sharing and processing of Personal Data. In the course of providing the Services to the Merchant pursuant to the Agreement, Paymongo may process Personal Data (as defined below) on behalf of the Merchant and the parties agree to comply with the following provisions with respect to any Personal Data.

1. Definition of Terms

1.1. “Agreement” means PayMongo’s Terms of Use available at Terms, as updated from time to time, or other written or electronic agreement, which govern the provision of the Services to Merchant, as such terms or agreement may be updated from time to time. 

1.2. “Customer Data” means any Personal Data that PayMongo processes on behalf of Merchant via the Services, as more particularly described in this DSA.

1.3. “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, Customer Data.

1.4. “Disclosing Party” shall refer to any party who discloses personal data to the other party under  this Agreement.

1.5. “End User” shall refer to the Merchant’s clients who transact through the  Merchant’s website and over the channels accepted by Paymongo.

1.6. “Merchant” shall refer to any entity or partner availing the Services from Paymongo. For the avoidance of doubt, this shall also include partners availing of the Services of PayMongo either as a Parent, Child Merchant or Sub-Merchant depending on the specific Paymongo Services availed of.

1.7. “Personal Data” shall refer to personal information or sensitive personal information as defined in the Data Privacy Act, its implementing rules and regulations, and related issuances by the National Privacy Commission (the “NPC”) or any applicable Data Protection Laws.

1.8. “Personal Information Controller” shall refer to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. 

1.9. “Personal Information Processor” shall refer to any natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.

1.10. “Receiving Party” shall refer to any party who receives personal data from the other party under  this Agreement.

1.11. “Services” means all services provided by PayMongo in accordance with, and as defined in, the Agreement which may include but is not limited to payment solutions services, electronic wallets, and onboarding API.

2. Personal Data

2.1. The documents and information that have been or will be provided by the Merchant  to Paymongo in compliance with the requirements of the latter in the review, renewal, and/or  maintenance of the Services in favor of and in providing the  Services to the Merchant may contain Personal Data which shall include, but shall  not be limited to, the information listed in Appendix A. 

2.2. The information from End Users that will be provided by Merchant to Paymongo, in  accordance with the Services to be provided by Paymongo, may contain  Personal Data, which shall include, but shall not be limited to the information listed in Appendix A.  Additional information, which may include Personal Data, will be provided throughout the term  of the Agreement, as long as such information is necessary to facilitate Paymongo's  Services.  

2.3. The information from the End Users that will be provided by Paymongo to the Merchant, in accordance with the Services to be provided by Paymongo, may  contain Personal Data, which shall include, but shall not be limited to the information listed in  Appendix A. 

2.4. The Disclosing Party shall only provide Personal Data for as long as it holds the Personal Data  and is legally able to provide it. In this connection, the Disclosing Party warrants that it has  notified the data subject and has secured the consent of the data subject prior to the sharing  of his/her Personal Data to the Receiving Party, except where such consent is not required for  the lawful processing of Personal Data, as provided by law. 

2.5. When required by law or upon reasonable request of the Receiving Party, the Disclosing Party  shall produce evidence of the consent provided by the data subject with respect to the  processing to be performed under this Agreement. 

3. Purpose of Objectives of Data Sharing

3.1. The sharing of Personal Data under this Agreement shall be for purposes of the Agreement. The Disclosing Party shall grant the Receiving Party access to the Personal Data  described under Appendix A of this DSA, in furtherance of allowing Paymongo to provide  its Services. 

3.2. The Parties acknowledge and agree that, with respect to the processing of Personal Data  pursuant to this DSA, they shall each be a separate and independent Controller for the  purposes of Data Protection Laws and that they shall each independently determine the  purpose and means of processing such Personal Data. 

3.3. Notwithstanding its role set out in Clause 3.2, the Receiving Party shall not use the Personal Data for any purpose other than for purposes of the Agreement.

4. Processing of Personal Data

4.1. The Parties warrant that in their respective capacities as a Disclosing Party, they will not create,  collect, use, store, disclose, or transfer any of the Personal Data except to the extent necessary  to perform their contractual obligations under the Agreement.  

