Skip to Content
Square
No items in your cart
Square
  • Business types
  • Products
  • What's new
Discover
Types
Capabilities
Discover
Types
Capabilities
Discover
Types
Capabilities
Discover
Types
Capabilities
Hardware
Discover
Discover
Discover
Discover
Discover
Editions
No items in your cart
Contact sales
Get started

General

Square Data Processing Agreement

Last Updated: March 16, 2026

This Data Processing Agreement (“DPA”) supplements and forms part of the General Terms of Service (“General Terms”) between you (“Seller”) and Block, Inc. (“Square,” “we,” “our,” or “us”). If your Square Account is located in the European Economic Area or the United Kingdom, the EEA/UK Data Processing Terms apply. If your Square Account is located elsewhere, this DPA governs the processing of Personal Data by Square in connection with the provision of its services.

1. Definitions

"Applicable Data Protection Law" means all applicable laws and regulations relating to privacy, data protection, and data security, including amendments, updates, or successor laws as applicable, including, but not limited to, the following:

  • Australia’s Privacy Act 1988 and the Australian Privacy Principles;
  • Canada’s Personal Information Protection and Electronic Documents Act;
  • Japan’s Act on the Protection of Personal Information;
  • U.S. state laws, including:
    • California Consumer Privacy Act (CCPA);
    • Colorado Privacy Act;
    • Connecticut Data Privacy Act;
    • Utah Consumer Privacy Act;
    • Virginia Consumer Data Protection Act;
    • Delaware Personal Data Privacy Act;
    • Iowa Consumer Data Protection Act;
    • Nebraska Data Privacy Act;
    • New Hampshire Data Privacy Act Relative to the Expectation of Privacy;
    • New Jersey Data Privacy Act;
    • Florida Digital Bill of Rights;
    • Texas Data Privacy and Security Act;
    • Oregon Consumer Privacy Act;
    • Montana Consumer Data Privacy Act;
    • Tennessee Information Protection Act;
    • Minnesota Consumer Data Privacy Act;
    • Maryland Online Data Privacy Act;
    • Rhode Island Data Transparency and Privacy Protection Act;
    • Indiana Consumer Data Protection Act;
    • Kentucky Consumer Data Protection Act.

"Personal Data" means information relating to an identified or identifiable natural person that is Processed in connection with the Services.

"Process," "Processing," "Controller," and "Processor" have the meanings given in Applicable Data Protection Law.

“Security Breach” has the meaning that term, or substantially similar terms, have in the Applicable Data Protection Law relevant to the Personal Data at issue.

2. Description of Square’s Processing

Square as Processor and Controller.

Depending on the context of the data collection and Processing, Square may act as a Processor or Controller, as described in the table below.

Purpose and Scope of Processing. Square will Process Personal Data to:

Square as Data Processor Square as Data Controller
Provide and facilitate the Services on behalf of Seller in accordance with the General Terms. - Provide products and services directly to buyers, including as described in the Privacy Notice for Buyer Features and Square Pay or Cash App Privacy Notice;
  • Comply with legal obligations;
  • Monitor, prevent and detect fraudulent payment transactions and other fraudulent activity; and
  • Analyze, improve, and develop products and services.

Categories of Data Subjects. Seller’s Buyers and employees.

3. Square’s Obligations as Processor

When acting as a Processor, Square shall:

  • Process Personal Data only on documented instructions from Seller, unless required by law;
  • Ensure all personnel authorized to Process Personal Data are subject to confidentiality obligations;
  • Implement appropriate technical and organizational security measures to protect Personal Data;
  • To the extent required by Applicable Data Protection Law, assist Seller in responding to data subject rights requests;
  • Notify Seller promptly if Square determines that it can no longer meet its obligations under this DPA or Applicable Data Protection Law;
  • Upon request, assist with data protection impact assessments or consultations with supervisory authorities, to the extent required by Applicable Data Protection Law;
  • Upon notice from Seller, take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data, including providing documentation to verify deletion of such data where applicable;
  • At the end of service provision, delete or return Personal Data, unless retention is required by law;
  • To the extent required by Applicable Data Protection Law and following your written request, contribute to audits or inspections by making audit reports available to you. Following this request, and no more frequently than once annually, Square will promptly provide documentation or complete a written data security questionnaire of reasonable scope and duration regarding Square's Processing of Personal Data. All reports and documentation provided, including any response to a security questionnaire, are Square’s confidential information.

4. CCPA

Whenever Square acts as a Processor under this DPA, Square is deemed a "service provider" under the CCPA. In such cases, and to the extent Square processes Personal Data subject to the CCPA in its role as a service provider to Seller, Square will not:

  • Sell or share (as defined under CCPA) Personal Data;
  • Retain, use, or disclose Personal Data for any purpose other than providing the services specified in this DPA or as otherwise permitted by the CCPA; ; or
  • Combine Personal Data received from or through you with Personal Data received from or on behalf of an individual or collected from Square's own interactions with the individual, except to provide Square’s products and services and as permitted by Law.

Square certifies that it understands and will comply with the requirements in this DPA relating to the CCPA and will provide the same level of privacy protection to Personal Data as required by the CCPA. Square will inform you if it determines that it can no longer meet its obligations under the CCPA and will take reasonable and appropriate steps to remediate any unauthorized Processing of Personal Data.

5. Subprocessors

Square may engage Subprocessors, provided that:

  • It maintains a list of current Subprocessors and notifies Sellers of any material changes;
  • Each Subprocessor is bound by a written agreement imposing substantially similar data protection obligations;
  • Square remains liable for the performance of its Subprocessors.

6. Seller’s Obligations as Controller

Seller shall:

  • Ensure it has a lawful basis for the Processing and transfer of Personal Data to Square;
  • Provide required notices to and obtain any necessary consents from data subjects;
  • Comply with all Applicable Data Protection Laws.

7. Data Transfers

Square may transfer Personal Data to its affiliates and Subprocessors globally as necessary for service provision. Where required, Square shall ensure appropriate safeguards such as standard contractual clauses or equivalent mechanisms are in place.

8. Security Breach Notification

In the event of a confirmed Security Breach involving Seller’s Personal Data, Square will notify Seller without undue delay and provide information necessary to meet its obligations under Applicable Data Protection Law.

9. Conflict

In case of conflict between this DPA and the General Terms, this DPA shall prevail with respect to data protection and privacy obligations.