DEFINITION OF TERMS
The capitalized terms used herein which are defined in the Terms and Conditions shall have the respective meanings assigned to them in the Terms and Conditions except as otherwise provided herein or unless the context otherwise requires. In addition to the definitions in the Terms and Conditions, the following definitions apply:
- GUI refers to the Graphical User Interface.
- Remittance Activities refer to activities relating to the transfer of funds, or the movement of funds or monetary instruments from the sender or originator to a receiver or beneficiary locally and/or internationally.
- User’s Clients refer to specific senders and corresponding receivers for whose benefit, the User avails of Services under the Terms and Conditions and these
GENERAL POLICY
The User is permitted to use the PDAX Account in order to conduct international Remittance Activities for User’s Clients. You may only use these Services if you are specifically permitted to do so by PDAX. PDAX may promulgate operational guidelines to govern Remittance Activities and related activities, which shall be deemed incorporated into, and shall form part of, these Remittance Rules.
CERTIFICATION
For some Users covered by these Remittance Rules, Digital Assets or Fiat Currency transferred to, or withdrawn from, the PDAX Account, constitute an aggregated sum composed of various sums pertaining to the User’s Clients. In these cases, the User hereby undertakes to execute a sworn certification in compliance with Applicable Laws and Rules, certifying that:
- the User has conducted, is conducting, and will continue to conduct, the prescribed identification procedures for the User’s Clients in accordance with the Applicable Laws and Rules, and the User’s own Money Laundering/Terrorist Financing Prevention Program (MLPP), including face-to-face contact, personal interviews, and/or such Information and Communications Technology (“ICT”) methods permitting customer identification in a similar manner, to validate the existence and establish the ultimate identity of the User’s Clients;
- if the standards of the country where the User is operating have User’s Clients’ identification process requirements which are less stringent than those of the Republic of the Philippines, the User shall follow the standards of the Republic of the Philippines, specifically with respect to customer due diligence, record keeping obligations, and the requirements prescribed in: (i) the AMLA and its implementing rules and regulations; (ii) Part Nine of Q-Regulations (Anti-Money Laundering Regulations) of the Manual of Regulations for Non-Banks Financial Institutions (MORNBFI), as may be amended from time to time; and (iii) related issuances of the BSP including but not limited to BSP Circular No. 706, as amended by BSP Circulars No. 950 and No. 1022 and as may be further amended from time to time (collectively, “Philippine AML/CTF laws”);
- upon request, the User shall inform PDAX of: (i) the jurisdictions where it has material operations; (ii) the nature of its business and reputation; (iii) the entities responsible for, and the quality of, its supervision, regulation, and monitoring; and (iv) any money-laundering or terrorist financing investigation or regulatory action which it may have been involved in;
- the User has measures in place to conduct due diligence and record-keeping requirements in relation to the User’s Clients in accordance with all requirements of all regulations enforced by the regulatory bodies of all jurisdictions where it operates;
- the User has conducted, and continues to conduct the required screening of its users against established sanctions lists, i.e. the “Specially Designated Nationals and Blocked Persons” list maintained by the Sanctions Authorities, or any similar list maintained by, or public announcement of Sanctions designation made by them, including, the “Specially Designated Nationals and Blocked Persons” list maintained by the OFAC, the Consolidated List maintained by the UNSC, the Consolidated List of Financial Sanctions Targets and the Investment Ban List maintained by HMT, those designated by the ATC, or any similar list maintained by, or public announcement of Sanctions designation made by any of the Sanctions Authorities;
- the User has not, does not, and will not endorse or allow access to PDAX’s Services any of the User’s Clients who is a positive match in any of the aforementioned sanctions lists;
- the User has not, at any time, been reprimanded, cited, or subjected to regulatory examination or other similar actions on account of unsatisfactory, insufficient, or inadequate Anti-money Laundering/Counter-Terrorist Financing policies, procedures or practices;
- upon request, the User undertakes to provide PDAX with the identification documents of all of the User’s Clients, including senders and receivers without delay. The User warrants that it has secured the consent of the User’s Clients to share such information; and
- the User permits PDAX to conduct periodic KYC reliance and MLPP (or equivalent MLPP procedures) account reviews as PDAX deems fit, and undertakes to provide additional documentation as may be necessary to fully accomplish reviews without delay.