4.2. The Parties further agree that the processing of Personal Data shall be subject to the provisions  of the Data Privacy Act, its implementing rules and regulations, the relevant issuances of the  NPC, and other applicable and relevant laws and regulations and shall comply with the same. 

4.3. The Parties shall each exercise at least the same degree of care as it uses with its own Personal Data and confidential information, but in no event less than reasonable care, to protect the Personal Data from misuse and unauthorized access or disclosure.

4.4. The Parties may process the Personal Data through automated, automatic or electronic means, or through manual or paper-based processing, provided that the Personal Data is contained or is intended to be contained in a filing system.

4.5. The Parties may disclose the Personal Data only: 

  (a) To the extent necessary to enable the Recipient to perform its services;
  (b) To carry out the purposes of the Agreement;
  (c) To authorized persons and third parties;
  (d) With notice to the other party; and
  (e) With the consent of the data subject or when expressly authorized by law.

4.6. With respect to PayMongo, the authorized persons and third parties referred to in clause 4.5(c)  of this Agreement are its authorized employees and the third party service providers listed in  PayMongo's website with URL at https://www.paymongo.com/third-parties. It shall be the  Merchant’s duty and obligation to check the list of third-party service providers at  the Paymongo website for any updates. 

4.7. The Sponsored Merchant warrants that it will not further disclose the Personal Data from Paymongo.

4.8. The parties acknowledge that the data subject retains all his/her rights granted to him/her under  the Data Privacy Act, its implementing rules and regulations, relevant issuances of the NPC,  and other relevant and applicable laws and regulations. 

4.9. Each party shall be responsible for any Personal Data under its control or custody, including  those it has outsourced or subcontracted to a personal information processor. This extends to Personal Data it shares with or transfers to a third party located outside the Philippines, subject  to cross-border arrangement and cooperation.

5. Security Measures

The Parties shall implement appropriate organizational, physical, and technical security measures to protect the Personal Data from misuse and unauthorized access or disclosure. These controls include, but are not limited to, Access Controls, Host Security, Business Continuity Plan, perimeter security, and any other measures reasonably necessary to prevent any use or disclosure of the data other than as allowed under this DSA.

6. Breach and Issue Management

6.1. Within twenty-four (24) hours of becoming aware of any unauthorized use or disclosure of the  Personal Data or any security incident or possible security breach, the Receiving Party shall  promptly report such fact to the Disclosing Party. Both Parties shall, within seventy-two (72)  hours from such occurrence, notify the NPC and the concerned data subjects in accordance  with NPC Circular 16-03 and any applicable data protection law. 

6.2. Upon becoming aware of any unauthorized use or disclosure of the Personal Data or any  security incident or possible security breach, both Parties shall commence their respective  investigations in order to determine its origin. 

6.3. The Receiving Party shall cooperate with the Disclosing Party for any remediation that is  necessary to address any applicable reporting requirements and mitigate any effects of such  unauthorized use or disclosure of Personal Data.

7. Representation and Warranties

7.1. Both parties hereby represent and warrant that they are duly authorized to enter into this  DSA. 

7.2. Neither party is under any restriction or obligation that could affect its performance of its  obligations under this DSA. 

7.3. Neither party’s execution, delivery, and performance of this DSA and the other  documents to which it is a party, and the consummation of the transactions contemplated in  this Agreement, do or will result in its violation or breach of the Data Privacy Act, its IRR and  other issuances of the NPC, and other related and applicable laws, or conflict with, result in a  violation or breach of, constitute a default under, or result in the acceleration of any material  contract.

8. Return, Destruction, or Disposal of Personal Data

8.1. Subject to clause 9, on the expiration or termination of the Agreement, or on the Disclosing  Party’s request, the Receiving Party shall promptly return or destroy the Personal Data and any other property, information, and documents provided by it, including any copies thereof. If  requested, the Disclosing Party may require that the Receiving Party provide a certification  confirming its compliance with the return or destruction obligation under this clause. 

