If your marketing agency is based in the EU or UK, or if you work with EU/UK clients, the way you handle payment data is regulated by law. GDPR and PSD2 are not optional — and the fines for non-compliance are serious. GDPR violations can result in fines of up to 4% of global annual turnover or €20 million, whichever is higher.
The good news: payment software that is built for compliance handles much of this for you. Note that under GDPR your agency remains the data controller and the software vendor acts as a processor, so you still need a data processing agreement (Art. 28 GDPR) with any vendor that touches that data. Here is what you need to know.
What is PSD2 and why does it matter for agencies?
PSD2 (Payment Services Directive 2) is EU legislation that governs how financial data and payment services can be accessed. For marketing agencies, it matters in two specific ways:
- Bank connections — any software that reads your bank account or initiates payments on your behalf must be, or must go through, an authorised PSD2 account information or payment initiation service provider. Unofficial integrations that store your online banking login and scrape the bank's website do not meet this requirement.
- Strong Customer Authentication (SCA) — electronic payments must be authenticated with two independent factors (something you know, something you have, something you are) unless a specific exemption applies, such as low-value transactions. This cuts fraud risk on every payment your agency initiates.
Paylo connects to banks exclusively through licensed PSD2 Open Banking providers, so every bank connection is authorised, regulated, and compliant with EU law. Your bank credentials are never shared with Paylo: you log in and consent through your bank's own interface, and the connection is established with an OAuth access token rather than your password.
🏦 Paylo is a PSD2-compliant payment platform built in Berlin. All bank connections use licensed Open Banking providers. No bank credentials are ever stored.
GDPR and payment data — what agencies need to know
GDPR applies to any personal data your agency processes — including vendor contact details, payment information, and invoice data that contains personal information.
Where your data is stored
Under GDPR, you have a right to know where your data is processed and stored. Paylo uses the following EU-based infrastructure:
- Application server — Hetzner CPX22, Nuremberg, Germany
- Database — Supabase (PostgreSQL), EU region
- Email — Resend, GDPR-compliant transactional email
- AI processing — Proprietary AI engine (invoice text processed in-memory, not stored or retained)
No data is transferred to the United States or other non-EU countries without the safeguards GDPR requires for international transfers (an adequacy decision or standard contractual clauses).
The audit trail — your compliance safety net
GDPR's accountability principle and financial record-keeping rules both require that you can demonstrate what happened with payment data. Paylo maintains a permanent, append-only audit log of:
- Who submitted each invoice and when
- Who approved or rejected it and at what time
- When payment was initiated and the amount
- Any changes to vendor bank details
- Any AI fraud flags triggered
This audit trail is exportable as CSV at any time — ready for your accountant, a compliance audit, or a GDPR data subject access request.
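To show what "immutable" and "exportable" mean in practice, here is an added example of a tamper-evident audit log with the event types listed above. It is illustrative code written for this article, not Paylo's implementation; the event names, actors and sample invoice are constructed. Each row stores the SHA-256 of the previous row, so editing or deleting any row breaks every later hash, and the exported CSV can be re-verified offline by an auditor. Because a hash chain alone cannot detect rows silently dropped from the end, the verifier also accepts the latest hash stored out-of-band.

```python
"""Tamper-evident, append-only audit log with CSV export (added example, not Paylo's code)."""
import csv
import hashlib
import io
import json
from datetime import datetime, timezone

# Column layout of the exported CSV; event names and fields are assumed for illustration.
FIELDS = ["seq", "timestamp", "actor", "event", "invoice_id", "detail", "prev_hash", "hash"]
GENESIS = "0" * 64  # prev_hash of the very first row


def _digest(row: dict) -> str:
    """SHA-256 over a canonical JSON encoding of every field except the hash itself."""
    payload = {k: str(row[k]) for k in FIELDS if k != "hash"}
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


class AuditLog:
    def __init__(self):
        self.records = []

    def append(self, actor, event, invoice_id, detail, timestamp=None):
        """Add one event; rows can only be appended, never edited in place."""
        row = {
            "seq": str(len(self.records)),  # stored as text so CSV round-trips hash identically
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "event": event,
            "invoice_id": invoice_id,
            "detail": json.dumps(detail, sort_keys=True),
            "prev_hash": self.records[-1]["hash"] if self.records else GENESIS,
        }
        row["hash"] = _digest(row)
        self.records.append(row)
        return row

    def head(self) -> str:
        """Latest hash; keep a copy outside the log so truncation is detectable."""
        return self.records[-1]["hash"] if self.records else GENESIS

    def export_csv(self) -> str:
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=FIELDS)
        writer.writeheader()
        writer.writerows(self.records)
        return buf.getvalue()


def verify_csv(text: str, expected_head=None):
    """Return (True, None) if the chain is intact, else (False, seq of the first bad row).
    seq -1 means the file is internally consistent but rows were removed from the end."""
    prev = GENESIS
    for row in csv.DictReader(io.StringIO(text)):
        if row["prev_hash"] != prev or _digest(row) != row["hash"]:
            return False, int(row["seq"])
        prev = row["hash"]
    if expected_head is not None and prev != expected_head:
        return False, -1
    return True, None


def tamper(text: str, seq: int, field: str, value: str) -> str:
    """Rewrite one cell of an exported CSV (simulates an attacker editing the file)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    rows[seq][field] = value
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def build_sample_log() -> AuditLog:
    """Constructed sample events for one invoice, with fixed timestamps for reproducibility."""
    log = AuditLog()
    log.append("alice@agency.example", "invoice_submitted", "INV-1042",
               {"vendor": "Studio Nord", "amount_eur": "1250.00"}, "2024-05-02T09:14:00+00:00")
    log.append("bob@agency.example", "invoice_approved", "INV-1042", {}, "2024-05-02T10:02:00+00:00")
    log.append("system", "vendor_bank_details_changed", "INV-1042",
               {"old_iban_suffix": "7831", "new_iban_suffix": "0192"}, "2024-05-02T10:05:00+00:00")
    log.append("ai-fraud-check", "fraud_flag", "INV-1042",
               {"reason": "IBAN changed within 1h of approval"}, "2024-05-02T10:05:01+00:00")
    log.append("bob@agency.example", "payment_initiated", "INV-1042",
               {"amount_eur": "1250.00"}, "2024-05-02T11:30:00+00:00")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    exported = log.export_csv()
    print("intact export:", verify_csv(exported, log.head()))
    forged = tamper(exported, 4, "detail", '{"amount_eur": "12500.00"}')
    print("edited amount:", verify_csv(forged, log.head()))
```

When you hand the CSV to an accountant or auditor, hand over the head hash separately (for example in an e-mail or a signed statement); with that one value they can prove that nothing in the file was altered and nothing was cut off the end since it was exported.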
Checklist — is your agency payment process GDPR and PSD2 compliant?
- ✅ Bank connections use a licensed PSD2 Open Banking provider
- ✅ Bank credentials are not stored in your payment software
- ✅ Invoice and vendor data is stored in the EU
- ✅ You can export all payment data on request
- ✅ You can delete vendor and user data on request
- ✅ Payment data is encrypted at rest and in transit
- ✅ An audit trail exists for every payment decision
If you use Paylo, all seven of these are handled automatically.
GDPR-compliant payment automation from €79/month
Built in Berlin. PSD2 partner. AES-256 encrypted. 14-day free trial.
Start free trial →