The User acknowledges that PDAX has full discretion to terminate its Services in case of fraud, misconduct, misrepresentation, or breach of the foregoing certifications; breach by the User or the User’s Clients of Applicable Laws and Rules, including but not limited to the AMLA, or other related rules and regulations promulgated by the BSP; or to protect the legitimate interests of PDAX.
LETTERS OF INSTRUCTION
- The User may send remittance instructions via GUI, a set of APIs provided by PDAX (hereinafter referred to as “PDAX API”) or, if necessary, execute a letter, or any other written or digital document that will contain: (i) process flow for quotes for and acceptance of conversion rates; (ii) the Parties’ respective authorized sender(s) and receiver(s); (iii) Authorized Communication Channels for Quotes and acceptance; and (iv) authorized accounts for the transfer and remittance of Fiat Currency and Digital Assets (hereinafter referred to as “Letters of Instruction”).
- The User hereby irrevocably authorizes PDAX to act in accordance with and upon the instructions and orders given in accordance with the Letters of Instruction, unless otherwise amended. Should there be any conflict between the Letters of Instruction and any oral or written agreement between the parties, the Letters of Instruction shall be controlling.
- When Letters of Instruction are sent by letter or other written or digital document, the parties must signify their conformity with the Letters of Instruction before it becomes binding.
- PDAX’s forms and other documents, including but not limited to, account opening forms and whitelisting forms may supplement or take the place of Letters of Instruction.
INDEMNITY AND LIMITATIONS OF LIABILITY
In addition to Section 17 (Limitation of Liability) and Section 18 (Indemnity) of the PDAX Terms and Conditions, applicable Platform Rules and unless as otherwise provided in a separate written agreement, User agrees to fully defend, hold harmless, and indemnify PDAX or the PDAX Group from and against all claims, disputes, settlements, awards, damages, losses, expenses and costs (including legal costs) suffered or incurred by PDAX or the PDAX Group, in connection with or arising from:
- any dispute between or among the User, the User’s Clients, and any entity to which the User may be related to or associated with through the use of the Services covered by these Remittance Rules;
- any claim, demand, or suit that may be instituted by the User’s Clients, or by any entity to which the User may be related to or associated with through the use of the Services covered by these Remittance Rules, against PDAX; and
- any claim, demand, or suit between the User and its credit providers.
FEES
You may be charged additional fees for availing of this Service, which fees shall be communicated to you in writing before you are charged.
PERSONAL DATA PROTECTION
The User shall abide by all Applicable Laws and Rules in relation to personal data processing and the Privacy Policy.
To the extent that PDAX could potentially process the Personal Data of the User’s Clients to facilitate Remittance Activities as defined herein, the User may be required to execute a notarized Data Outsourcing Agreement with PDAX to ensure compliance with Applicable Laws and Rules, in substantially the following form:
- Term – The Data Outsourcing Agreement shall have the duration indicated in the DOD, as defined below.
- Adherence to the Data Privacy Act of 2012 – The Parties hereby adhere to the DPA, recognizing the importance of appropriate privacy protections for data subjects.
- Definitions
- DOD refers to the Data Outsourcing Details, to be executed separately by the Parties, which contains the subject matter of processing, duration of processing, purposes of processing, Data Subjects and Personal Data types, geographic location of processing, and details of sub-contracting to third-parties.
- Personal Information refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
- Sensitive Personal Information refers to personal information:
- About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
- About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;
- Issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
- Specifically established by an executive order or an act of Congress to be kept classified.
- Personal Data refers to personal information, sensitive personal information, and privileged information.