8.2. Upon termination or expiration of this DSA, the Recipient shall cease all further use of  any Personal Data, whether in tangible or intangible form. 

8.3. Notwithstanding anything to the contrary contained in this DSA, the Receiving Party may  retain Personal Data as required by law, regulation, or record retention policies of the Receiving  Party. In such case, the Receiving Party shall continue to keep such Personal Data confidential  and secured in accordance with this DSA and all applicable privacy laws and regulations. 

9. Term and Termination

9.1. This DSA is effective and shall bind the Parties for as long as the Agreement between the Parties is in full force and effect, unless earlier  terminated in accordance with clause 9.3. 

9.2. Considering that this DSA is in reference to the Agreement, the former  shall be renewed together with the latter upon mutual consent of both parties. 

9.3. As long as the rights and welfare of the data subjects will not be prejudiced, each party may  terminate this DSA with immediate effect by delivering notice of the termination to the  other party, if the other party fails to perform, has made or makes any inaccuracy in, or  otherwise materially breaches, any of its obligations, covenants, or representations herein, and  such failure, inaccuracy, and the breach continues for a period of seven (7) days after the  injured party delivers notice to the breaching party, reasonably detailing the breach.

10. Indemnification

10.1. The defaulting party shall indemnify the aggrieved party against all losses and expenses arising  out of: (a) any proceeding brought by either a third party or by the aggrieved party; (b) the  defaulting party’s breach of its obligations, representations, warranties, or covenants under this  DSA; and (c) the defaulting party’s willful misconduct or gross negligence. 

10.2. The defaulting party shall defend, indemnify, and hold the aggrieved party, its affiliates, and  its officers, directors, stockholders, employees, and agents harmless from and against any and  all claims, suits, causes of action, liability, loss, costs, and damages, including attorney’s fees  and costs of litigation, in connection with or as a result of any third-party claim arising from the  defaulting party’s Personal Data breach. 

10.3. In case the Personal Data breach is material and substantial, and such will cause the aggrieved  party irreparable injury for which it would have no adequate remedy at law and for which there  is an urgent and permanent necessity to prevent serious damage, the aggrieved party shall be entitled to immediately seek an injunctive relief prohibiting any violation of this DSA in  addition to any other rights and remedies available to it.

11. Inquiries and Complaints

Data subjects may inquire or request for this DSA or any information regarding any matter relating to the processing of their Personal Data under the custody of the Receiving Party, including the data privacy and security policies implemented to ensure the protection of their Personal Data.

12. General Provisions

12.1. Neither party may assign this Agreement or any of their rights or obligations under this  DSA without the other party’s written consent and notice to the data subjects. 

12.2. No waiver of any provision of this DSA shall be effective unless it is in writing and signed  by the party against which it is sought to be enforced. 

12.3. This DSA shall be governed, construed, and enforced in accordance with the laws of  the Republic of the Philippines. 

12.4. In case of a court suit, the venue shall be the courts of competent jurisdiction in Taguig City to  the exclusion of all other courts subject to prior resort to alternative dispute resolution as herein  prescribed. 

12.5. The Parties agree that this DSA is the complete and exclusive statement of the  agreement between the parties relating to the subject matter of the DSA. This  DSA supersedes all requests for proposals, proposals or other prior agreements, oral or  written, and all other communications between the parties relating to the subject matter hereof.

12.6. If any part of this DSA is declared unenforceable or invalid, the remainder will continue  to be valid and enforceable.

