GDPR compliance

A brief summary of measures taken at Hyperswitch to ensure GDPR compliance
In this section you will learn about our initiatives to prioritise and improve the security and privacy of Customer Data and Personally Identifiable Information (PII).
The General Data Protection Regulation (GDPR) lays out the definition of Data Controller, Data Processor and Data Subject as below:
Data Controller
A Data Controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Controllers make decisions about processing activities.
Data Processor
A Data Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller and under the instructions of the controller.
Data Subject
The term 'data subject' refers to any living individual whose personal data is collected, held or processed by an organization.
Hyperswitch plays the role of a ‘Data Processor’ and takes the initiatives below to ensure compliance.

Data Protection and Privacy Principles

Lawfulness, fairness, and transparency
Lawful - We gather and process data with a valid legal basis, which is vetted by our legal team.
Fair - We process personal data in the best interest of the people concerned, and the scope of our processing can be reasonably expected by the person.
Transparent - We clearly communicate what, how, and why we process data and what role we play in the data lifecycle via our Privacy Notice on the website. It is written in clear, plain language that enables everyone to easily understand the scope and methods of our processing. We also enable our merchants to comply with the Transparency principle by enabling them to respond to Data Subject Rights Requests in a better, sustainable way via our Data Compliance APIs.
Purpose limitation
We only process data for clear, defined purposes and have strict processes in place to avoid function creep or utilisation of data in any other way than intended. We also verify on a periodic basis that our purposes are valid and essential to deliver services to our merchants and avoid any unnecessary processing.
We maintain records of our purposes via RoPA to ensure compliance with Purpose Limitation.
Data minimisation
We ensure and evaluate that we gather only essential personal data that we need to deliver the service. In other words, we only gather and process the exact amount of data that is needed.
Accuracy
As a data processor, we take reasonable measures to ensure that the personal data we are processing is correct and up to date by employing various security and privacy-centric principles:
  • Access Control (maker and checker system)
  • Encrypted communication channels
  • Encryption of data during transmission and storage
  • Automated Backups
Storage limitations
We ensure that we get defined retention period requirements from our merchants so that we do not end up storing data that is no longer of use for the purpose for which it was intended.
We have implemented a process for destroying data in a secure way that helps us ensure that the data no longer needed is really removed and not still stored on a device or in the cloud, where it could be a potential security risk.
Integrity and confidentiality
We have developed, implemented, and maintain effective information security and privacy policies and procedures that include administrative, technical and physical safeguards designed to:
  • Ensure the security and confidentiality of confidential information and systems provided
  • Protect against anticipated threats or hazards to the security or integrity of such confidential information and systems
  • Protect against unauthorised access or use of such confidential information and systems
We employ various security measures to ensure that the integrity and confidentiality of data is maintained throughout the lifecycle of the data:
  • Restriction of access to data (need to know principle)
  • Encryption of PII
  • Implementing a data retention policy
  • Antivirus programs
  • Firewalls
  • Intrusion detection systems
  • Multi-factor authentication
  • Software updates
  • Cyber Security and Privacy awareness trainings
  • Non-Disclosure Agreements with our employees, merchants and vendors
Accountability
We abide by this principle by taking responsibility for our data processing. This means that we, the data processor, are accountable for the proper processing of personal data and for compliance with the rules of the GDPR, and we ensure that the responsibilities on each side (controller and processor) are captured in our agreements/DPAs with all our merchants.


Hyperswitch is engineered with a meticulous focus on safeguarding sensitive data in alignment with PCI standards. The application also employs strategies that span various stages, including:
  • Encryption of Data at rest and Data in Transit
  • Masking of PII information at source
  • Minimizing PII data exposure across the application
  • Secure software development practices
  • SOC Type I and Type II certification
Read more about Data security at Hyperswitch.

Data Retention and Deletion

In the spirit of the Data Minimisation principle, we capture data retention and deletion requirements with all our merchants in our DPAs and Master Service Agreement to avoid processing data longer than required. We regularly audit our processes to ensure that the data retention requirements are met.
We support the right to erasure through a permanent deletion of personal data upon request. The Deletion API is published and accessible for all merchants to permanently delete Customer PII Data.

Data Protection Team

Juspay Technologies Private Limited (doing business as Hyperswitch) has a Privacy and Data Protection team and a designated Data Protection Officer to look after Data Protection, Privacy and Compliance Obligations.

Data Protection Agreement

The Hyperswitch Master Services Agreement includes a Data Protection Agreement which clearly articulates our privacy commitment to merchants. We have evolved and specifically updated these terms to reflect the GDPR from the perspective of payment processing, and to facilitate merchants’ compliance assessment and GDPR readiness when using Hyperswitch.

Standards and Certifications

We hold ourselves to the highest standards of data security and reliability. We believe in protecting sensitive information and ensuring the utmost trust in our services by our merchants. To achieve that goal, we undergo regular audits to address any gaps and strengthen our security and privacy posture.
ISO/IEC 27001:2013
(Upgrading to ISO 27001:2022 during 2024)
ISO/IEC 27001 is the international standard for information security. It sets out the specification for an effective ISMS (information security management system). ISO 27001's best-practice approach helps us manage our information security by addressing people, processes and technology. This certification signifies our establishment of a robust Information Security Management System (ISMS) and the mastery of a comprehensive suite of controls to ensure the highest level of data protection.
SOC 2 Type 1 and 2
System and Organisation Control 2 is a security framework that specifies how we should protect customer data from unauthorized access, security incidents, and other vulnerabilities. Type 2 examines how well our system and controls perform over a period of time (typically 3-12 months).
PCI DSS v3.2.1
(Certification under process for PCI 4.0)
PCI DSS is one of the stringent compliance requirements for entities that process, store, or transmit credit card information to maintain a secure environment. It sets out the necessary framework for developing complete payment card data security systems and processes that encompass prevention, detection, and appropriate reaction to security incidents. This accomplishment marks a significant milestone in our commitment to safeguarding sensitive cardholder data and ensuring the highest level of security for our merchants.

Use of Sub processors

Below is the list of sub-processors we use at Hyperswitch, as well as the purpose of their use.
Sub processor
Hosted region
Cloud processing of user data and merchant data
Global server (US)
EU Data Residency server (EU)
Merchant communication
Google Workspace
Merchant communication and documentation
Other use cases, such as data infrastructure and monitoring systems, are handled using self-deployed versions of popular open source technologies: ClickHouse, Grafana and Sentry. This provides more control and reduces the need to share data across more sub-processors.