- Processing refers to any operation or any set of operations performed upon Personal Data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may be performed through automated means, or manual processing, if the Personal Data are contained or are intended to be contained in a filing system.
- Data Outsourcing refers to the disclosure or transfer of Personal Data by a Personal Information Controller to a Personal Information Processor.
- DPA refers to the Republic Act 10173, also known as, Data Privacy Act of 2012, its Implementing Rules and Regulations, and the issuances of the National Privacy Commission.
- Data Protection Officer refers to any individual designated by the Personal Information Controller or Personal Information Processor who is accountable for compliance with the DPA.
- Data Subject refers to an individual whose personal, sensitive personal, or privileged information is processed.
- Security Incident refers to an event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity and confidentiality of Personal Data. It includes incidents that would result in a Personal Data breach, if not for safeguards that have been put in place.
- Personal Data Breach refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed. A Personal Data breach may be in the nature of:
- An availability breach resulting from loss, accidental or unlawful destruction of Personal Data;
- An integrity breach resulting from alteration of Personal Data; and/or
- A confidentiality breach resulting from the unauthorized disclosure of or access to Personal Data.
- Personal Information Controller refers to a natural or juridical person, or any other body who controls the processing of Personal Data, or instructs another to process Personal Data on its behalf. The term excludes:
- A natural or juridical person, or any other body, who performs such functions as instructed by another person or organization; or
- A natural person who processes Personal Data in connection with his or her personal, family, or household affairs.
There is control if the natural or juridical person or any other body decides on what information is collected, or the purpose or extent of its processing.
- Personal Information Processor refers to any natural or juridical person or any other body to whom a personal information controller may outsource or instruct the processing of Personal Data pertaining to a Data Subject.
- Receiving Party refers to the party to whom the Personal Data was disclosed.
- Sharing Party refers to the party disclosing the Personal Data.
- Technical, Physical, and Organizational Security Measures, or TPOSM refer to those measures aimed at protecting Personal Information transmitted, stored, or otherwise processed against improper, unauthorized, accidental or unlawful processing, destruction or loss, disposal, alteration, disclosure, or access, and against all other unauthorized and unlawful forms of processing.
- Roles of the Parties – User is the Personal Information Controller of the Personal Data disclosed to PDAX. PDAX is a Personal Information Processor, i.e., it processes such Personal Data upon the instruction of the User.
In the event that either party takes on the role of a Personal Information Controller or Personal Information Processor, as defined under the DPA, such party herein undertakes to implement the necessary measures, and execute its role as Personal Information Controller or Personal Information Processor, as the case may be, in relation to any Personal Data which comes into its possession by virtue of the Terms and Conditions and these Remittance Rules, in accordance with the DPA.
- Personal Data to be Collected and Processed – PDAX shall process only the Personal Data listed in the DOD, in accordance with the terms of the Data Outsourcing Agreement.
The terms of the Data Outsourcing Agreement shall apply to Personal Data in all its forms. It may be on paper, stored electronically, held on film, microfiche, or other media. It includes text, pictures, audio, and video. It covers information transmitted by post, by electronic means, and by oral communication, including telephone and voicemail. It applies throughout the lifecycle of the data from creation, collection, storage, utilization, to disposal. The terms of the Data Outsourcing Agreement apply to all officers, employees, and clients of both Parties where they are performing their duties in relation to the Data Outsourcing Agreement.
- Purposes of Processing – PDAX shall process the Personal Data only for the purposes listed in the DOD. The User may, at any time and upon written instructions to PDAX, require PDAX to process the Personal Data pursuant to and consistent with the following purposes:
- Comply with statutory and regulatory requirements, including directives, issuances by, or obligations of User to any competent authority, regulator, supervisory body, enforcement agency, exchange, court, quasi-judicial body, or tribunal;
- Enable User to exercise sound corporate governance over its businesses, ensure that risks arising therefrom are duly identified, measured, managed and mitigated, and enhance risk assessment and prevent fraud;
- Enable User to conduct User audits or investigate a complaint or security threat;
- Other legitimate business purposes of the User and PDAX;
- Establish, exercise, or defend PDAX’s legal claims; or
- Fulfill any other purposes directly related to the above-stated purposes.