APPENDIX A

Appendix A: PERSONAL DATA

A. APPLICABLE IF MERCHANT WILL ONLY USE PAYMONGO'S API PRODUCT

I. PAYMONGO AS RECEIVING PARTY

Paymongo requires the following documents for purposes of account activation and performance of its services:

Types of Data: Personal Information

Summary/Description:

Paymongo shall require from the Merchant business registration documents such as:

  • Certificate of Incorporation issued by the Securities & Exchange Commission (for Corporations);
  • Articles of Incorporation (or Amended AOI) filed with the Securities & Exchange Commission (for Corporations);
  • By Laws filed with the Securities & Exchange Commission (for Corporations);
  • Certificate of Registration issued by the Securities & Exchange Commission (for Partnerships);
  • Articles of Partnership (for Partnerships);
  • Secretary's Certificate to designate the authorized person to transact with the Recipient and the bank account where payouts will be deposited (for Corporations);
  • Partnership Resolution to designate the authorized person to transact with the Recipient and the bank account where payouts will be deposited (for Partnerships);
  • Valid DTI Registration (for Sole Proprietors);
  • Notarized Affidavit for the purpose of receiving payouts (for Individuals and Sole Proprietors); and
  • Industry-specific licenses or permits.

These business registration documents may include the following personal information:

  1. Name;
  2. Address;
  3. Contact Number;
  4. Email Address;
  5. Position in the corporation; and
  6. Shares owned in the corporation.

Method of Processing: Electronic collection, use, and storage

Types of Data: Sensitive Personal Information

Summary/Description:

Paymongo shall also require the Latest General Information Sheet ("GIS") (for Corporations and Partnerships) and valid government-issued identification card(s) of the designated authorized representative(s).

These requirements may include the following sensitive personal information:

  1. Social security numbers;
  2. Nationality; and
  3. TIN.

Method of Processing: Electronic collection, use, and storage

Paymongo requires the following information in furtherance of Paymongo's Services from the Merchant:

Types of Data: Personal Information

Summary/Description:

Transaction or Payment Details from the End User, such as the following:

  1. Name;
  2. Address;
  3. Email Address;
  4. Contact Number;
  5. Card Details;
  6. Payment Method;
  7. Date of Payment;
  8. Time of Payment; and
  9. Payment Origin.

Method of Processing: Electronic collection, use, and storage

II. MERCHANT AS RECEIVING PARTY

The Merchant requires the following information for purposes of payment confirmation and record purposes:

Types of Data: Personal Information

Summary/Description:

Transaction or Payment Details from the End User, such as the following:

  1. Gross Amount of End User's Payment;
  2. Withholding Tax for End User's Transaction;
  3. Net Amount of End User's Transaction;
  4. Last four digits of End User's Debit/Credit Card Number; and
  5. Expiry month and year of End User's Debit/Credit Card.

Method of Processing: Electronic collection, use, and storage

B. APPLICABLE IF MERCHANT WILL ONLY USE PAYMONGO'S NON-API PRODUCT/S

I. PAYMONGO AS RECEIVING PARTY

Paymongo requires the following documentary requirements for purposes of account activation and performance of its services:

Types of Data: Personal Information

Summary/Description:

Paymongo shall require from the Merchant business registration documents such as:

  • Certificate of Incorporation issued by the Securities & Exchange Commission (for Corporations);
  • Articles of Incorporation (or Amended AOI) filed with the Securities & Exchange Commission (for Corporations);
  • By Laws filed with the Securities & Exchange Commission (for Corporations);
  • Certificate of Registration issued by the Securities & Exchange Commission (for Partnerships);
  • Articles of Partnership (for Partnerships);
  • Secretary's Certificate to designate the authorized person to transact with the Recipient and the bank account where payouts will be deposited (for Corporations);
  • Partnership Resolution to designate the authorized person to transact with the Recipient and the bank account where payouts will be deposited (for Partnerships);
  • Valid DTI Registration (for Sole Proprietors);
  • Notarized Affidavit for the purpose of receiving payouts (for Individuals and Sole Proprietors); and
  • Industry-specific licenses or permits.

These business registration documents may include the following personal information:

  1. Name;
  2. Address;
  3. Contact Number;
  4. Email Address;
  5. Position in the corporation; and
  6. Shares owned in the corporation.

Method of Processing: Electronic collection, use, and storage

Types of Data: Sensitive Personal Information

Summary/Description:

Paymongo shall also require the Latest General Information Sheet ("GIS") (for Corporations and Partnerships) and valid government-issued identification card(s) of the designated authorized representative(s).