- Geographic Location of the Processing – The Personal Data shall be processed by PDAX at the geographic location specified in DOD.
PDAX shall, at least thirty (30) days prior to effecting any change in the geographic location, notify the User in writing of such intended change and provide reasonable proof that such change shall not adversely affect the TPOSM currently in place or impact the privacy rights of the Data Subjects.
- Obligations of User – Pursuant to the requirements of the DPA, the User hereby undertakes to:
- Secure the written consent of each Data Subject;
- Process Personal Data to the extent allowed by the Data Subject;
- Specify the persons and/or entities authorized to receive, access, process, and/or transmit the information obtained and processed by PDAX, giving PDAX the right to refuse to give information to persons or entities not designated by User.
- Obligations of PDAX – Pursuant to the requirements of the DPA, PDAX hereby undertakes to:
- Process Personal Data only upon the documented instructions of User, including transfers of Personal Data to another country or an international organization, to the extent contemplated under the DOD, unless such transfer is authorized by Applicable Laws and Rules;
- Ensure that an obligation of confidentiality is imposed on persons authorized to process the Personal Data;
- Implement appropriate security measures and comply with the DPA;
- Not engage another processor without prior instruction from User: provided, that any such arrangement shall ensure that the same obligations for data protection under the contract or legal act are implemented, taking into account the nature of the processing;
- Assist the Personal Information Controller, by appropriate TPOSM and to the extent possible, fulfill the obligation to respond to requests by Data Subjects relative to the exercise of their rights;
- Make available to the User all information necessary to demonstrate compliance with the obligations laid down in the DPA, and allow for and contribute to audits, including inspections;
- Immediately inform the User if, in its opinion, an instruction infringes the DPA;
- Assist User in ensuring compliance with the DPA, taking into account the nature of processing and the information available to PDAX;
- At the choice of the User, delete or return all Personal Data to the User upon termination of, and subject to, the Terms and Conditions and the Remittance Rules; and
- Report all available information to the User within forty-eight (48) hours from knowledge of, or reasonable belief that, a Personal Data Breach or a Security Incident has occurred, and extend full cooperation to the User to enable the User to comply with its obligations under the DPA.
- Security Obligations of PDAX – Pursuant to its obligation to maintain the appropriate TPOSM, PDAX warrants that, at minimum, it shall have the following security measures:
Organizational Security Measures
- That it has a designated individual who functions as a Data Protection Officer.
- That it has implemented appropriate data protection policies that provide for TPOSM, taking into account the nature, scope, context, and purposes of the processing, as well as the risks posed to the rights and freedoms of Data Subjects.
- The policies shall implement data protection principles both at the time of the determination of the means for processing and at the time of the processing itself.
- The policies shall implement appropriate security measures that, by default, ensure only Personal Data which is necessary for the specified purpose of the processing are processed. They shall determine the amount of Personal Data collected, including the extent of processing involved, the period of their storage, and their accessibility.
- The policies shall provide for documentation, regular review, evaluation, and updating of the privacy and security policies and practices.
- That it shall maintain records that sufficiently describe its data processing system and identify the duties and responsibilities of those individuals who will have access to Personal Data. Records shall include:
- Information about the purpose of the processing of Personal Data, including any intended future processing or data sharing;
- A description of all categories of Data Subjects, Personal Data, and recipients of such Personal Data that will be involved in the processing;
- General information about the data flow within the organization, from the time of collection, processing, and retention, including the time limits for disposal or erasure of Personal Data;
- A general description of the TPOSM in place; and
- The name and contact details of each Party, its representatives, the sub-Users (if applicable), and the compliance officer or Data Protection Officer, or any other individual or individuals accountable for ensuring compliance with the Applicable Laws and Rules for the protection of data privacy and security.