These requirements may include the following sensitive personal information:

  1. Social security numbers;
  2. Nationality; and
  3. TIN.

Method of Processing: Electronic collection, use, and storage

II. MERCHANT AS RECEIVING PARTY

The Merchant shall require the following information for purposes of payment confirmation and record purposes:

Types of Data: Personal Information

Summary/Description:

Transaction or Payment Details from the End User, such as the following:

  1. Name;
  2. Address;
  3. Email Address;
  4. Contact Number;
  5. Gross Amount of End User's Payment;
  6. Withholding Tax for End User's Transaction;
  7. Net Amount of End User's Transaction;
  8. Payment Method;
  9. Last four digits of End User's Debit/Credit Card Number;
  10. Date of Payment;
  11. Time of Payment; and
  12. Payment Origin.

Method of Processing: Electronic collection, use, and storage

C. APPLICABLE IF MERCHANT WILL USE PAYMONGO'S API PRODUCT, NON-API PRODUCT/S, SEEDS, AND/OR ONBOARDING API PRODUCTS

I. PAYMONGO AS RECEIVING PARTY

Paymongo requires the following documentary requirements for purposes of account activation and performance of its services:

Types of Data: Personal Information

Summary/Description:

Paymongo shall require from the Merchant business registration documents such as:

  • Certificate of Incorporation issued by the Securities & Exchange Commission (for Corporations);
  • Articles of Incorporation (or Amended AOI) filed with the Securities & Exchange Commission (for Corporations);
  • By Laws filed with the Securities & Exchange Commission (for Corporations);
  • Certificate of Registration issued by the Securities & Exchange Commission (for Partnerships);
  • Articles of Partnership (for Partnerships);
  • Secretary's Certificate to designate the authorized person to transact with the Recipient and the bank account where payouts will be deposited (for Corporations);
  • Partnership Resolution to designate the authorized person to transact with the Recipient and the bank account where payouts will be deposited (for Partnerships);
  • Valid DTI Registration (for Sole Proprietors);
  • Notarized Affidavit for the purpose of receiving payouts (for Individuals and Sole Proprietors); and
  • Industry-specific licenses or permits.

These business registration documents may include the following personal information:

  1. Name;
  2. Address;
  3. Contact Number;
  4. Email Address;
  5. Position in the corporation; and
  6. Shares owned in the corporation.

Method of Processing: Electronic collection, use, and storage

Types of Data: Sensitive Personal Information

Summary/Description:

Paymongo shall also require the Latest General Information Sheet ("GIS") (for Corporations and Partnerships) and valid government-issued identification card(s) of the designated authorized representative(s).

These requirements may include the following sensitive personal information:

  1. Social security numbers;
  2. Nationality; and
  3. TIN.

Method of Processing: Electronic collection, use, and storage

In relation to the use of API Product, Paymongo requires the following information in furtherance of Paymongo's Services to the Merchant:

Types of Data: Personal Information

Summary/Description:

Transaction or Payment Details from the End User, such as the following:

  1. Name;
  2. Address;
  3. Email Address;
  4. Contact Number;
  5. Card Details;
  6. Payment Method;
  7. Date of Payment;
  8. Time of Payment; and
  9. Payment Origin.

Method of Processing: Electronic collection, use, and storage

II. MERCHANT AS RECEIVING PARTY

In relation to the use of the API Product, the Merchant requires the following information for purposes of payment confirmation and record purposes:

Types of Data: Personal Information

Summary/Description:

Transaction or Payment Details from the End User, such as the following:

  1. Gross Amount of End User's Payment;
  2. Withholding Tax for End User's Transaction;
  3. Net Amount of End User's Transaction;
  4. Last four digits of End User's Debit/Credit Card Number; and
  5. Expiry month and year of End User's Debit/Credit Card.

Method of Processing: Electronic collection, use, and storage

In relation to the use of the Non-API Product/s, the Merchant requires the following information for purposes of payment confirmation and record purposes:

Types of Data: Personal Information

Summary/Description:

Transaction or Payment Details from the End User, such as the following:

  1. Name;
  2. Address;
  3. Email Address;
  4. Contact Number;
  5. Gross Amount of End User's Payment;
  6. Fees;
  7. Withholding Tax for End User's Transaction;
  8. Net Amount of End User's Transaction;
  9. Payment Method;
  10. Last four digits of End User's Debit/Credit Card Number;
  11. Date of Payment;
  12. Time of Payment; and
  13. Payment Origin.

Method of Processing: Electronic collection, use, and storage

PAYMONGO PAYMENTS, INC. (PPAY) AS RECEIVING PARTY

PPAY requires the following documents for purposes of account activation and performance of its services:

Types of Data: Personal Information

Summary/Description:

PPAY shall require from the Merchant its business registration documents, such as:

  • Certificate of Incorporation issued by the Securities & Exchange Commission (for Corporations);
  • Articles of Incorporation (or Amended AOI) filed with the Securities & Exchange Commission (for Corporations);
  • By Laws filed with the Securities & Exchange Commission (for Corporations);
  • Certificate of Registration issued by the Securities & Exchange Commission (for Partnerships);
  • Articles of Partnership (for Partnerships);
  • Secretary's Certificate to designate the authorized person to transact with the Recipient and the bank account where payouts will be deposited (for Corporations);
  • Partnership Resolution to designate the authorized person to transact with the Recipient and the bank account where payouts will be deposited (for Partnerships);
  • Valid DTI Registration (for Sole Proprietors);
  • Notarized Affidavit for the purpose of receiving payouts (for Individuals and Sole Proprietors); and
  • Industry-specific licenses or permits.

These business registration documents may include the following personal information:

  1. Name;
  2. Address;
  3. Contact Number;
  4. Email Address;
  5. Position in the corporation; and
  6. Shares owned in the corporation.

PPAY shall require from the Merchant, for record and monitoring purposes and in compliance with the Anti-Money Laundering Act, the following personal information of the authorized user:

  • Full Name; and
  • Address

Method of Processing: Electronic collection, use, and storage

Types of Data: Sensitive Personal Information

Summary/Description:

PPAY shall also require the Latest General Information Sheet ("GIS") (for Corporations and Partnerships) and valid government-issued identification card(s) of the designated authorized representative(s).

These requirements may include the following sensitive personal information:

  • Social security numbers;
  • Nationality; and
  • TIN.

PPAY shall require from Merchant, for record and monitoring purposes and in compliance with the Anti-Money Laundering Act, the following sensitive personal information of the authorized user:

  • Citizenship

Method of Processing: Electronic collection, use, and storage

PPAY requires the following information in furtherance of PPAY's integration and maintenance of an e-wallet in Merchant's systems:

Types of Data: Personal Information

Summary/Description:

Transaction Details such as the following from the recipient of the e-money disbursed by the Merchant:

  • Name of Recipient of E-Money;
  • Address of Recipient of E-Money;
  • Name of Bank/Financial Institution; and
  • Bank Account Number.

Transaction Details such as the following from the sender of e-money to Merchant:

  • Name of Sender of E-Money;
  • Address of Sender of E-Money;
  • Name of Bank/Financial Institution; and
  • Bank Account Number.

Other information is as follows:

  • Amount of the transaction, including the conversion rates (when applicable); and
  • Purpose of the transaction.

Method of Processing: Electronic collection, use, and storage

MERCHANT AS THE RECEIVING PARTY

PPAY shares the following data for its Treasury services to Merchant:

Types of Data: Personal Information

Summary/Description:

PPAY shall share with the Merchant transfer resource data, which may include personal data, such as:

  • Transfer amount
  • Direction
  • Livemode
  • Metadata
  • Provider ("pesonet" or "instapay")
  • Purpose
  • Receiver account number
  • Receiver bank
  • Receiver name
  • Sender account number
  • Sender bank
  • Sender name
  • Status
  • Transfer creation date
  • Transfer update date

dev docs: https://developers.paymongo.com/reference/transfer-resource

Method of Processing: API; Electronic collection, use, and storage