- That its employees shall operate and hold Personal Data under strict confidentiality. This obligation shall continue even upon termination of the employee’s employment.
Physical Security Measures
- That it has implemented policies and procedures to monitor and limit access to and activities in the room, workstation or facility, including guidelines that specify the proper use of and access to electronic media;
- That the design of its office space and workstations, including the physical arrangement of furniture and equipment, shall provide privacy to anyone processing Personal Data, taking into consideration the environment and accessibility to the public;
- That the duties, responsibilities and schedule of individuals involved in the processing of Personal Data are clearly defined to ensure that only the individuals actually performing official duties shall be in the room or work station, at any given time;
- That it has implemented policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of Personal Data; and
- That it has implemented policies and procedures that prevent the mechanical destruction of files and equipment. The room and workstation used in the processing of Personal Data shall, as far as practicable, be secured against natural disasters, power disturbances, external access, and other similar threats.
Technical Security Measures
- That it has implemented safeguards to protect their computer network against accidental, unlawful or unauthorized usage, any interference which will affect data integrity or hinder the functioning or availability of the system, and unauthorized access through an electronic network;
- That it has the ability to ensure and maintain the confidentiality, integrity, availability, and resilience of their processing systems and services;
- That it performs regular monitoring for security breaches, and a process both for identifying and accessing reasonably foreseeable vulnerabilities in their computer networks, and for taking preventive, corrective, and mitigating action against security incidents that can lead to a Personal Data Breach;
- That it has the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
- That it has a process for regularly testing, assessing, and evaluating the effectiveness of security measures; and
- That it encrypts Personal Data during storage and while in transit, has an authentication process, and has implemented other technical security measures that control and limit access.
- Indemnification – User agrees to irrevocably, unconditionally, and fully indemnify and hold PDAX, the PDAX Group, its directors, officers, employees, sub-contractors, and agents, free and harmless from and against any and all claims, suits, actions or demands or losses, damages, costs and expenses including, without limiting the generality of the foregoing, attorney’s fees and costs of suit that User may face, suffer or incur by reason or in respect of:
- User’s or the User’s Client’s breach of any of the warranties and obligations set forth in the Data Outsourcing Agreement, regardless of the cause of such breach; or
- Any act, omission or negligence of the User or the User’s Clients that causes or results in the breach of obligations under the DPA.
- Data Subject Rights – Each Party shall respect the following rights accorded to Data Subjects by the DPA:
- Right to be informed. Data Subjects have the right to be informed whether Personal Data pertaining to them shall be, are being, or have been processed, including the existence of automated decision-making and profiling. This Data Outsourcing Agreement may be accessed by the Data Subject upon written request submitted to any of the Parties.
- Right to object. Subject to the limitations set forth in the DPA and other Applicable Laws and Rules, Data Subjects have the right to object to the processing of their Personal Data, including processing for direct marketing, automated processing or profiling. They may withhold consent to the processing in case of changes or any amendment to the information supplied or declared to the Data Subject.
- Right to access. Subject to the limitations set forth in the DPA and other Applicable Laws and Rules, Data Subjects have the right to request access to any of their Personal Data.
- Right to rectification. Data Subjects have the right to dispute the inaccuracy or error in the Personal Data and have the PIC correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable.
- Right to erasure or blocking. Subject to the limitations set forth in the DPA and other applicable laws and regulations, Data Subjects have the right to suspend, withdraw or order the blocking, removal or destruction of their Personal Data from the PIC’s filing system.
- Right to damages. Data Subjects have the right to be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of Personal Data, taking into account any violation of the rights and freedoms of the Data Subject.
- Right to lodge a complaint with the National Privacy Commission.
- Communications Regarding Data Privacy Concerns – For questions, requests, and notifications, communication may be directed to each Party’s designated Data Protection Officer or his/her replacement or substitute.